Monti Ransomware Attack on CNPC Sport
Company Profile and Industry Standout
CNPC Sport, known as CNPC SPORT Business Campus, is a prominent French institution specializing in the education and training of professionals in the sports industry. The organization offers a comprehensive range of programs, from BAC to BAC+5 levels, across various campuses in France, including Pau, Grenoble, Paris, Vitrolles, and Nantes. CNPC Sport is renowned for its practical training approach and strong partnerships with major sports brands like BOARDRIDERS INC. The institution has been recognized with the "Label Apprentissage en Nouvelle-Aquitaine" for its innovative and high-quality practices.
Vulnerabilities and Targeted Attack
The educational sector, particularly institutions like CNPC Sport that manage extensive personal and administrative data, is increasingly vulnerable to ransomware attacks. The reliance on digital platforms for course delivery and data management makes these institutions attractive targets for cybercriminals. CNPC Sport's extensive data handling, including student records, administrative documents, and internal communications, poses significant risks if compromised.
Attack Overview
In May 2024, CNPC Sport became a victim of the Monti ransomware group. The attackers managed to exfiltrate a substantial amount of data, which included administrative documents, personal information of employees, HR reports, and other sensitive data. The stolen data was subsequently published on Monti's dark web leak site. This breach highlights the growing trend of ransomware groups focusing on data exfiltration as a primary means of extortion.
Details of the Ransomware Group
Monti, a ransomware group that emerged after the dissolution of the infamous Conti group, has been active since June 2022. The group initially replicated Conti's attack strategies using leaked source code but has since developed its own distinct methods. Monti's recent activities have shown a shift towards targeting high-value sectors such as education, legal, and government entities, using a new Linux-based ransomware variant. This variant employs advanced encryption techniques, making it more difficult for security measures to detect and mitigate the group's attacks.
Penetration and Persistence Tactics
Monti ransomware operators typically gain initial access through compromised Remote Desktop Protocol (RDP) credentials or phishing attacks. Once inside the network, they use customized backdoors and disable security software to maintain persistence. The new Linux variant of Monti ransomware features significant deviations from its predecessors, employing AES-256-CTR encryption and advanced file encryption methods to evade detection. These tactics ensure that the attackers can move laterally within the network and exfiltrate data without immediate detection.
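Two of the behaviours described above leave traces in ordinary Windows event logs: a burst of failed logons from one source followed by a successful RDP session, and endpoint protection being switched off shortly after a remote logon. The script below is an added detection example written for this page; it is not code from the Halcyon article or from any Monti sample. It assumes events have already been normalised to dicts with the fields shown, that Security Event ID 4625 is a failed logon, 4624 a successful logon (logon type 10 being RemoteInteractive, i.e. RDP), and that Windows Defender operational Event ID 5001 records real-time protection being disabled. All event records are constructed for the demonstration.

```python
"""Flag RDP credential abuse followed by security tooling being disabled.

Added example (not from the Halcyon article or any Monti sample).
Assumed event schema: ts (ISO 8601), host, id (Windows Event ID),
logon_type, user, src. Sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an old failure outside the window, five failures in
# under a minute, a success from the same address, Defender real-time
# protection disabled on that host two minutes later, then benign activity.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T00:30:00", "host": "SRV-ADM01", "id": 4625, "logon_type": 3, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:00:05", "host": "SRV-ADM01", "id": 4625, "logon_type": 3, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:00:09", "host": "SRV-ADM01", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:00:14", "host": "SRV-ADM01", "id": 4625, "logon_type": 3, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:00:21", "host": "SRV-ADM01", "id": 4625, "logon_type": 3, "user": "backup", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:00:27", "host": "SRV-ADM01", "id": 4625, "logon_type": 3, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:03:30", "host": "SRV-ADM01", "id": 4624, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-05-02T01:05:40", "host": "SRV-ADM01", "id": 5001, "logon_type": None, "user": "SYSTEM", "src": None},
    {"ts": "2024-05-02T08:15:00", "host": "SRV-ADM01", "id": 4624, "logon_type": 10, "user": "jdupont", "src": "10.0.0.25"},
    {"ts": "2024-05-02T09:00:00", "host": "WS-RH04", "id": 5001, "logon_type": None, "user": "SYSTEM", "src": None},
]


def _ts(ev):
    """Parse the event timestamp into a datetime for window arithmetic."""
    return datetime.fromisoformat(ev["ts"])


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts; each alert names the rule that fired.

    Rule 1: a successful RDP logon (4624, type 10) preceded by at least
            fail_threshold failed logons from the same source within window.
    Rule 2: Defender real-time protection disabled (5001) on a host that
            had a successful RDP logon within window.
    """
    alerts = []
    failures = defaultdict(list)    # source address -> timestamps of failed logons
    rdp_logons = defaultdict(list)  # host -> (timestamp, user, src) of RDP successes
    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        if ev["id"] == 4625:
            # With Network Level Authentication enabled, failed RDP attempts are
            # commonly logged as logon type 3 rather than 10, so every failure
            # from the source is counted regardless of logon type.
            failures[ev["src"]].append(t)
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            recent = [f for f in failures[ev["src"]] if t - f <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "rdp_bruteforce_then_success", "host": ev["host"],
                               "src": ev["src"], "user": ev["user"],
                               "failures": len(recent), "ts": ev["ts"]})
            rdp_logons[ev["host"]].append((t, ev["user"], ev["src"]))
        elif ev["id"] == 5001:
            prior = [p for p in rdp_logons[ev["host"]] if t - p[0] <= window]
            if prior:
                _, user, src = prior[-1]  # most recent RDP session on this host
                alerts.append({"rule": "defender_disabled_after_rdp", "host": ev["host"],
                               "src": src, "user": user, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the script raises exactly two alerts, both tied to the 203.0.113.7 session on SRV-ADM01; the 08:15 logon with no preceding failures and the 5001 event on WS-RH04 with no recent remote session are left alone. Raising `fail_threshold` or shortening `window` is the usual tuning lever against noisy environments, and the same two rules map directly onto SIEM correlation searches.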
Sources
- Detected: CNPC Sport falls victim to MONTI Ransomware - Marco Ramilli
- Monti Ransomware’s New Linux Variant Enhanced Encryption - HivePro
- Cyberattack: data from the Pau airport and business school published by hackers - Get To Text
- Monti ransomware targets VMware ESXi servers with new Linux locker - BleepingComputer
- Monti Returns From 2-Month Break with Revamped Ransomware Variant - Security Boulevard