The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Monti Ransomware Linux Variant

Aug 21, 2023 12:49:38 PM / by The Hivemind

MONTIRelated Families: Conti
Verticals Targeted: Legal, Government

Executive Summary

A new Linux variant of Monti ransomware was recently discovered. Its evolution includes added detection evasion and encryption features.

Key Takeaways

  • A new Linux variant of Monti ransomware was recently discovered.
  • It includes new capabilities that make it harder to detect. 
  • This variant has a 29% similarity rate to the original Conti code, whereas other variants have a 99% similar rate. 

What is Monti?

Trend Micro recently reported on the newly discovered Linux variant of Monti ransomware. The original Windows variant of Monti first emerged in mid-2022. Recent attacks using Monti have focused on government and legal services entities. Monti bears similarities to Conti in both name and TTPs used.

While earlier Monti variants were primarily based on leaked Conti source code, the recent variant uses a different decryptor. Trend Micro used BinDiff to detect similarities between the new Monti variant and old variants versus Conti. While the older variants had a 99% similarity rate, the new variant only has a 29% similarity rate.

The new Monti variant is more evasive than previous versions. Its command line arguments include options to skip or kill virtual machines. When the new variant encrypts files, it appends the bytes MONTI and an additional 256 bytes linked to the encryption key. It also has a feature to determine whether files are already encrypted. This variant uses AES-256-CTR encryption and evp_enc from the OpenSSL library. As with previous variants, the .monti extension is appended to the names of encrypted files, and a ransom note is dropped into every directory.

It is interesting to note that Trend Micro researchers found the decryption code during malware analysis. Most ransomware families’ decryption code, together with the key, is usually provided after payment of the ransom. However, the decryption code is not usable without the threat actor’s private key.


PolySwarm has a sample of Monti.




You can use the following CLI command to search for all Monti samples in our portal:

$ polyswarm link list -f Monti


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, Ransomware, Linux, Conti, Monti

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts