Ransom.Linux.MONTI.THGOCBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Ransomware does the following:

• It encrypts all files except for the avoided filename and extension.
• It modifies the contents of the following and replaces the ransomnote text:
  • "/etc/motd"
  • "/usr/lib/vmware/hostd/docroot/index.html"

It accepts the following parameters:

• --path Path to file (required) [--path /vmfs/volumes]
• --whitelist List of VM's that i need to skip [--whitelist /wltxt]
• --vmkill Whether to kill the virtual machine
• --detach Detach from the screen

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• readme.txt

It appends the following extension to the file name of the encrypted files:

• .monti

It leaves text files that serve as ransom notes containing the following text:

• {Encrypted Directory}\readme.txt
  

It avoids encrypting files with the following file extensions:

• .monti
• .sf