Cyber Threat Actor: Monti ransomware

Aliases: 2 aliases
Actor Type: Crime Syndicate
Known Incidents: 3 incidents
Profile

Monti ransomware, also known as Monti, operates as a Ransomware-as-a-Service (RaaS) entity first observed in mid-2022. The group has conducted multiple high-impact attacks since its emergence, primarily targeting organizations in Italy and Argentina. Its operations against Italian entities include a May 2023 breach of the business services firm Servizi Omnia, in which client contract data was exfiltrated, and a May 2023 compromise of the healthcare provider ASL1 dell'Aquila that exposed 522GB of sensitive patient records, including information on HIV-positive individuals. Between 2023 and 2025, Monti expanded its operations to Argentina's defense sector, repeatedly attacking a state-owned military manufacturer during its privatization process; across three separate incidents this resulted in the theft of 300GB of advanced weapons development data, including tank upgrades and helicopter designs. The group pursues financial extortion through double-extortion tactics, combining data encryption with threats to publish stolen information on its leak site, and publicly mocks victims' security postures during negotiations.

Technical analysis shows that Monti's operations rely heavily on code from the Conti ransomware strain, reusing the Conti infrastructure and encryption methodologies leaked in March 2022. The group builds on this foundation with operational changes of its own, including the use of the Action1 Remote Monitoring and Management (RMM) tool for persistence and the exploitation of critical vulnerabilities such as Log4Shell. Its ransomware implements hybrid encryption, combining a symmetric algorithm with RSA, so that decryption is impossible without the attackers' private key. Monti's public persona is that of "cyberpunk" security auditors testing corporate network defenses, yet its leak site communications directly adapt Conti's ransom notes with only minor modifications. While researchers note technical parallels to Conti operations, no confirmed organizational affiliation or state sponsorship has been established. The group times its attacks to maximize impact, striking during holiday periods such as Independence Day weekends and during organizational transitions such as corporate privatizations, with a demonstrated focus on critical infrastructure sectors including healthcare, defense contracting, and professional services across European and South American targets.

Incidents: 3 attributed incidents (available to members)
Sources: 2 sources (available to members)