The Curious Case of “Monti” Ransomware: A Real-World Doppelganger — September 7, 2022 BlackBerry Blog

Click to view a description of the Monti article

A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group, calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster that brought down over 20 servers.

Threat research shows that the only credible reference of the “Monti” ransomware group prior to today was a tweet from security researchers at MalwareHunterTeam, posted on June 30, 2022. The Twitter post mentioned the possibility that Monti ransomware may have had “5-10 victims in the past months,” though no data is publicly available on these victims.

Most Indicators of Compromise (IOCs) identified by the BlackBerry IR team in the Monti attack were also seen in previous Conti ransomware cases — except one: Monti threat actors leveraged the Action1 Remote Monitoring and Maintenance (RMM) agent.

This article provides a general overview of the incident, denotes the unique characteristics of this “new” threat actor group, and includes malware analysis of the payload used. We also include a breakdown of “Veeamp,” a password stealer malware targeting the Veeam data backup application, which was identified during the incident.

REvil Under the Microscope — September 10, 2021 SC Media

Recommended Sources for Ransomware Information — July 2, 2021 SANS Blog

Incident Response: Details in the Data — June 2017, Pluralsight Security Professional Blog

Landing a Hands-On Security Gig – Part 1 — July 2015, Tripwire State of Security Blog

Landing a Hands-On Security Gig – Part 2 — July 2015, Tripwire State of Security Blog

Testing Network Forensics Skills: Challenge Accepted! — April 2015, Tripwire State of Security Blog

Quoted / Interviewed

So, you need to reset thousands of passwords… — October 13, 2022 IT Brew

LAUSD not out of woods with cyberattack, security experts say — September 8, 2022 Los Angeles Daily News

Rethinking the approach to health care’s reliance on IT as security leaders — September 3, 2021 SC Media

How to Prepare Your Windows Network for a Ransomware Attack — August 4, 2021 CSO Online

Ryan Chapman, SANS Certified Instructor Candidate: The Implications of the Kaseya Ransomware Attack — July 9, 2021 Enterprise Security Tech

Executives and Ransomware: Stop, Collaborate, and Listen! Webcast Q&A — July 6, 2021 SANS Webcast Q&A

Sitdown with a SOC Star: 11 Questions with SANS Instructor Ryan Chapman — November 2020, Siemplify Blog

International Articles

Kaseya-Angriff erinnert Unternehmen, sich vor Ransomware aus allen Richtungen zu schützen — July 7, 2021 InfoPoint Security (Germany)

Supply-Chain-Angriff bei Kaseya: Warnung für Unternehmen vor Ransomware aus allen Richtungen — July 7, 2021 (Germany)