CERT-In Alerts Organizations to Monti Ransomware Threat; Urges Vigilance and Protective Measures


The Indian Computer Emergency Response Team (CERT-In) has issued a stark warning about a newly emerging ransomware strain named Monti, which has been targeting organizations. This variant ships with a Linux locker, making it capable of encrypting VMware ESXi servers and other systems.

What sets Monti ransomware apart is how closely its source code resembles that of the Conti ransomware. It uses AES-256-CTR encryption, and how much of each file it encrypts depends on the file's size. Files between 1.048 MB and 4.19 MB are only partially encrypted, with just the first 100,000 bytes affected. For files larger than 4.19 MB, the portion of content encrypted is determined by further criteria.

For files smaller than 1.048 MB, the whole file is encrypted; during this process the ransomware appends the string “MONTI” along with 256 bytes associated with the attacker’s encryption key. After encryption, Monti adds the “.MONTI” extension to affected files and drops a ransom note (‘readme.txt’) in each affected directory.
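As an added illustration (not part of the CERT-In advisory or the article), the following Python helper applies the size rules described above to triage a suspected Monti-encrypted file and estimate how much of the original content remains in plaintext. It assumes the 1.048 MB and 4.19 MB thresholds correspond to 1 MiB and 4 MiB and that the trailer is the string "MONTI" followed by the 256-byte key blob; both are assumptions that should be adjusted against real samples.

```python
# Size thresholds from the advisory; assumed to mean 1 MiB and 4 MiB exactly.
SMALL_LIMIT = 1_048_576      # below this: whole file encrypted
LARGE_LIMIT = 4_194_304      # between the limits: only the first 100,000 bytes
PARTIAL_BYTES = 100_000
MARKER = b"MONTI"
KEY_BLOB_LEN = 256           # 256 bytes tied to the attacker's key
EXT = ".MONTI"


def trailer_len() -> int:
    """Length of the data Monti appends to each encrypted file."""
    return len(MARKER) + KEY_BLOB_LEN


def has_monti_trailer(data: bytes) -> bool:
    """Assumed trailer layout: b'MONTI' then the 256-byte key blob.
    The real byte order may differ; verify against a captured sample."""
    if len(data) < trailer_len():
        return False
    tail = data[-trailer_len():]
    return tail[: len(MARKER)] == MARKER


def triage(data: bytes) -> dict:
    """Classify an encrypted file by its original size and estimate
    how many bytes of the original content were left unencrypted.
    AES-CTR is a stream mode, so ciphertext length equals plaintext
    length; the original size is the file size minus the trailer."""
    if not has_monti_trailer(data):
        return {"monti": False}
    original_size = len(data) - trailer_len()
    if original_size < SMALL_LIMIT:
        bucket, encrypted = "full", original_size
    elif original_size <= LARGE_LIMIT:
        bucket, encrypted = "head-only", min(PARTIAL_BYTES, original_size)
    else:
        # Extent for large files is not stated; report it as unknown.
        bucket, encrypted = "large-partial", None
    intact = None if encrypted is None else original_size - encrypted
    return {"monti": True, "bucket": bucket, "original_size": original_size,
            "encrypted_bytes": encrypted, "intact_bytes": intact}


def triage_samples() -> dict:
    """Constructed in-memory samples standing in for files on disk."""
    trailer = MARKER + b"\x00" * KEY_BLOB_LEN
    return {
        "small" + EXT: triage(b"A" * 500 + trailer),
        "medium" + EXT: triage(b"B" * 2_000_000 + trailer),
        "large" + EXT: triage(b"C" * 5_000_000 + trailer),
        "untouched.txt": triage(b"plain text, no trailer"),
    }
```

For a medium-sized document, the result shows that everything past the first 100,000 bytes is still plaintext, which matters when deciding what can be salvaged before backups are restored.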


CERT-In emphasizes that the modifications made to the Conti ransomware’s source code add a layer of complexity, making Monti harder to detect and mitigate effectively.

To counter this evolving threat, CERT-In prescribes an array of countermeasures and best practices:

Data Backup and Maintenance: Organizations are advised to maintain offline backups of critical data and routinely test restoration protocols.

Access and Authentication: Strengthen security by utilizing strong, unique passwords for all accounts. Implement multi-factor authentication (MFA), especially for webmail and essential systems. Minimize access to administrative shares and allow connections solely from specified machines using host-based firewalls.

System Security: Enable protected files in the Windows operating system, disable Remote Desktop connections or restrict access to them, regularly audit data integrity, and verify the integrity of code and scripts on sensitive systems.

Email Security: Bolster email domain security by implementing DMARC, DKIM, and SPF protocols. Exercise caution when handling email attachments and links.

Software and OS Updates: Regularly update operating systems and applications, utilize application white-listing and Software Restriction Policies, and maintain up-to-date antivirus software.

Web Browsing: Exercise prudence when dealing with email attachments and links, and enhance web browsers with content controls.

Network Security: Segregate the network into distinct security zones, employ firewalls to restrict access, implement robust authentication protocols, consider disabling unnecessary services like PowerShell and scripts, and restrict software installation permissions.

By adhering to these prescribed measures, organizations can proactively fortify their defenses against the emerging Monti ransomware threat, safeguarding critical data and systems from potential compromise.