Ransomware Roundup – Monti, BlackHunt, and Putin | FortiGuard Labs

FortiGuard Labs’ Ransomware Roundup analyzes Monti, BlackHunt, and Putin ransomware, detailing distinct methods from Linux file encryption to RDP-driven intrusions and data-leak strategies. The piece also outlines Fortinet protections and defense recommendations for preventing, detecting, and responding to these threats. #Monti #BlackHunt #Putin #Linux #RDP #Tor

Key Points

  • Monti is a new ransomware designed to encrypt files on Linux systems and uses a “.puuuk” extension.
  • The Monti campaign employs a data-leak site with a wall of shame and operates two TOR sites for data hosting and ransom negotiation.
  • The ransom note for Monti is titled “README.txt,” and a “result.txt” file shows how many files were encrypted.
  • BlackHunt ransomware targets networks via vulnerable RDP configurations, encrypts files, deletes shadow copies, and drops two ransom notes: HTA and TXT.
  • Putin ransomware encrypts files and uses two Telegram channels for ransom negotiations and data leaks, with a “.PUTIN” extension and a tight two-day deadline.
  • Fortinet provides detections (AV signatures) for Monti, BlackHunt, and Putin and recommends up-to-date signatures, phishing defenses, and broader security controls (EDR, Zero Trust, backups).
  • Industry guidance emphasizes not paying ransoms, robust backups, phishing awareness, and Fortinet’s incident response and readiness services.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Monti encrypts files on Linux systems. “Monti is a relatively new ransomware designed to encrypt files on Linux systems.”
  • [T1041] Exfiltration Over C2 Channel – Data leak site and “wall of shame” imply exfiltration of stolen data to a TOR-hosted site. “two separate TOR sites: one for hosting data stolen from victims and another for ransom negotiation.”
  • [T1133] External Remote Services – BlackHunt accesses victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations. “accesses victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations.”
  • [T1490] Inhibit System Recovery – BlackHunt deletes shadow copies to hinder recovery. “deletes shadow copies, which makes file recovery difficult.”
  • [T1486] Data Encrypted for Impact – Putin encrypts files on victims’ machines. “Putin is a recent ransomware that encrypts files on victims’ machines.”
  • [T1041] Exfiltration Over C2 Channel – Putin uses Telegram channels for data leaks and negotiations. “two Telegram channels: one for negotiating ransom payment… and another for releasing data stolen from the victims.”

Indicators of Compromise

  • [Hash] Monti ransomware – edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
  • [Hash] BlackHunt ransomware – f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f, 977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000
  • [Hash] Putin ransomware – 7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099, 62f9c48b218c4cdb08ed76729539a8b6a6aaf2a558d80b441e7e79e4074d622c, 7d1ccac64445547908dc1678479919c9bd063bceac5d214857d2758828f1c60b, 80394d4c8680cda921b4fdd63441a8cfdca25eb2ad082149d582bbb5619b0155
  • [File Name] Monti ransom note – README.txt
  • [File Name] BlackHunt ransom notes – #BlackHunt_ReadMe.hta, #BlackHunt_ReadMe.txt
  • [File Name] Putin ransom note – README.txt
  • [File Extension] Monti extension – .puuuk
  • [File Extension] BlackHunt extension – .Black
  • [File Extension] Putin extension – .PUTIN
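The indicators above are most useful when they are matched with different weights: a SHA-256 hit on a listed sample is a strong signal, an appended “.puuuk”, “.Black” or “.PUTIN” extension is a medium one, and a ransom note name is weak on its own because “README.txt” is shared by Monti and Putin and is a common benign file name. The following added example (not code from FortiGuard Labs or the roundup) turns the IoC list into a small matcher that scores each indicator and only escalates a family when a high-confidence hash matches or two distinct indicator kinds agree. The file inventory, its paths and the all-zero digests are constructed for the demonstration; the `classify`, `scan` and `likely_families` helper names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA-256 hashes of the samples listed in the roundup, keyed to their family.
IOC_SHA256: Dict[str, str] = {
    "edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1": "Monti",
    "f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f": "BlackHunt",
    "977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000": "BlackHunt",
    "7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099": "Putin",
    "62f9c48b218c4cdb08ed76729539a8b6a6aaf2a558d80b441e7e79e4074d622c": "Putin",
    "7d1ccac64445547908dc1678479919c9bd063bceac5d214857d2758828f1c60b": "Putin",
    "80394d4c8680cda921b4fdd63441a8cfdca25eb2ad082149d582bbb5619b0155": "Putin",
}
# Extension appended to encrypted files, keyed to family.
IOC_EXTENSIONS: Dict[str, str] = {".puuuk": "Monti", ".Black": "BlackHunt", ".PUTIN": "Putin"}
# Ransom note file names. README.txt is used by both Monti and Putin and is a
# common benign name, so it is rated low unless corroborated.
IOC_NOTE_NAMES: Dict[str, Tuple[str, ...]] = {
    "README.txt": ("Monti", "Putin"),
    "#BlackHunt_ReadMe.hta": ("BlackHunt",),
    "#BlackHunt_ReadMe.txt": ("BlackHunt",),
}


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str            # "sha256", "extension" or "note_name"
    families: Tuple[str, ...]  # candidate families for this indicator
    confidence: str           # "high", "medium" or "low"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content, for comparison against IOC_SHA256."""
    return hashlib.sha256(data).hexdigest()


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators in the same inventory.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(path: str, sha256: Optional[str] = None) -> List[Finding]:
    """Return every indicator that a single file matches."""
    findings: List[Finding] = []
    if sha256 and sha256.lower() in IOC_SHA256:
        findings.append(Finding(path, "sha256", (IOC_SHA256[sha256.lower()],), "high"))
    name = _basename(path)
    dot = name.rfind(".")
    # dot > 0: a leading dot marks a hidden file, not an extension.
    ext = name[dot:] if dot > 0 else ""
    if ext in IOC_EXTENSIONS:
        findings.append(Finding(path, "extension", (IOC_EXTENSIONS[ext],), "medium"))
    if name in IOC_NOTE_NAMES:
        fams = IOC_NOTE_NAMES[name]
        findings.append(Finding(path, "note_name", fams, "low" if len(fams) > 1 else "medium"))
    return findings


def scan(inventory: List[Tuple[str, Optional[str]]]) -> List[Finding]:
    """Run classify() over (path, sha256-or-None) pairs from a file inventory."""
    out: List[Finding] = []
    for path, digest in inventory:
        out.extend(classify(path, digest))
    return out


def likely_families(findings: List[Finding]) -> List[str]:
    """Escalate a family only on a high-confidence hash hit or on two
    different indicator kinds pointing at the same family."""
    seen: Dict[str, set] = {}
    for f in findings:
        for fam in f.families:
            seen.setdefault(fam, set()).add((f.indicator, f.confidence))
    result = []
    for fam, hits in seen.items():
        kinds = {kind for kind, _ in hits}
        if any(conf == "high" for _, conf in hits) or len(kinds) >= 2:
            result.append(fam)
    return sorted(result)


# Constructed inventory: paths are invented; the one matching digest is the
# BlackHunt hash from the roundup, the zero digests are placeholders.
SAMPLE_INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("/srv/data/q3-report.xlsx.puuuk", "0" * 64),
    ("/srv/data/README.txt", None),
    ("C:\\Users\\alice\\Documents\\budget.docx.Black", None),
    ("C:\\Users\\alice\\Documents\\#BlackHunt_ReadMe.hta", None),
    ("C:\\Temp\\svc.exe", "f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f"),
    ("/home/bob/notes.txt", "0" * 64),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_INVENTORY)
    for h in hits:
        print(f"{h.confidence:6} {h.indicator:9} {'/'.join(h.families):15} {h.path}")
    print("likely families:", likely_families(hits))
```

On the constructed inventory the matcher reports Monti (encrypted extension plus note) and BlackHunt (hash hit) but not Putin, whose only evidence is the shared README.txt name. In practice the hash comparison should be run against the binaries found on a host, not just a stored inventory, and the weak note-name match is worth keeping in the output so an analyst can corroborate it with the “result.txt” count file and the encrypted-extension sweep described above.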

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more