Monti attacks Bickel and Brewer

Incident Date:

July 27, 2023

World map



Monti attacks Bickel and Brewer


Bickel and Brewer




Dallas, USA

Texas, USA

First Reported

July 27, 2023

The Monti Ransomware Attack on Bickel and Brewer

The Monti ransomware gang has attacked Bickel and Brewer. Bickel & Brewer is a law firm established in 1984 by founders William H. "Bill" Brewer and William S. "Bill" Bickel. The firm is recognized for its unique approach to practicing law and its dedication to social responsibility and diversity. Bickel & Brewer has gained attention for its involvement in complex litigation, corporate law, and other legal fields. Monti posted Bickel and Brewer to its data leak site on July 27th but provided no further information.

About MONTI Ransomware

MONTI is a ransomware software engineered with the intention to encrypt data and solicit payment for the provision of decryption tools. Notably, MONTI is an emerging iteration of the CONTI ransomware. Moreover, the operational methods employed by MONTI exhibit striking parallels to those utilized by CONTI. During the course of February 2022, the group responsible for CONTI fell victim to a substantial breach that resulted in the exposure and dissemination of sensitive data, encompassing source codes, hacking utilities, and related materials. This divulged information effectively served as a comprehensive guide for potential cybercriminals interested in emulating CONTI's methods. Consequently, it is plausible that MONTI might not stand as the exclusive ransomware faction to base its activities on insights drawn from the aforementioned CONTI breaches.

How MONTI Operates

The MONTI ransomware executes a process of file encryption, appending filenames with a distinct extension consisting of five randomly generated characters. For instance, our assessment of a MONTI sample on a test system resulted in the transformation of a file named "1.jpg" into "1.jpg.PUUUK". Upon completion of the encryption procedure, MONTI proceeds to establish a ransom note titled "readme.txt". The content of the ransom message closely mirrors that of CONTI's communication. It notifies victims that their files have undergone encryption and that sensitive data has been procured. The ransom note cautions victims against any efforts to manually decrypt the compromised files, asserting that such endeavors would prove futile and may lead to irreparable decryption failure. The only viable avenue to regain access to the encrypted data is through establishing communication with the attackers and fulfilling their financial demands. To substantiate this claim, a free decryption test is provided as evidence. The note issues a stark ultimatum, indicating that the victims must either engage with the cybercriminals and meet their demands or risk the exposure of the pilfered data should they choose to ignore the communication or involve law enforcement authorities.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.