The Monti ransomware group [1] [2] [3], previously thought to have disappeared, has recently resurfaced with an upgraded encryptor and new features [4]. This Linux variant specifically targets legal and governmental institutions, as well as VMware ESXi servers.


The new version of Monti differs substantially from previous versions: it has a similarity rate of only 29% to the leaked source code of the Conti ransomware group [4]. Whereas earlier versions relied heavily on Conti's code [4], this variant shares less than a third of its code with Conti [4].

The upgraded version adds a `--whitelist` parameter to skip selected virtual machines [1], removes certain command-line arguments [1] [3], and employs AES-256-CTR encryption instead of Salsa20 [1] [3]. Additionally, the ransomware alters the motd file to display the ransom note and decides how to encrypt a file based on its size [3]. These changes were made to improve the ransomware's ability to evade detection and to make mitigation more challenging [1].
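Two of the changes above leave host-level traces a defender can check for on an ESXi or Linux host: an altered motd, and a process invoked with a `--whitelist` argument. The following script is an added example written for this summary, not code from any of the cited reports or from a Monti sample. It compares the current motd against a known-good SHA-256 baseline, scans it for generic ransom-note wording, and flags command lines that pass `--whitelist` from a binary not on an allow-list. The keyword list, the allow-list, the motd text and the sample command lines are all constructed for the example and would need tuning to a real environment.

```python
import hashlib
import shlex

# Generic ransom-note wording to look for in motd. Constructed for this
# example; not taken from a Monti ransom note.
RANSOM_NOTE_KEYWORDS = ("encrypted", "decrypt", ".onion", "bitcoin", "ransom")

# Binaries that are expected to take a --whitelist argument on this host.
# Hypothetical allow-list; populate from the environment's own inventory.
KNOWN_WHITELIST_USERS = {"/usr/sbin/backupd"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 used to baseline and re-check the motd file."""
    return hashlib.sha256(data).hexdigest()


def motd_findings(motd: bytes, baseline_hash: str) -> list[str]:
    """Report whether motd deviates from its baseline hash and whether it
    contains ransom-note wording. Returns an empty list when clean."""
    findings = []
    if sha256_hex(motd) != baseline_hash:
        findings.append("motd hash differs from baseline")
    text = motd.decode("utf-8", errors="replace").lower()
    hits = [kw for kw in RANSOM_NOTE_KEYWORDS if kw in text]
    if hits:
        findings.append("ransom-note keywords in motd: " + ", ".join(hits))
    return findings


def suspicious_cmdlines(cmdlines: list[str]) -> list[str]:
    """Return command lines that pass --whitelist (as a separate token or as
    --whitelist=VALUE) from a binary that is not expected to use it."""
    flagged = []
    for line in cmdlines:
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unparsable line; skip rather than crash the scan
        if not argv:
            continue
        uses_whitelist = any(
            a == "--whitelist" or a.startswith("--whitelist=") for a in argv[1:]
        )
        if uses_whitelist and argv[0] not in KNOWN_WHITELIST_USERS:
            flagged.append(line)
    return flagged


# Constructed sample data (placeholder motd text and invented command lines,
# not captured from a real incident).
CLEAN_MOTD = b"Authorized users only. Activity may be monitored.\n"
BASELINE = sha256_hex(CLEAN_MOTD)
TAMPERED_MOTD = b"ALL YOUR FILES ARE ENCRYPTED. Contact us via .onion to decrypt.\n"

SAMPLE_CMDLINES = [
    "/bin/sh /etc/rc.local.d/local.sh",
    "/usr/sbin/backupd --whitelist /vmfs/volumes/datastore1/keep.txt",
    "/tmp/.x/enc --whitelist=/tmp/.x/vms.txt /vmfs/volumes",
]

if __name__ == "__main__":
    print("clean motd:", motd_findings(CLEAN_MOTD, BASELINE))
    print("tampered motd:", motd_findings(TAMPERED_MOTD, BASELINE))
    print("suspicious:", suspicious_cmdlines(SAMPLE_CMDLINES))
```

On a live host, `motd` would be read from `/etc/motd` and `cmdlines` from the process list; the baseline hash should be recorded when the host is known to be clean and stored off-host, since an attacker who can rewrite motd can also rewrite a local baseline.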

First observed in June 2022 [4], the Monti ransomware was initially thought to be a rebrand of Conti because of its similar network access methods [4]. However, it was not as active as its predecessors [4], so it received less attention from researchers [4]. The only detailed report on the variant was published in January 2023 by Fortinet [4].


The resurgence of the Monti ransomware group with an upgraded encryptor and new features poses a significant threat to legal and governmental institutions, as well as VMware ESXi servers. The changes in this new variant, such as the use of AES-256-CTR encryption and alterations to the motd file, make it more difficult to detect and mitigate. It is crucial for organizations to stay vigilant and implement robust security measures to protect against this evolving ransomware threat.