FortiGuard Labs has shared a detailed technical report on the Monti, BlackHunt and Putin ransomware families.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files and demands ransom for file decryption
Severity level: High
Monti Ransomware: Monti is a relatively new ransomware designed to encrypt files on Linux systems. Files encrypted by Monti ransomware have a “.puuuk” file extension. We are also aware of reports of potential Monti variants that work on Windows systems.
Figure 1. Files encrypted by Monti ransomware
Monti drops a ransom note titled “README.txt”. This ransom note resembles that of the infamous Conti ransomware. Unlike typical ransomware, the Monti threat actor operates two separate TOR sites: one for hosting data stolen from victims and another for ransom negotiation. At the time of writing, the ransom negotiation site was not accessible. The data leak site has a “wall of shame,” which the Monti operator may have copied from other ransomware gangs such as Ragnar Locker. Currently, the leak site does not list any victims but has a provocative message that may indicate that many victims of Monti ransomware were “cooperative” and paid ransom, except for one victim in Argentina.[1]
Figure 2. Ransom note dropped by Monti Ransomware
Figure 3. Monti ransomware’s data leak site
Figure 4. Monti ransomware’s data leak site
The ransomware also drops a text file titled “result.txt”, which shows how many files it has encrypted in the compromised machine.
Figure 5. result.txt showing the number of affected files
BlackHunt Ransomware: FortiGuard Labs recently came across new variants of the BlackHunt ransomware. This ransomware is relatively new and reportedly accesses victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations.
Files encrypted by BlackHunt ransomware can be identified by the following filename pattern: [unique ID assigned to each compromised machine].[contact email address].Black. The ransomware deletes shadow copies, which makes file recovery difficult. It also drops two ransom notes: one titled “#BlackHunt_ReadMe.hta” and the other “#BlackHunt_ReadMe.txt”.
Figure 6. Files encrypted by BlackHunt ransomware
Although both ransom notes belong to BlackHunt ransomware, the two notes list different contact email addresses and different IDs for the same victim. The ransom note in HTA format also contains a link to a TOR site, which was no longer accessible at the time of the investigation.
Figure 7. BlackHunt’s ransom note titled “#BlackHunt_ReadMe.hta”
Figure 8. BlackHunt’s ransom note in a text file
Figure 9. BlackHunt ransomware logo
Putin Ransomware: Putin is a recent ransomware that encrypts files on victims’ machines. It then tries to extort money for decrypting those files and not leaking stolen data to the public. Files encrypted by Putin ransomware have a “.PUTIN” file extension.
The ransomware drops a ransom note titled “README.txt”, which states that victims have only two days to make a ransom payment. Otherwise, their encrypted files will not be recovered. This is a common tactic used by many ransomware variants to put pressure on victims to pay a ransom as fast as possible.
Figure 10. Files encrypted by PUTIN ransomware
Figure 11. Ransom note dropped by Putin ransomware
The ransom note includes two Telegram channels: one for negotiating ransom payment with the Putin ransomware gang and another for releasing data stolen from victims. At the time of the investigation, the data-leak channel listed one Singaporean company and one Spanish company. However, the posts only date back to late November 2022, indicating that Putin ransomware is likely not yet widespread.
Figure 12. Putin ransomware’s Telegram channel
Figure 13. Putin ransomware’s Telegram channel used for posting stolen data
FortiGuard Labs detects known Monti, BlackHunt and Putin ransomware variants with the following AV signatures:
Monti ransomware:
- Linux/Filecoder_Conti.A!tr
BlackHunt ransomware:
- W32/Conti.F!tr.ransom
Putin ransomware:
- W32/Conti.F!tr.ransom
IOCs:
Monti ransomware:
- edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
BlackHunt ransomware:
- f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f
- 977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000
Putin ransomware:
- 7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099
- 62f9c48b218c4cdb08ed76729539a8b6a6aaf2a558d80b441e7e79e4074d622c
- 7d1ccac64445547908dc1678479919c9bd063bceac5d214857d2758828f1c60b
- 80394d4c8680cda921b4fdd63441a8cfdca25eb2ad082149d582bbb5619b0155
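As an added triage example (not code from FortiGuard Labs or Red Sky Alliance), the Python below walks a directory tree and reports three kinds of artefacts described in this write-up: files whose names match the Monti “.puuuk” and Putin “.PUTIN” extensions or the BlackHunt “[ID].[email].Black” pattern, the ransom-note and result-file names, and files whose SHA-256 matches one of the IoC hashes listed above. The victim-ID character set is not documented, so the regex assumes an ID with no dots or whitespace; the sample files in build_sample_tree are constructed placeholders, not real samples; and README.txt is reported only as a possible note because both Monti and Putin use that name and it is a common benign filename.

```python
"""Added triage helper: flag Monti / BlackHunt / Putin naming patterns and IoC hashes."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 IoCs exactly as listed in the report above, mapped to their family.
IOC_SHA256 = {
    "edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1": "Monti",
    "f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f": "BlackHunt",
    "977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000": "BlackHunt",
    "7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099": "Putin",
    "62f9c48b218c4cdb08ed76729539a8b6a6aaf2a558d80b441e7e79e4074d622c": "Putin",
    "7d1ccac64445547908dc1678479919c9bd063bceac5d214857d2758828f1c60b": "Putin",
    "80394d4c8680cda921b4fdd63441a8cfdca25eb2ad082149d582bbb5619b0155": "Putin",
}

# BlackHunt appends "<victim ID>.<contact email>.Black". The ID charset is not
# documented in the report; the assumption here is that it has no dots or spaces.
BLACKHUNT_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\s]+)\.(?P<email>[^\s@]+@[^\s@]+)\.Black$"
)
# Extensions reported for the other two families (matched as written in the report).
EXTENSION_FAMILY = {".puuuk": "Monti", ".PUTIN": "Putin"}

# Ransom-note and result-file names from the report. README.txt is used by both
# Monti and Putin and is a common benign name, so it is only a "possible" hit.
NOTE_FILES = {
    "#BlackHunt_ReadMe.hta": "BlackHunt",
    "#BlackHunt_ReadMe.txt": "BlackHunt",
    "result.txt": "Monti (possible)",
    "README.txt": "Monti/Putin (possible)",
}


def classify_name(name):
    """Return (kind, family, details) for one filename, or None if nothing matches."""
    m = BLACKHUNT_RE.match(name)
    if m:
        return ("encrypted", "BlackHunt",
                {"original": m["original"], "victim_id": m["victim_id"], "email": m["email"]})
    ext = os.path.splitext(name)[1]
    if ext in EXTENSION_FAMILY:
        return ("encrypted", EXTENSION_FAMILY[ext], {"original": name[: -len(ext)]})
    if name in NOTE_FILES:
        return ("note", NOTE_FILES[name], {})
    return None


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """Walk root and group findings into encrypted files, notes and IoC hash hits."""
    findings = {"encrypted": [], "notes": [], "ioc_hits": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        hit = classify_name(path.name)
        if hit:
            kind, family, details = hit
            bucket = "encrypted" if kind == "encrypted" else "notes"
            findings[bucket].append({"path": str(path), "family": family, **details})
        digest = sha256_of(path)
        if digest in IOC_SHA256:
            findings["ioc_hits"].append(
                {"path": str(path), "family": IOC_SHA256[digest], "sha256": digest})
    return findings


def families_seen(findings):
    """Families backed by an encrypted file or a hash hit; a note alone is too weak."""
    return ({f["family"] for f in findings["encrypted"]}
            | {f["family"] for f in findings["ioc_hits"]})


def build_sample_tree(root):
    """Constructed placeholder files for a dry run (not real ransomware samples)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name in ("budget.xlsx.AB12CD34.contact@example.com.Black", "notes.docx.puuuk",
                 "photo.jpg.PUTIN", "#BlackHunt_ReadMe.hta", "README.txt",
                 "result.txt", "clean.pdf"):
        (root / name).write_bytes(b"placeholder content\n")


def run_demo():
    """Build the constructed tree in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On the constructed tree the run reports three encrypted files (one per family), three note hits and no hash hits, since the placeholder contents are not the listed samples. In a real investigation the hash hits are the strongest signal, the encrypted-file patterns come next, and README.txt on its own should only raise suspicion when it sits beside encrypted files.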
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more?lctg=141970831