Pierluigi Paganini
March 18, 2023
Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked source code for the Conti ransomware.
In March 2022, a Ukrainian security researcher has leaked the source code from the Conti ransomware operation to protest the gang’s position on the conflict.
After the leak of the source code, an unknown ransomware group started distributing a modified version of the Conti ransomware in attacks aimed at companies and state institutions.
In late February 2023, Kaspersky researchers uncovered a new portion of leaked data published on forums and noticed the presence of 258 private keys. The leak also included source code and some pre-compiled decryptors, which allowed the researchers to release new version of the public decryptor.
“The malware variant whose keys were leaked, had been discovered by Kaspersky specialists in December 2022. This strain was used in multiple attacks against companies and state institutions.” states Kaspersky.
“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”
The researchers added all 258 keys to the latest build of Kaspersky’s utility RakhniDecryptor 1.40.0.00. Users can download the decryptor from the Kaspersky’s “No Ransom” site.
“For many consecutive years, ransomware has remained a major tool used by cybercrooks. However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool against a new Conti-based modification is already available on our “No Ransom” webpage. However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack,” said Fedor Sinitsyn, lead malware analyst at Kaspersky.
Below is the list of recommendations provided by the experts to protect organizations from ransomware attacks:
The Conti group has been active since 2019, the FBI estimated that between 2020 and 2022 the gang breached hundreds of organizations. The FBI estimated that as of January 2022, the gang obtained $150,000,000 in ransom payments from over 1,000 victims.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Conti)
