More Ransomware Groups Targeting Linux Systems
A ransomware campaign by the recently emerged Monti ransomware group is targeting victims with a new Linux variant of its malware. The threat group is the latest in a growing number of ransomware groups finding profit in going after Linux infrastructure.
Researchers at Trend Micro said the threat group is now deploying a Linux encryptor to target victims in legal and government sectors. Although the group has previously deployed Linux variants, the new encryptor comes with advanced evasion capabilities that make it harder to detect, the researchers said.
Monti was first identified in 2022. Its techniques and procedures largely mirror the now-defunct Conti ransomware group. Trend Micro researchers said this is because the group may have developed its toolkit based on Conti’s leaked source code (see: Conti Ransomware Group Retires Name After Creating Spinoffs).
Capabilities of the new Linux encryptor include intermittent encryption based on the file size and ability to terminate virtual machines on the system, allowing the hackers to evade detection.
“It’s likely that the threat actors behind Monti still employed parts of the Conti source code,” the TrendMicro researchers said. “By altering the code, Monti’s operators made their malicious activities even more challenging to identify and mitigate.”
Monti is among an increasing number of ransomware groups that tweaked its malware infrastructure to target Linux servers and operating systems. Eight in 10 web servers run on Linux. While the number of ransomware groups using Linux variants stood at 118 in the first half quarter of 2022, it increased by fourfold in 2023, a recent report from security firm Recorded Future found.