Monti Ransomware Targets VMware ESXi Servers with Linux Version


August 15, 2023

The Monti ransomware gang has been observed deploying a new version with "significant deviations from other Linux-based predecessors" that is designed to target VMware ESXi servers.

Analysis of the payload reveals it also has improved security evasion capabilities and leverages AES-256-CTR encryption where the previous variant used Salsa20.

“Members of the gang do not consider themselves cybercriminals or their software malicious. They refer to the tools they use as utilities that reveal security problems in corporate networks, and call their attacks penetration testing, for which they want to get paid,” Bleeping Computer reports.

“If the victim company does not pay, they publish the name of their victims on their data leak site, under a section called Wall of Shame.”

Takeaway: Most people aren't familiar with Linux or don't fully understand how critical the systems running it are. Linux unifies the IT stack and makes the network easier to manage. So, if an attacker gains access to a Linux environment, they have access to an organization's most critical systems and data.

Linux runs approximately 80% of Web servers and is the most common operating system for constrained, embedded, and IoT devices used in sectors such as energy and manufacturing. Linux also drives most of the U.S. government and military networks, financial and banking systems, and runs the backbone of the Internet.

Attackers are increasing their attention on Linux servers for a few reasons — namely, disrupting Linux servers holds the potential to inflict a lot of pain, and attackers know that more pain translates to more dollars in their pockets from higher ransom demands. Given the lack of visibility and small market share on desktops and laptops, Linux defense tends to be an afterthought. This makes defending Linux systems a major challenge.

The "always on, always available" nature of Linux systems paints a huge target for threat actors, and compromising Linux systems provides a strategic beachhead for moving laterally throughout a targeted organization's network.

Linux is also highly customizable, which is why it is the preferred operating system for large network environments. This means threat actors have a considerable level of control over the network once they have achieved persistence and access to the Linux Terminal.

The targeting of Linux systems has the potential to cause serious disruptions far beyond the scale of what we have seen in any attacks to date. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic, but we can reduce the threat of a major disruption and its potential impact by preparing now.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.