Monti Ransomware’s Linux Variant Attacks the Financial & Healthcare Industries

The Monti ransomware was found in June 2022 that attracted notice due to its close resemblance to the Conti ransomware, both in name and tactics, drawing attention from cybersecurity experts and organizations.

Monti ransomware group has been observed to employ tactics similar to those of the Conti team, including utilizing their TTPs and leaked source code and tools.

Apart from this, Monti also consistently targeted the companies and posted their breaches to expose their details on a leaked site built by the operators of Monti.

After a two-month gap, the Monti ransomware gang is back again, and now it’s back with a new Linux locker targeting:-

• Legal entities
• Financial services
• Government entities
• Healthcare industries

Compared to the previous Linux-based variants, this new encryption tool has several significant differences, as noted by the cybersecurity researchers at Trend Micro.

Monti Ransomware New Linux Variant

With distinct behaviors, this new variant of MONTI (Ransom.Linux.MONTI.THGOCBC) makes use of a different encryptor. While at the moment there are only three security vendors on VirusTotal have identified the sample as malicious.

Besides this, a BinDiff analysis highlights a mere 29% similarity between the new and old variants, in contrast to the older versions’ 99% resemblance to Conti.

The latest version of Monti ransomware opts for the “-type=soft” parameter over “–type=hard” when terminating virtual machines, possibly indicating a strategic move to reduce immediate detection.

Moreover, the inclusion of a string ‘MONTI’ followed by a 256-byte sequence tied to the encryption key is one of the new additions to this new variant.

To announce or signify the successful server infiltration, the “/etc/motd, and index.html files” were modified and replaced by the creators of Monti ransomware.

Prior to encryption, the ransomware verifies the following conditions:-

• If a file’s size is 261 bytes or less
• Matching the appended marker
• Encryption proceeds as the file remains unencrypted

Monti ransomware verifies the last 261 bytes for the presence of the string “MONTI,” if the first condition isn’t satisfied. 

While in this scenario, two instances could occur, and here they are:-

• The file will be skipped if this string is detected.
• The malware proceeds with the encryption process if the string is not found.

Rather than using the Salsa20, this new variant now opted for the AES-256-CTR encryption with OpenSSL’s evp_enc. For files between 1.048MB and 4.19MB, the ransomware encrypts only the initial 100,000 bytes (0xFFFFF) and then adds its infection marker at the file’s end.

Recommendations

Here below, we have mentioned all the recommendations offered by the security analysts:-

• Make sure to implement multifactor authentication (MFA).
• Always follow the 3-2-1 backup rule for important data.
• Do not open any suspicious attachments received from an unknown sender.
• Always use robust security solutions and AV tools.
• Make sure to keep AV tools, security solutions, and systems up-to-date with the latest available updates and patches.

IoCs

SHA1	Detection
f1c0054bc76e8753d4331a881cdf9156dd8b812a	Ransom.Linux.MONTI.THGOCBC
a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74ef	Ransom.Linux.MONTI.THGADBC

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.