Monti Ransomware Attack on Aéroport de Pau

Incident Date:

May 26, 2024

Overview

Title

Monti Ransomware Attack on Aéroport de Pau

Victim

Aéroport de Pau

Attacker

Monti

Location

Uzein, France

First Reported

May 26, 2024

Monti Ransomware Attack on Aéroport de Pau

Company Profile and Industry Standout

Aéroport de Pau, also known as Pau-Pyrénées Airport, is a regional airport located in Pau, France. The airport serves both passengers and professionals, offering various services such as meeting rooms, aeronautic freight, advertising, and professional services. It is dedicated to providing high-quality services to its users and has a significant role in regional transportation and logistics.

Vulnerabilities and Targeted Attack

The reliance on digital infrastructure for airport operations, including flight scheduling, passenger management, and professional services, makes airports like Pau-Pyrénées particularly vulnerable to cyberattacks. The extensive handling of sensitive data and critical operational systems presents significant risks if compromised. These factors make airports attractive targets for ransomware groups seeking to exploit vulnerabilities for financial gain or data theft.

Attack Overview

On May 13, 2024, Pau-Pyrénées Airport fell victim to a ransomware attack orchestrated by the Monti group. The attackers managed to exfiltrate a substantial amount of sensitive data, including administrative documents, personal information of employees, and other critical operational data. The stolen data was subsequently published on Monti's dark web leak site, exposing the airport to significant reputational and operational risks.

Details of the Ransomware Group

Monti is a ransomware group that emerged after the dissolution of the infamous Conti group in 2022. Monti initially used leaked source code from Conti but has since developed its own distinct methods. The group's recent attacks have shown a shift towards targeting high-value sectors such as airports, legal, and government entities. Monti's new Linux-based ransomware variant employs advanced encryption techniques and customized backdoors to evade detection and maintain persistence within compromised networks.

Penetration and Persistence Tactics

Monti typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials or phishing. Once inside the network, the group disables security controls and exfiltrates data before encryption. The Linux variant of Monti ransomware encrypts files with AES-256-CTR, which makes the attack challenging for traditional security measures to detect and mitigate. These tactics let Monti move laterally within the network and retain control over the compromised systems.

Implications and Recommendations

The attack on Pau-Pyrénées Airport highlights the urgent need for robust cybersecurity measures within the aviation sector. Airports must implement stringent access controls, conduct regular security audits, and deploy comprehensive endpoint detection and response solutions to mitigate the risks posed by ransomware groups like Monti. Ensuring proper data backup and recovery procedures is also crucial to minimize the impact of such attacks.
