Monti ransomware has returned after a two-month hiatus with a new Linux variant of its encryptor. Once on a server, the malware modifies or replaces files such as "/etc/motd" and "index.html" to announce the compromise. Before encrypting a file, the ransomware checks conditions such as the file's size and whether it already contains the string "MONTI." The latest version has also shifted strategy, passing the "--type=soft" parameter rather than "--type=hard" when terminating virtual machines, potentially to reduce immediate detection. This new variant targets legal entities, financial services, government entities, and the healthcare industry.
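The two behaviours named above (rewriting announcement files such as /etc/motd and index.html, and stamping the "MONTI" string into files it has processed) give a responder two cheap triage checks: hash-drift against a known-good baseline for the announcement files, and a scan for the marker string across a tree. The script below is an added example written for this summary; it is not code from the page, from Trend Micro, or from the malware. It assumes the marker can appear anywhere in a file (the page does not say where it sits) and does not model the file-size condition, whose threshold the page does not state. All paths and file contents are constructed inside a temporary directory.

```python
"""Post-incident triage helpers (added example, not from the original page).

Two checks derived from the summary:
  1. find_marked_files: files carrying the "MONTI" marker string.
  2. drifted_files:     baseline files (e.g. /etc/motd, index.html) whose
                        current SHA-256 no longer matches the recorded hash.
"""
import hashlib
import os
import tempfile
from pathlib import Path

MARKER = b"MONTI"               # infection-marker string named in the summary
SCAN_LIMIT = 16 * 1024 * 1024   # assumed cap on bytes read per file to bound triage cost


def has_marker(path: Path, marker: bytes = MARKER) -> bool:
    """True if the marker occurs in the first SCAN_LIMIT bytes of the file.

    The page does not say where in a file the marker is written, so the
    whole (capped) content is searched rather than only the head or tail.
    """
    try:
        with path.open("rb") as fh:
            return marker in fh.read(SCAN_LIMIT)
    except OSError:
        return False  # unreadable files are reported by other tooling, not here


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large web roots do not get loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_marked_files(root: Path) -> list[Path]:
    """Walk root and return regular (non-symlink) files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink() and has_marker(p):
                hits.append(p)
    return sorted(hits)


def drifted_files(baseline: dict[Path, str]) -> list[Path]:
    """Return baseline files that are missing or whose hash no longer matches."""
    drift = [p for p, expected in baseline.items()
             if not p.is_file() or sha256_of(p) != expected]
    return sorted(drift)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed sandbox tree, simulate the post-incident state, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "var" / "www").mkdir(parents=True)
        (root / "etc").mkdir()
        motd = root / "etc" / "motd"
        index = root / "var" / "www" / "index.html"
        motd.write_bytes(b"Welcome to host01\n")                    # constructed baseline
        index.write_bytes(b"<html><body>hello</body></html>\n")    # constructed baseline
        baseline = {motd: sha256_of(motd), index: sha256_of(index)}

        # Constructed post-incident state: motd rewritten, one data file marked, one untouched.
        motd.write_bytes(b"announcement text (constructed)\n")
        (root / "var" / "www" / "report.pdf").write_bytes(b"\x00" * 64 + MARKER)
        (root / "var" / "www" / "clean.txt").write_bytes(b"untouched\n")

        marked = [str(p.relative_to(root)) for p in find_marked_files(root)]
        drift = [str(p.relative_to(root)) for p in drifted_files(baseline)]
        return marked, drift


if __name__ == "__main__":
    marked, drift = demo()
    print("marker hits:", marked)     # ['var/www/report.pdf']
    print("baseline drift:", drift)   # ['etc/motd']
```

In a real engagement the baseline dictionary would be populated from a file-integrity monitor or a golden image rather than computed on the compromised host, since hashes taken after the fact only confirm the current state. The marker scan is a fast first pass for scoping which files were already touched; it is not a substitute for the full indicators published in the vendor report.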
The Monti ransomware group operates a data leak site with a "wall of shame," possibly copied from other ransomware gangs such as Ragnar Locker. While no victims are currently listed, a provocative message suggests that many victims were "cooperative" and paid the ransom, with the exception of one victim in Argentina. The group's tactics closely resemble those of the Conti team: it reuses Conti's TTPs (Tactics, Techniques, and Procedures) as well as Conti's leaked source code and tools.
Cybersecurity researchers at Trend Micro have noted several significant differences between this new variant of Monti ransomware and previous Linux-based versions. They also reported changes to the content of motd (Message of the Day), which the Monti operators replace with their own text. The industries of the companies appearing on the Monti leak site indicate the sectors being targeted, and the ransom note dropped by the ransomware provides further insight into the group's operations.
Description last updated: 2023-09-07T12:11:22.618Z