In February 2024, "Trisec - Cyber Outlaw," a purported ransomware operation that presents itself with Tunisia-related symbolism, emerged claiming ransomware attacks in Ireland, Sweden and Italy - all of them unconfirmed at the time of writing.
As the group appeared on the threat landscape, we released an initial analysis of its leak site linking the actor to a Russia-based operation. Now that the deadlines for Trisec's ransom demands have expired without any confirmation of the alleged attacks or release of indicators, it is reasonable to ask whether the actor represents a real threat or is simply the latest ransomware scam.
Few Factual Elements
There is still little we know about this group. Most of what is known comes from an unsolicited email our company received at the corporate mailbox info@clipeusintellige.com on February 13, 2024. This unusual expression of interest came to our company directly from the actor: Trisec used an email address on the cock[.]li domain to contact us and send us a .onion link. We did not engage with this unsolicited email and notified various law enforcement agencies. At the same time, we analyzed the email in order to identify potential elements of interest. This analysis led to the following findings:
The email originated from a mail server with IP address 37[.]120[.]193[.]123, geolocating to Belgrade, Serbia and belonging to an internet service provider (ISP) in Romania, Secure Data Systems / M247.
The IP address 37[.]120[.]193[.]123 is correlated with 14 domains, 8 of which were created between February 9, 2024 and February 21, 2024, i.e. in a timeframe consistent with the emergence of Trisec.
The hostname is consistent with cock[.]li, a presumed privacy-oriented email service maintained by an individual with a purported location in Bucharest, Romania, and with a footprint of virtual private servers across South-Eastern Europe.
The same mailing service was used by other ransomware actors such as Cuba and Snatch: ransom notes from these groups published by a number of sources show usage of the cock[.]li service. Moreover, we observed the same domain on the leak site of the Everest group as well. This finding may suggest a correlation between Trisec and one or more of these groups. However, the mailing service is publicly accessible to any user and, at present, there is no further element that would confirm such a correlation. As a result, a linkage between Trisec and any of these groups remains to be validated.
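The header walk-through described in the findings above (originating hop, enrichment of its IP, consistency of the reverse DNS name with the sender's domain, and how many domains on that IP were first seen in the window of Trisec's emergence) as an added example, not code or data from the original post: the message, the sender address and the enrichment record are constructed, with only the originating IP and ISP string mirroring the values the post gives.

```python
import email
import ipaddress
import re

# Constructed sample message (headers and sender are made up); the originating IP
# and ISP string below mirror the values the post gives so the walk-through matches it.
RAW_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [10.0.0.5])
 by mail.example-corp.test with ESMTP; Tue, 13 Feb 2024 09:14:02 +0000
Received: from mail.cock.li (mail.cock.li [37.120.193.123])
 by mx.example-corp.test with ESMTPS; Tue, 13 Feb 2024 09:14:01 +0000
From: sender-placeholder@cock.li
To: info@clipeusintellige.com
"""
# Constructed enrichment record standing in for GeoIP, rDNS and passive-DNS lookups;
# the domain first-seen list is a small made-up sample, not the post's 14 domains.
ENRICHMENT = {
    "37.120.193.123": {
        "geo": "Belgrade, RS",
        "isp": "Secure Data Systems / M247",
        "rdns": "mail.cock.li",
        "domain_first_seen": ["2023-11-02", "2024-02-09", "2024-02-14", "2024-02-21"],
    },
}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_public_ips(raw):
    """Public IPs from Received headers, earliest hop first (bottom header = first hop)."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(hdr))
        if m and ipaddress.ip_address(m.group(1)).is_global:
            ips.append(m.group(1))
    return ips

def assess(raw, window=("2024-02-09", "2024-02-21")):
    """Originating hop, its enrichment, and whether rDNS agrees with the sender's domain."""
    ips = received_public_ips(raw)
    origin = ips[0] if ips else None
    info = ENRICHMENT.get(origin, {})
    sender_domain = email.message_from_string(raw)["From"].rsplit("@", 1)[-1].strip("> ").lower()
    rdns = info.get("rdns", "").lower()
    in_window = [d for d in info.get("domain_first_seen", []) if window[0] <= d <= window[1]]
    return {"origin_ip": origin, "geo": info.get("geo"), "isp": info.get("isp"),
            "rdns_matches_sender_domain": bool(rdns) and (rdns == sender_domain or rdns.endswith("." + sender_domain)),
            "domains_first_seen_in_window": len(in_window)}
```

The first public hop is taken from the bottom-most Received header because each relay prepends its own line; a forged header injected by the sender would sit below it, so the result is a lead to pivot on, not proof of origin.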
A purported "Pied Piper of Hamelin" Operation
When we first analyzed the Trisec leak site on February 17, 2024, we found an extensive amount of content, both written and visual, possibly reflecting the actor's effort to build credibility. The website presented a purportedly large operation which the actor named "Pied Piper of Hamelin" after the German legend - a name which in 2018 was used to designate a TA505 campaign (for more details, refer to our previous post).
Notably, over the past week the Trisec site has been significantly redesigned, with all the extensive visual and written content removed. This evolution is likely consistent with the behavior of a scam group approaching an exit. The site currently presents only a link to the group's Telegram channel (Trisec_vision). Nonetheless, the site still refers to the operation, whose existence remains unproven.
Correlations With Russia
In addition to the elements we had already collected on February 17, there are now further elements suggesting that Trisec is in fact linked to Russian individuals or entities:
The group's Telegram channel and another correlated to it, "NetInfect," show prevalent use of the Russian language and clear Russian themes, including mockery of Ukraine's leadership.
Since Trisec made the effort to reach out to us, we reviewed our internal logs, which reveal unusual connections to our website shortly before the email we received on February 13, 2024, originating from IP addresses in Russia, namely Krasnodar and Astrakhan, and in Tunisia, specifically Aryanah and Bizerte. While the available data do not allow these activities to be conclusively attributed to Trisec, the timing and the unusual locations may suggest that they belong to the group.
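The log review described above, as an added example that is not code or data from the original post: it takes web server access log lines, keeps only visits in a lookback window before the email's receipt time, and flags those from countries outside the site's usual visitor baseline. The log lines, the IP-to-location table, the baseline and the receipt time are all constructed (documentation-range IPs), standing in for real logs and a GeoIP lookup.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache-style access log lines; IPs come from documentation ranges and the
# city/country mapping below is made up, standing in for a GeoIP lookup.
ACCESS_LOG = """\
203.0.113.10 - - [11/Feb/2024:10:02:11 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [12/Feb/2024:22:41:03 +0000] "GET /about HTTP/1.1" 200 3011
198.51.100.8 - - [12/Feb/2024:23:05:44 +0000] "GET /contact HTTP/1.1" 200 2208
192.0.2.55 - - [13/Feb/2024:07:58:30 +0000] "GET /contact HTTP/1.1" 200 2208
203.0.113.11 - - [13/Feb/2024:11:30:00 +0000] "GET / HTTP/1.1" 200 5120
"""
GEO = {
    "203.0.113.10": ("Dublin", "IE"),
    "203.0.113.11": ("Rome", "IT"),
    "198.51.100.7": ("Krasnodar", "RU"),
    "198.51.100.8": ("Astrakhan", "RU"),
    "192.0.2.55": ("Bizerte", "TN"),
}
BASELINE_COUNTRIES = {"IE", "IT", "US"}  # constructed: where visitors normally come from
EMAIL_RECEIVED = datetime(2024, 2, 13, 9, 14, 1, tzinfo=timezone.utc)  # constructed receipt time
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse_line(line):
    """Client IP, timezone-aware timestamp and request line from one combined-format entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)

def anomalous_visits_before(log_text, received_at, lookback=timedelta(hours=48)):
    """Visits inside the lookback window before the email, from non-baseline countries."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, req = parsed
        if not (received_at - lookback <= ts <= received_at):
            continue  # outside the window, or after the email arrived
        city, country = GEO.get(ip, ("unknown", "??"))
        if country in BASELINE_COUNTRIES:
            continue
        hits.append({"ip": ip, "when": ts, "city": city, "country": country,
                     "lead_time": received_at - ts, "request": req})
    return hits
```

As the post notes, such hits are circumstantial: a timing and geography overlap supports a hypothesis but does not by itself attribute the visits to the sender.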
Conclusion
There is presently no indication that Trisec represents an actual threat. It is highly suspicious that, after the expiration of the ransom deadlines, there is no confirmation of the claimed hacks and no indicators are available via open sources. It is even more suspicious that the actor reduced its online footprint, rather than expanding it, as the deadline given to the purported victims approached.
At the same time, the geographical anomalies in our internal logs, together with the contents and themes of the NetInfect Telegram channel, reinforce our initial hypothesis of a linkage to Russia. Trisec's use of a mailing service historically leveraged by established ransomware operations also remains a factor of interest.
We will share new updates, should new elements emerge.