A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface.
The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but
Intel471 and BlackBerry independently announced their study into Monti on September 7th.
The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring.
Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict.
In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.
According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti."
Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.
Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks.
Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before Monti's reuse of Conti's encryptor code.
The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ.
The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.
Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.
Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.
