Saturday, December 21, 2024
HomeCyber Security NewsMonti Ransomware’s Linux Variant Attacks the Financial & Healthcare Industries

Monti Ransomware’s Linux Variant Attacks the Financial & Healthcare Industries

Published on

SIEM as a Service

The Monti ransomware was found in June 2022 that attracted notice due to its close resemblance to the Conti ransomware, both in name and tactics, drawing attention from cybersecurity experts and organizations.

Monti ransomware group has been observed to employ tactics similar to those of the Conti team, including utilizing their TTPs and leaked source code and tools.

Apart from this, Monti also consistently targeted the companies and posted their breaches to expose their details on a leaked site built by the operators of Monti.

- Advertisement - SIEM as a Service

After a two-month gap, the Monti ransomware gang is back again, and now it’s back with a new Linux locker targeting:-

  • Legal entities
  • Financial services
  • Government entities
  • Healthcare industries

Compared to the previous Linux-based variants, this new encryption tool has several significant differences, as noted by the cybersecurity researchers at Trend Micro.

Monti Ransomware New Linux Variant

With distinct behaviors, this new variant of MONTI (Ransom.Linux.MONTI.THGOCBC) makes use of a different encryptor. While at the moment there are only three security vendors on VirusTotal have identified the sample as malicious.

Besides this, a BinDiff analysis highlights a mere 29% similarity between the new and old variants, in contrast to the older versions’ 99% resemblance to Conti.

Comparison of the old and new Monti variants (Source – Trend Micro)

The latest version of Monti ransomware opts for the “-type=soft” parameter over “–type=hard” when terminating virtual machines, possibly indicating a strategic move to reduce immediate detection.

Moreover, the inclusion of a string ‘MONTI’ followed by a 256-byte sequence tied to the encryption key is one of the new additions to this new variant.

To announce or signify the successful server infiltration, the “/etc/motd, and index.html files” were modified and replaced by the creators of Monti ransomware.

New replaced content of motd (Source – Trend Micro)

Prior to encryption, the ransomware verifies the following conditions:-

  • If a file’s size is 261 bytes or less
  • Matching the appended marker
  • Encryption proceeds as the file remains unencrypted

Monti ransomware verifies the last 261 bytes for the presence of the string “MONTI,” if the first condition isn’t satisfied. 

While in this scenario, two instances could occur, and here they are:-

  • The file will be skipped if this string is detected.
  • The malware proceeds with the encryption process if the string is not found.
Code snippet to check for the presence of the “MONTI” string (Source – Trend Micro)

Rather than using the Salsa20, this new variant now opted for the AES-256-CTR encryption with OpenSSL’s evp_enc. For files between 1.048MB and 4.19MB, the ransomware encrypts only the initial 100,000 bytes (0xFFFFF) and then adds its infection marker at the file’s end.

Recommendations

Here below, we have mentioned all the recommendations offered by the security analysts:-

  • Make sure to implement multifactor authentication (MFA).
  • Always follow the 3-2-1 backup rule for important data.
  • Do not open any suspicious attachments received from an unknown sender.
  • Always use robust security solutions and AV tools.
  • Make sure to keep AV tools, security solutions, and systems up-to-date with the latest available updates and patches.

IoCs

SHA1Detection
f1c0054bc76e8753d4331a881cdf9156dd8b812aRansom.Linux.MONTI.THGOCBC
a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74efRansom.Linux.MONTI.THGADBC

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...