The Monti ransomware has been in the news for some months now, thanks to targeted cyberattacks and a sophisticated infiltration strategy. Although relatively new to the scene, it has already caused significant damage to several organizations, notably in France. Where does Monti come from? What are its attack tactics, and how can we best protect ourselves against this growing threat? We will also look at the particular case of attacks on Veeam-based backups analyzed by BlackBerry researchers.
Origins and history of the Monti ransomware
Appearance and first sightings of Monti
The first credible reference to the Monti ransomware group dates back to a tweet by the MalwareHunterTeam security researchers published on June 30, 2022. At the time, however, very little information about the incidents was publicly available.

Initial methods of intrusion
On June 29, 2022, the Monti group penetrated a BlackBerry client’s VMware Horizon Connection Broker server by exploiting the Log4Shell vulnerability. Following this intrusion, they installed two remote monitoring and management (RMM) agents, AnyDesk and Action1, which gave them persistent access to and remote control of the infected systems, as analyzed by the BlackBerry IR team (see diagram below). We recommend reading that analysis for the full details.

Monti, a dangerous successor to the Conti ransomware
Monti closely mimics the methods and tools used by the infamous Conti group. BlackBerry researchers discovered that Monti replicates Conti’s tactics, techniques and procedures (TTPs), including specific ransomware encryption features and tools. This imitation was facilitated by a massive data leak from Conti in 2022, including internal communications, training guides and source code.
The similarity between Monti and Conti raises the question of whether Monti is simply an evolution or a branch of the Conti group. Both groups share similar techniques for executing malicious commands and maintaining a persistent presence on compromised networks.
This faithful replication of Conti’s techniques by Monti shows a worrying trend in the threat landscape, where emerging ransomware groups can quickly adopt and adapt proven methods from leaks of sensitive information.
A detailed analysis of similarities with the Conti ransomware and variations on the Monti ransomware is available on the Trend Micro website.

Unique features of Monti ransomware
Monti is distinguished by a number of unique features. For example, Monti’s ransom notes are almost identical to Conti’s, except for the specific contact name and URLs. What’s more, unlike other ransomware operations that use tools like AnyDesk for remote access, Monti exploits the Action1 RMM monitoring and management platform to access and manage systems remotely. This technique makes them harder to detect while retaining full control over compromised machines.
Using monitoring agents like Action1 RMM
Action1 RMM (Remote Monitoring and Management) is a cloud-based solution used by managed IT service providers (MSPs) and enterprises to remotely manage and monitor computers and other endpoints on a network. Administrators can use it to perform a variety of tasks, such as software updates, application deployment, IT asset monitoring and user support.
Because of its extensive capabilities, Action1 RMM has become a target for cybercriminals. Like others before them, the Monti group’s operators have abused this solution to distribute ransomware, gaining access to its control panel through stolen credentials or brute force. Security researchers have noted that tools like Action1 RMM have become popular attack vectors, letting intruders maintain a persistent presence on compromised networks and execute malicious commands, often to deploy ransomware.
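As an added illustration (not code from BlackBerry’s analysis or from this article), the following Python script parses constructed service-installation records in the style of Windows System log event 7045 and flags AnyDesk and Action1 agents installed on hosts where they are not approved; the hostnames, the line layout and the Action1 service marker are assumptions.

```python
import re
from collections import namedtuple

# Markers for the remote-access agents discussed on this page. The Action1
# marker is an assumption; both the service name and the binary path are checked.
RMM_SIGNATURES = {
    "AnyDesk": re.compile(r"anydesk", re.IGNORECASE),
    "Action1": re.compile(r"action1", re.IGNORECASE),
}

# Constructed line layout (not Windows' native 7045 text): time, host, EventID,
# quoted service name and quoted image path.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) EventID=7045 '
    r'ServiceName="(?P<name>[^"]*)" ImagePath="(?P<path>[^"]*)"$'
)

ServiceInstall = namedtuple("ServiceInstall", "timestamp host service_name image_path")

def parse_service_installs(lines):
    """Parse constructed 7045-style lines; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ServiceInstall(m["ts"], m["host"], m["name"], m["path"]))
    return events

def flag_unapproved_rmm(events, approved_hosts):
    """Return (event, agent) pairs where an RMM agent was installed on a host
    not listed for that agent in approved_hosts (agent -> set of hostnames)."""
    findings = []
    for ev in events:
        for agent, pattern in RMM_SIGNATURES.items():
            if pattern.search(ev.service_name) or pattern.search(ev.image_path):
                if ev.host not in approved_hosts.get(agent, set()):
                    findings.append((ev, agent))
    return findings

# Constructed sample: an approved helpdesk install, two RMM installs on a
# Horizon Connection Broker host, and one unrelated service.
SAMPLE_LOG = [
    '2022-06-29T03:12:44Z HELPDESK01 EventID=7045 ServiceName="AnyDesk Service" ImagePath="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service"',
    '2022-06-29T03:15:02Z HORIZON-CB EventID=7045 ServiceName="AnyDesk Service" ImagePath="C:\\ProgramData\\AnyDesk\\AnyDesk.exe --service"',
    '2022-06-29T03:20:51Z HORIZON-CB EventID=7045 ServiceName="A1Agent" ImagePath="C:\\Windows\\Action1\\agent.exe"',
    '2022-06-29T04:00:00Z HORIZON-CB EventID=7045 ServiceName="Spooler Helper" ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
]

# Assumption for the demo: only the helpdesk host is allowed to run AnyDesk.
APPROVED_RMM_HOSTS = {"AnyDesk": {"HELPDESK01"}}
```

Running `flag_unapproved_rmm(parse_service_installs(SAMPLE_LOG), APPROVED_RMM_HOSTS)` reports the two installs on HORIZON-CB and ignores the approved helpdesk install and the unrelated service.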
Data encryption: the case of Veeam backups
The BlackBerry team also presented an analysis of “Veeamp”, a password-stealing malware targeting the Veeam data backup application, which was identified during the incident on their customer’s VMware Horizon server.
Veeam Backup & Replication is widely used for data backup, recovery and replication. It is designed to ensure that businesses can quickly recover their data in the event of data loss, cyber-attacks or other incidents. Attackers often target these backup systems to make it more difficult to recover data without paying a ransom.

Details of Monti’s attack on Veeam
- Initial access:
  - The Monti group exploited the well-known Log4Shell vulnerability (CVE-2021-44228) to gain access to the customer’s VMware Horizon server.
  - Once inside, the attackers used various tools to establish and maintain network access, including installing remote monitoring and management (RMM) agents such as AnyDesk and Action1.
- Attack deployment:
  - After gaining initial access, the attackers used tools to steal credentials, scan the network and reach other systems via Remote Desktop Protocol (RDP).
  - They then deployed the Monti ransomware to encrypt several hosts within the network, including Veeam-based backups.
- Veeamp, a specific malware:
  - During the incident, BlackBerry researchers identified a specific piece of malware, called “Veeamp”, designed to steal passwords from the Veeam backup application.
  - Veeamp.exe is a 32-bit .NET executable capable of connecting to Veeam Backup’s SQL database and decrypting the user passwords stored there.
Impact and risks
- Encryption of backups: by encrypting backup data, attackers make it even more difficult to restore systems, increasing the pressure on victims to pay the ransom.
- Credential theft: stealing Veeam passwords enables attackers to disable or manipulate backups, further complicating recovery.
- Persistence: RMM tools such as AnyDesk and Action1 enable attackers to maintain persistent access to the network, facilitating new attacks or the deployment of ransomware at a later time.
BlackBerry provides the following indicators of compromise (IoCs) for the Veeam credential dumper (Veeamp):
Veeam Credential Dumper SHA-256 hashes:
- 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
- df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
- 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
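As an added example (not part of BlackBerry’s report), this Python script streams the SHA-256 of every file under a directory and reports matches against the three hashes above; the Veeam install path and the demo’s temporary directory are assumptions.

```python
import hashlib
import os
import tempfile

# The three SHA-256 values BlackBerry published for the Veeam credential dumper.
VEEAMP_SHA256 = {
    "9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732",
    "df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54",
    "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d",
}

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large backup archives never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(root, iocs=VEEAMP_SHA256):
    """Walk `root` and return [(path, sha256)] for every file whose digest is
    in `iocs`. Unreadable files are skipped instead of aborting the scan."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits

# SHA-256 of the empty input; used below so the demo needs no external sample.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def demo_scan():
    """Constructed demo: scan a temp dir holding one empty file, first against
    the real IoC set (expect no hit), then against a set containing its own hash."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "sample.bin"), "wb").close()
        return scan_for_iocs(tmp), scan_for_iocs(tmp, {EMPTY_SHA256})

if __name__ == "__main__":
    # Assumed location of a Veeam server's program files; adjust for your environment.
    for path, digest in scan_for_iocs(r"C:\Program Files\Veeam"):
        print(f"IoC match: {path} ({digest})")
```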
French highlight: the attack on the town of Pau
During the night of May 12 to 13, 2024, the Monti group attacked several important entities in the Pau region: the Pau-Pyrénées airport, the Eklore business school (ex-CNPC) and the Pau digital campus. The modus operandi was similar: after infiltrating, the group extracted sensitive data and paralyzed the affected systems. As revealed by the daily Sud-Ouest, this cyber attack affected three institutions linked to the CCI Pau Béarn, which immediately lodged a complaint with the relevant authorities.
Data published on the Dark Web
The data from these three institutions was eventually published on Monti’s “wall of shame” on May 26. According to Zataz, thousands of documents were exposed, ranging from administrative documents and sensitive files from the Pau-Pyrénées airport to files containing the personal data of numerous students and staff at the ESC de Pau. All of this data could potentially be used for phishing campaigns or identity theft for extortion purposes.


How does Monti ransomware spread?
Common propagation methods
Like many other ransomware families, Monti spreads via a variety of vectors. The most common include malicious drive-by downloads, infected e-mail attachments, online scams and fake software updates.
Tips for preventing infection
Prevention advice remains the same, and is more relevant than ever. It is strongly recommended to scan your computer regularly with up-to-date antivirus software, and whenever you suspect a Monti infection. In addition, avoiding clicking on links or downloading attachments from unverified sources can significantly reduce the risk of infection.
Response and prevention against ransomware
Don’t pay the ransom
As with all other ransomware, paying a ransom to recover your data does not necessarily guarantee that the attackers will provide the necessary decryption tools. What’s more, giving in to the hackers’ demands financially supports their illegal activities.
Protection measures
Here again, the measures that protect against Monti are no different from the advice given for other ransomware: regular backups, training employees to recognize phishing attempts, and advanced security tools to monitor and respond to network anomalies. Strict security practices such as two-factor authentication, restricting access by IP address, regularly changing passwords and monitoring for suspicious activity remain highly recommended in the face of the threats ransomware poses to organizations, communities and businesses.
Monti ransomware represents a serious threat to organizations worldwide. Its sophistication and unique use of remote monitoring agents make it a formidable adversary. As this group’s methods continue to evolve, all businesses need to strengthen their defenses and remain vigilant in the face of this ever-growing threat.
References and analysis:
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger (blackberry.com)
Monti Ransomware Unleashes a New Encryptor for Linux (trendmicro.com)
Hackers start abusing Action1 RMM in ransomware attacks (bleepingcomputer.com)
Cyberattack on CCI Béarn et Soule: Pau airport and business school affected (zataz.com)