Red Hot Cyber
MONOLOCK: The new “silent” ransomware group that rejects leak sites and affiliate panels.

Luca Stivali : 21 November 2025 08:57

The ransomware landscape is changing. The most exposed actors, LockBit, Hunters International, and Trigona, have paid the price for overexposure: international law-enforcement operations, infiltrations, deliberate leaks, and operational collapse.

After years dominated by quasi-industrial models (affiliate panels, leak sites, public chats, and aggressive marketing), groups are emerging that reject the LockBit-style logic and move toward a more opaque, minimal, almost "SIGINT operator" approach: low-profile, technical, almost professional, built around operational invisibility.

The most recent case is MONOLOCK, a new ransomware group that appeared on DarkForums on October 19, 2025 with a manifesto that reads more like the work of a senior red teamer than of a traditional cybercriminal.

Their presentation is unusual and far more technical than that of the average emerging group, and the details they offer deserve a closer look.

An apolitical, technical, OPSEC-oriented group

MONOLOCK defines itself as an apolitical organization specialized in developing toolkits for fully automated ransomware campaigns, with a modular structure based on BOFs (Beacon Object Files) and payloads loaded directly into memory.

So far, it might seem like just another group. But the turning point comes when it declares what it won’t do:

  • No leak site
  • No affiliate panel
  • No public showcase of the victims
  • No hosting of builders or decryptors via dedicated servers

The reason? Their priority is OPSEC, for themselves and for their affiliates. They openly criticize leak sites: according to MONOLOCK, publishing victims' names reduces the likelihood of payment, destroys the victim's reputation even if the ransom is paid, and draws excessive attention from law enforcement. It is a counterintuitive approach, and precisely for that reason a more sophisticated one.

Their arsenal: BOF modules and advanced components

MONOLOCK describes a whole suite of modules, all built as BOFs (Beacon Object Files), the Cobalt Strike format for small compiled C programs that the Beacon loads and executes in its own process memory without dropping files to disk.

  • Privilege Escalation: registry-less techniques that avoid LOLBins, chosen (they claim) to stay clear of patterns EDRs detect.
  • Shadow Copy Wipe: deletion of Volume Shadow Copies (VSS) to block any local recovery attempt.
  • Anti-Analysis: checks for debuggers, hypervisors, timing anomalies, suspicious processes, and cyclic CPU-timing deltas. These are details typically handled by experienced malware developers, not script kiddies.
  • Persistence: scheduled tasks running with SYSTEM privileges and custom triggers.
  • MonoSteal Exfiltration Engine: one of the most important modules, advertised with accelerated exfiltration, live compression, asynchronous I/O, and claimed speeds of up to 45 MB/s. That is a very high figure, comparable (as they themselves say) to LockBit's StealBit; by contrast, rclone-based exfiltration rarely exceeds 5–10 MB/s on real links. None of these throughput figures has been independently verified.
  • MonoLock | Locker: the actual ransomware, based on what they call a hybrid ChaCha20/Salsa20 algorithm with asynchronous encryption at a claimed 276 MB/s. ChaCha20 is itself a refinement of Salsa20, so the "hybrid" label is marketing rather than a new cipher design; what matters operationally is that both are fast software stream ciphers.
  • MonoLock | Decrypt: a decryptor that only works with the campaign's hex-encoded private key, which the group presents as protection against forks and unauthorized copies. It is almost a "boutique ransomware" system.

No leak sites, no panels: a surgical strategy

To the question "Do you have a TOR site? Have you already had victims?"
they answer:

"Hosting extortion updates adds unnecessary weight.
We want to give companies the ability to recover their data and reputation."

And above all:

An affiliate panel exposes builders, decryptors, affiliate databases, and keys. The FBI, CERTs, and researchers love these infrastructures. We don’t want to make them an easy target.

It is an almost "intelligence" philosophy.
Their posts reveal a rare awareness: they understand why the big RaaS operations failed, and they do not want to repeat the same mistakes.

Recruitment and IAB: MONOLOCK enters the operational phase

MONOLOCK is looking for:

  • Experienced affiliates: operators capable of navigating Active Directory
  • Initial access brokers (IABs)
  • Malware developers

And above all: "We don't accept script kiddies." A message designed to filter out unprepared affiliates, a strategy also used by groups like Muliaka and former Team Two accounts.

Initial fee: $500
Revenue share: 20% fixed

Technical level: well above the average of emerging groups

The developers of the BOF modules show advanced skills:

  • deep knowledge of Windows APIs
  • red teaming
  • advanced use of C2
  • OPSEC
  • modular fileless design

The team is likely to come from:

  • pentesting environments
  • groups defected from other RaaS
  • former private loader developers
  • Cobalt Strike / Sliver ecosystems

EDR Evasion: The MONOLOCK Philosophy

One of the most interesting, and rare, passages in MONOLOCK's communication concerns EDR evasion.
Unlike many RaaS groups that boast of being "fully undetectable" ("UD"), MONOLOCK approaches the topic in a technical, almost professional manner, acknowledging limitations, the execution chain, and weaknesses.

In their post they state:

"Our implants beat EDRs, we have tested Windows Defender Endpoint Detection, SentinelOne, CrowdStrike and all of the commercial AVs."

A strong statement, but one immediately accompanied by an explanation unusual for its transparency and technical precision.

Immediately afterwards they specify:

"Since we utilize the BoF implant format, our implant execution is based on the C2 connection, meaning that if the shellcode is detected, there is no pipe through which the implants are being loaded. We offer a shellcode loader […] to mitigate precisely this."

This sentence is crucial.
MONOLOCK is explicitly stating that:

  • the BOF modules are not where detection happens: they run in memory, after the Beacon is established, and evade many EDR techniques
  • the real detection point is the loader, that is, the shellcode that establishes the initial connection to the C2

And they add:

“Long story short, if the C2 gets a connection, implants will run no matter what .”

In other words: if the loader gets through even once, the Beacon will load the BOFs and the rest of the tool chain becomes very hard to detect. For defenders this cuts both ways: the initial loader and its first callback to the C2 are the one step in the chain that in-memory execution cannot hide.
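Since the group's own description makes the C2 connection the hinge of the whole chain, that connection is also the defender's chokepoint. The following is an added example, not code from MONOLOCK or from this article: it flags beacon-style traffic in connection logs by looking, per source/destination pair, for many small connections with near-constant inter-arrival times, which is what a Cobalt Strike Beacon produces at a fixed sleep with low jitter. The connection records, addresses (TEST-NET ranges) and thresholds are all constructed for the example.

```python
"""Added example (not MONOLOCK's code): spot beacon-style C2 traffic in
connection logs. Cobalt Strike Beacons call home at a fixed sleep interval
with configurable jitter, so per (src, dst) pair we look for many small
connections whose inter-arrival times are nearly constant."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection records: (unix_ts, src_ip, "dst_ip:port", bytes_out).
# 10.0.0.5 beacons to 203.0.113.7 (TEST-NET-3) about every 60 s with small
# jitter, and also browses 198.51.100.20 with irregular, larger transfers.
SAMPLE_CONNECTIONS = [
    (1700000000, "10.0.0.5", "203.0.113.7:443", 1200),
    (1700000062, "10.0.0.5", "203.0.113.7:443", 1180),
    (1700000119, "10.0.0.5", "203.0.113.7:443", 1210),
    (1700000181, "10.0.0.5", "203.0.113.7:443", 1195),
    (1700000240, "10.0.0.5", "203.0.113.7:443", 1205),
    (1700000301, "10.0.0.5", "203.0.113.7:443", 1190),
    (1700000001, "10.0.0.5", "198.51.100.20:443", 45000),
    (1700000007, "10.0.0.5", "198.51.100.20:443", 9000),
    (1700000150, "10.0.0.5", "198.51.100.20:443", 130000),
    (1700000299, "10.0.0.5", "198.51.100.20:443", 2000),
    (1700000420, "10.0.0.5", "198.51.100.20:443", 70000),
]


def find_beacons(connections, min_events=5, max_jitter=0.15, max_bytes=4096):
    """Return (src, dst, mean_interval_s, jitter) for pairs that look like beacons.

    jitter = population std-dev of the inter-arrival gaps divided by their mean;
    a Beacon sleeping 60 s with 10 % jitter lands well under 0.15.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in connections:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:          # too few samples to judge periodicity
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        small = all(n <= max_bytes for _, n in events)   # check-ins carry little data
        if jitter <= max_jitter and small:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(SAMPLE_CONNECTIONS):
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s (jitter {jitter})")
```

On the sample data only the 203.0.113.7 pair is reported: the browsing pair fails both the jitter test (gaps of 6 s to 149 s) and the size test. The limits are the usual ones: a Beacon profile with 30–50 % jitter, or a sleep of hours, pushes the ratio over the threshold or starves the window of samples, so this is a hunting aid to run over proxy or NetFlow data, not a signature.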

No promise of undetectability: an unusually realistic approach

And here is the most surprising, and in some ways most professional, part. When asked why they don't advertise their toolset as "undetectable," they reply:

"Why don't we explicitly mention the 'UD' status? We will be straightforward: utilizing UD is a vague expression… it eventually boils down to each company infrastructure."

In summary:

  • They do not promise total undetectability
  • They do not push misleading marketing
  • They do not use the typical RaaS slogans ("100% undetectable")
  • They recognize that detection depends on the victim's infrastructure
  • They confirm that the technical battle is fought over the loader, not the BOFs

This is a level of self-awareness that is very rare in emerging groups.

Why MONOLOCK is extremely dangerous

  • Harder-to-detect attacks: BOFs shrink the surface that EDR/XDR can observe. The group claims to bypass Defender, SentinelOne, and CrowdStrike; the claim is theirs and unverified.
  • No leak site: victims lose the "external signals", researchers have no visibility, uncertainty increases, and with it the probability of payment.
  • Ultra-fast exfiltration: 45 MB/s is roughly 2.7 GB per minute, so tens of GB can leave the network in under ten minutes if the link allows it.
  • High-performance locker: ChaCha20 and Salsa20 are fast software stream ciphers that need no hardware acceleration, so a locker built on them encrypts quickly on ordinary servers. The cipher choice has nothing to do with stealth; what it buys is a shorter window in which encryption can be caught in progress.
  • Above-average OPSEC: no Tor leak site, no panels, no centralization. A far more resilient model.

MONOLOCK isn’t just another ransomware clone. It’s an evolution of the model, a more silent, professional, decentralized, and technical form of ransomware.

It’s the archetype of “boutique ransomware”: small team, advanced code, minimal visibility, maximum efficiency.

We expect the first real campaigns to emerge soon, likely through Initial Access Brokers already active in the Western market. And when they do start, it won’t be easy to notice.

FULL-PACKAGE CTI

(Actor Profile, MITRE ATT&CK, Expected TTPs, IOCs)

Actor Profile – MONOLOCK

  • Type: Ransomware as a Toolkit (RaaT)
  • Model: no leak site, no panel
  • Skill: medium-high
  • Technology: BOFs, fileless loader, Beacon-based C2
  • Probable origin: Eastern Europe (speculation based on language and patterns)
  • Expected targets: companies with Active Directory infrastructures, corporate environments, public administration

MITRE ATT&CK (TTP forecast)

  • Initial Access
    • T1078 – Valid Accounts
    • T1190 – Exploit Public-Facing Application (access typically bought from an IAB)
  • Execution
    • T1047 – Windows Management Instrumentation
    • T1620 – Reflective Code Loading (BOF execution inside the Beacon process)
  • Privilege Escalation
    • T1134 – Access Token Manipulation (token abuse)
    • T1068 – Exploitation for Privilege Escalation
  • Persistence
    • T1053.005 – Scheduled Task (registered to run as SYSTEM)
  • Defense Evasion
    • T1027 – Obfuscated Files or Information
    • T1497 – Virtualization/Sandbox Evasion
    • T1562 – Impair Defenses
  • Credential Access
    • T1003.001 – OS Credential Dumping: LSASS Memory (probably a dedicated BOF)
  • Discovery
    • T1087 – Account Discovery (Active Directory enumeration)
  • Lateral Movement
    • T1021 – Remote Services (SMB/Windows Admin Shares, RDP)
  • Collection
    • T1560 – Archive Collected Data (MonoSteal's live compression)
  • Exfiltration
    • T1041 – Exfiltration Over C2 Channel
  • Impact
    • T1490 – Inhibit System Recovery (shadow copy deletion)
    • T1486 – Data Encrypted for Impact

IOCs (behavioral, no hashes)

  • Abnormal processes
    • scheduled tasks created with a SYSTEM principal (Security event 4698, Task Scheduler Operational event 106), whether registered through schtasks.exe or directly through the Task Scheduler COM API
    • processes hosting a reflective loader: threads whose start address is not backed by any loaded module, typically inside a standard host process such as svchost.exe
  • Network
    • short, periodic connections (beaconing) to recently provisioned offshore VPS hosts
    • bursts of compressed, fragmented outbound traffic consistent with high-speed exfiltration
  • File system
    • sudden deletion of Volume Shadow Copies, whether through vssadmin/wmic or through WMI/COM calls that leave no command line behind
    • ransom notes written to a custom path across directories
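The host-side indicators above only earn their keep once they are written as rules. The following is an added example, not code from MONOLOCK or from this article: three behavioral rules run over constructed Windows event records whose field names mimic Security 4698 (scheduled task created), Sysmon event 1 (process creation) and Sysmon event 8 (CreateRemoteThread). Every value in the sample events is invented for the example.

```python
"""Added example (not MONOLOCK's code): three behavioral rules for the host-side
indicators listed above, evaluated over constructed Windows event records.
The dicts mimic the field names of Security 4698, Sysmon event 1 and Sysmon
event 8; the values are invented."""
import re

SYSTEM_MARKERS = ("s-1-5-18", r"nt authority\system")   # SYSTEM SID and account name

SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(remove|delete)", re.I),   # PowerShell/WMI one-liners
]

# Constructed sample events (field names follow the real schemas, values are made up).
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4698, "SubjectUserName": "alice",
     "TaskName": r"\Microsoft\Windows\SvcUpdate",
     "TaskContent": "<Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>"},
    {"source": "Security", "id": 4698, "SubjectUserName": "alice",
     "TaskName": r"\UserBackup",
     "TaskContent": "<Principal><UserId>S-1-5-21-1-2-3-1001</UserId></Principal>"},   # benign
    {"source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                                          # benign
    {"source": "Sysmon", "id": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x000001F2A3B40000", "StartModule": "", "StartFunction": ""},
    {"source": "Sysmon", "id": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1A2C3D40", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},                                            # benign
]


def rule_system_scheduled_task(ev):
    """Security 4698 whose task XML names SYSTEM as principal (IOC: elevated tasks).
    The Task Scheduler service logs 4698 regardless of whether schtasks.exe or the
    COM API registered the task, provided 'Audit Other Object Access Events' is on."""
    if ev.get("source") != "Security" or ev.get("id") != 4698:
        return None
    content = ev.get("TaskContent", "").lower()
    if any(marker in content for marker in SYSTEM_MARKERS):
        return f"SYSTEM task {ev['TaskName']} registered by {ev.get('SubjectUserName')}"
    return None


def rule_shadow_copy_deletion(ev):
    """Sysmon 1 with a command line that deletes Volume Shadow Copies.
    Caveat: a BOF deleting shadow copies through COM/WMI with no LOLBin, as the
    group claims to do, produces no such command line and slips past this rule."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return f"shadow copy deletion: {cmd}"
    return None


def rule_unbacked_remote_thread(ev):
    """Sysmon 8 where the new thread's start address maps to no loaded module,
    the footprint of a reflectively loaded payload in a standard host process."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 8:
        return None
    if not ev.get("StartModule"):
        return (f"{ev['SourceImage']} started a thread in {ev['TargetImage']} "
                f"at {ev['StartAddress']} with no backing module")
    return None


RULES = [rule_system_scheduled_task, rule_shadow_copy_deletion, rule_unbacked_remote_thread]


def evaluate(events):
    """Run every rule over every event; return [(rule_name, message), ...]."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

On the sample set the rules fire four times (one SYSTEM task, two shadow-copy deletions, one unbacked thread) and stay quiet on the benign task, the `vssadmin list` call and the normal ntdll-backed thread. The gap worth noting is the one the group itself advertises: shadow-copy deletion done through WMI/COM from a BOF leaves no command line, so the second rule has to be paired with auditing of the Win32_ShadowCopy provider or with alerting on snapshots that simply disappear.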

Luca Stivali
Cyber Security Enthusiast and entrepreneur in the IT industry for 25 years, expert in network design and management of complex IT systems. Passion for a proactive approach to cyber security: understanding how and what to protect yourself from is crucial.
