A brand new ransomware operation launched this month on both the clear and dark nets. Here’s what we know about Trisec.
The Trisec ransomware gang made its first post to its dark net leak site on 17 February, announcing its first apparent victim: an Irish Toyota dealership called Cogans Toyota Cork.
“Pay in time, or we will leak all of the data we found, trust me you don’t want that,” a Trisec spokesperson said on the group’s leak site. “Pay before the timer ends and keep your data safe.”
At the time, the dealership had 20 days to pay and was instructed to contact the hackers and offer a price – a departure from the usual habit of demanding a specific figure. Curiously, the initial ransom post is no longer live. There have been scattered reports of other victims on X, but so far, Cogans appears to be the group’s only publicised victim – or at least its only ransomware victim.
Trisec does not appear to be your average ransomware group, but rather one that openly claims affiliation with a nation-state – and it’s not Russia or China, but rather Tunisia. The Tunisian flag figures prominently in the group’s Telegram channels, and its leak site says the group is looking to hire only Tunisians.
“We are hiring Tunisian blackhats,” the group’s darknet front page said.
“We are looking for Malware Developers, Web developers, Phishing pros, Social Engineers, and traffers.”
Traffers are cyber criminals who specialise in driving victims to infostealer malware and harvesting the credentials it collects, which are then sold on or used for follow-on intrusions.
The group is also active on the clear net hacking site BreachForums, where it first posted on 21 January, though in that post the group called itself Tri-Security Vision. The post went on to introduce the group, explain its motivations, and share its Onion addresses.
“What about our goals? Financial Gain, And glory to Tunisia,” the post said.
“Our vision? We want to see our work demolish the cyber world.
“Who we are? We are a cyber-crime group that engages in a diverse range of activities, including both state-sponsored and financially motivated attacks, like ransomware.”
In another post, the group advertises a new site design, as well as a new “victim list” – and a new name: TriSec Vision. However, that site – an Onion address as well, only accessible via the Tor browser – currently says the group is busy with another “operation”.
“Working on Operation Pied Piper of Hamelin, sorry we don’t have time to get more victims, this op is more important,” the page said before listing a selection of MITRE ATT&CK techniques, presumably ones the group uses.
In its most recent post, on 22 February, the group attempted to sell unauthorised access to the Swedish Karolinska Institutet. When asked by another forum member why it wasn’t hacking the university itself, a spokesperson said: “We do not attack educational sites.”
Assuming Trisec’s claims of state backing are true – and we’re taking them with quite a grain of salt – it is an unusual operation. It’s certainly something the Tunisian government might have something to say about, assuming that’s the state Trisec is alluding to when it talks about taking state-sponsored action. Cyber Daily has reached out to the Tunisian consulate for comment.
Or it might just be saying it is willing to hire itself out for government work, making them, in effect, hopeful cyber mercenaries with a ransomware-as-a-service model. It’s hard to say.
As far as we can tell, Trisec appears to still be working out exactly what kind of group it wants to be. But it certainly seems to be up to something.
It just remains to be seen exactly what that is.
A note on naming: While the gang seems to be evolving its name and identity, currently calling itself Trisec Vision, we’re going with threat tracker FalconFeeds.io’s nomenclature: Trisec.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.