Security News > 2023 > October > Ukrainian activists hack Trigona ransomware gang, wipe servers
A group of cyber activists under the Ukrainian Cyber Alliance banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.
Ukrainian Cyber Alliance hackers gained access to Trigona ransomware's infrastructure by using a public exploit for CVE-2023-22515, a critical vulnerability in Confluence Data Center and Server that can be leveraged remotely to escalate privileges.
The Ukrainian Cyber Alliance, or UCA for short, first breached Trigona ransomware's Confluence server about six days ago, established persistence, and mapped the cybercriminal's infrastructure completely unnoticed.
After a UCA activist using the handle herm1t published screenshots of the ransomware gang's internal support documents, BleepingComputer was told that Trigona ransomware initially panicked and responded by changing the password and taking down its public-facing infrastructure.
The Trigona ransomware operation emerged under this name in late October last year, when the gang launched a Tor site to negotiate ransom payments in Monero cryptocurrency with victims of their attacks.
At the moment, due to the Ukrainian Cyber Alliance's recent actions, none of the Trigona ransomware public websites and services are online.
News URL
Related news
- FBI disrupts the Dispossessor ransomware operation, seizes servers (source)
- FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany (source)
- Belarusian-Ukrainian Hacker Extradited to U.S. for Ransomware and Cybercrime Charges (source)
- Linux version of new Cicada ransomware targets VMware ESXi servers (source)
- VMware ESXi Servers Targeted by New Ransomware Variant from Cicada3301 Group (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-04 | CVE-2023-22515 | Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. | 9.8 |