Skip to content

Monti ransomware gang emerges with new tactics and variant

  • by
  • 3 min read
Which files does ransomware encrypt? Does it affect the files on cloud?

The Monti ransomware group, known for its Windows and Linux-based variants, has resumed its cybercriminal activities after a two-month hiatus.

According to researchers from Trend Micro, the group has strategically adopted tactics, techniques, and procedures (TTN) from the Conti team, incorporating tools and source code to enhance their malicious activities.

The group gained notoriety in June 2022 due to its resemblance to the infamous Conti ransomware in both name and tactics. After lying low for a few months, Monti has focused on the legal and government sectors, targeting organisations within these domains. This resurgence in attacks coincides with the emergence of a new Linux-based variant of Monti, marked by notable deviations from its predecessors.

Unlike the earlier variant that heavily relied on leaked Conti source code, the new version employs a distinct encryptor and introduces new behaviours.

Encrypted file (left) vs the original file (right). | Source: Trend Micro

Comparative analysis between the two variants using BinDiff revealed a significant difference in similarity rates. The newer variant displayed only a 29% similarity rate compared to the 99% similarity rate between the older variants and Conti, signalling a substantial departure from its roots.

The fresh Linux variant of Monti introduces alterations in its command line arguments, adding the –whitelist parameter while omitting others. Additionally, it incorporates the -type=soft parameter to terminate virtual machines, suggesting a tactical shift to evade immediate detection during its operation.

The ransomware checks specific conditions to ensure effective infection before initiating its encryption process. These conditions include file size, the presence of the appended marker, and the string “MONTI” within the last 261 bytes of the file.

Code snippet demonstrating the presence of MONTI string. | Source: Trend Micro

Unlike its predecessor, which utilised the Salsa20 encryption algorithm, the new variant employs AES-256-CTR encryption using the OpenSSL library’s evp_enc function. Furthermore, the ransomware’s approach to file encryption has evolved. It now differentiates encryption based on file size ranges, encrypting the first 100,000 bytes for files between 1.048 MB and 4.19 MB and employing a Shift Right operation for files exceeding 4.19 MB.

Similar to prior iterations, the new Monti variant appends the .monti file extension to the encrypted files and deposits a ransom note named readme.txt in each directory.

Interestingly, a decryption code was discovered within the sample, suggesting the threat actors tested the functionality but inadvertently left it in the code. However, the decryption code remains ineffective without the private key possessed only by the malware author.

Organisations are urged to implement multifactor authentication (MFA) to counter such threats to hinder lateral movement within networks. Furthermore, adhering to the 3-2-1 backup guideline — creating three backup copies in two formats, with one stored off-site — can ensure data redundancy and mitigate data loss risks in the event of encryption or deletion.

In the News: Microsoft pulls the plug on the Cortana app for Windows 11


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: [email protected]