In early July, researchers identified suspicious activity from a previously unknown, or not so unknown, ransomware, the Monti ransomware.
You could say it is almost new, as it is quite similar to the famous Conti ransomware. Some say they are “Doppelganger”, which means look-alike.
Some time ago the Conti group suffered a break-in and a major data leak, including source code, hacker tools, and other associated data.
This information was enough for other cybercriminals to spread and use the Conti ransomware tactics. The cybercriminals had in hand a step-by-step approach to carry out major attacks.
It is noticeable that the group behind the Monti ransomware, fully enjoyed the February data leak. The group follows the same line as Conti in their operations, which is:
- Searching for system vulnerabilities
- Breaking into the system
- Execution of ransomware
- Lateral movement for maximum damage
- Encryption of files
- Renaming of files to make them unopenable
- Generation of the ransom demand
The Monti ransomware operators often use the Windows vulnerability called “Log4Shell” (CVE-2021-44228). Once the system is hacked the operators release the Monti ransomware and begin encryption being sure to reach as much data as possible.
To do this they use the Remote Desktop Protocol (RDP). This way they can reach servers connected to the same network easily. This technique is called lateral movement.
Then the encrypted files are renamed and become inaccessible. The Monti ransomware uses a random five-character extension that is added to the original file name.
After the encryption is completed, Monti creates a ransom note called “readme.txt”. All the coordinates for the victim to contact those responsible for the attack are found in this text file.
Collaborating with hackers is not recommended and should only be considered as a last resort. In this situation, trusting competent data recovery professionals is the best choice.
Recover files encrypted by Monti ransomware
Digital Recovery has more than 23 years of experience in the data recovery market. In our history we have been able to help hundreds of companies that have suffered ransomware attacks.
Thanks to our proprietary technology, we can recover encrypted files from virtually any storage device such as databases, servers, RAID systems, virtual machines, among others.
We act remotely in the data recovery, maintaining the necessary secrecy because we know how sensitive a company’s data can be.
All our customers can also count on a confidentiality agreement (NDA)
Our support team is available 24/7 in the language of your choice: English, French, Portuguese and Spanish. Contact us and get your data back now.