The Monti Ransomware Attack on the Hungarian Investment Promotion Agency

The Monti ransomware gang has attacked the Hungarian Investment Promotion Agency. The Hungarian Investment Promotion Agency (HIPA), also known as Magyar Beruházási és Kereskedelmi Ügynökség in Hungarian, is a government agency responsible for promoting and facilitating foreign direct investment (FDI) in Hungary. The agency's primary objective is to attract international businesses and investors to establish or expand their operations within the country. HIPA operates under the Ministry of Foreign Affairs and Trade of Hungary.

Monti posted the Hungarian Investment Promotion Agency to its data leak site on July 30th, claiming to have stolen 60GB of data. Monti is a ransomware software engineered with the intention to encrypt data and solicit payment for the provision of decryption tools. Notably, Monti is an emerging iteration of the Conti ransomware. Moreover, the operational methods employed by Monti exhibit striking parallels to those utilized by Conti.

Background on the Conti Ransomware

In February 2022, the group responsible for Conti fell victim to a substantial breach that exposed and disseminated sensitive data, encompassing source codes, hacking utilities, and related materials. This divulged information effectively served as a comprehensive guide for potential cybercriminals interested in emulating Conti's methods. Consequently, it is plausible that Monti might not stand as the exclusive ransomware faction to base its activities on insights drawn from the aforementioned Conti breaches.

How Monti Operates

The Monti ransomware executes a process of file encryption, appending filenames with a distinct extension consisting of five randomly generated characters. For instance, our assessment of a Monti sample on a test system transformed a file named "1.jpg" into "1.jpg.PUUUK". Upon completing the encryption procedure, Monti establishes a ransom note titled "readme.txt".

The content of the ransom message closely mirrors that of Conti's communication. It notifies victims that their files have undergone encryption and that sensitive data has been procured. The ransom note cautions victims against any efforts to manually decrypt the compromised files, asserting that such endeavors would prove futile and may lead to irreparable decryption failure. The only viable avenue to regain access to the encrypted data is establishing communication with the attackers and fulfilling their financial demands. To substantiate this claim, a free decryption test is provided as evidence.

The note issues a stark ultimatum, indicating that the victims must either engage with the cybercriminals and meet their demands or risk the exposure of the pilfered data should they choose to ignore the communication or involve law enforcement authorities.