Monti ransomware, which has both Windows and Linux variants, caught the attention of security researchers in June 2022. It drew notice not only because its name resembles that of the notorious Conti ransomware but also because it uses similar tactics.
Monti deliberately copied the tactics, techniques, and procedures (TTPs) of the Conti team, reused many of Conti's tools, and built on Conti's leaked source code. Since its discovery, the Monti ransomware group has steadily targeted companies and published their stolen data on its leak site. This post looks at Monti, its tactics and techniques, and its motives.
As noted above, Monti ransomware was first reported by researchers in June 2022. The group drew attention because it operates like the now defunct Conti ransomware group: not only is its name similar to Conti's, its TTPs are as well. Monti has been observed targeting organizations in the legal and government sectors and posting the breaches to a data leak site run by the operators.
In September 2022, BlackBerry's Incident Response team investigated a security incident linked to Monti. The threat actor had exploited the well-known Log4Shell vulnerability on a client's internet-facing VMware Horizon virtualization system. During the investigation, it was found that Monti had encrypted 18 user desktops and compromised a three-server ESXi cluster, affecting a total of 21 virtualized servers.
Once Monti gained entry to the victim's VMware Horizon Connection Broker server through the Log4Shell exploit, the operators installed Google Chrome and used it to download attack tools onto the server. They also downloaded and installed AnyDesk and Action1, two remote monitoring and management (RMM) agents, to keep persistent remote access.
Using their own tooling, the attackers extracted login credentials from memory and scanned the network. They then used Windows' built-in Remote Desktop Protocol (RDP) to connect to other servers and to shared network folders, and finally deployed the Monti ransomware. Their goal was to encrypt as many hosts on the network as possible, including those holding the Veeam-based backups. Here is a list of various tools leveraged by Monti:
Another key takeaway is that, around the same time, researchers from the Malware Hunter Team noticed that files encrypted by Monti closely resembled files encrypted by a Conti variant, which suggested codebase reuse. They also noticed that Monti's ransom note was nearly identical to Conti's, with only two minor changes.
Image 1: Monti's Ransomware Note
Source: BlackBerry
After initial analysis, BlackBerry's Incident Response team found that the file they examined closely matched the locker.exe executable from the Conti v3 source code leak in file name, size, compile timestamp, and import table hash. Most section hashes matched as well, the only exception being the .data section, which strengthened the evidence that the file is a Conti v3 payload.
Further investigation showed that although the code in the leaked Conti executable was identical to the team's sample, running the leaked Conti payload did not actually encrypt any files.
Examining the .data section of the leaked locker.exe explained why. The presence of placeholder strings such as DECRYPT_NOTE, .EXTEN, and publickey indicated that the file is a template, which a builder fills in with a real ransom note, file extension, and public key to produce a functional ransomware payload.
After a hiatus, Monti returned in August 2023 with a new Linux-based variant (detected by Trend Micro as Ransom.Linux.MONTI.THGOCBC). Trend Micro's researchers reported notable differences from previous Linux-based versions. Unlike the earlier variant, which relied heavily on Conti's leaked source code, the new version uses a different encryption method and exhibits unique behaviors. Comparing the two, the researchers found that Monti's new code base is only 29% similar to Conti's leaked code, down from the previous 99% similarity.
The new Linux version targets VMware ESXi servers and legal and government organizations. Notable modifications in the new version include:
Trend Micro's analysis also found that the new variant encrypts with AES-256-CTR via the OpenSSL library's evp_enc routines, a departure from the old variant's use of Salsa20. The researchers also found that the sample handles file encryption differently: the previous variant took a --size argument that determined how much of each file to encrypt, whereas the new variant decides how much of a file to encrypt based solely on the file's size.
As in earlier versions, the new variant appends the .monti extension to the files it encrypts and drops a ransom note named readme.txt in each affected directory. The note's text is unchanged from the 2022 version.
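As an added example (not code from the original post or from the researchers cited), the following Python script hunts a file tree for the two on-disk indicators just described, the .monti extension and a per-directory readme.txt, and separates directories showing both indicators from those showing only one, since a lone readme.txt is often legitimate. The directory layout it builds is constructed for the demonstration and is not real victim data.

```python
"""Added example (not from the original post): hunt a file tree for the two
on-disk indicators described above, files renamed with the .monti extension
and a readme.txt ransom note dropped in each affected directory.

The sample tree is constructed here for demonstration; it is not victim data."""
import os
import tempfile

ENCRYPTED_EXT = ".monti"   # extension appended to encrypted files
NOTE_NAME = "readme.txt"   # ransom note dropped per directory


def hunt(root):
    """Walk `root` and return {relative_dir: {"encrypted": n, "note": bool}}
    for every directory that shows at least one indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        n_encrypted = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        has_note = any(f.lower() == NOTE_NAME for f in files)
        if n_encrypted or has_note:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = {"encrypted": n_encrypted, "note": has_note}
    return hits


def classify(hits):
    """Split hits into high-confidence directories (note AND encrypted files,
    matching the described behaviour) and ones that need manual review
    (only one indicator; a lone readme.txt is often a legitimate file)."""
    high = sorted(d for d, h in hits.items() if h["note"] and h["encrypted"])
    review = sorted(d for d, h in hits.items() if not (h["note"] and h["encrypted"]))
    return high, review


def build_sample_tree():
    """Constructed sample layout mimicking an ESXi datastore and a home dir."""
    root = tempfile.mkdtemp(prefix="monti_hunt_")
    layout = {
        "vmfs/volumes/ds1/vm1": ["vm1.vmdk.monti", "vm1.vmx.monti", "readme.txt"],  # encrypted VM
        "vmfs/volumes/ds1/vm2": ["vm2.vmdk", "vm2.vmx"],                           # untouched VM
        "home/admin": ["readme.txt"],                                              # ordinary readme
    }
    for rel_dir, names in layout.items():
        d = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(d)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"sample bytes")
    return root


def report(root):
    """Return (high, review) for `root`; convenient for a one-shot run."""
    return classify(hunt(root))


if __name__ == "__main__":
    sample_root = build_sample_tree()
    high_conf, needs_review = report(sample_root)
    print("High confidence:", high_conf)
    print("Needs review:   ", needs_review)
```

Run it as-is to see the result on the constructed tree, or call hunt() against a mounted datastore or backup volume. Run the scan from a trusted host rather than the suspect system, and treat the output as a starting point for triage rather than proof of compromise.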
Monti used parts of the Conti source code as the foundation for the new variant, which is apparent from the functions the two share. However, the group made substantial modifications to the code, particularly to the encryption algorithm. These changes point to an effort to evade detection and to make it harder for security teams to identify and mitigate the group's activity.
To safeguard your organization, consider these recommendations based on Monti's TTPs:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Monti ransomware attacks:
URLs
SHA1
MD5
SHA256
Domain
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger (blackberry.com)
Ransomware Roundup – Monti, BlackHunt, and Putin | FortiGuard Labs (fortinet.com)
Monti Ransomware Unleashes a New Encryptor for Linux (trendmicro.com)
Monti, the New Conti: Ransomware Gang Uses Recycled Code (darkreading.com)
Monti ransomware targets VMware ESXi servers with new Linux locker (bleepingcomputer.com)
Monti Ransomware New Linux Variant Attacking Industries (gbhackers.com)
Cyber Swachhta Kendra: Monti Ransomware (csk.gov.in)
Monti ransomware targets legal and gov’t entities with new Linux-based variant (therecord.media)
Monti Returns From 2-Month Break with Revamped Ransomware Variant - Security Boulevard
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.