Monti and Conti: the new star couple in the world of cyber extortion or just a coincidence?

Carding

Experts found a lot of similarities in the two malware programs, but it's not so simple.

The Monti ransomware program, discovered in June 2022, attracted the attention of cybersecurity experts because of its similarity to the well-known Conti software. The similarity is expressed not only in the name, but also in the tactics used by the attackers.

The group operating under the pseudonym "Monti" actively used tactics and tools similar to Conti. The criminals even used the leaked Conti source code in their program, which caused justified concern among cybersecurity experts.

Recently, hackers released an update, after which their new target was government and legal institutions. This raised the alarm level even higher.

The new version of Monti for Linux shares only 29% similarity with the old one. For comparison, the early versions were 99% identical.

The updated ransomware accepts new commands and contains a modified encryptor. The innovations are probably aimed at evading security systems and antivirus programs.

A special feature of the new Monti variant is the infection marker used to mark encrypted files. The software appends the "MONTI" label to files, together with an additional 256 bytes associated with the encryption key.

If the file size is less than or equal to 261 bytes, the malware starts encrypting. If the string "MONTI" is found in the last 261 bytes, the file is skipped.
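The marker check described above, turned into a triage helper for responders, as an added example that is not from the article or from Trend Micro: it reproduces the 261-byte trailer rule and the .monti extension as indicators and walks a directory to report files carrying either. The sample files are constructed, and the assumption that the "MONTI" label precedes the 256 key-related bytes is only used to build them; the check itself looks for the string anywhere in the last 261 bytes, as the article states.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"MONTI"        # label the encryptor appends, per the article
TRAILER_LEN = 5 + 256    # "MONTI" plus the 256 key-related bytes = 261

def has_monti_marker(data: bytes) -> bool:
    """Skip-check as the article states it: <= 261 bytes is unmarked, else look in the last 261."""
    if len(data) <= TRAILER_LEN:
        return False
    return MARKER in data[-TRAILER_LEN:]

def build_marked_sample(payload: bytes) -> bytes:
    """Constructed sample: payload plus a 261-byte trailer (label-then-zeros layout is assumed)."""
    return payload + MARKER + bytes(256)

def read_tail(path: Path, n: int = TRAILER_LEN + 1) -> bytes:
    # Reading 262 bytes keeps the <= 261 rule intact: a short file yields a short tail.
    size = path.stat().st_size
    with open(path, "rb") as fh:
        if size > n:
            fh.seek(size - n)
        return fh.read()

def triage_path(path: Path) -> dict:
    """Both indicators the article names: the .monti extension and the trailer marker."""
    return {"path": str(path),
            "monti_extension": path.suffix.lower() == ".monti",
            "trailer_marker": has_monti_marker(read_tail(path))}

def scan_tree(root: Path) -> list:
    """Return a triage record for every file under root showing at least one indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rec = triage_path(Path(dirpath) / name)
            if rec["monti_extension"] or rec["trailer_marker"]:
                hits.append(rec)
    return hits

def demo_scan() -> list:
    """Constructed tree: two flagged files, one clean file, one tiny decoy that must not fire."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx.monti").write_bytes(build_marked_sample(b"A" * 1000))
        (root / "notes.txt").write_bytes(build_marked_sample(b"B" * 1000))
        (root / "clean.txt").write_bytes(b"C" * 1000)
        (root / "tiny.txt").write_bytes(MARKER + bytes(100))  # <= 261 bytes: unmarked
        return sorted(Path(r["path"]).name for r in scan_tree(root))
```

Because only the tail of each file is read, the scan stays cheap on large shares; pair it with the ransom-note search the article mentions for a fuller picture.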

Based on the analysis, it turned out that the program uses AES-256-CTR encryption instead of the previously used Salsa20.

The researchers also found that the new variant determines which part of a file to encrypt based on its size. This differs from the previous version, which selected the target portion using an additional argument.

All compromised files receive the .monti extension. In addition, a ransom note is dropped in each directory.

When analyzing the samples, experts found the decryption code. It may indicate that attackers tested their product before it was released. Despite the changes, Monti still uses parts of the Conti source code.

Trend Micro offers solutions to protect organizations from such threats. Recommendations provide multi-level protection against potential attacks.

Despite all this evidence, there is no definitive proof that Monti and Conti share the same developer or belong to the same group. The conclusions are based on analysis and comparison of software samples and their behavior, so more research will be needed before more convincing conclusions can be drawn.