Monti Ransomware Attack on CNPC Sport

Incident Date: May 26, 2024


Overview

Title: Monti Ransomware Attack on CNPC Sport
Victim: CNPC Sport
Attacker: Monti
Location: Bizanos, France
First Reported: May 26, 2024


Company Profile and Industry Standout

CNPC Sport, known as CNPC SPORT Business Campus, is a prominent French institution specializing in the education and training of professionals in the sports industry. The organization offers a comprehensive range of programs, from BAC to BAC+5 levels, across various campuses in France, including Pau, Grenoble, Paris, Vitrolles, and Nantes. CNPC Sport is renowned for its practical training approach and strong partnerships with major sports brands like BOARDRIDERS INC. The institution has been recognized with the "Label Apprentissage en Nouvelle-Aquitaine" for its innovative and high-quality practices.

Vulnerabilities and Targeted Attack

The educational sector, particularly institutions like CNPC Sport that manage extensive personal and administrative data, is increasingly vulnerable to ransomware attacks. The reliance on digital platforms for course delivery and data management makes these institutions attractive targets for cybercriminals. CNPC Sport's extensive data handling, including student records, administrative documents, and internal communications, poses significant risks if compromised.

Attack Overview

In May 2024, CNPC Sport became a victim of the Monti ransomware group. The attackers managed to exfiltrate a substantial amount of data, which included administrative documents, personal information of employees, HR reports, and other sensitive data. The stolen data was subsequently published on Monti's dark web leak site. This breach highlights the growing trend of ransomware groups focusing on data exfiltration as a primary means of extortion.

Details of the Ransomware Group

Monti, a ransomware group that emerged after the dissolution of the infamous Conti group, has been active since June 2022. The group initially replicated Conti's attack strategies using leaked source code but has since developed its own distinct methods. Monti's recent activities show a shift towards high-value sectors such as education, legal, and government entities, using a new Linux-based ransomware variant. This variant employs advanced encryption techniques, making its attacks more difficult for security measures to detect and mitigate.

Penetration and Persistence Tactics

Monti ransomware operators typically gain initial access through compromised Remote Desktop Protocol (RDP) credentials or phishing attacks. Once inside the network, they deploy customized backdoors and disable security software to maintain persistence. The new Linux variant of Monti ransomware deviates significantly from its predecessors, employing AES-256-CTR encryption and advanced file encryption methods to evade detection. These tactics allow the attackers to move laterally within the network and exfiltrate data before they are noticed.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.