Keypoints
- Monti resumed targeting legal and government organizations and introduced a new Linux variant with low code similarity (29%) to prior Monti/Conti samples.
- The new binary accepts modified command-line options, notably adding --whitelist (VMs to skip) and using --vmkill with a soft VM termination mode (-type=soft).
- Encryption algorithm changed from Salsa20 to AES-256-CTR using OpenSSL’s evp_enc implementation.
- The ransomware appends an infection marker: the ASCII “MONTI” plus 256 bytes linked to the encryption key and uses that marker to skip already-encrypted files.
- File-selection logic: fully encrypts files <1.048MB, encrypts first 100,000 bytes for files between ~1.048MB and ~4.19MB, and computes a shift-right based size for larger files.
- Encrypted files receive a .monti extension and the malware drops readme.txt ransom notes in every directory; a decryption routine exists in the sample but is nonfunctional without the private key.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Encrypts files with AES-256-CTR, appends marker and renames files (‘.monti’) and drops ransom notes (‘…appends the .monti file extension to the encrypted files and drops its ransom note readme.txt to every directory.’)
- [T1497] Virtualization/Sandbox Evasion – Detects/acts on virtual machine presence and can terminate VMs, with options to skip VMs via whitelist (‘--whitelist’: ‘List of VMs to be skipped’; ‘--vmkill’ / ‘-type=soft’ to terminate virtual machines).
- [T1491] Defacement – Modifies system-visible files to display ransom notice by replacing /etc/motd and index.html (‘replacing their contents with a ransom note announcing that the server has been successfully infiltrated.’)
- [T1083] File and Directory Discovery – Examines file sizes and file tails to determine encryption eligibility, checking for the infection marker in the last 261 bytes (‘checks whether the file size is 261 bytes or below’ and ‘check the last 261 bytes of the file to verify the presence of the string “MONTI”’).
- [T1562] Impair Defenses / Defense Evasion – Alters encryption algorithm and code to reduce detection (29% similarity vs prior 99%), indicating deliberate code changes to evade signature-based detection (‘it only showed a similarity rate of 29% … implemented significant changes to the code — especially to the encryption algorithm’).
Indicators of Compromise
- [SHA1] sample binaries – f1c0054bc76e8753d4331a881cdf9156dd8b812a, a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74ef
- [URLs] Monti leak sites (onion) – hxxp://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion, hxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid[.]onion
- [File names] modified/dropped artifacts – /etc/motd (overwritten), index.html (overwritten), readme.txt (ransom note)
- [File extension] Encrypted file suffix – .monti (appended to encrypted files)
The new Monti Linux variant replaces the prior Salsa20-based encryptor with AES-256-CTR via OpenSSL’s evp_enc API and significantly diverges in code (about 29% similarity to older Monti/Conti samples). It introduces new CLI options, most notably --whitelist to skip specified VMs and --vmkill with a soft termination mode (-type=soft), indicating VM-aware behavior that aims to reduce immediate detection. The binary also tampers with system files such as /etc/motd and index.html to display ransom messages.
Before encrypting a file, Monti evaluates file size and content: if the file is 261 bytes or smaller (the size of the infection marker, so it cannot already carry one) it proceeds; otherwise it checks the last 261 bytes for the “MONTI” marker and skips files already containing it. Encryption extent depends on file size: files below 1.048MB are fully encrypted, files between about 1.048MB and 4.19MB have their first 100,000 bytes encrypted, and files above 4.19MB have an encryption size derived via a shift-right calculation based on total file size. Encrypted files receive a .monti extension and a readme.txt ransom note is dropped in each directory.
The sample appends the ASCII string “MONTI” followed by 256 bytes tied to the encryption key to each encrypted file, and while the analyst found embedded decryption code, it is ineffective without the author’s private key. These algorithmic and behavioral changes—plus VM handling and file-check logic—appear designed to evade detection and operationally control the ransomware’s scope of impact.
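The marker check described above can be turned around for triage: a scanner that reads only the last 261 bytes of each file, applies the same size rule the malware uses, and also flags the .monti extension and readme.txt notes. This is an added example, not code from the original analysis; the sample files it creates are constructed and the 256-byte tail uses filler bytes rather than real key material.

```python
import tempfile
from pathlib import Path

MARKER = b"MONTI"          # ASCII infection marker appended to each encrypted file
KEY_BLOB_LEN = 256         # bytes tied to the encryption key that follow the marker
TAIL_LEN = len(MARKER) + KEY_BLOB_LEN   # 261 bytes, the span the malware inspects
EXTENSION = ".monti"
RANSOM_NOTE = "readme.txt"

def tail_has_marker(size: int, tail: bytes) -> bool:
    """Apply the malware's skip test: a file of 261 bytes or less cannot carry
    the marker; otherwise 'MONTI' must appear within the final 261 bytes."""
    if size <= TAIL_LEN:
        return False
    return MARKER in tail[-TAIL_LEN:]

def scan_file(path: Path) -> dict:
    """Triage one file: read only its tail, then report the indicators seen."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - TAIL_LEN))
        tail = fh.read()
    return {
        "name": path.name,
        "path": str(path),
        "marker": tail_has_marker(size, tail),
        "monti_ext": path.suffix == EXTENSION,
        "ransom_note": path.name == RANSOM_NOTE,
    }

def scan_tree(root: Path) -> list:
    """Walk a directory tree and keep only files showing at least one indicator."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = scan_file(p)
            if r["marker"] or r["monti_ext"] or r["ransom_note"]:
                hits.append(r)
    return hits

def build_sample_tree() -> Path:
    """Constructed sample data, not real artifacts: one 'encrypted' file with the
    marker, one renamed file without it, a ransom note, a 261-byte file, a clean file."""
    root = Path(tempfile.mkdtemp(prefix="monti_demo_"))
    (root / "invoice.pdf.monti").write_bytes(b"\x8a" * 1000 + MARKER + b"\x11" * KEY_BLOB_LEN)
    (root / "notes.txt.monti").write_bytes(b"renamed but marker missing")
    (root / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    (root / "tiny.bin").write_bytes(MARKER + b"\x00" * KEY_BLOB_LEN)  # exactly 261 bytes
    (root / "clean.log").write_bytes(b"ordinary log content\n" * 40)
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit)
```

The 261-byte file is deliberately not flagged, matching the malware's own rule that such a file cannot already be marked.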