A web server with RDP access had been brute forced by an actor who the DeepSeas cyber threat intelligence crew believes may have been trying to deliver and execute Trigona ransomware. The intruder performed many different malicious actions in the client’s environment after gaining initial access; establishing persistence, escalating privileges, evading defenses, performing asset discovery, conducting lateral movement, data collection, and more. Upon review of the intruder’s activities DeepSeas noted that some of the tactics, techniques, and procedures (TTPs) matched previously observed TTPs associated with the actor responsible for the Trigona ransomware.