The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors.
Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore.
The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors.
"Unlike the earlier variant, which is based primarily on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors," Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio said.
A BinDiff analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul.

Some of the notable changes include the addition of a '--whitelist' parameter to instruct the locker to skip a list of virtual machines, as well as the removal of the command-line arguments --size, --log, and --vmlist.
The Linux variant is also designed to tamper with the motd (aka message of the day) file to display the ransom note, employ AES-256-CTR encryption instead of Salsa20, and rely solely on the file size for its encryption process.
In other words, files larger than 1.048 MB but smaller than 4.19 MB will only have the first 100,000 (0xFFFFF) bytes of the file encrypted, while those exceeding 4.19 MB have a portion of their content locked depending on the outcome of a Shift Right operation.
Files with a size smaller than 1.048 MB will have all their contents encrypted.
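The size-banded partial encryption described above leaves a recognisable artifact on disk: in the mid-size band only a fixed-length prefix of each file becomes high-entropy ciphertext while the rest stays plaintext. The following is an added example written for this article (not code from Trend Micro or from the Monti sample) showing how an incident responder could triage files for that signature. It assumes byte thresholds of 1,048,576 and 4,194,304 for the article's rounded 1.048 MB and 4.19 MB figures, and uses a constructed log-like file as sample input; the entropy cut-offs are the editor's heuristic choices.

```python
import math
import random
from collections import Counter

# Assumed byte thresholds for the article's rounded 1.048 MB / 4.19 MB figures
# (editor's assumption, not values taken from the Trend Micro report).
SMALL_LIMIT = 1_048_576
LARGE_LIMIT = 4_194_304
HEAD_LEN = 0xFFFFF  # prefix length the article gives for the mid-size band


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for uniformly random data, typically 4-6 for text/logs."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def expected_scope(size: int) -> str:
    """Which encryption regime the article describes for a file of this size."""
    if size < SMALL_LIMIT:
        return "full"            # whole file encrypted
    if size < LARGE_LIMIT:
        return "head"            # only the first HEAD_LEN bytes encrypted
    return "shift-right"         # portion chosen by the shift-right logic (not detailed)


def looks_partially_encrypted(data: bytes, head_len: int = HEAD_LEN,
                              high: float = 7.5, low: float = 6.5) -> dict:
    """Flag a file whose prefix is ciphertext-like but whose remainder is not.

    A fully encrypted or already-compressed file scores high on both halves and
    is NOT flagged here; this targets the mid-size 'head only' pattern.
    """
    head, tail = data[:head_len], data[head_len:]
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    suspicious = len(tail) > 0 and h_head >= high and h_tail <= low
    return {
        "size": len(data),
        "scope": expected_scope(len(data)),
        "head_entropy": round(h_head, 3),
        "tail_entropy": round(h_tail, 3),
        "suspicious": suspicious,
    }


def make_sample(size: int, partially_encrypted: bool, seed: int = 1) -> bytes:
    """Constructed test input: a repetitive log file, optionally with a random prefix
    standing in for the AES-CTR-encrypted head (deterministic via the seed)."""
    line = b"2023-08-14T10:00:00 host sshd[1]: nothing unusual here\n"
    plaintext = (line * (size // len(line) + 1))[:size]
    if not partially_encrypted:
        return plaintext
    rng = random.Random(seed)
    return rng.randbytes(HEAD_LEN) + plaintext[HEAD_LEN:]


if __name__ == "__main__":
    for flag in (False, True):
        print(looks_partially_encrypted(make_sample(2_000_000, flag)))
```

On a real host you would walk the filesystem, apply `looks_partially_encrypted` only to files whose size falls in the "head" band, and treat hits alongside the other indicators the article names (a modified `/etc/motd`, the dropped ransom note). Entropy is a heuristic: encrypted archives or media already have high-entropy prefixes, so a flagged file is a lead for manual review, not proof of encryption.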
"It's likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm," the researchers said.
"Furthermore, by altering the code, Monti's operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate."