A new decryption tool that aids victims of a ransomware version that was based on previously released Conti source code has been published. Ransomware gangs like Conti have dominated the criminal landscape since 2019. Conti’s data, including its source code, were exposed in March 2022 after an internal struggle that was sparked by a geopolitical crisis in Europe. The identified version was disseminated by an unknown ransomware gang and has been used against corporations and public entities. The malware known as Conti first surfaced before the end of 2019 and continued to be quite active throughout the whole of 2020. It was responsible for more than 13 percent of all ransomware victims during this time. Nevertheless, after the disclosure of the source code for Conti ransomware a year ago, several variants of the ransomware were generated by a variety of criminal groups and employed in the attacks they carried out.
Fedor Sinitsyn, the chief malware analyst at Kaspersky, said that ransomware has continued to be a primary weapon used by cybercriminals for a number of years in a row. “But, since we have researched the tactics, techniques, and procedures (TTPs) of many ransomware gangs and identified that many of them work in similar ways, it is now simpler for us to avoid assaults. On our website titled “No Ransom,” you may already find the decryption tool that can be used against the latest Conti-based update. Yet, we would like to underline that the optimal approach is to increase defenses and stop the attackers at early stages of their incursion, therefore avoiding the deployment of ransomware and reducing the repercussions of the attack.
Late in the month of February 2023, specialists from Kaspersky discovered a fresh piece of stolen material that had been posted on online forums. A fresh version of the public decryptor was made available by Kaspersky after the company analyzed the material, which included 258 private keys, source code, and some pre-compiled decryptors. This was done in order to assist anyone who had their files encrypted by a variant of the Conti ransomware.
Specialists had found the form of the malware that had been compromised in December of 2022. The keys had been stolen. Several cyberattacks on private firms and government agencies were carried out using this strain.
The exposed private keys may be found in a total of 257 different files (only one of these folders contains two keys). Some of them include previously developed decryptors and various conventional files: papers, images, etc. Perhaps the latter are test files — a handful of files that the victim delivers to the attackers to make sure that the files can be decrypted.
34 of these categories specifically list businesses and government organizations. Considering that one folder refers to one victim, and that the decryptors were made for the victims who paid the ransom, it may be inferred that14 victims out of the 257 paid the money to the attackers.
After conducting an in-depth analysis of the data, the cybersecurity professionals have now made available an updated version of the public decryptor in order to assist anyone who have fallen victim to the latest iteration of the Conti ransomware. The decryption algorithm and all 258 keys have been included in the most recent build of the RakhniDecryptor program that Kaspersky offers, which is version 1.40.0.00. Moreover, the decryption tool may be found on Kaspersky’s “No Ransom” website, which can be accessed at https://noransom.kaspersky.com.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.