Rewterz Threat Alert – New Linux Locker by Monti Ransomware Targets VMware ESXi Servers – Active IOCs

Severity

High

Analysis Summary

The Monti ransomware group, which had taken a two-month hiatus, reemerged with a new Linux version of their encryptor. This variant was used in targeted attacks against government and legal sector organizations. The Monti group has been active since June 2022, following the shutdown of the Conti ransomware gang. Researchers noticed similarities in tactics, techniques, and procedures (TTPs) between Monti and Conti, with Monti using Conti’s leaked source code as the foundation for their encryptor.

Researchers reported that this new Linux-based Monti variant (Ransom.Linux.MONTI.THGOCBC) showed notable differences from its predecessors. Unlike the previous version, which heavily relied on the Conti source code, this variant employed a different encryption approach and exhibited distinct behaviors. Another analysis revealed that the new variant had only a 29% similarity rate compared to the older variants and Conti’s code.

Notable changes in the new Linux variant of the encryptor included the addition of the “–whitelist” parameter, preventing the encryption of virtual machines. The ransom note was incorporated by altering the “/etc/motd” and “index.html” files. Additionally, the encryptor appended the label “MONTI” followed by 256 bytes linked to the encryption key.

The encryption algorithm was modified in the new variant, switching from Salsa20 to AES-256-CTR encryption. In terms of the encryption process, the previous version used a “–size” argument to determine the percentage of a file to encrypt, while the new version relied solely on file size. The ransomware now checks specific conditions before proceeding with the encryption process. If a file is 261 bytes or smaller, indicating that it’s not encrypted due to the appended infection marker, the ransomware proceeds. Otherwise, it checks the last 261 bytes of the file for the presence of the string “MONTI.” If found, the file is skipped; if not, the file is encrypted.

The new encryptor handles file sizes differently. Files larger than 1.048 MB but smaller than 4.19 MB have only the first 100,000 bytes encrypted. For files greater than 4.19 MB, a Shift Right operation determines the total encrypted size. Files smaller than 1.048 MB are fully encrypted. Also, the latest version appends the .MONTI extension to encrypted files and creates a ransom note named ‘readme.txt’ in each processed directory.

ransom note and encrypted file

The report concludes that while Monti likely used parts of Conti’s source code as a foundation for the new variant, significant changes were made, especially to the encryption algorithm. These changes enhance Monti’s ability to evade detection, making their malicious activities more challenging to detect and mitigate.

Impact

• Sensitive File Theft
• File Encryption
• Financial Loss

Indicators of Compromise

MD5

• ecdbfee4904dcb3ae2e20f050b5b69b3
• 0ce82210b5678f3f7e28ad0244e56af9

SHA-256

• 44c0774f53ab5071ee2969c5e44df56b13f5047e3fca6108375e6055998b86f2
• cd8ad31e1d760b4f79eb1c3d5ff15770eb88fa1c576c02775ec659ff872c1bf7

SHA-1

• f1c0054bc76e8753d4331a881cdf9156dd8b812a
• a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74ef

URL

• http://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion/
• http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Implement network segmentation to isolate critical systems and sensitive data. This can limit the lateral movement of ransomware within the network, preventing its spread.
• Implement the principle of least privilege (PoLP) to restrict user and system access only to the resources and data they require. 
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Implement intrusion detection and prevention systems (IDPS) to identify and block suspicious activities and network intrusions.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Develop a comprehensive incident response plan that outlines steps to take in the event of a ransomware attack. This plan should include communication procedures, technical steps, and coordination with law enforcement if necessary.
• Implement continuous network monitoring to detect unusual behavior and unauthorized access. Timely detection can help prevent the ransomware from spreading further.
• Invest in security solutions that use behavior-based detection techniques to identify suspicious activities and prevent ransomware from executing its malicious actions.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
• Collaborate with legal experts and law enforcement agencies in case of an attack. Legal advice and law enforcement involvement can be crucial when dealing with ransomware incidents.