Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics

Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics

The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors.

The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors.

“Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors,” Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio said.

Some of the crucial changes include the addition of a ‘–whitelist’ parameter to instruct the locker to skip a list of virtual machines as well as the removal of command-line arguments –size, –log, and –vmlist.

The Linux variant is also designed to tamper with the motd (aka message of the day) file to display the ransom note, employ AES-256-CTR encryption instead of Salsa20, and solely rely on the file size for its encryption process.

Monti Ransomware

In other words, files larger than 1.048 MB but smaller than 4.19 MB will only have the first 100,000 (0xFFFFF) bytes of the file encrypted, while those exceeding 4.19 MB have a chunk of their content locked depending on the outcoming of a Shift Right operation.

Files that have a size smaller than 1.048 MB will have all their contents encrypted.

“Furthermore, by altering the code, Monti’s operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate.”