Monti ransomware is back. The first version was discovered in June 2022, and it targeted Windows and Linux machines. The new version, which this article is about, is a fresh and improved Monti ransomware variant targeting Linux distributions. This is a serious matter because Linux powers more than 95% of web servers worldwide.

Based on the analysis conducted by security researchers, several legal and government sectors have already been infected.


This article will provide you with information about Monti ransomware and offer preventive measures for securing your Linux machines.

What is Monti Ransomware

Monti ransomware is developed by the Monti hacker group. As of August 2023, only three security vendors have identified Ransom.Linux.MONTI.THGOCBC as malicious. Also, according to leaked information on the Monti dark web, they have targeted 13 organizations so far, including 3 legal, 2 financial, 2 healthcare, and 6 others.

Many security researchers compare it to Conti ransomware because Monti ransomware was developed based on the Conti toolkit, including source code. It also uses the same tactics to spread and execute ransomware.


How it is Spread

Monti ransomware is mostly spread via phishing and social engineering. However, it can also be distributed through exploited vulnerabilities on unpatched Linux systems.

When Monti ransomware gets into Linux systems, it encrypts data and adds the ‘.monti’ extension. Here is an example of files encrypted on a Linux system.

Several Linux files encrypted by Monti ransomware

Ransom note

In the same location, Monti ransomware creates a ‘.txt’ ransom note with instructions on how to make a payment in order to get the files decrypted. The note claims that whatever you try to do to decrypt the files, you will not succeed, and that you may even damage them if you attempt recovery with third-party decryption tools. According to the note, the only way to decrypt the files is to reach out to the Monti group.

They also state that if you contact the police, you will face consequences, including them publicly releasing all of your data. To prove that they are telling the truth, they offer a free decryption key for random files.

Part of the ransom note created by Monti ransomware

Note: This is a standard approach for groups behind ransomware attacks: don’t engage with them, don’t make any payments; instead, focus on strengthening your infrastructure.

How to secure your Linux machines

There are several ways to strengthen your Linux distribution and prevent Monti from infecting your system. In this article, we will explore some of them.

Keep your systems updated

Numerous systems have been compromised because they failed to keep up with the latest updates. Linux distributions regularly deliver security fixes through updates, and missing even one can leave you vulnerable. Attackers often exploit vulnerabilities in products before users apply the vendor's fix. As a Linux user, it’s crucial to promptly download and install these updates.

Pop-up about new available updates

One effective approach is enabling automatic synchronization of Linux updates with the update server and receiving reminders about new updates. You can configure Software & Updates in Linux to check for all updates on a daily basis. This way you mitigate the risk and stay secure.

Software and update configuration in Linux

Implement Strong Passwords

Please avoid using default credentials that can be found online. Additionally, refrain from using simple passwords that include personal information. Never reuse the same password across different accounts or systems. We strongly recommend implementing a password policy with a minimum of 10 characters, including a combination of uppercase and lowercase letters, numbers, and special characters.

There are several services, such as Pwndb, that assist malicious individuals in finding leaked credentials. You should implement a policy where you change your password every 6 months.

As you can see, there are several crucial policies you can implement. We strongly urge you to do so on your Linux machines and throughout your infrastructure.

Implement Multi-factor authentication (MFA)

Relying solely on a username and strong password for connecting to your Linux machines is no longer considered a secure practice. We strongly recommend implementing Multi-factor authentication (MFA) on your Linux machines and throughout your infrastructure, spanning from the physical to the application layer.
MFA entails the use of multiple authentication factors to access a system. For instance, this could involve combining your username and password with a unique PIN.

There are three primary categories of MFA factors: something you know (your password), something you have (such as a USB security key), and something you are (biometric data).

Access control

Implementing strong passwords and multi-factor authentication (MFA) is crucial. However, they do not address all security concerns. In addition to this, you must establish clear access controls and practice the principle of least privilege. It’s essential to define who can access specific resources and adopt a granular permission approach. Conduct regular audits of the resources and user access privileges.

It is also strongly advisable to disable or lock inactive user accounts.

Disable unused ports and services

If you don’t use SSH, you should definitely disable it. This is just one example; there are many more. It’s essential to identify which services and ports are active, determine what you need, and deactivate what you don’t. You can configure your main network firewall and Linux firewall by filtering incoming and outgoing traffic, and opening only necessary ports and services.

Check open ports on Linux

Any unnecessary running service or open port is a potential entry point for unauthorized access to your Linux systems.
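The audit the section describes, as an added example that is not part of the original article: it parses listening sockets in the format `ss -tulpnH` prints (the `-H` header-suppression flag of iproute2's ss is assumed) and reports every listener that is not on an allowlist you maintain for the host. The sample output and the allowlist are constructed for the demo.

```python
"""Compare listening sockets against an allowlist of what this host should expose."""
import re
import subprocess

# Constructed sample in `ss -tulpnH` format so the example runs offline.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=950,fd=6))
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=1102,fd=20))
tcp   LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))
"""

# Constructed allowlist: the (protocol, port) pairs this host is meant to serve.
ALLOWED = {("tcp", 22), ("tcp", 80), ("udp", 68)}

_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (proto, local_ip, port, process) for each socket line in ss output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        ip, _, port = local.rpartition(":")  # handles "[::]:22" as well as "0.0.0.0:22"
        m = _PROC_RE.search(line)
        proc = f"{m.group(1)}[{m.group(2)}]" if m else "unknown"
        yield proto, ip, int(port), proc


def unexpected_listeners(text, allowed=ALLOWED):
    """Return sorted (proto, port, process) tuples that are not covered by the allowlist."""
    found = {(proto, port, proc) for proto, _, port, proc in parse_ss(text)
             if (proto, port) not in allowed}
    return sorted(found)


def audit_live_host():
    """Run ss on this machine (Linux with iproute2) and return the unexpected listeners."""
    out = subprocess.run(["ss", "-tulpnH"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out)


if __name__ == "__main__":
    for proto, port, proc in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected {proto}/{port} served by {proc}: stop and disable it, or add it to the allowlist")
```

Each reported entry is something to either stop and disable (e.g. with systemctl) or consciously add to the allowlist; run it after every change and periodically as part of the audit.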

Monitoring and logging

How can you identify potential issues before they become critical? By monitoring. Actively monitoring all the resources and services on your Linux machines, ensuring data integrity, aggregating logs from various sources, and setting up alerts for deviations from the expected behavior can help you detect and respond to issues before they escalate.
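A concrete alert for the traces this article describes (files renamed with the ‘.monti’ extension and a ‘.txt’ ransom note dropped in the same directory), as an added example that is not part of the original article. The sweep could be scheduled or wired to a file-integrity alert; the infected directory tree and all file names in it are constructed for the demo, since the article does not give the note's filename.

```python
"""Sweep a directory tree for Monti-style traces: .monti files plus a .txt note beside them."""
import os
import tempfile

RANSOM_EXT = ".monti"   # extension the article says Monti appends to encrypted files
NOTE_EXT = ".txt"       # the ransom note is a .txt file in the same location


def scan_tree(root):
    """Return {directory: (encrypted_count, [note paths])} for every dir holding .monti files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(RANSOM_EXT)]
        if not encrypted:
            continue
        notes = sorted(os.path.join(dirpath, f)
                       for f in filenames if f.lower().endswith(NOTE_EXT))
        hits[dirpath] = (len(encrypted), notes)
    return hits


def severity(hits):
    """Triage: 'critical' if encrypted files sit next to a note candidate,
    'suspicious' if only renamed files were found, 'clean' if nothing matched."""
    if any(notes for _, notes in hits.values()):
        return "critical"
    return "suspicious" if hits else "clean"


def build_sample_tree():
    """Construct a fake infected tree in a temp dir so the example runs offline."""
    root = tempfile.mkdtemp(prefix="monti-demo-")
    infected = os.path.join(root, "var", "www", "html")
    clean = os.path.join(root, "home", "user")
    os.makedirs(infected)
    os.makedirs(clean)
    # Constructed names; the real note's filename is not given in the article.
    for name in ("index.html.monti", "config.php.monti", "ransom-note-placeholder.txt"):
        open(os.path.join(infected, name), "w").close()
    open(os.path.join(clean, "notes.txt"), "w").close()  # a normal .txt, no .monti beside it
    return root


if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    print("severity:", severity(hits))
    for directory, (count, notes) in hits.items():
        print(f"{directory}: {count} encrypted file(s), note candidates: {notes}")
```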

Implement IDS, IPS and host-antivirus

When it comes to your infrastructure, it’s highly recommended to implement both IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). These systems play a crucial role in detecting and preventing security attacks within your infrastructure.

Additionally, on your Linux machines, it’s important to have antivirus software with real-time protection in place.

Educate your employees

Your employees should receive training on how to handle phishing and social engineering attacks, as these are among the most common ways ransomware spreads today. Implementing continuous education and regularly evaluating employees’ security awareness is crucial.

Only educated employees, combined with strong security mechanisms, can help prevent infections. They go hand in hand and are essential for strong cybersecurity.

Stay informed

If you work in IT, it’s essential to stay informed about developments in the cyber world. This knowledge is invaluable for implementing preventive measures and warding off potential attacks. You can stay updated by following diverse cybersecurity communities.

Additionally, we strongly recommend subscribing to our blog, where we analyze emerging ransomware threats and offer protective measures.

Read any random blog article and you will find the pop-up to subscribe to our Blog.

Backup and recovery are a must!

You may not realize the importance of backups until you’ve lost your data. Have you ever heard of or experienced this situation? I hope not. The underlying idea is to take a proactive approach to safeguard against potential issues.

One of the innovative features that helps fight against ransomware is called immutable backup. Immutable backup is a technology that prevents any changes to backup files. In other words, if Monti ransomware were to try to encrypt any Linux backups and change their extension, it would not work. Why? Immutable backup protects backups from any modifications.

In case the main files are encrypted, you can easily restore the latest copy of them in just a few clicks.

BDRSuite: A Powerful Solution Against Monti Ransomware

With BDRSuite, you can create a 3-2-1 backup policy and generate multiple copies of your data in different locations. This can include your network storage, the cloud, or even a combination of both. BDRSuite will also support immutable backups.

BDRSuite supports instant boot, which helps you recover your Linux machines in just a few minutes. The same machine can be migrated to a production environment using live migration technology without shutting down your VM.

Additionally, if you don’t want to restore the entire Linux VM, you can use granular recovery to only restore files that are encrypted by Monti ransomware and can’t be used.

There are several other features that make BDRSuite a reliable backup solution. You can read more here: 9 Key Features that Make BDRSuite the Ideal Backup Solution.

If your environment consists solely of Linux, you can install BDRSuite to back up all your workloads. Moreover, it’s also compatible with Windows.

Protect your Linux workloads with BDRSuite

We highly encourage you to give it a try for free, and test how well it works. Our free version supports backup for up to 10 machines with the full feature set.

You can download it here: Backup for File Servers – BDRSuite.


Conclusion

A new version of Monti ransomware, developed by the Monti group, is specifically designed to target Linux machines and encrypt their data. Encrypted files receive a new extension, .monti. Monti ransomware creates a ransom note with instructions on how to contact the Monti group and what to do. They offer different options, but we highly recommend against making any payments and instead strengthening your infrastructure.

Monti ransomware spreads through phishing and social engineering attacks, as well as through unpatched Linux systems. This highlights the need for proactive measures. You should enforce continuous security awareness training within your company to ensure that employees know how to handle phishing and social engineering attacks.

Additionally, it’s crucial to keep your systems updated, implement strong authentication and authorization measures, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), security software, access control, and monitoring. In the event of issues, the ability to bring your workloads back online depends on having backup and recovery processes in place.

This article has covered these details.
