Operator dossier

Monti is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 110 public victims claimed by this operator between December 7, 2022 and May 8, 2025. Monti is a ransomware group that emerged in December 2022, operating with primarily financial motivations through targeted encryption attacks against organizations across multiple sectors. The group's origin and specific affiliations remain largely undocumented in public threat intelligence reports, though their operational patterns suggest they function as an independent ransomware operation rather than a established Ransomware-as-a-Service model. Monti's attack methodology and specific technical details regarding initial access vectors, encryption methods, and data exfiltration practices have not been extensively documented in publicly available threat intelligence from major security firms or government agencies. The group has reportedly compromised approximately 110 victims since their emergence, with their targeting primarily focused on organizations in the United States, Canada, Germany, France, and Italy, showing a particular preference for business services, healthcare, manufacturing, and technology sectors. Limited public documentation exists regarding specific notable campaigns or high-profile attacks attributed to Monti, reflecting the group's relatively recent emergence and lower profile compared to more established ransomware operations. As of current reporting, Monti appears to remain an active threat, though comprehensive intelligence on their current operational status is limited in publicly available sources from major cybersecurity organizations and law enforcement agencies.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Monti

110 victims indexed · first seen 4 years ago · last activity 1 year ago

110

Victims indexed

#69 of 356 tracked operators

2y 5m

Active period

Dec 2022 → May 2025

Countries hit

top United States · 24

At a glance

Status: inactive
First seen: 4 years ago
Last activity: 1 year ago
Onion sites: 3 known endpoints
Primary sector: Not Found · 16 hits

About

Monti is a ransomware group that emerged in December 2022, operating with primarily financial motivations through targeted encryption attacks against organizations across multiple sectors. The group's origin and specific affiliations remain largely undocumented in public threat intelligence reports, though their operational patterns suggest they function as an independent ransomware operation rather than a established Ransomware-as-a-Service model. Monti's attack methodology and specific technical details regarding initial access vectors, encryption methods, and data exfiltration practices have not been extensively documented in publicly available threat intelligence from major security firms or government agencies. The group has reportedly compromised approximately 110 victims since their emergence, with their targeting primarily focused on organizations in the United States, Canada, Germany, France, and Italy, showing a particular preference for business services, healthcare, manufacturing, and technology sectors. Limited public documentation exists regarding specific notable campaigns or high-profile attacks attributed to Monti, reflecting the group's relatively recent emergence and lower profile compared to more established ransomware operations. As of current reporting, Monti appears to remain an active threat, though comprehensive intelligence on their current operational status is limited in publicly available sources from major cybersecurity organizations and law enforcement agencies.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/monti

Timeline

23 months

2022-12-01T00:00:00+00:002025-05-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇨🇦 Canada

🇩🇪 Germany

🇫🇷 France

🇮🇹 Italy

🇬🇧 United Kingdom

🇵🇭 Philippines

🇹🇷 Turkey

United States dossier →Canada dossier →Germany dossier →France dossier →

Top sectors

Not Found

Business Services

Healthcare

Manufacturing

Technology

Transportation/Logistics

Financial

Government

Not Found dossier →Business Services dossier →Healthcare dossier →Manufacturing dossier →

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1204User Execution
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

3 known

http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion
http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion/
http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Monti posts a victim.

Add Monti to your watchlist — Pro pings you within 5 minutes of any new Monti leak-site post, Telegram callout, or affiliate-rebrand inference.