Pierluigi Paganini March 18, 2023

Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware.

Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked source code for the Conti ransomware.

In March 2022, a Ukrainian security researcher has leaked the source code from the Conti ransomware operation to protest the gang’s position on the conflict.

After the leak of the source code, an unknown ransomware group started distributing a modified version of the Conti ransomware in attacks aimed at companies and state institutions.

In late February 2023, Kaspersky researchers uncovered a new portion of leaked data published on forums and noticed the presence of 258 private keys. The leak also included source code and some pre-compiled decryptors, which allowed the researchers to release new version of the public decryptor.

“The malware variant whose keys were leaked, had been discovered by Kaspersky specialists in December 2022. This strain was used in multiple attacks against companies and state institutions.” states Kaspersky.

“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”

The researchers added all 258 keys to the latest build of Kaspersky’s utility RakhniDecryptor 1.40.0.00. Users can download the decryptor from the Kaspersky’s “No Ransom” site.

 “For many consecutive years, ransomware has remained a major tool used by cybercrooks. However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool against a new Conti-based modification is already available on our “No Ransom” webpage. However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack,” said Fedor Sinitsyn, lead malware analyst at Kaspersky.

Below is the list of recommendations provided by the experts to protect organizations from ransomware attacks:

• Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
• Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
• Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections.
• Back up data regularly. Make sure you can quickly access it in an emergency when needed. 
• Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
• Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.

The Conti group has been active since 2019, the FBI estimated that between 2020 and 2022 the gang breached hundreds of organizations. The FBI estimated that as of January 2022, the gang obtained $150,000,000 in ransom payments from over 1,000 victims.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Conti)