Free decryptor released for Conti ransomware variant infecting hundreds of organisations

Kaspersky has unveiled an updated free decryptor tool to support victims of a modified strain of Conti ransomware.

The ransomware strain, tracked by some researchers as MeowCorp, is one of several modified strains based on Conti source code leaked in March 2022, and has been used to target a range of companies and state institutions.

This latest tool was developed following an investigation into a new portion of leaked Conti data published on forums. Analysis of the leak uncovered 258 private keys, source code, and some pre-compiled decryptors, researchers noted.

“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc,” the company said in a statement this week.

“Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”

Kaspersky said the decryption code and all 258 keys were added to the latest build of its RakhniDecryptor utility. In addition, the tool has been added to Kaspersky’s long-running No Ransom site.

Hundreds of organisations impacted

First observed in 2019, Conti's eponymous ransomware strain was among the most prolific throughout 2020, accounting for more than 13% of all ransomware victims across that period.

When Conti source code was leaked last year, a slew of new modifications and strains emerged and were used to devastating effect by cyber criminal gangs.

Leaked keys for the MeowCorp variant were uncovered by Kaspersky researchers in December 2022. However, Fedor Sinitsyn, lead malware analyst at Kaspersky, told IT Pro that this strain could have been active for some time.

"Our research indicates that the private keys were operational between the 13th of November 2022 and the 5th of February 2023, and the last decryptor we identified was on the 9th of February," he said.

"It is vital that organisations take proactive measures to protect their systems against such attacks, including regular data backups and robust cybersecurity measures."

The analysis found that 34 folders “explicitly named companies and government agencies” impacted by the strain.

Sinitsyn said that 257 companies had fallen victim to the ransomware strain, the majority of which have not been disclosed by threat actors.

"Our analysis reveals that 257 companies have fallen prey to this malicious software, with 34 of the victims/organisations identified by name," he said. "The identities of the remaining 223 victims currently remain concealed by the threat actors."

The release of this decryptor tool follows a number of similar moves by cyber security companies and government agencies globally.

Earlier this month, Bitdefender released a free decryption tool for the MortalKombat ransomware strain which has risen to prominence over the last several months.

Similarly, in February CISA unveiled a recovery script for organisations that have fallen victim to the rampant ESXiArgs ransomware which emerged at the beginning of the month.