Monti Ransomware Attack on Aéroport de Pau
Company Profile and Industry Standout
Aéroport de Pau, also known as Pau-Pyrénées Airport, is a regional airport located in Pau, France. The airport serves both passengers and professionals, offering various services such as meeting rooms, aeronautic freight, advertising, and professional services. It is dedicated to providing high-quality services to its users and has a significant role in regional transportation and logistics.
Vulnerabilities and Targeted Attack
The reliance on digital infrastructure for airport operations, including flight scheduling, passenger management, and professional services, makes airports like Pau-Pyrénées particularly vulnerable to cyberattacks. The extensive handling of sensitive data and critical operational systems presents significant risks if compromised. These factors make airports attractive targets for ransomware groups seeking to exploit vulnerabilities for financial gain or data theft.
Attack Overview
On May 13, 2024, Pau-Pyrénées Airport fell victim to a ransomware attack orchestrated by the Monti group. The attackers managed to exfiltrate a substantial amount of sensitive data, including administrative documents, personal information of employees, and other critical operational data. The stolen data was subsequently published on Monti's dark web leak site, exposing the airport to significant reputational and operational risks.
Details of the Ransomware Group
Monti is a ransomware group that emerged after the dissolution of the infamous Conti group in 2022. Monti initially used leaked source code from Conti but has since developed its own distinct methods. The group's recent attacks have shown a shift towards targeting high-value sectors such as airports, legal, and government entities. Monti's new Linux-based ransomware variant employs advanced encryption techniques and customized backdoors to evade detection and maintain persistence within compromised networks.
Penetration and Persistence Tactics
Monti typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials or phishing attacks. Once inside the network, the group uses sophisticated tactics to disable security measures and exfiltrate data. The new Linux variant of Monti ransomware uses AES-256-CTR file encryption together with other advanced encryption methods, making it challenging for traditional security measures to detect and mitigate the attack. These tactics allow Monti to move laterally within the network and maintain control over the compromised systems.
Implications and Recommendations
The attack on Pau-Pyrénées Airport highlights the urgent need for robust cybersecurity measures within the aviation sector. Airports must implement stringent access controls, conduct regular security audits, and deploy comprehensive endpoint detection and response solutions to mitigate the risks posed by ransomware groups like Monti. Ensuring proper data backup and recovery procedures is also crucial to minimize the impact of such attacks.
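The profile above names compromised RDP credentials as Monti's usual entry point and recommends stronger access controls and endpoint monitoring. One concrete detection that follows from both points is flagging an RDP logon that succeeds shortly after a burst of failed logons for the same account from the same source, which is what credential guessing or stuffing looks like in Windows Security logs. The code below is an added example written for this page, not code from Halcyon or from the incident; the event lines, account names, IP addresses, the 10-minute window and the failure threshold of 5 are all constructed assumptions. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the standard Windows values.

```python
"""Flag RDP logons that succeed after a burst of failures from the same source.

Added example for the Monti / RDP-credential discussion above. The sample
events below are constructed, not taken from the Pau-Pyrénées incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events reduced to the fields that matter here:
#   <timestamp> <EventID> <LogonType> <account> <source IP>
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_EVENTS = [
    "2024-05-13T01:02:11 4625 10 svc-backup 203.0.113.45",
    "2024-05-13T01:02:14 4625 10 svc-backup 203.0.113.45",
    "2024-05-13T01:02:17 4625 10 svc-backup 203.0.113.45",
    "2024-05-13T01:02:20 4625 10 svc-backup 203.0.113.45",
    "2024-05-13T01:02:23 4625 10 svc-backup 203.0.113.45",
    "2024-05-13T01:02:26 4625 10 svc-backup 203.0.113.45",
    "2024-05-13T01:02:40 4624 10 svc-backup 203.0.113.45",  # success after 6 failures
    "2024-05-13T07:58:02 4625 10 jdupont 198.51.100.7",     # one typo, then success: benign
    "2024-05-13T07:58:20 4624 10 jdupont 198.51.100.7",
    "2024-05-13T08:10:00 4625 10 admin 203.0.113.45",       # failures with no success
    "2024-05-13T08:10:03 4625 10 admin 203.0.113.45",
    "2024-05-13T08:15:00 4624 3 fileshare-svc 10.0.0.25",   # network logon, not RDP: ignored
]


def parse_event(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def find_rdp_brute_force_successes(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per RDP success preceded by >= threshold failures.

    Failures are counted per (source IP, account) pair and only those inside
    `window` before the success count. The counter is reset after each
    success so one attack burst produces one alert, not one per later logon.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (src, account) -> timestamps of 4625 events
    alerts = []
    for ev in events:
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        key = (ev["src"], ev["account"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "account": ev["account"],
                    "src": ev["src"],
                    "failures": len(recent),
                    "success_at": ev["ts"].isoformat(),
                })
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_brute_force_successes(SAMPLE_EVENTS):
        print(f"ALERT: {alert['account']} from {alert['src']} succeeded over RDP "
              f"after {alert['failures']} failures at {alert['success_at']}")
```

Run against the constructed sample, the only alert is for `svc-backup` from `203.0.113.45` (six failures, then success); the single typo by `jdupont`, the failures with no following success, and the non-RDP network logon all stay quiet. In production the same logic would consume events 4624/4625 from a SIEM rather than a list, and the threshold and window should be tuned to the site's normal failure rate so that a successful logon after a burst is treated as a credential-compromise signal worth a password reset and session review rather than just a ticket.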