bidon

Ransomware Operation, financially motivated

Intelligence Profile

BIDON is a variant of the Monti ransomware family, first observed around mid‑2023. It employs a double‑extortion strategy—encrypting victims’ files and simultaneously threatening to leak stolen data if the ransom isn’t paid. Notably, it appends the .PUUUK extension to encrypted files and drops a readme.txt ransom note outlining the extortion demands. The note offers a free decryption of two files as proof of capability and emphasizes that only authorized company personnel (e.g., top management) should engage. BIDON specifically targets corporate and enterprise organizations, not home users, and warns victims not to involve law enforcement or third-party recovery firms. It represents a shift toward more aggressive extortion tactics within the Monti lineage.

Threat Analysis

bidon is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like bidon prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Quick Facts

Type: Ransomware Operation
Motivation: Financial
Aliases: 1

Also Known As

bidon

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.