Monti, BlackHunt and Putin

FortiGuard has shared a great technical report on Monti, BlackHunt and Putin Ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files and demands ransom for file decryption
Severity level: High

Monti Ransomware: Monti is a relatively new ransomware designed to encrypt files on Linux systems. Files encrypted by Monti ransomware have a “.puuuk” file extension. We are also aware of reports of potential Monti variants that work on Windows systems.

Figure 1. Files encrypted by Monti

Monti ransomware

Monti drops a ransom note titled “README.txt”.  This ransom note resembles that of the infamous Conti ransomware.  Unlike typical ransomware, the Monti threat actor operates two separate TOR sites: one for hosting data stolen from victims and another for ransom negotiation.  At the time of writing, the ransom negotiation site was not accessible.  The data leak site has a “wall of shame,” which the Monti operator may have copied from other ransomware gangs such as Ragnar Locker.  Currently, the leak site does not list any victims but has a provocative message that may indicate that many victims of Monti ransomware were “cooperative” and paid ransom, except for one victim in Argentina.[1]


Figure 2. Ransom note dropped by Monti Ransomware


Figure 3. Monti ransomware’s data leak site

Figure 4. Monti ransomware’s data leak site

The ransomware also drops a text file titled “result.txt”, which shows how many files it has encrypted in the compromised machine.

Figure 5. result.txt showing the number of affected files

BlackHunt Ransomware:  FortiGuard Labs recently came across new variants of the BlackHunt ransomware.  This ransomware is relatively new and reportedly accesses victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations.

Files encrypted by BlackHunt ransomware can be identified with the following filename pattern:  [unique ID assigned to each compromised machine].[contact email address].Black.  The ransomware also deletes shadow copies, which makes file recovery difficult.  The ransomware also drops two ransom notes: one is titled “#BlackHunt_ReadMe.hta” and the other is “#BlackHunt_ReadMe.txt”. 

Figure 6. Files encrypted by BlackHunt ransomware

Although both ransom notes belong to BlackHunt ransomware, they not only contain different contact email addresses but also different IDs assigned to the victim.  The ransom note in HTA format also has a link to a TOR site, which was no longer accessible at the time of the investigation.

Figure 7.  BlackHunt’s ransom note titled “#BlackHunt_ReadMe.hta”

Figure 8.  BlackHunt’s ransom note in a text file

Figure 9.  BlackHunt ransomware logo

Putin Ransomware: Putin is a recent ransomware that encrypts files on victims’ machines. It then tries to extort money for decrypting those files and not leaking stolen data to the public.  Files encrypted by Putin ransomware have a “.PUTIN” file extension.

The ransomware drops a ransom note titled “README.txt”, which states that victims have only two days to make a ransom payment.  Otherwise, their encrypted files will not be recovered.  This is a common tactic used by many ransomware variants to put pressure on victims to pay a ransom as fast as possible. 

Figure 10.  Files encrypted by PUTIN ransomware

Figure 11.  Ransom note dropped by Putin ransomware

The ransom note includes two Telegram channels: one for negotiating ransom payment with the Putin ransomware gang and another for releasing data stolen from the victims.  At the time of the investigation, the channel used for data leaks listed a Singapore company and a Spanish company.  However, the dates of the posts only go back to late November 2022, indicating that the Putin ransomware is likely not yet widespread.

Figure 12.  Putin ransomware’s Telegram channel

Figure 13.  Putin ransomware’s Telegram channel used for posting stolen data
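As an added example that is not part of the FortiGuard report or this post, the following Python triage helper checks a list of observed file names against the artifacts described above for all three families: the “.puuuk” and “.PUTIN” extensions, the [ID].[email].Black pattern, and the dropped note names. The file paths are constructed sample data, and the scoring rule (a README.txt alone never attributes, because Monti and Putin both drop one) is an assumption of this example.

```python
import re
from collections import defaultdict

# Artifacts described in the report: encrypted-file suffixes and dropped note names.
EXTENSION_PATTERNS = {
    "Monti": re.compile(r"\.puuuk$", re.IGNORECASE),
    "Putin": re.compile(r"\.PUTIN$", re.IGNORECASE),
    # BlackHunt: [<original name>.]<machine ID>.<contact email>.Black
    "BlackHunt": re.compile(r"(?:^|\.)[^.\\/@]+\.[^.\\/@]+@[^.\\/@]+(?:\.[^.\\/@]+)+\.Black$",
                            re.IGNORECASE),
}
NOTE_NAMES = {
    "Monti": {"README.txt", "result.txt"},
    "BlackHunt": {"#BlackHunt_ReadMe.hta", "#BlackHunt_ReadMe.txt"},
    "Putin": {"README.txt"},
}

def basename(path):
    return re.split(r"[\\/]", path)[-1]

def classify_paths(paths):
    """Map each family to the encrypted files and ransom notes seen for it."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for path in paths:
        name = basename(path)
        for family, pattern in EXTENSION_PATTERNS.items():
            if pattern.search(name):
                hits[family]["encrypted"].append(path)
        for family, names in NOTE_NAMES.items():
            if name in names:
                hits[family]["notes"].append(path)
    return dict(hits)

def attribute(paths):
    """Return the most likely family or None. README.txt is dropped by both
    Monti and Putin, so a note alone never attributes: a family needs at least
    one encrypted file, except BlackHunt, whose note names are unique to it."""
    hits = classify_paths(paths)
    scored = {f: len(e["encrypted"]) + len(e["notes"])
              for f, e in hits.items() if e["encrypted"] or f == "BlackHunt"}
    return max(scored, key=scored.get) if scored else None

# Constructed sample listing (not real victim data) resembling a BlackHunt case.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.9F3A1C2B.helpme@example.com.Black",
    r"C:\Users\alice\Documents\#BlackHunt_ReadMe.hta",
    r"C:\Users\alice\Documents\#BlackHunt_ReadMe.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
```

Calling attribute(SAMPLE_PATHS) returns "BlackHunt"; feeding it a directory listing from a suspect host gives a first-pass family guess before the hashes are checked against the signatures below.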


FortiGuard Labs detects known Monti, BlackHunt and Putin ransomware variants with the following AV signatures:

Monti ransomware: 

  • Linux/Filecoder_Conti.A!tr

BlackHunt ransomware:

  • W32/Conti.F!tr.ransom

Putin ransomware:

  • W32/Conti.F!tr.ransom

IOCs:

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      


Weekly Cyber Intelligence Briefings:


  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  


[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more?lctg=141970831
