Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
ID: fe36ec69-28f6-50d2-9e4d-34d7e18dc9e2
STIX ID: report--fe36ec69-28f6-50d2-9e4d-34d7e18dc9e2
Feed Name: The DFIR Report
In late December 2022, threat actors gained access to an exposed RDP host using legitimate Administrator credentials. They used SoftPerfect Netscan for network discovery, staged rclone to exfiltrate files to Mega, disabled Windows Defender via commands and scripts, and executed Trigona ransomware, which spread over SMB to encrypt network-accessible hosts, producing a double-extortion outcome (data theft followed by encryption). The report includes IOCs (IPs, hashes, filenames), recovered scripts, and detection rules (Sigma/Yara).
