Ransomware, Malware, Vulnerability Management

New VMware ESXi server attacks launched by Monti ransomware

Share

BleepingComputer reports that VMware ESXi servers have been targeted with a new Linux locker by the Monti ransomware operation, which has reemerged after a two-month hiatus.

Significant changes have been done to Monti ransomware's new Linux encryption tool, which has also become less similar to leaked Conti ransomware code than before, according to a Trend Micro report.

Aside from changing parameters to enable more subdued ESXi virtual machine termination, Monti ransomware has also updated its locker to skip certain ESXi VMs, as well as alter certain files. Researchers also found the new variant, which uses the OpenSSL library's AES-256-CTR encryption approach instead of Salsa20, has been encrypting the entirety of files smaller than 1.048 MB.

However, only the first 100,000 bytes are encrypted in files ranging from 1.048 MB to 4.19 MB, while Shift Right operation-based calculations are used in encrypting files larger than 4.19 MB.

Initially dubbed as a Conti ransomware clone after its identification in June 2022, Monti ransomware was later noted by Intel 471 to be a more likely Conti rebrand due to having the same initial network access approaches.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.