
Is the Monti Ransomware Conti's Successor or Doppelganger?

Questions about the Monti ransomware abound.

Nathaniel Mott, Contributing Writer


The notorious Conti ransomware gang has been fairly quiet since its source code, internal chats, and other sensitive information were leaked in February. Now security firms are wondering if the new Monti ransomware is a successor to Conti or is simply copying the group's playbook.

Intel471 and BlackBerry separately published their research into Monti on Sept. 7, but the ransomware was discovered and disclosed by MalwareHunterTeam on Twitter on June 30.

Intel471 says Monti "could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code" published in February. It doesn't seem like Monti has been active enough for the security firm to determine its relationship to Conti.

BlackBerry seems more confident in its assessment that, because the Conti leaks in February "effectively gave Monti threat actors a step-by-step guide to emulating Conti’s notoriously successful activities," Monti is a copycat rather than a bona fide successor to its namesake.

"While the activity of the Monti group itself seems to have been short lived, there is more we can learn from its copycat techniques," BlackBerry says. "As additional Ransomware-as-a-Service (RaaS) solution builders and source code become leaked, either publicly or privately, we could continue to see these doppelganger-like ransomware groups proliferate."

Monti's relationship to Conti is curious, sure, but it might not mean all that much to organizations targeted by the ransomware gang. Most people don't ask to see a family tree when they're being punched in the face; those kinds of questions are typically asked when the attack is over.

It's not clear if Monti's done throwing punches. "Whether this is Conti being rebranded as Monti, in a bid to mock the former strain, or it is just another new ransomware variant on the block," Intel471 says, "it is likely we will continue to see this new variant impact businesses globally."
