Monti Ransomware Remerges with New Evasion and Linux Capabilities


September 7, 2023

World map

The Monti ransomware gang has resurfaced after a lull with a new Linux version and evasions techniques leveraging the leaked Conti code base.

"It's likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm," researchers said.

"Furthermore, by altering the code, Monti's operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate."

Takeaway: Multiple ransomware gangs have developed Linux versions over the last year, but not much attention has been paid to what this trend means for the ransomware threat landscape. We should be concerned – very concerned.

With more than a dozen ransomware groups now targeting Linux environments, we can expect future attacks to potentially cause widespread disruptions across several key sectors that will impact a large number of collateral victims.

Like any business, ransomware attackers have finite resources and have to make strategic decisions on where to focus those resources based on anticipated ROI, so they traditionally targeted Windows systems because it has the most desktop market share.  

While Linux is lesser known to the average person, they may be surprised to learn that Linux runs approximately 80% of web servers, most smartphones, most supercomputers, and many embedded and IoT devices used in manufacturing.  

Linux is also favored for large network applications, and data centers and drives most of the U.S. government and military networks, our financial systems, and the backbone of the internet.

Attacks on Linux systems are potentially devastating. These attacks could have a broad impact like the disruption experienced from the Colonial Pipeline attack.  

The "always on" nature of Linux systems not only provides a strategic beachhead for moving laterally throughout the network, but attacks on Linux systems would also disrupt the most critical parts of an organization's network which allows attackers to demand even higher ransoms.

While attacks on Windows systems can be extremely disruptive to business operations, attacks on Linux systems could produce disruptions to critical systems on a level we have not even come close to experiencing, so we should all be monitoring this trend closely. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.