Related Families: Conti
Verticals Targeted: Legal, Government
Executive Summary
A new Linux variant of Monti ransomware was recently discovered. Its evolution includes added detection evasion and encryption features.
Key Takeaways
- A new Linux variant of Monti ransomware was recently discovered.
- It includes new capabilities that make it harder to detect.
- This variant has a 29% similarity rate to the original Conti code, whereas other variants have a 99% similar rate.
What is Monti?
Trend Micro recently reported on the newly discovered Linux variant of Monti ransomware. The original Windows variant of Monti first emerged in mid-2022. Recent attacks using Monti have focused on government and legal services entities. Monti bears similarities to Conti in both name and TTPs used.
While earlier Monti variants were primarily based on leaked Conti source code, the recent variant uses a different decryptor. Trend Micro used BinDiff to detect similarities between the new Monti variant and old variants versus Conti. While the older variants had a 99% similarity rate, the new variant only has a 29% similarity rate.
The new Monti variant is more evasive than previous versions. Its command line arguments include options to skip or kill virtual machines. When the new variant encrypts files, it appends the bytes MONTI and an additional 256 bytes linked to the encryption key. It also has a feature to determine whether files are already encrypted. This variant uses AES-256-CTR encryption and evp_enc from the OpenSSL library. As with previous variants, the .monti extension is appended to the names of encrypted files, and a ransom note is dropped into every directory.
It is interesting to note that Trend Micro researchers found the decryption code during malware analysis. Most ransomware families’ decryption code, together with the key, is usually provided after payment of the ransom. However, the decryption code is not usable without the threat actor’s private key.
IOCs
PolySwarm has a sample of Monti.
44c0774f53ab5071ee2969c5e44df56b13f5047e3fca6108375e6055998b86f2
You can use the following CLI command to search for all Monti samples in our portal:
$ polyswarm link list -f Monti
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports