Monti is back with a vengeance. The dreaded ransomware variant that dropped off the radar a couple of months ago has now returned with an upgraded encryptor and more bells and whistles.
This is according to cybersecurity researchers from Trend Micro, which recently obtained a copy of the new encryption tool. Their conclusion is that it carries “significant” deviations from its other Linux-based predecessors. This one targets VMware ESXi servers, organizations in the public sector, and legal firms.
Earlier versions relied almost entirely on Conti, a defunct ransomware encryptor used by a Russian threat actor and terminated once the source code leaked online. In this new version, less than a third of the code bares similarities to Conti.
As per a BleepingComputer report, the biggest change is that the new variant is more subtle, and thus more likely to evade detection. Furthermore, it approaches the encryption work differently and leaves a ransom note in every folder it encrypts.
Monti was first observed in June 2022 by cybersecurity experts from the MalwareHunterTeam. A few months later, a separate cybersecurity firm, Intel 471, suggested that Monti could actually be a rebrand of Conti, as the initial network access methods were identical for both.
But Monti wasn’t as active as its predecessors, which is why researchers didn’t pay much attention to it, BleepingComputer added. The only report detailing the variant was published in January 2023 by Fortinet.
Ransomware is one of the fastest-moving types of cybercrime. Since its surge in popularity, which happened roughly half a decade ago, ransomware has gone through extensive changes.
These days, many operators refrain from encrypting the data. Instead, they just steal it and demand payment in exchange for not releasing it online. Experts argue this method is more effective as it eliminates the cost of building and maintaining malware strains.
Also gaining traction is the Ransomware-as-a-Service (RaaS) model, where bad actors develop ransomware tools and rent them out on a subscription basis to other cybercriminals on dark web forums. This means that increasingly, technical knowledge is no longer required to launch devastating attacks, which in turn opens the door for more threat actors to appear on the scene.