{"group":"trigona","count":1,"rules":[{"rule_name":"trigona.yar","rule_text":"/*\nTrigona ransomware\n*/\n\nrule Trigona_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.trigona\"\n        description = \"Detects Trigona ransomware ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"_how_to_decrypt.hta\" ascii nocase\n        $s2 = \"TRIGONA\" ascii nocase\n        $s3 = \"._locked\" ascii\n        $s4 = \"trigona.onion\" ascii nocase\n\n    condition:\n        any of them\n}\n\nrule Trigona_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.trigona\"\n        description = \"Detects Trigona ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"TRIGONA\" ascii wide\n        $s2 = \"_how_to_decrypt.hta\" ascii\n        $s3 = \"NTRUEncrypt\" ascii nocase\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"32b435389a8c4fbb1e25d974deace430b52c4d7bd0e837290c8a154b9834b67a","byte_size":901,"updated_at":"2026-06-24 05:16:05"}]}