Monolock ransomware has surfaced in underground forums, with threat actors advertising version 1.0 for sale alongside stolen corporate credentials.
First detected in late September, the malware is delivered through phishing emails carrying malicious Word documents.
Upon opening, the embedded macro downloads the ransomware binary from a compromised server. Victims report file encryption using a mix of AES-256 for file payloads and RSA-2048 for key exchange, rendering data inaccessible without the private key.
Dark Web Informer analysts noted that Monolock’s initial deployments targeted small to mid-sized organizations in healthcare and manufacturing sectors.
The operators demand payment in cryptocurrency, instructing victims to access a Tor-hosted payment portal. This portal automatically verifies the transaction and supplies the decryption key.
Early samples reveal a ransom note that offers a 10 percent discount if paid within 48 hours.
In controlled environments, researchers identified that Monolock terminates processes associated with common backup and security software before encryption begins.
It scans running services for patterns matching “backup,” “sql,” and “vss,” then kills them to prevent snapshot restores.
After encryption, it appends the extension “.monolock” to filenames and leaves a ransom note named “README_RECOVER.txt” in each directory.
Monolock persists by writing itself to the Windows registry under the Run key, ensuring execution at boot.
The malware binary disguises itself as a legitimate DLL and injects into explorer.exe to evade detection.
It uses API hashing to locate required Windows functions dynamically, complicating static signature matching.
A snippet of the API-hashing routine demonstrates this tactic:

```c
typedef unsigned int DWORD;   /* 32-bit Windows type, so the rotate wraps at 32 bits */

DWORD api_hash(const char *moduleName) {
    DWORD hash = 0xA1B2C3D4;                               /* fixed seed */
    for (const char *p = moduleName; *p; ++p) {
        hash = ((hash << 7) | (hash >> (32 - 7))) ^ *p;   /* rotl7, then XOR in the byte */
    }
    return hash;
}
```

By leveraging this routine, Monolock avoids importing functions by name, hindering many endpoint detection tools that rely on the import table.
This advanced evasion underscores the need for behavior-based monitoring to detect such threats.
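A defender-side counterpart to the routine above, added here as an example and not code from the article or from the malware: it reimplements the rotate-left-7-then-XOR hash with the seed 0xA1B2C3D4 so that hash constants recovered from a sample can be mapped back to API names. The candidate API list is constructed for this example, and it assumes names are hashed as plain ASCII, exactly as written; the article does not say whether the sample normalizes case.

```python
# Added example: rebuild the Monolock-style API hash in Python and use it to
# resolve hash constants found in a sample back to Windows API names.
# Routine and seed come from the article's snippet; everything else is constructed.

MASK32 = 0xFFFFFFFF
SEED = 0xA1B2C3D4


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits (emulates the C rotate on a DWORD)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def monolock_hash(name: str) -> int:
    """Hash a function or module name the way the article's snippet does.
    Assumption: names are hashed as given, in ASCII, with no case folding."""
    h = SEED
    for byte in name.encode("ascii"):
        h = rotl32(h, 7) ^ byte
    return h


# Constructed candidate list: APIs a ransomware dropper typically resolves for
# process/service termination, persistence, file I/O and crypto.
CANDIDATE_APIS = [
    "CreateFileW", "WriteFile", "ReadFile", "CryptAcquireContextA",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "OpenProcess", "TerminateProcess", "OpenSCManagerA", "OpenServiceA",
    "ControlService", "RegOpenKeyExA", "RegSetValueExA", "VirtualAlloc",
    "GetProcAddress", "LoadLibraryA",
]


def build_lookup(names=CANDIDATE_APIS):
    """Precompute hash -> name so constants seen in a disassembly can be resolved."""
    return {monolock_hash(n): n for n in names}


def resolve(hash_value: int, table=None):
    """Return the API name for a hash constant, or None if it is not in the table."""
    table = build_lookup() if table is None else table
    return table.get(hash_value & MASK32)


if __name__ == "__main__":
    for h, name in sorted(build_lookup().items()):
        print(f"0x{h:08X}  {name}")
```

Feeding the table a larger export list (for example every export of kernel32.dll and advapi32.dll dumped from a clean system) turns this into a practical hash-resolution aid for samples that use this routine.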