Cybersecurity firm Kaspersky has published a new decryption tool that helps victims of a ransomware modification based on previously leaked Conti source code.
In late February 2023, Kaspersky experts uncovered a new portion of leaked data published on forums. After analyzing the data, which contained 258 private keys, source code and some pre-compiled decryptors, Kaspersky released a new version of the public decryptor to help victims of this modification of Conti ransomware.
Conti appeared in late 2019 and was very active throughout 2020, accounting for more than 13 percent of all ransomware victims during this period. However, a year ago, once the source code was leaked, multiple modifications of Conti ransomware were created by various criminal gangs and used in their attacks.
The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.
Thirty-four of these folders have explicitly named companies and government agencies. Assuming that one folder corresponds to one victim and that the decryptors were generated for the victims who paid the ransom, it can be suggested that 14 victims out of the 257 paid the ransom to the attackers.
After analyzing the data, the experts released a new version of the public decryptor to help victims of this modification of the Conti ransomware. The decryption code and all 258 keys were added to the latest build of Kaspersky’s utility RakhniDecryptor 1.40.0.00. Moreover, the decryption tool has been added to Kaspersky’s “No Ransom” site (https://noransom.kaspersky.com).
“For many consecutive years, ransomware has remained a major tool used by cybercrooks,” said Fedor Sinitsyn, lead malware analyst at Kaspersky. “However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool against a new Conti-based modification is already available on our ‘No Ransom’ webpage. However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at the early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack.”
