A decryption tool for a modified version of Conti ransomware could help hundreds of victims get their files back for free.
The utility works with data encrypted by a strain of the ransomware that emerged after Conti's source code was leaked in March last year [1, 2].
Hundreds of encrypted victims
Researchers from cybersecurity company Kaspersky found the leak on a forum where threat actors posted a cache of 258 private keys for a modified version of Conti ransomware.
The variant was used in attacks against various public and private organizations over the past year by a ransomware group that some researchers track as MeowCorp.
Ransomware researcher Friend-A told BleepingComputer that the threat actors posted the data on a Russian-speaking forum in February 2022, in a message that contained a link to a file with the decryption keys, decryptor executables, and the decryptor source code.
Kaspersky analyzed the keys and found that they were associated with a Conti variant that they discovered in December 2022. However, the strain had been circulating since at least August.
“The leaked private keys are found in 257 folders (only one of these folders contains two keys),” Kaspersky says in a press release today.
BleepingComputer learned that the attacks using the Conti-based encryptor were primarily targeting Russian organizations.
The researchers add that some of the folders also included pre-generated decryptors along with other files, such as photos and documents, which were likely used to show victims that the decryption works.
Thirty-four of the folders contained the explicit names of victim organizations in the government sector in countries in Europe and Asia.
Fedor Sinitsyn, Kaspersky's principal malware analyst, told BleepingComputer that the names in the rest of the folders were encrypted.
Based on this and the number of decryptors available in the leak, Kaspersky says it can be assumed that the modified Conti strain was used to encrypt 257 victims and that 14 of them paid the attackers to recover the locked data.
The private keys were created between November 13, 2022 and February 5, 2023, which is a good indication of the timeline of the attacks. Sinitsyn told us that the infection dates of the victims who contacted Kaspersky for decryption fell within that time range.
Kaspersky added the decryption code and 258 private keys to its RakhniDecryptor, a tool that can recover files encrypted by more than two dozen ransomware strains.
According to Kaspersky, the decryptor can recover files encrypted by the modified Conti variant that used the following file name and extension patterns:
.KREMLIN, .RUSSIA, .PUTIN
The demise of Conti ransomware
For about three years, the Conti gang ran one of the most active and lucrative ransomware-as-a-service operations, targeting large organizations and demanding large ransoms to decrypt the data they locked.
Considered the successor to Ryuk ransomware, the Conti operation began in December 2019 and, with the help of TrickBot operators, became a mainstream threat in July 2020.
The gang wreaked havoc non-stop for a year and adopted new tactics (e.g. data theft, a data leak site) to force victims to pay the ransom.
In August 2021, a disgruntled Conti affiliate leaked information about some of the group's members along with the gang's attack methods and training manuals.
Russia’s invasion of Ukraine in February last year created further internal friction as core members sided with Russia.
This led a researcher who had been monitoring the operation to leak thousands of messages exchanged between Conti operators and affiliates.
The researcher's revenge continued through March with the leak of the source code of the ransomware's encryptor, decryptor and builder, as well as the administrative panels [1, 2].
It didn't take long for the operation to collapse, and in May 2022 Conti's team leaders pulled the plug on the infrastructure and announced that the brand was no more.
Conti’s leadership teamed up with other gangs in the extortion business and the other members migrated to other ransomware operations.
The US government assesses that Conti was one of the most lucrative ransomware operations, generating thousands of victims and racking up more than $150 million in ransom payments.
The damage caused to American companies prompted the US State Department to offer a reward of up to $15 million for information identifying and locating Conti leaders and affiliates.
Update [March 16, 16:39 EST]: Article updated with information from Kaspersky that we received after publication time.