After a few months, the authors of the ransomware known as Monti have come back to attack governmental and non-governmental organizations. Although in the collective imagination ransomware is closely tied to Windows, that is absolutely not the case: a variant of this ransomware also attacks Linux systems, as you will see shortly.

Monti ransomware is not exactly new

In reality this ransomware is not exactly new, as already mentioned: Monti emerged in June 2022, a few weeks after the Conti ransomware group shut down its operations, and it deliberately mimicked Conti's tactics and tools; its authors even reused Conti's leaked source code.

The new version, according to Trend Micro, represents in a certain sense a "break with the past", showing significant changes compared to the previous Linux-oriented variants.

"Contrary to the previous variant, which is mostly based on Conti's leaked source code, this new version uses a different encryptor with additional distinct behaviors," declared Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio.

A BinDiff analysis showed that while the older iterations were 99% similar to Conti, the latest version shares only 29% of its code, which suggests that this variant is no longer simply an upgraded build of the Conti ransomware.

Some of the notable changes include the addition of a --whitelist parameter, which instructs the locker to skip a list of virtual machines, and the removal of the --size, --log and --vmlist command-line arguments.

The Linux variant also tampers with /etc/motd (the "message of the day" shown at login) to display the ransom note, uses AES-256-CTR instead of Salsa20, and decides how much of each file to encrypt solely on the basis of file size.

In other words, files larger than 1.048 MB but smaller than 4.19 MB have only their first 0xFFFFF bytes (1,048,575 bytes, roughly 1 MB) encrypted, while files larger than 4.19 MB have a portion of their contents locked, the size of which depends on the result of a shift-right operation.

Files under 1.048 MB have all of their contents encrypted and are practically impossible to recover, short of restoring from backups or paying the extortionists on the other side.
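The size-based scheme above leaves the tail of any mid-sized file in clear, which is exactly what a defender can key on. The following Python is an added example written for this page, not code from Trend Micro or from the Monti sample itself: it models the three size classes described above and shows a simple head-versus-tail entropy check that flags files whose first megabyte looks like ciphertext while the rest still looks like ordinary content. Assumptions are marked in the code: the 1.048 MB and 4.19 MB thresholds are taken to be 0x100000 and 0x400000 bytes, random bytes stand in for AES-256-CTR output, and the quarter-of-file rule used for files above 4 MiB is a placeholder because the article does not give the real shift-right arithmetic.

```python
import math
import os
from collections import Counter

# Thresholds as described for the Linux variant. The article gives them as
# 1.048 MB and 4.19 MB; treating them as 0x100000 and 0x400000 bytes
# (1 MiB and 4 MiB) is an assumption made for this example.
ONE_MIB = 0x100000
FOUR_MIB = 0x400000
HEAD_LEN = 0xFFFFF  # 1,048,575 bytes: the prefix encrypted for mid-sized files


def encryption_plan(size: int) -> tuple[str, int]:
    """Map a file size to (mode, number of leading bytes encrypted).

    The first two branches follow the article. For files above 4 MiB the
    article only says the locked portion depends on a shift-right, so the
    `size >> 2` (a quarter of the file) used here is a hypothetical
    placeholder, not the sample's real arithmetic.
    """
    if size < ONE_MIB:
        return ("full", size)
    if size < FOUR_MIB:
        return ("head", HEAD_LEN)
    return ("partial", size >> 2)  # hypothetical, see docstring


def simulate_partial_encryption(plain: bytes) -> bytes:
    """Apply the plan to a buffer. Random bytes stand in for AES-256-CTR
    output, which is statistically indistinguishable from them; this is a
    model for exercising detection logic, not an encryptor."""
    _, n = encryption_plan(len(plain))
    return os.urandom(n) + plain[n:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def looks_partially_encrypted(data: bytes, head_len: int = HEAD_LEN,
                              high: float = 7.5, low: float = 6.5) -> bool:
    """Flag buffers whose leading head_len bytes look like ciphertext while
    the remainder still looks like ordinary content.

    Files at or below head_len are skipped on purpose: a fully encrypted
    small file has no plaintext tail to compare against and needs another
    signal (renamed extension, missing magic bytes, modified /etc/motd).
    """
    if len(data) <= head_len:
        return False
    return (shannon_entropy(data[:head_len]) > high
            and shannon_entropy(data[head_len:]) < low)


def build_sample_document(size: int) -> bytes:
    """Constructed sample input: repetitive ASCII text such as a log file."""
    line = b"2023-08-14 10:21:07 host01 sshd[1312]: Accepted publickey for deploy\n"
    return (line * (size // len(line) + 1))[:size]


if __name__ == "__main__":
    for size in (512 * 1024, 3 * ONE_MIB, 16 * ONE_MIB):
        print(f"{size:>10} bytes -> {encryption_plan(size)}")
    doc = build_sample_document(3 * ONE_MIB)
    print("clean document flagged:", looks_partially_encrypted(doc))
    print("damaged document flagged:",
          looks_partially_encrypted(simulate_partial_encryption(doc)))
```

The check is deliberately cheap (two entropy passes over a file) so it can run from a cron job or an EDR script over a file share; it will not fire on files that are already compressed or encrypted at rest, because their tails are high-entropy too, so treat a hit as a triage lead rather than a verdict.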

"It is likely that the bad guys behind Monti still employed parts of Conti's source code as the basis for the new variant, as evidenced by some similar functions, but they made significant changes to the code, especially to the encryption algorithm," the researchers said.

"Also, by changing the code, Monti's operators are enhancing its ability to evade detection, making their malicious activities even harder to identify and stop."

“If you use Linux you can do whatever you want because it’s safe anyway”

On social media you have probably heard of the "legendary" feats of GNU/Linux systems, supposedly immune to malware, ransomware and so on; unfortunately these legends do not hold up for long.

A secure operating system does not protect against bad habits: ransomware usually arrives by email and is downloaded and run by someone. Apart from genuine software bugs, security incidents rarely happen by pure chance; most are triggered by the end user.

Using Linux does not in itself protect against Monti or any other ransomware just because "you are using Linux", and this is a fact that has to be faced sooner or later: security starts with the relationship between the person and the machine, and in the end the user is the best antivirus and anti-ransomware there is.