Pierluigi Paganini
August 15, 2023
The Monti ransomware operators returned, after a two-month break, with a new Linux version of the encryptor. The variant was employed in attacks aimed at organizations in government and legal sectors.
The Monti group has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. Researchers noticed multiple similarities between the TTPs of the two gangs, Monti operators also based their encrytor on the Conti’s leaked source code.
According to Trend Micro, this variant is quite different from the previous Linux-based version.
“a fresh Linux-based variant of Monti (Ransom.Linux.MONTI.THGOCBC) has emerged, displaying significant deviations from its other Linux-based predecessors.” reads the report published by Trend Micro. “Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors.”
The researchers compared the new variant to the old one using BinDiff and discovered a similarity rate of 29% as opposed to the 99% similarity rate of the older variants and Conti.
The new Linux variant of the ecryptor doesn’t accept some arguments from its older variant and adds the –whitelist parameter, which is used to avoid encrypting virtual machines.
| Argument | Description |
|---|---|
| –help | Displays arguments usage |
| –path <string> | Path to be encrypted |
| –whitelist <string> | List of VMs to be skipped |
| –vmkill | Option to Kill virtual machine (VM) |
| –detach | Detach from terminal |
| –size | removed |
| –log | removed |
| –vmlist | removed |
The researchers observed that the developers also tampered with the /etc/motd and index.html files, replacing their contents with a ransom note.
The new Linux encryptor appends the bytes “MONTI” followed by an additional 256 bytes that are linked to the encryption key.
The new Linux variant uses AES-256-CTR encryption instead of Salsa20. The researchers also discovered that the new variant, unlike the previous version which utilized a –size argument to determine the percentage of the file to be encrypted, solely relies on the file size for its encryption process.
“Before proceeding with its encryption routine, the ransomware will check specific conditions. First, it checks whether the file size is 261 bytes or below, which corresponds to the size of the infection marker it appends after encryption. If this condition is met — indicating that the file is not encrypted given that its size is smaller than the appended infection marker — the ransomware proceeds with the infection process.” continues the report. “If the initial condition is not met, Monti will then check the last 261 bytes of the file to verify the presence of the string “MONTI.” If this string is detected, the file will be skipped, signifying that it has already been encrypted. However, if the string is not found, the malware will proceed with the encryption process for the file.”
Files larger than 1.048 MB but smaller than 4.19 MB will only have the first 100,000 (0xFFFFF) bytes of the file encrypted. For files greater than 4.19 MB, the encryptor employs a Shift Right operation to calculate the total size of the file to be encrypted. Meanwhile, files with a size smaller than 1.048MB will have all their content encrypted.
“It’s likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm.” concludes the report. “Furthermore, by altering the code, Monti’s operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Monti Ransomware)
