The Monti ransomware group, which had taken a two-month hiatus, reemerged with a new Linux version of their encryptor. This variant was used in targeted attacks against government and legal sector organizations. The Monti group has been active since June 2022, following the shutdown of the Conti ransomware gang. Researchers noticed similarities in tactics, techniques, and procedures (TTPs) between Monti and Conti, with Monti using Conti’s leaked source code as the foundation for their encryptor.
Researchers reported that this new Linux-based Monti variant (Ransom.Linux.MONTI.THGOCBC) showed notable differences from its predecessors. Unlike the previous version, which heavily relied on the Conti source code, this variant employed a different encryption approach and exhibited distinct behaviors. Another analysis revealed that the new variant had only a 29% similarity rate compared to the older variants and Conti’s code.
Notable changes in the new Linux variant of the encryptor included the addition of the "--whitelist" parameter, which lets the operator exclude listed virtual machines from encryption. The ransom note was delivered by altering the "/etc/motd" and "index.html" files. Additionally, the encryptor appended an infection marker consisting of the label "MONTI" followed by 256 bytes linked to the encryption key.
The encryption algorithm was modified in the new variant, switching from Salsa20 to AES-256-CTR encryption. In terms of the encryption process, the previous version used a "--size" argument to determine the percentage of a file to encrypt, while the new version relies solely on file size. The ransomware now checks specific conditions before proceeding with the encryption process. If a file is 261 bytes or smaller, it cannot yet carry the appended infection marker (5 bytes of "MONTI" plus 256 key-related bytes), so the ransomware proceeds to encrypt it. Otherwise, it checks the last 261 bytes of the file for the presence of the string "MONTI". If the string is found, the file is skipped; if not, the file is encrypted.
The new encryptor handles file sizes differently. Files larger than 1.048 MB but smaller than 4.19 MB have only the first 100,000 bytes encrypted. For files greater than 4.19 MB, a Shift Right operation determines the total encrypted size. Files smaller than 1.048 MB are fully encrypted. Also, the latest version appends the .MONTI extension to encrypted files and creates a ransom note named ‘readme.txt’ in each processed directory.
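The skip check and size tiers described above, reimplemented from a responder's side as a triage helper that flags files carrying the "MONTI" marker or the .MONTI extension and predicts how much of a file was encrypted. This is an added example, not code from the report or from the malware; it assumes the report's 1.048 MB and 4.19 MB thresholds correspond to 1 MiB and 4 MiB, and it returns None for the largest tier because the report does not state the shift amount.

```python
import os
from typing import Optional

MARKER = b"MONTI"
MARKER_LEN = len(MARKER) + 256   # "MONTI" + 256 key-related bytes = 261 bytes
ENCRYPTED_EXT = ".MONTI"
NOTE_NAME = "readme.txt"
# Assumption: the report's 1.048 MB / 4.19 MB thresholds are 1 MiB / 4 MiB.
ONE_MIB = 1_048_576
FOUR_MIB = 4_194_304


def has_infection_marker(file_size: int, tail: bytes) -> bool:
    """Mirror the encryptor's skip check: a file of 261 bytes or less cannot
    carry the appended marker; otherwise look for "MONTI" in the last 261 bytes."""
    if file_size <= MARKER_LEN:
        return False
    return MARKER in tail[-MARKER_LEN:]


def expected_encrypted_bytes(plain_size: int) -> Optional[int]:
    """How much of the original content the report says is encrypted, by size.
    None above 4 MiB: the report only says a shift-right operation derives
    the length and does not give the shift amount, so it is not guessed here."""
    if plain_size < ONE_MIB:
        return plain_size          # fully encrypted
    if plain_size < FOUR_MIB:
        return 100_000             # only the first 100,000 bytes
    return None


def triage_directory(root: str) -> dict:
    """Walk a tree and report files that look encrypted plus dropped ransom notes.
    Only the last 261 bytes of each file are read, so large files stay cheap."""
    findings = {"encrypted": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                findings["notes"].append(path)
                continue
            size = os.path.getsize(path)
            with open(path, "rb") as fh:
                fh.seek(max(0, size - MARKER_LEN))
                tail = fh.read()
            if name.endswith(ENCRYPTED_EXT) or has_infection_marker(size, tail):
                findings["encrypted"].append(path)
    return findings
```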
Figure: ransom note and encrypted file
The report concludes that while Monti likely used parts of Conti's source code as a foundation for the new variant, significant changes were made, especially to the encryption algorithm. These changes reduce the code overlap with Conti that earlier detections relied on, making Monti's activity more challenging to detect and mitigate.