FortiGuard Labs Threat Research

Ransomware Roundup – Monti, BlackHunt, and Putin Ransomware

By Shunichi Imano and James Slaughter | January 05, 2023

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and across the OSINT community. The Ransomware Roundup report provides brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers Monti, BlackHunt, and Putin ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Monti Ransomware

Monti is a relatively new ransomware designed to encrypt files on Linux systems. Files encrypted by Monti ransomware have a ".puuuk” file extension. We are also aware of reports of potential Monti variants that work on Windows systems. 

Figure 1. Files encrypted by Monti ransomware

Monti drops a ransom note titled “README.txt”. This ransom note resembles that of the infamous Conti ransomware. Unlike typical ransomware, the Monti threat actor operates two separate TOR sites: one for hosting data stolen from victims and another for ransom negotiation. At the time of writing, the ransom negotiation site was not accessible. The data leak site has a “wall of shame,” which the Monti operator may have copied from other ransomware gangs such as Ragnar Locker. Currently, the leak site does not list any victims but has a provocative message that may indicate that many victims of Monti ransomware were “cooperative” and paid ransom, except for one victim in Argentina.

Figure 2. Ransom note dropped by Monti ransomware

Figure 3. Monti ransomware’s data leak site

Figure 4. Monti ransomware’s data leak site

The ransomware also drops a text file titled “result.txt”, which shows how many files it has encrypted in the compromised machine.

Figure 5. result.txt showing the number of affected files.

BlackHunt Ransomware

FortiGuard Labs recently came across new variants of the BlackHunt ransomware. This ransomware is relatively new and reportedly accesses victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations.

Files encrypted by BlackHunt ransomware can be identified with the following filename pattern:  [unique ID assigned to each compromised machine].[contact email address].Black. The ransomware also deletes shadow copies, which makes file recovery difficult. The ransomware also drops two ransom notes: one is titled “#BlackHunt_ReadMe.hta” and the other is “#BlackHunt_ReadMe.txt”. 

Figure 6. Files encrypted by BlackHunt ransomware

Although both ransom notes belong to BlackHunt ransomware, the notes not only include different contact email addresses but the different IDs assigned to each victim as well. The ransom note in HTA format also has a link to a TOR site, which was no longer accessible at the time of the investigation.

Figure 7. BlackHunt’s ransom note titled ““#BlackHunt_ReadMe.hta”

Figure 8. BlackHunt’s ransom note in a text file

Figure 9. BlackHunt ransomware logo

Putin Ransomware

Putin is a recent ransomware that encrypts files on victims’ machines. It then tries to extort money for decrypting those files and not leaking stolen data to the public. Files encrypted by Putin ransomware have a “.PUTIN” file extension.

The ransomware drops a ransom note titled “README.txt”, which states that victims have only two days to make a ransom payment. Otherwise, their encrypted files will not be recovered. This is a common tactic used by many ransomware variants to put pressure on victims to pay a ransom as fast as possible. 

Figure 10. Files encrypted by PUTIN ransomware

Figure 11. Ransom note dropped by Putin ransomware

The ransom note includes two Telegram channels: one for negotiating ransom payment with the Putin ransomware gang and another for releasing data stolen from the victims. At the time of the investigation, the channel used for data leaks lists a Singapore and a Spanish company. However, the dates of the posts only go back to late November 2022, indicating that the Putin ransomware is likely not yet widespread.

Figure 12. Putin ransomware’s Telegram channel

Figure 13. Putin ransomware’s Telegram channel used for posting stolen data

Fortinet Protection

Fortinet customers are already protected from this malware variant through FortiGuard’s AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects known Monti, BlackHunt and Putin ransomware variants with the following AV signatures:

Monti ransomware

  • Linux/Filecoder_Conti.A!tr

BlackHunt ransomware

  • W32/Conti.F!tr.ransom

Putin ransomware

  • W32/Conti.F!tr.ransom

IOCs

Monti ransomware

  • edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1

BlackHunt ransomware

  • f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f
  • 977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000

Putin ransomware

  • 7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099
  • 62f9c48b218c4cdb08ed76729539a8b6a6aaf2a558d80b441e7e79e4074d622c
  • 7d1ccac64445547908dc1678479919c9bd063bceac5d214857d2758828f1c60b
  • 80394d4c8680cda921b4fdd63441a8cfdca25eb2ad082149d582bbb5619b0155

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.