Monti attacks Welch Foods Inc
Ransomware Group Monti Attacks Welch Foods Inc.
Ransomware group Monti has attacked Welch Foods Inc. On Friday, a spokesperson from Welch’s said that a recent “system disruption” that brought its Erie, Pennsylvania operations to a halt was actually a cyberattack. The spokesperson added that a team of more than 100 technology and cybersecurity experts has been working to restore the company’s systems, that the company is working with law enforcement, and that an investigation is underway.
Welch Foods Inc., commonly known as Welch's, is an American company headquartered in Concord, Massachusetts. It has been owned by the National Grape Cooperative Association, a co-op of grape growers, since 1956.
Background on Monti Ransomware
Monti ransomware was discovered by researchers in June 2022. The group drew attention by operating like the now-defunct Conti ransomware group. In September of the same year, BlackBerry's Incident Response team investigated a security incident linked to Monti. The attackers had exploited the notorious Log4Shell vulnerability on a client's internet-facing VMware Horizon virtualization system.
Once the threat actors gained entry to the victim's VMware Horizon Connection Broker server through the Log4Shell exploit, they proceeded to install Google Chrome and used it to download attack tools onto the server.
Recent Developments
After taking a short break, Monti returned in August 2023 with a new Linux-based Monti variant (Ransom.Linux.MONTI.THGOCBC). Trend Micro researchers pointed out that there are significant differences from previous Linux-based versions. One is the use of the "--type=soft" parameter to shut down virtual machines on the system instead of the previous "--type=hard" option. Researchers speculate this was done to help the group evade detection.
Monti's code changes indicate that the group wants to improve its detection-evasion techniques and make it harder for security practitioners to detect and mitigate its actions.