Source: securityboulevard.com – Author: Jeffrey Burt
The Monti ransomware group that emerged in June 2022 used source code, tools, and tactics – not to mention an almost identical name – of the notorious Conti gang as it targeted more than a dozen companies in a range of industries.
The stark similarities between the two ransomware groups have had cybersecurity pros debating whether Monti is a reworked Conti operation or a new one that includes some ex-Conti hackers and is using leaked Conti source code to mold its own ransomware threats.
“Whether this is Conti being rebranded as Monti, in a bid to mock the former strain, or it is just another new ransomware variant on the block, it is likely we will continue to see this new variant impact businesses globally,” researchers with Intel471 wrote in September 2022.
Now, after a two-month hiatus from listing victims on its leak site, Monti is ramping up attacks again and doing so with a new Linux-based variant of its ransomware that shows stark differences from its previous Conti-heavy predecessor, Trend Micro threat hunters Nathaniel Morales and Joshua Paul Ignacio wrote in a report today.
“Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors,” Morales and Ignacio wrote. “It’s likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm.”
By making such significant changes to the code, those behind the Monti operation can more easily evade detection, which makes their activities more difficult to identify and address, they wrote.
The Rise and Fall of Conti
Conti emerged in 2020 and quickly established itself as a significant double-extortion threat, not only encrypting files and demanding a ransom but also exfiltrating the data and threatening to publish or sell it if the ransom isn’t paid.
However, in March 2022, a Ukrainian member of the gang, thought to be angered by the Conti operators’ support of Russia and its illegal invasion of Ukraine, leaked 393 internal files that included the source code, and a number of groups have since used the code to set up their own ransomware and ransomware-as-a-service (RaaS) operations.
That could include Monti, which drops a ransom note that resembles that used by Conti, according to Fortinet’s FortiGuard Labs threat intelligence group.
BlackBerry researchers wrote in a September 2022 report that “it seems likely that attackers chose this blatant emulation strategy because of the availability of Conti group’s internal communications, chat logs, training guides, real-world identities, and source code. … Having access to this trove of information effectively gave Monti threat actors a step-by-step guide to emulating Conti’s notoriously successful activities.”
Either way, corporations now have to deal with a Monti operation with a significantly revamped Linux variant that can be used against victims in such sectors as financial services, health care, and legal, as well as against VMware ESXi servers.
Monti also uses a Windows variant, though the changes seen by Trend Micro are in the Linux tool.
Significant Changes in Linux Variant
The previous Linux variant showed a 99% similarity rate to Conti’s leaked code, the researchers found. By comparison, the new variant has a 29% similarity rate. It is so different that, of the security vendors with samples of the code, only three tagged it as malicious on VirusTotal, according to Trend Micro.
The changes detected by the researchers were in areas like the parameters in command line arguments – such as the parameter used to terminate virtual machines on a targeted system to reduce the chance of immediate detection – and encryption techniques.
The new variant uses AES-256-CTR encryption, implemented through the OpenSSL library’s EVP encryption routines (evp_enc), instead of the Salsa20 stream cipher used in the previous version.
“We also discovered that the sample we analyzed employs various encryption methods for files,” Morales and Ignacio wrote. “Unlike the previous variant, which utilized a –size argument to determine the percentage of the file to be encrypted, this new variant solely relies on the file size for its encryption process.”
For files larger than 1.048MB but smaller than 4.19MB, the sample of the new variant Trend Micro studied encrypts only the first 100,000 bytes of the file and appends its infection marker to the end of the file. If the file is larger than 4.19MB, the ransomware calculates from the file size how much of the file to encrypt.
“Meanwhile, files with a size smaller than 1.048MB will have all their content encrypted,” they wrote.
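The size bands above matter for responders because a partially encrypted file still carries most of its original plaintext. As an added illustration (not code from the article, from Trend Micro, or from the malware itself), the Python below models the size-based selection the researchers describe and turns it into a triage check: it computes Shannon entropy over the span the rule says would be encrypted and over the remainder, so a high-entropy 100,000-byte head followed by a low-entropy tail stands out from both a clean file and a file encrypted end to end. Assumptions are labelled in the comments: the rounded figures 1.048 MB and 4.19 MB are read as 1 MiB and 4 MiB, the behaviour exactly at a boundary is a guess, the 7.5 bits-per-byte floor is a conventional heuristic, the rule for files above 4.19 MB is left unimplemented because the article does not give it, and the sample "files" are constructed in the script rather than taken from any incident.

```python
import math
import random
from collections import Counter

# Size bands from the article. Assumption: the rounded figures 1.048 MB and
# 4.19 MB are 1 MiB and 4 MiB; behaviour exactly at a boundary is not stated,
# so the <= comparisons below are a guess.
SMALL_LIMIT = 1 << 20       # 1,048,576 bytes: at or below, whole file encrypted
MEDIUM_LIMIT = 4 << 20      # 4,194,304 bytes: at or below, first 100,000 bytes
HEAD_BYTES = 100_000        # bytes encrypted in the medium band
ENTROPY_FLOOR = 7.5         # bits/byte; random-looking data sits near 8.0 (assumed heuristic)


def encrypted_ranges(size):
    """Byte spans (offset, length) the article says the sample encrypts.

    For files above MEDIUM_LIMIT the sample derives the length from the file
    size by a rule the article does not give, so that case returns None
    rather than an invented formula.
    """
    if size <= SMALL_LIMIT:
        return [(0, size)]
    if size <= MEDIUM_LIMIT:
        return [(0, min(HEAD_BYTES, size))]
    return None


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data):
    """Compare a file body against the partial-encryption layout.

    Returns the entropy of the would-be-encrypted head and of the remainder,
    plus a verdict:
      'unencrypted'   head is low entropy
      'whole'         the rule covers every byte and it is high entropy
      'head-only'     high-entropy head followed by a low-entropy remainder
      'uniform-high'  head and remainder both high entropy (encrypted in full,
                      or a legitimately compressed/encrypted file)
      'unknown'       size falls in the band whose rule the article does not give
    """
    size = len(data)
    spans = encrypted_ranges(size)
    if spans is None:
        return {"size": size, "verdict": "unknown"}
    offset, length = spans[0]
    head = shannon_entropy(data[offset:offset + length])
    tail = shannon_entropy(data[offset + length:])
    if head < ENTROPY_FLOOR:
        verdict = "unencrypted"
    elif length == size:
        verdict = "whole"
    elif tail < ENTROPY_FLOOR:
        verdict = "head-only"
    else:
        verdict = "uniform-high"
    return {"size": size, "head_entropy": round(head, 3),
            "tail_entropy": round(tail, 3), "verdict": verdict}


# Constructed sample "files" (not real artefacts): a seeded PRNG stands in for
# ciphertext and a repeated log line stands in for plaintext.
_rng = random.Random(2023)
_plain = b"2023-08-14 10:00:00 INFO health check ok\n"
SAMPLE_SMALL = _rng.randbytes(2000)                       # below 1 MiB: whole file
SAMPLE_MEDIUM = _rng.randbytes(HEAD_BYTES) + _plain * ((1_500_000 - HEAD_BYTES) // len(_plain))
SAMPLE_CLEAN = _plain * 200                               # never touched
SAMPLE_LARGE_LEN = 5 << 20                                # band the page leaves unspecified

if __name__ == "__main__":
    for name, blob in (("small", SAMPLE_SMALL), ("medium", SAMPLE_MEDIUM), ("clean", SAMPLE_CLEAN)):
        print(name, triage(blob))
    print("large", encrypted_ranges(SAMPLE_LARGE_LEN))
```

The useful property for recovery planning is the `head-only` verdict: for a file in the middle band, everything past byte 100,000 is still readable, which is worth knowing when deciding which datasets can be salvaged without a key. Entropy alone cannot distinguish an end-to-end encrypted file from a legitimately compressed one, so treat `uniform-high` as a prompt to check the file type and any trailing marker rather than as a conviction.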
Organizations will now have to take the new variant into consideration, but to the Trend Micro researchers the defenses are straightforward: take steps to safeguard data and establish backup and recovery procedures so that data is secure and can be restored after a ransomware attack.
They also recommend using multifactor authentication (MFA) to slow attackers’ ability to move laterally in a compromised network and following the 3-2-1 guideline for file backups: create three backup copies in two distinct file formats, with one copy stored in a separate location.
Original Post URL: https://securityboulevard.com/2023/08/monti-returns-from-2-month-break-with-revamped-ransomware-variant/
Category & Tags: Cybersecurity,Data Security,Featured,Malware,Network Security,News,Security Boulevard (Original),Spotlight,Threats & Breaches,Conti,extortion,Linux,Ransomware