The Monti ransomware gang first surfaced in a July 2022 incident response engagement in which the actor exploited Log4Shell on a VMware Horizon server, moved laterally, and encrypted user desktops and an ESXi cluster, combining Conti-like TTPs with new tooling. The case highlighted Monti's mimicry of Conti, its use of the Action1 and AnyDesk RMM agents for persistence, and its exfiltration and encryption techniques, including a ChaCha8-based encryptor that appends a .PUUUK extension to encrypted files.
Keypoints
- The Monti group gained initial access through Log4Shell (CVE-2021-44228) on a VMware Horizon Connection Broker and went on to encrypt 18 user desktops and a three-server ESXi cluster (the source counts 21 affected servers in all).
- Monti appears to imitate Conti’s tactics, techniques, and even some tooling, leveraging leaked Conti materials as a playbook.
- Monti installed two remote monitoring and management (RMM) agents, AnyDesk and Action1, for persistence and additional remote access; the Action1 agent's executables, action1_agent.exe and action1_remote.exe, were found in the environment.
- Credential access involved memory dumps (LSASS) and using Mimikatz to extract credentials, enabling lateral movement and authentication abuse.
- Data exfiltration used two channels: the lsass.DMP credential dump was uploaded to the DropMeFiles file-sharing site, and MEGA's MEGASync client was used to push data to MEGA cloud storage.
- The ransomware payload, locker.exe, encrypts files (adding .PUUUK) and uses a Conti-like ransom note, with analysis suggesting Monti’s use of Conti v2/v3 code and potential manual modification rather than a fresh build.
- BlackBerry's analysis includes YARA rules to detect Monti and lists indicators such as SHA-256 hashes for the Monti payload and for a Veeam credential dumper found alongside it.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The threat actor exploited the Log4Shell vulnerability to gain access to the Horizon environment. Quote: “The threat actor initially obtained access to the client’s VMware Horizon Connection Broker server via Log4Shell exploitation on June 29, 2022.”
- [T1021.001] Remote Services – RDP – After access, attackers used RDP to connect to other servers and access data on network shares. Quote: “They used Microsoft® Windows® built-in Remote Desktop Protocol (RDP) to connect to other servers, access data files on network shares, and eventually to deploy the ‘MONTI’ strain of ransomware.”
- [T1105] Ingress Tool Transfer – The threat actor downloaded attack tools onto the infected server via Chrome. Quote: “The threat actor also downloaded and installed two remote monitoring and maintenance (RMM) agents… It used these agents to establish persistence within the network and to facilitate additional remote access.”
- [T1003.001] OS Credential Dumping – LSASS memory dumping to extract credentials. Quote: “the attacker dumped the process memory of the Local Security Authority Server Service (LSASS) on the Horizon Connection Broker server, to a file named ‘lsass.DMP’.”
- [T1003] OS Credential Dumping – Credentials extracted from memory with Mimikatz were reused to authenticate to other hosts and to scan the network. Quote: “dump credentials from memory and scan the network. They used Microsoft® Windows® built-in Remote Desktop Protocol… to deploy the ‘MONTI’ strain of ransomware.”
- [T1021.002] Remote Services – SMB/Windows Admin Shares – Use of PSEXEC and remote command execution to move laterally. Quote: “PSEXEC… Commonly used by threat actors to run processes remotely and to facilitate lateral movement.”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files on disk and appends a .PUUUK extension; ransom note aligns with Conti variants. Quote: “The ransomware encrypts files on disk, adds a ‘.PUUUK’ extension to affected files’ names, and produces the following ransom note.”
- [T1567.002] Exfiltration to Web Service – DropMeFiles used to exfiltrate lsass.DMP. Quote: “the attacker dumped lsass.DMP file to the DropMeFiles site.”
- [T1567.001] Exfiltration to Cloud Storage – MEGA/MEGASync used to exfiltrate data to cloud storage. Quote: “MEGA.io’s proprietary file synchronization agent… Used by TAs to exfiltrate data from victim networks to cloud storage provider MEGA.”
Indicators of Compromise
- [Hash] Monti payload – b45fe91d2e2340939781d39daf606622e6d0b9ddacd8425cb8e49c56124c1d56, 158dcb26239a5db7a0eb67826178f1eaa0852d9d86e59afb86f04e88096a19bc, 702099b63cb2384e11f088d6bc33afbd43a4c91848f393581242a6a17f1b30a0
- [Hash] Imphash for Monti-related payloads – 5036747C069C42A5E12C38D94DB67FAD
- [Hash] Veeam Credential Dumper – 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732, df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54, 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
- [File Name] lsass.DMP – memory dump file exfiltrated from LSASS on Horizon Connection Broker
- [File Name] action1_agent.exe, action1_remote.exe – Action1 RMM agent executables identified in the target environment
- [File Name] locker.exe – Monti ransomware payload downloaded from temp[.]sh and used to encrypt files
- [URL] dropmefiles[.]com[.]ua – DropMeFiles file-sharing site used to exfiltrate lsass.DMP during the incident
- [URL] temp[.]sh – temporary file-hosting site from which the locker.exe payload was downloaded
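The MITRE techniques and indicators above translate directly into a hunt. The following is an added example written for this page, not BlackBerry's tooling or anything recovered from the incident: it matches file hashes and names against the indicator list, flags the .PUUUK extension, and searches a proxy log for the exfiltration and staging hosts. The hash values and host names are copied from the IOC section; the proxy-log line format and every sample file and log line are constructed for the demonstration.

```python
"""Offline hunting helpers for the Monti indicators listed on this page (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# SHA-256 values copied from the Indicators of Compromise section.
MONTI_PAYLOAD_SHA256 = {
    "b45fe91d2e2340939781d39daf606622e6d0b9ddacd8425cb8e49c56124c1d56",
    "158dcb26239a5db7a0eb67826178f1eaa0852d9d86e59afb86f04e88096a19bc",
    "702099b63cb2384e11f088d6bc33afbd43a4c91848f393581242a6a17f1b30a0",
}
VEEAM_DUMPER_SHA256 = {
    "9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732",
    "df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54",
    "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d",
}
# File names and extension from the IOC / MITRE sections (compared case-insensitively).
SUSPECT_NAMES = {"lsass.dmp", "locker.exe", "action1_agent.exe", "action1_remote.exe"}
ENCRYPTED_EXT = ".puuuk"
# Exfiltration / staging hosts named on the page; matched on the host and its subdomains only.
EXFIL_HOSTS = {"dropmefiles.com.ua", "temp.sh"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(sha256_hex: str) -> Optional[str]:
    """Map a SHA-256 (any case) to the IOC family it belongs to, or None."""
    h = sha256_hex.lower()
    if h in MONTI_PAYLOAD_SHA256:
        return "monti_payload"
    if h in VEEAM_DUMPER_SHA256:
        return "veeam_credential_dumper"
    return None


def hunt_directory(root: Path) -> list:
    """Walk a tree; return (reason, path) pairs for known hashes, suspect names and .PUUUK files."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        family = classify_hash(sha256_file(p))
        if family:
            findings.append((f"hash:{family}", str(p)))
        if p.name.lower() in SUSPECT_NAMES:
            findings.append(("filename", str(p)))
        if p.suffix.lower() == ENCRYPTED_EXT:
            findings.append(("encrypted_ext", str(p)))
    return findings


# Constructed proxy-log format for this example: "<timestamp> <client> <method> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.I)


def host_matches(host: str) -> Optional[str]:
    """Exact or subdomain match against EXFIL_HOSTS; 'temp.sh.example.net' must not match 'temp.sh'."""
    host = host.lower().rstrip(".")
    for ioc in EXFIL_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def hunt_proxy_log(lines) -> list:
    """Return one dict per log line whose URL host is an exfiltration/staging indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        hm = HOST_RE.match(m["url"])
        if not hm:
            continue
        ioc = host_matches(hm["host"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "method": m["method"], "ioc": ioc})
    return hits


# Constructed sample lines (not from the incident): an upload to DropMeFiles, the payload
# download from temp.sh, a benign request, and a lookalike host that must not match.
SAMPLE_PROXY_LOG = [
    "2022-07-01T10:14:02Z 10.0.0.25 POST https://dropmefiles.com.ua/upload 200",
    "2022-07-01T10:20:45Z 10.0.0.25 GET https://temp.sh/abcd/locker.exe 200",
    "2022-07-01T10:21:10Z 10.0.0.31 GET https://www.example.com/index.html 200",
    "2022-07-01T10:22:00Z 10.0.0.25 GET https://temp.sh.example.net/ 200",
]


def run_demo() -> dict:
    """Build a throwaway tree of constructed files, run both hunts, and return the results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Users" / "admin" / "Documents").mkdir(parents=True)
        (root / "Users" / "admin" / "Documents" / "budget.xlsx.PUUUK").write_bytes(b"\x00" * 64)
        (root / "Windows" / "Temp").mkdir(parents=True)
        (root / "Windows" / "Temp" / "lsass.DMP").write_bytes(b"MDMP" + b"\x00" * 64)
        (root / "Windows" / "Temp" / "notes.txt").write_bytes(b"benign")
        reasons = sorted(reason for reason, _ in hunt_directory(root))
    return {"file_reasons": reasons, "proxy_hits": hunt_proxy_log(SAMPLE_PROXY_LOG)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_demo())
```

Hash matches are exact, so they only catch the three known payload builds; the filename and extension checks are what catch a re-compiled locker or a freshly dumped LSASS, which is why the hunt combines all three. The host matcher deliberately anchors on the registered domain so that a lookalike such as temp.sh.example.net is not reported.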