Free decryptor released for Conti ransomware variant infecting hundreds of organisations
Hundreds of organisations and state institutions are believed to have been impacted by the strain
Kaspersky has unveiled an updated free decryptor tool to support victims of a modified strain of Conti ransomware.
The ransomware strain, tracked by some researchers as MeowCorp, is one of several modified strains based on Conti source code leaked in March 2022, and has been used to target a range of companies and state institutions.
This latest tool was developed following an investigation into a new portion of leaked Conti data published on forums. Analysis of the leak uncovered 258 private keys, source code, and some pre-compiled decryptors, researchers noted.
“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc,” the company said in a statement this week.
“Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”
Kaspersky said the decryption code and all 258 keys were added to the latest build of its RakhniDecryptor utility. In addition, the tool has been added to Kaspersky’s long-running No Ransom site.
Hundreds of organisations impacted
First observed in 2019, Conti's eponymous ransomware strain was among the most prolific throughout 2020, accounting for more than 13% of all ransomware victims across that period.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
When Conti source code was leaked last year, a slew of new modifications and strains emerged and were used to devastating effect by cyber criminal gangs.
Leaked keys for the MeowCorp variant were uncovered by Kaspersky researchers in December 2022. However, Fedor Sinitsyn, lead malware analyst at Kaspersky, told IT Pro that this strain could have been active for some time.
"Our research indicates that the private keys were operational between the 13th of November 2022 and the 5th of February 2023, and the last decryptor we identified was on the 9th of February," he said.
"It is vital that organisations take proactive measures to protect their systems against such attacks, including regular data backups and robust cybersecurity measures."
The analysis found that 34 folders “explicitly named companies and government agencies” impacted by the strain.
Sinitsyn said that 257 companies had fallen victim to the ransomware strain, the majority of which have not been disclosed by threat actors.
"Our analysis reveals that 257 companies have fallen prey to this malicious software, with 34 of the victims/organisations identified by name," he said. "The identities of the remaining 223 victims currently remain concealed by the threat actors."
The release of this decryptor tool follows a number of similar moves by cyber security companies and government agencies globally.
Earlier this month, Bitdefender released a free decryption tool for the MortalKombat ransomware strain which has risen to prominence over the last several months.
Similarly, in February CISA unveiled a recovery script for organisations that have fallen victim to the rampant ESXiArgs ransomware which emerged at the beginning of the month.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.