Monti is a relatively new ransomware family that targets Linux systems, encrypting files and appending a ".puuuk" extension to them. There are also indications of possible Monti variants that work on Windows systems.
Upon infection, Monti deploys a ransom note named "README.txt", which closely resembles the ransom notes used by the infamous Conti ransomware. Unusually for ransomware, the Monti threat actor runs two separate TOR sites: the first is a repository for data stolen from victims, while the second is for ransom negotiations. The ransom negotiation site is currently inaccessible. The data leak site has a section called the "wall of shame," a concept possibly copied from other ransomware groups such as Ragnar Locker.
The ransomware also drops a text file named result.txt, which shows how many files were encrypted on the compromised system.
Monti Ransomware Signatures
Family: ELF.Monti.Ransom.47391.GC
MD5: 486bd1fe562ce0c339a6c0ec8df68284
SHA256: edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
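The indicators above (the ".puuuk" extension, README.txt, result.txt and the SHA256) can be checked on a Linux host with a short triage script. This is an added example, not code from the original page; the function names are hypothetical, and counting README.txt only in a directory that also holds ".puuuk" files is an assumption made here to cut false positives.

```python
import hashlib
import os
import sys

# Indicators taken from this page.
ENCRYPTED_SUFFIX = ".puuuk"
NOTE_NAME = "README.txt"
COUNT_NAME = "result.txt"
PAGE_SHA256 = "edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1"


def sha256_if_elf(path):
    """Return the SHA256 of path if it starts with the ELF magic, else None."""
    try:
        with open(path, "rb") as fh:
            if fh.read(4) != b"\x7fELF":
                return None
            fh.seek(0)
            digest = hashlib.sha256()
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
            return digest.hexdigest()
    except OSError:
        return None  # unreadable or vanished file: skip it


def triage(root, known_sha256=(PAGE_SHA256,)):
    """Walk root and collect the Monti indicators; result.txt hits need manual review."""
    report = {"encrypted": [], "notes": [], "counts": [], "binaries": []}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        hit = any(name.endswith(ENCRYPTED_SUFFIX) for name in files)
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(path)
            elif name == NOTE_NAME and hit:
                # Assumption: README.txt is common, so count it only next to encrypted files.
                report["notes"].append(path)
            elif name == COUNT_NAME:
                report["counts"].append(path)
            elif os.path.isfile(path) and not os.path.islink(path):
                if sha256_if_elf(path) in known_sha256:
                    report["binaries"].append(path)
    return report


if __name__ == "__main__":
    for kind, paths in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(kind, len(paths), *sorted(paths), sep="\n  ")
```

Run it with a directory argument (for example a mounted disk image) to list the matches per category.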