Trigona ransomware operators ship a custom command-line data-theft tool to speed exfil and reduce dwell time

BleepingComputer reported on April 23 that recent Trigona ransomware intrusions are using a purpose-built command-line exfiltration tool rather than off-the-shelf rclone or MEGAcmd. The custom utility is small, supports parallel uploads, filters by file extension and size before transferring, and logs progress in a format optimized for ransomware operator dashboards. Researchers say the tool reduces dwell time meaningfully - operators are now exfiltrating high-value files in hours rather than days. The shift fits a broader trend (Akira, Black Basta, Play) toward bespoke tooling and away from detectable third-party utilities, making static endpoint signatures less reliable.

Check

Tighten outbound DLP and egress rules around document and source-code repositories - detect bulk reads regardless of which utility is doing the reading.

Affected

Organizations in Trigona's typical victim profile (manufacturing, healthcare, education, mid-market enterprises) without modern data-exfiltration detection. Static endpoint signature lists for rclone, MEGAcmd, FileZilla won't catch this custom tool. Networks without egress-bandwidth alerting on file servers or document-management hosts are equally exposed.

Fix

Switch outbound detection from utility names to behavior: alert on processes opening many files in many directories within a short window, on outbound TLS sessions transferring more than ~500MB from non-server endpoints, and on uploads to consumer cloud storage (Mega, Dropbox personal accounts) from corporate hosts. Add canary files in document repositories and alert on any read.