Monti Ransomware Targets VMware ESXi Servers With New Linux Locker

Cyber Security Threat Summary:
“The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations. Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has ‘significant deviations from its other Linux-based predecessors.’ Previous versions of the Monti locker were heavily based (99%) on the leaked code from Conti ransomware but the similarities in the new locker are just 29%” (Bleeping Computer, 2023).

Analyzing the new variant, researchers at Trend Micro observed the following modifications :

  • Removal of the ‘size,’ ‘log,’ and ‘vmlist’ parameters and addition of a new ‘type = soft’ parameter to terminate ESXi virtual machines (VMs) in a subtler manner that is more likely to evade detection.
  • Addition of a 'whitelist' parameter to instruct the locker to skip specific ESXi virtual machines (VMs) on the host.
  • Modification of ‘etc motd’ and ‘index[.]html’ files to display the ransom note content upon user login (Message of the Day).
  • Now appends the byte signature “MONTI” along with an additional 256 bytes related to the encryption key to the encrypted files.
  • Checks if the file size is below or over 261 bytes, encrypts smaller files, and checks for the presence of the “MONTI” string on larger. If the string is missing, it encrypts the files.
  • The new variant uses the AES-256-CTR encryption method from the OpenSSL library, unlike the previous variant, which used Salsa20.
  • Files of sizes between 1.048MB and 4.19MB will have only the first 100,000 bytes encrypted, while files smaller than 1.048MB are wholly encrypted.
  • Files exceeding the size of 4.19MB will have a portion of their content encrypted, calculated by a Shift Right operation.

Security Officer Comments:
Monti ransomware is the latest group to come out with a Linux variant. Linux encryptors have been released by a dozen of ransomware including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, Hive, etc. Monti’s release of a Linux version aligns with the increase in enterprises transitioning to VMs as these offer improved device management and efficient resource handling. With vulnerabilities being identified in ESXi servers on a frequent basis and with some organizations running instances that have reached EOL support, this provides threat actors like Monti the opportunity to launch successful attacks where they are able to gain ahold of sensitive data that can be held for ransom.

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.