The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
https://for528.com/monti — September 7, 2022 BlackBerry Blog
A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group, calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster that brought down over 20 servers.
Threat research shows that the only credible reference of the “Monti” ransomware group prior to today was a tweet from security researchers at MalwareHunterTeam, posted on June 30, 2022. The Twitter post mentioned the possibility that Monti ransomware may have had “5-10 victims in the past months,” though no data is publicly available on these victims.
Most Indicators of Compromise (IOCs) identified by the BlackBerry IR team in the Monti attack were also seen in previous Conti ransomware cases — except one: Monti threat actors leveraged the Action1 Remote Monitoring and Maintenance (RMM) agent.
This article provides a general overview of the incident, denotes the unique characteristics of this “new” threat actor group, and includes malware analysis of the payload used. We also include a breakdown of “Veeamp,” a password stealer malware targeting the Veeam data backup application, which was identified during the incident.
REvil Under the Microscope
https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope — September 10, 2021 SC Media
Recommended Sources for Ransomware Information
https://www.sans.org/blog/recommended-sources-for-ransomware-information/ — July 2, 2021 SANS Blog
Incident Response: Details in the Data
https://www.pluralsight.com/blog/security-professional/incident-response-prep — June 2017, Pluralsight Security Professional Blog
Landing a Hands-On Security Gig – Part 1
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/landing-a-hands-on-security-gig-part-1/ — July 2015, Tripwire State of Security Blog
Landing a Hands-On Security Gig – Part 2
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/landing-a-hands-on-security-gig-part-2/ — July 2015, Tripwire State of Security Blog
Testing Network Forensics Skills: Challenge Accepted!
https://www.tripwire.com/state-of-security/security-data-protection/security-controls/testing-network-forensics-skills-challenge-accepted/ — April 2015, Tripwire State of Security Blog
Quoted / Interviewed
So, you need to reset thousands of passwords…
https://www.itbrew.com/stories/2022/10/13/so-you-need-to-reset-thousands-of-passwords — October 13, 2022 IT Brew
LAUSD not out of woods with cyberattack, security experts say
https://www.dailynews.com/2022/09/08/lausd-not-out-of-woods-with-cyberattack-security-experts-say — September 8, 2022 Los Angeles Daily News
Rethinking the approach to health care’s reliance on IT as security leaders
How to Prepare Your Windows Network for a Ransomware Attack
https://www.csoonline.com/article/3627390/how-to-prepare-your-windows-network-for-a-ransomware-attack.html — August 4, 2021 CSO Online
Ryan Chapman, SANS Certified Instructor Candidate: The Implications of the Kaseya Ransomware Attack
https://www.enterprisesecuritytech.com/post/ryan-chapman-sans-certified-instructor-the-implications-of-the-kaseya-ransomware-attack — July 9, 2021 Enterprise Security Tech
Executives and Ransomware: Stop, Collaborate, and Listen! Webcast Q&A
https://www.sans.org/blog/executives-and-ransomware-stop-collaborate-and-listen/ — July 6, 2021 SANS Webcast Q&A
Sitdown with a SOC Star: 11 Questions with SANS Instructor Ryan Chapman
https://www.siemplify.co/blog/sitdown-with-a-soc-star-11-questions-with-sans-instructor-ryan-chapman/ — November 2020, Siemplify Blog
Kaseya attack reminds companies to protect themselves against ransomware from all directions
https://www.infopoint-security.de/kaseya-angriff-erinnert-unternehmen-sich-vor-ransomware-aus-allen-richtungen-zu-schuetzen/a28094/ — July 7, 2021 InfoPoint Security (Germany)
Supply chain attack on Kaseya: a warning to companies about ransomware from all directions
https://www.datensicherheit.de/kaseya-supply-chain-warnung-ransomware — July 7, 2021 datensicherheit.de (Germany)