September 29, 2023

The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a new Linux-based ransomware variant, according to new analysis.

Monti was first discovered in June 2022, shortly after the notorious Conti ransomware group went out of business.

The hackers appeared to be imitating their predecessors, choosing a similar name, copying Conti’s attack techniques and using its leaked source code to develop their own tools.

But the group behind Monti ransomware appears relatively inexperienced, according to Allan Liska, a ransomware expert at Recorded Future. The Record is an editorially independent arm of Recorded Future.

Since March, at least 13 apparent victims from the legal, financial services and healthcare sectors have appeared on Monti’s leak site, as reported by Trend Micro.

“Their victims haven’t been widespread, but they seem to have hit enough to likely reinvest some of their ransom payments in building new and better code,” Liska said.

The group recently released a Linux-based version of its ransomware that is significantly different from its predecessor.

While the older version had a 99% similarity rate to Conti, Trend Micro’s analysis found the newest version shares only a 29% similarity rate. In particular, the new version uses a different encryptor that holds the victim’s data hostage until a ransom is paid.

By altering Conti’s code, Monti’s operators are improving the group’s ability to evade detection, making their malicious activities even more challenging to identify and mitigate, the researchers said.

Monti portrays itself as an atypical cybercrime group. It claims its malicious software highlights security problems in company networks, and if companies do not pay the ransom, Monti puts their names on the “Wall of Shame” section of its data leak site.

While the group hasn’t gained significant attention from researchers due to its relatively low attack volume, that could change in the future as Monti improves its code and becomes more effective, likely by reinvesting ransom payments into ransomware development.

“This is a pattern we see repeatedly from inexperienced ransomware groups,” Liska said. “And, unfortunately, with so much leaked code available (in addition to Conti, there is REvil, Babuk, LockBit and more) we’ll continue to see this happening.”

Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.