Encrypted

Monti ransomware targets legal and gov’t entities with new Linux-based variant

The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research.

Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business.

The hackers seemed to be imitating their predecessors, choosing a similar name, copying Conti's attack tactics and using its leaked source code to develop their own tools.

Yet the group behind Monti ransomware appears relatively inexperienced, according to Allan Liska, a ransomware expert at Recorded Future. The Record is an editorially independent arm of Recorded Future.

Since March, at least 13 apparent victims from the legal, financial services, and healthcare sectors have appeared on Monti's leak site, as reported by Trend Micro.

“Their victims have not been widespread, but they seem to have hit enough to likely reinvest some of their ransom payments in building new and better code,” Liska said.

The group recently released a Linux-based version of its ransomware that is significantly different from its predecessor.

While the older version had a 99% similarity rate to Conti, Trend Micro’s analysis found the latest version only shares a 29% similarity rate. Specifically, the new version uses a different encryptor that holds the victim's data hostage until a ransom is paid.

By altering Conti’s code, Monti’s operators are enhancing the group’s ability to evade detection, making their malicious activities even more challenging to identify and mitigate, the researchers said.

Monti portrays itself as an atypical cybercrime group. It claims its malicious software highlights security problems in company networks, And if companies don't pay the ransom, Monti puts their names on the "Wall of Shame" section of their data leak site.

While the group hasn't gained significant attention from researchers due to the relatively low attack volume, that could change in the future as Monti is improving its code and becoming more effective, likely by reinvesting ransom payments into ransomware development.

“This is a pattern we see repeatedly from inexperienced ransomware groups,” Liska said. “And, unfortunately, with so much leaked code readily available (in addition to Conti, there is REvil, Babuk, LockBit and more) we will continue to see this happening.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.