Wednesday, September 18, 2024
HomeCyber Security NewsMonti Ransomware’s Linux Variant Attacks the Financial & Healthcare Industries

Monti Ransomware’s Linux Variant Attacks the Financial & Healthcare Industries

Published on

The Monti ransomware was found in June 2022 that attracted notice due to its close resemblance to the Conti ransomware, both in name and tactics, drawing attention from cybersecurity experts and organizations.

Monti ransomware group has been observed to employ tactics similar to those of the Conti team, including utilizing their TTPs and leaked source code and tools.

Apart from this, Monti also consistently targeted the companies and posted their breaches to expose their details on a leaked site built by the operators of Monti.

- Advertisement - EHA

After a two-month gap, the Monti ransomware gang is back again, and now it’s back with a new Linux locker targeting:-

  • Legal entities
  • Financial services
  • Government entities
  • Healthcare industries

Compared to the previous Linux-based variants, this new encryption tool has several significant differences, as noted by the cybersecurity researchers at Trend Micro.

Monti Ransomware New Linux Variant

With distinct behaviors, this new variant of MONTI (Ransom.Linux.MONTI.THGOCBC) makes use of a different encryptor. While at the moment there are only three security vendors on VirusTotal have identified the sample as malicious.

Besides this, a BinDiff analysis highlights a mere 29% similarity between the new and old variants, in contrast to the older versions’ 99% resemblance to Conti.

Comparison of the old and new Monti variants (Source – Trend Micro)

The latest version of Monti ransomware opts for the “-type=soft” parameter over “–type=hard” when terminating virtual machines, possibly indicating a strategic move to reduce immediate detection.

Moreover, the inclusion of a string ‘MONTI’ followed by a 256-byte sequence tied to the encryption key is one of the new additions to this new variant.

To announce or signify the successful server infiltration, the “/etc/motd, and index.html files” were modified and replaced by the creators of Monti ransomware.

New replaced content of motd (Source – Trend Micro)

Prior to encryption, the ransomware verifies the following conditions:-

  • If a file’s size is 261 bytes or less
  • Matching the appended marker
  • Encryption proceeds as the file remains unencrypted

Monti ransomware verifies the last 261 bytes for the presence of the string “MONTI,” if the first condition isn’t satisfied. 

While in this scenario, two instances could occur, and here they are:-

  • The file will be skipped if this string is detected.
  • The malware proceeds with the encryption process if the string is not found.
Code snippet to check for the presence of the “MONTI” string (Source – Trend Micro)

Rather than using the Salsa20, this new variant now opted for the AES-256-CTR encryption with OpenSSL’s evp_enc. For files between 1.048MB and 4.19MB, the ransomware encrypts only the initial 100,000 bytes (0xFFFFF) and then adds its infection marker at the file’s end.

Recommendations

Here below, we have mentioned all the recommendations offered by the security analysts:-

  • Make sure to implement multifactor authentication (MFA).
  • Always follow the 3-2-1 backup rule for important data.
  • Do not open any suspicious attachments received from an unknown sender.
  • Always use robust security solutions and AV tools.
  • Make sure to keep AV tools, security solutions, and systems up-to-date with the latest available updates and patches.

IoCs

SHA1Detection
f1c0054bc76e8753d4331a881cdf9156dd8b812aRansom.Linux.MONTI.THGOCBC
a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74efRansom.Linux.MONTI.THGADBC

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Discord Announces End-to-End Encryption for Audio & Video Chats

Discord has introduced end-to-end encryption (E2EE) for audio and video chats.Known as the...

Threat Actor Allegedly Selling Bharat Petroleum Database

A threat actor has allegedly put up for sale a database belonging to Bharat...

Chrome 129 Released with Fix for Multiple Security Vulnerabilities

The Chrome team has officially announced the release of Chrome 129, which is now...

VMware vCenter Server Vulnerability Let Attackers Escalate Privileges

VMware has issued a critical security advisory (VMSA-2024-0019) addressing two significant vulnerabilities in its...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Discord Announces End-to-End Encryption for Audio & Video Chats

Discord has introduced end-to-end encryption (E2EE) for audio and video chats.Known as the...

Threat Actor Allegedly Selling Bharat Petroleum Database

A threat actor has allegedly put up for sale a database belonging to Bharat...

Chrome 129 Released with Fix for Multiple Security Vulnerabilities

The Chrome team has officially announced the release of Chrome 129, which is now...