Monti & Conti: Cyber Extortion Duo?

The Monti ransomware, first observed in June 2022, drew attention because of its similarities to the infamous Conti ransomware. The likeness goes beyond the name and extends to the tactics the operators employ.

Monti Ransomware: Evolving Tactics and Targets

The group operating as “Monti” used tactics akin to Conti’s and even built on the leaked Conti source code, which raised justified concern among security researchers.

In a more recent campaign the operators shifted their focus to government and legal-sector organizations, raising the alert level further.

The new iteration of Monti’s Linux encryptor shows only a 29% code similarity to the older version in a binary comparison, a sharp drop from the 99% match observed for earlier variants.

The updated ransomware introduced new command-line options and a modified encryptor, changes most likely intended to evade detection.

This variant adds an infection marker: after encrypting a file it appends the string “MONTI” followed by a further 256 bytes tied to the encryption key, 261 bytes in total. Files of 261 bytes or less are encrypted without any check; larger files are skipped if “MONTI” appears within their last 261 bytes, which prevents already-processed files from being encrypted a second time.

AES-256-CTR replaces the Salsa20 cipher used by the earlier version, and the portion of each file that gets encrypted is now chosen according to the file’s size, unlike the former version’s approach.

Encrypted files receive a .monti extension, and a ransom note is dropped in each affected directory.
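The infection marker and the .monti extension described above are exactly the artifacts an incident responder would sweep a compromised host for. The following triage scanner is an added example written for this page; it is not code from Trend Micro or from the Monti sample. It implements the marker check as the text describes it (files shorter than 261 bytes cannot carry the trailer, larger files are flagged if “MONTI” appears in their last 261 bytes), flags the .monti extension separately, and builds a small constructed directory tree so it runs offline. The file names, directory layout and the bytes following the marker are all made up for the demonstration; the real 256 key-related bytes are not modelled.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"MONTI"
TRAILER_LEN = 5 + 256   # 5-byte marker + 256 key-related bytes, per the analysis
ENCRYPTED_EXT = ".monti"


def find_monti_marker(path):
    """Return the offset of 'MONTI' inside the file's last 261 bytes, or None.

    Mirrors the encryptor's own re-encryption check: a file that is 261 bytes
    or smaller cannot carry the trailer (the encryptor encrypts such files
    unconditionally), so only larger files are inspected.
    """
    path = Path(path)
    size = path.stat().st_size
    if size <= TRAILER_LEN:
        return None
    with path.open("rb") as fh:
        fh.seek(size - TRAILER_LEN)
        tail = fh.read(TRAILER_LEN)
    pos = tail.find(MARKER)
    return pos if pos >= 0 else None


def scan_tree(root):
    """Walk `root` and report files that look Monti-encrypted.

    Each finding is (relative path, marker offset or None, has .monti extension).
    A file is reported if either indicator fires; the marker is the stronger
    signal, since an extension can be renamed by anyone.
    """
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        offset = find_monti_marker(p)
        by_ext = p.suffix == ENCRYPTED_EXT
        if offset is not None or by_ext:
            findings.append((p.relative_to(root).as_posix(), offset, by_ext))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory tree with clean and 'encrypted' files.

    The trailer bytes are placeholders; only the layout (marker + 256 bytes at
    the very end of the file) follows the description of the variant.
    """
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    # Clean file, larger than the trailer, no marker anywhere.
    (root / "docs" / "notes.txt").write_bytes(b"quarterly numbers\n" * 40)
    # Renamed and carrying the trailer: both indicators fire.
    (root / "docs" / "report.pdf.monti").write_bytes(
        os.urandom(1024) + MARKER + os.urandom(256))
    # Trailer present but original name kept: only the marker check catches it.
    (root / "db.sqlite").write_bytes(os.urandom(2048) + MARKER + bytes(range(256)))
    # Tiny file below the trailer length: cannot carry a marker, must be ignored.
    (root / "tiny.cfg").write_bytes(b"x" * 100)
    # Mentions MONTI in its body but not in the last 261 bytes: must not fire.
    (root / "ioc_notes.md").write_bytes(b"MONTI ransomware IOC list\n" + b"-" * 400)
    return root


def demo():
    """Build the sample tree in a temp dir and return the scan results."""
    tmp = tempfile.mkdtemp(prefix="monti_triage_")
    build_sample_tree(tmp)
    return scan_tree(tmp)


if __name__ == "__main__":
    for rel, offset, by_ext in demo():
        print(f"{rel:28s} marker_offset={offset} renamed={by_ext}")
```

Run against a real host, scan_tree only confirms spread after the fact; it does not prevent encryption, and a hit on the marker tells you the file carries the trailer, not which key was used. Note that a file legitimately containing the bytes “MONTI” near its end would also be flagged, so treat a marker hit in isolation as an indicator, not proof, and corroborate it with the .monti extension and the ransom note in the same directory.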

Decryption routines were also found in the binary during analysis, suggesting the sample may have been used for pre-release testing. Despite the changes, Monti still retains parts of Conti’s source code.

Trend Micro offers multi-layered defense solutions against such threats, providing protection for organizations.

Although the evidence points to similarities, there is still no definitive proof that Monti and Conti share developers or group affiliation. The conclusions so far rest on code analysis and behavioral comparison, and firmer attribution will require further research.

