The threat artist behind the Monti ransomware has resurfaced after a two-month hiatus with a new Linux version of the encryptor in attacks targeting government and legal sectors.
Monti emerged in June 2022, weeks after the Conti ransomware group ceased its operations, having intentionally copied its associated tactics and tools, including its leaked source code. Not anymore.
According to Trend Micro, the new version differs in a way that exhibits significant changes from its other Linux-based predecessors.
“Unlike the previous version, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional specific behaviors,” said Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio.
Bindiff analysis showed that while older iterations had a 99% similarity rate with Conti, the latest version only has a 29% similarity rate, suggesting an overhaul.
Some significant changes include the addition of the ‘–whitelist’ parameter to instruct Locker to skip a list of virtual machines, as well as the removal of the command-line arguments –size, –log, and –vmlist.
The Linux version was found to be tampering with the motd (aka message of the day) file to display the ransom note, employed AES-256-CTR encryption instead of Salsa20, and relied only on file size for its encryption process.
In other words, files larger than 1.048 MB but smaller than 4.19 MB will have only the first 100,000 (0xFFFF) bytes of the file encrypted, while files larger than 4.19 MB may have a portion of their contents locked based on the result of a shift write operation.
Files whose size is smaller than 1.048MB will have all their contents encrypted.
“It’s likely that the threat actors behind Monti still employed parts of the Conti source code as the basis for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm,” the researchers said.
“Additionally, by changing the code, Monti’s operators are increasing its ability to evade detection, making their malicious activity even more challenging to detect and mitigate.”
