The Monti ransomware operators have returned after a two-month break, this time with a new Linux encryptor. The new version is a significant departure from previous versions, exhibiting new features and behaviors that make it more difficult to detect and mitigate.

One of the most notable changes in the new version is the addition of a ‘--whitelist’ parameter, which lets the operators specify a list of virtual machines that the ransomware will not encrypt. This is a significant change from previous versions, which encrypted all files on a system regardless of whether they were located on a virtual machine.

Another change is that the command-line arguments ‘--size’, ‘--log’, and ‘--vmlist’ have been removed. These arguments controlled the behavior of the ransomware: the size of files to be encrypted, whether a log file was created, and a list of virtual machines that were not to be encrypted. Their removal suggests that the operators are no longer interested in controlling the ransomware's behavior in this way.

The new Linux variant also modifies the motd (message of the day) file to display the ransom note. This is a common tactic among ransomware operators, and it makes it more difficult for victims to remove the ransomware.
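Because the login banner is a file that defenders can baseline, a tampered motd is a cheap host-level indicator. The script below is an added example written for this post (it is not code from the original article or from any Monti analysis): it records SHA-256 digests of the files that feed the Linux login banner, reports any that changed, appeared or disappeared, and flags banner text that reads like a ransom note. The file list, the baseline path and the note-wording regex are assumptions chosen for illustration and should be tuned per distribution.

```python
"""Added example (not from the original post): baseline-and-compare check for
the files that produce the Linux login banner, plus a wording heuristic for
ransom-note text. Paths, keywords and the baseline location are assumptions."""
import hashlib
import json
import os
import re
import sys

# Files that commonly feed the login banner (assumed list; adjust per distro).
BANNER_FILES = ["/etc/motd", "/etc/issue", "/etc/issue.net"]
BANNER_DIR = "/etc/update-motd.d"
BASELINE = "/var/lib/banner-baseline.json"   # assumed location for the baseline

# Phrases typical of ransom notes (constructed heuristic, not Monti-specific).
NOTE_RE = re.compile(
    r"files (have been|are|were) encrypted|decrypt(ion|or)|\.onion\b|"
    r"tor browser|bitcoin|ransom",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_ransom_note(text: str, min_hits: int = 2) -> bool:
    """Require two distinct cues so a banner that merely mentions encrypted
    disks does not fire on its own."""
    hits = {m.group(0).lower() for m in NOTE_RE.finditer(text)}
    return len(hits) >= min_hits


def banner_targets() -> list:
    """Existing banner files plus every regular file under the motd script dir."""
    targets = [p for p in BANNER_FILES if os.path.isfile(p)]
    if os.path.isdir(BANNER_DIR):
        targets += sorted(
            os.path.join(BANNER_DIR, e)
            for e in os.listdir(BANNER_DIR)
            if os.path.isfile(os.path.join(BANNER_DIR, e))
        )
    return targets


def snapshot(paths) -> dict:
    """Map path -> {'sha256': digest, 'note_like': bool} for the given files."""
    out = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        out[p] = {
            "sha256": sha256_hex(data),
            "note_like": looks_like_ransom_note(data.decode("utf-8", "replace")),
        }
    return out


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Pure comparison so it can be tested without touching the filesystem."""
    findings = {"changed": [], "added": [], "removed": [], "note_like": []}
    for p, info in current.items():
        if p not in baseline:
            findings["added"].append(p)
        elif baseline[p]["sha256"] != info["sha256"]:
            findings["changed"].append(p)
        if info["note_like"]:
            findings["note_like"].append(p)
    findings["removed"] = [p for p in baseline if p not in current]
    return findings


def main(argv) -> int:
    if argv[1:2] == ["baseline"]:
        with open(BASELINE, "w") as f:
            json.dump(snapshot(banner_targets()), f, indent=2)
        print("baseline written to", BASELINE)
        return 0
    with open(BASELINE) as f:
        baseline = json.load(f)
    findings = diff_snapshots(baseline, snapshot(banner_targets()))
    print(json.dumps(findings, indent=2))
    return 1 if any(findings.values()) else 0   # non-zero exit feeds a cron alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with `baseline` on a known-good host, then periodically without arguments; a non-zero exit means a banner file changed or now contains ransom-note wording. The comparison is deliberately separated from file access so the logic can be unit-tested, and the note heuristic needs two distinct cues to limit false positives from ordinary banners.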

In addition, the new version employs AES-256-CTR encryption instead of Salsa20. AES-256 is a more secure encryption algorithm than Salsa20, making it more difficult for victims to decrypt their files without paying the ransom.

Finally, the new version of Monti encrypts only a portion of files larger than 1.048 MB, with the size of that portion depending on the size of the file. This is a new technique that has not been seen in other ransomware variants. It makes it more difficult for victims to recover their files even if they are able to decrypt the encrypted portion of a file.
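Partial encryption leaves a recognisable footprint: a large file whose leading windows are random-looking while the rest still has the byte distribution of its original format. The script below is an added example written for this post (not code from the original article or from any Monti analysis) that computes a per-window Shannon entropy profile and classifies a file as plain, fully high-entropy, head-encrypted or mixed. The window size, the 7.5 bits/byte threshold and the reading of the post's 1.048 MB figure as 1 MiB are assumptions; the sample files are constructed in the script.

```python
"""Added example (not from the original post): flag files whose leading bytes
are high-entropy while later bytes are not, the footprint left by an encryptor
that only overwrites part of a large file. Thresholds are assumptions."""
import math
import os
from collections import Counter

WINDOW = 64 * 1024        # bytes per entropy window (assumed)
HIGH = 7.5                # bits/byte above which a window looks encrypted (assumed)
MIN_SIZE = 1_048_576      # the post's 1.048 MB threshold read as 1 MiB (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = WINDOW) -> list:
    """Entropy of each consecutive window of the input."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify_profile(profile: list, high: float = HIGH) -> str:
    if not profile:
        return "empty"
    flags = [e >= high for e in profile]
    if all(flags):
        return "all_high"        # fully encrypted, or natively compressed: check file type
    if not any(flags):
        return "plain"
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    if flags[0] and transitions == 1:
        return "head_encrypted"  # random-looking prefix, untouched tail
    return "mixed"               # high-entropy stripes elsewhere in the file


def analyse_bytes(data: bytes, min_size: int = MIN_SIZE) -> dict:
    profile = entropy_profile(data)
    verdict = classify_profile(profile)
    high_windows = sum(1 for e in profile if e >= HIGH)
    return {
        "size": len(data),
        "above_min_size": len(data) >= min_size,
        "verdict": verdict,
        "high_fraction": round(high_windows / len(profile), 3) if profile else 0.0,
        "suspicious": verdict in ("head_encrypted", "mixed"),
    }


def analyse_file(path: str) -> dict:
    with open(path, "rb") as f:
        return analyse_bytes(f.read())


def build_samples() -> dict:
    """Constructed inputs: a ~1.2 MB text file, the same file with its first
    256 KiB overwritten by random bytes, and a fully random blob."""
    text = b"Quarterly report: revenue, costs, headcount and projections.\n" * 20000
    head = os.urandom(256 * 1024) + text[256 * 1024:]
    full = os.urandom(len(text))
    return {"plain": text, "head_encrypted": head, "full": full}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, analyse_bytes(blob))
```

Point `analyse_file` at a directory of large documents after an incident to triage which ones were only partially overwritten; those are the candidates where the intact tail may still be recoverable by format-aware carving. An `all_high` verdict alone is not evidence of encryption, since archives, images and already-encrypted containers look the same, so pair it with file-type checks before acting.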

The changes in the new Linux variant of Monti make it a more dangerous threat than previous versions. The new features and behaviors make it more difficult to detect and mitigate, and the new encryption algorithm makes it more difficult for victims to recover their files without paying the ransom.
