Monti

Also known asMONTIStorm-1194

Monti is a ransomware group/family described as a Conti “doppelganger” that emerged after Conti’s shutdown and impersonated Conti’s TTPs and tools. Reporting cited in the source material links the operation at various times to Mikhail Matveev (aka Wazawaka), stating he operated and managed the Monti ransomware operation. Monti has been observed targeting healthcare at a disproportionate rate; one cited analysis states 20.8% of its attacks were against healthcare organizations, and reporting also describes it as focused on critical infrastructure. A reported victim listed on its dark web site in August 2024 was Excelsior Orthopedics. The group is associated with double-extortion style pressure tactics and public shaming. Source material states Monti claimed to have found evidence that an employee at a victim organization searched for child sexual abuse material and threatened to report it to authorities if the ransom was not paid. It also states Monti published a business owner’s Social Security number and an edited image intended to humiliate and intimidate them. Monti has also been linked to credential theft and defense evasion tooling. Symantec noted that malware used to steal credentials stored in Veeam backups has been used by Monti, alongside other ransomware groups. ESET reported detecting BlackSnufkin’s TfSysMon-Killer during a Monti ransomware attack in February 2025; the deployed variant had identical functionality to the original but was reimplemented from Rust to C++. Known aliases in the provided content are Monti and Storm-1194.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0040

Impact

1 technique

T1486×2

Data Encrypted for Impact

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

eset welivesecurity blogNews

Mar 19, 2026

EDR killers explained: Beyond the drivers

Ransomware group observed deploying a reimplemented TfSysMon-Killer EDR killer during an intrusion.

govinfosecurityNews

Sep 2, 2025

Hacks on Specialty Health Entities Affect Nearly 900,000

Ransomware operations leveraging victim shaming/leak-site posting on the dark web; cited here as claiming/advertising a healthcare victim (Excelsior Orthopedics) following a 2024 hack.

dragos blogNews

May 21, 2025

Dragos Industrial Ransomware Analysis: Q1 2025

Ransomware actor focusing on critical infrastructure; noted for stealthy encryption.

hipaa journalNews

Jan 24, 2025

The Ransomware Groups Targeting Healthcare Organizations

Ransomware operations with a notable portion of attacks against healthcare organizations.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.