Chris Swagler | September 12th, 2023

After a two-month hiatus, the Monti ransomware syndicate has returned to the cyber battleground, wielding a potent new Linux iteration of their notorious encryption tool. This latest iteration has set its sights on VMware ESXi servers and legal and government entities, demonstrating a renewed determination to wreak havoc in the digital realm. A recent analysis conducted by cybersecurity experts has illuminated the distinctive features of this novel Monti ransomware strain, which exhibits a departure from its Linux-based predecessors in several significant ways. Notably, during this interim period the gang had also stopped revealing victims on its data leak platform. Unlike prior Monti locker versions, which leaned heavily on the leaked Conti ransomware code (reaching up to 99% similarity), this fresh variant displays just a 29% resemblance to its forerunners, showcasing a noteworthy shift in strategy and execution. The alterations implemented by the Monti gang include:

  • Parameter Refinement: The new version has dispensed with the ‘--size’, ‘--log’, and ‘--vmlist’ parameters used by its predecessors. Instead, it employs a ‘--type=soft’ parameter, enabling it to terminate ESXi virtual machines (VMs) in a manner designed to evade detection.
  • Selective Targeting: A ‘--whitelist’ parameter has been introduced, allowing the locker to skip specific ESXi VMs hosted on the system.
  • User Interaction: The ransom note content is now prominently displayed upon user login by manipulating the ‘motd’ (Message of the Day) and ‘index.html’ files.
  • Encryption Modification: An additional layer of complexity has been introduced in the encryption process. The ransomware now appends the byte signature “MONTI” and an extra 256 bytes linked to the encryption key to the encrypted files.
  • File Size-based Encryption: The ransomware now distinguishes between smaller and larger files. Files below 261 bytes are encrypted outright, while larger files are first checked for the presence of the “MONTI” string. Only if the string is missing does the ransomware proceed to encrypt the file.
  • Encryption Algorithm Transition: The encryption method has transitioned from the previously used Salsa20 to the AES-256-CTR encryption technique from the OpenSSL library.
  • Granular Encryption: Files of varying sizes receive distinct treatment. Files between 1.048MB and 4.19MB see only the first 100,000 bytes encrypted. Files smaller than 1.048MB are entirely encrypted, while files surpassing 4.19MB have a portion of their content encrypted based on a calculated Shift Right operation.
  • File Naming and Ransom Note Generation: The new iteration adds the “.MONTI” extension to encrypted files and generates a ransom note named ‘readme.txt’ within each processed directory.
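The footer and size-class rules listed above can be turned into a defender-side triage helper for suspect files, shown here as an added example that is neither SpearTip's code nor taken from the analysed sample. It assumes the footer is the 5-byte “MONTI” marker followed by the 256 key-linked bytes (261 bytes in total, which is where the 261-byte threshold comes from), reads the write-up's 1.048MB and 4.19MB as 1,048,576 and 4,194,304 bytes, and reports but does not compute the shift-derived region for larger files, since the page gives no shift count.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

MARKER = b"MONTI"                          # byte signature appended to encrypted files
KEY_BLOB_LEN = 256                         # extra key-linked bytes appended after it
FOOTER_LEN = len(MARKER) + KEY_BLOB_LEN    # 261 bytes: the size threshold in the write-up
SMALL_LIMIT = 1_048_576                    # "1.048MB" read as 1 MiB (assumption)
LARGE_LIMIT = 4_194_304                    # "4.19MB" read as 4 MiB (assumption)
MID_PREFIX = 100_000                       # bytes encrypted for files between the limits
# Constructed sample: 2 KiB of high-entropy "ciphertext" plus the assumed footer.
SAMPLE = bytes(range(256)) * 8 + MARKER + bytes(KEY_BLOB_LEN)


@dataclass
class Verdict:
    marked: bool                # footer present, so the locker itself would skip the file
    region: str                 # "full", "prefix", "shift-derived" or "none"
    encrypted_bytes: Optional[int]
    region_entropy: float       # entropy of the expected encrypted region (~8.0 for ciphertext)
    tail_entropy: float         # entropy of the remainder, left as plaintext for mid-size files


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for an empty or constant buffer."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def has_monti_footer(data: bytes) -> bool:
    """Mirror of the locker's own re-encryption check. Assumed layout:
    <encrypted content> | b"MONTI" | 256-byte key blob (marker-first order is an assumption)."""
    return len(data) >= FOOTER_LEN and data[-FOOTER_LEN:-KEY_BLOB_LEN] == MARKER


def expected_region(original_size: int) -> Tuple[str, Optional[int]]:
    """Which part of the original content the locker encrypts, by size class."""
    if original_size < SMALL_LIMIT:
        return "full", original_size
    if original_size <= LARGE_LIMIT:
        return "prefix", MID_PREFIX
    return "shift-derived", None    # the exact shift count is not given in the write-up


def triage(data: bytes) -> Verdict:
    """Classify one file image: is it marked, and which bytes should be treated as lost?"""
    if not has_monti_footer(data):
        return Verdict(False, "none", None, shannon_entropy(data), 0.0)
    body = data[:-FOOTER_LEN]                 # strip the 261-byte footer
    region, count = expected_region(len(body))
    cut = len(body) if count is None else count
    return Verdict(True, region, count, shannon_entropy(body[:cut]), shannon_entropy(body[cut:]))
```

For mid-size files the helper's `tail_entropy` makes the recovery point visible: everything after the first 100,000 bytes is untouched plaintext and can be carved out even without the key.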

One of the most striking aspects of this fresh Monti ransomware iteration lies in its enhanced capacity to evade detection. The syndicate has honed its ability to obscure its activities, rendering it more arduous for cybersecurity professionals to pinpoint and neutralize its attacks. Monti’s background traces back to its emergence in June 2022, closely following the discontinuation of the Conti ransomware group’s operations. While Monti initially appeared as a clone of Conti, utilizing a significant portion of its code, this new variant showcases the evolution and maturation of the threat actor’s tactics. In a paradoxical twist, members of the Monti gang perceive their actions as exposing security vulnerabilities within corporate networks rather than engaging in malicious cyber activities. Despite reframing their actions as “penetration testing,” the gang employs the same tactics as traditional ransomware groups—breaching networks, exfiltrating data, and demanding ransoms.

As the cyber landscape continues to evolve, the Monti ransomware’s resurgence with an advanced Linux variant underscores the persistent and changing nature of the threat. Cybersecurity professionals face an ongoing challenge to adapt and respond to these shifting tactics as threat actors refine their strategies to evade detection and maximize their impact. At SpearTip, our certified engineers work continuously at our 24/7/365 Security Operations Center, monitoring companies’ network infrastructures for potential ransomware threats.

Our remediation team works to restore companies’ operations, isolate malware to reclaim their networks and recover their business-critical assets. Our cyber maturity assessments assess the overall maturity of companies’ network configurations, current security tools, personnel and related security measures, and organizational preparedness and capabilities. SpearTip will examine companies’ security posture to improve the weak points in their networks. Our team engages its people, processes, and technology to measure the maturity of the technical environment. Our experts provide a technological roadmap for any vulnerability we uncover to ensure companies have the awareness and support to optimize their cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
