Kaspersky has released a new version of a decryption tool that assists victims of a ransomware variant built from the previously leaked Conti source code. Conti is a ransomware gang that emerged in 2019 and has been active in the cybercrime scene since then; its source code was leaked in March 2022 following an internal conflict triggered by geopolitical tensions in Europe. The variant in question was distributed by an unknown ransomware group and used against companies and government institutions.
In late February 2023, Kaspersky experts uncovered a new portion of leaked data posted on forums. After analyzing the data, which included 258 private keys, source code, and precompiled decryptors, Kaspersky released a new version of its decryption tool to help victims of this Conti-based variant.
Conti ransomware initially emerged in late 2019 and was highly active throughout 2020, accounting for over 13% of all ransomware victims during that period. After the March 2022 source code leak, however, various criminal groups built their own modifications of Conti and used them in their attacks.
The variant to which the leaked private keys belong was first identified by Kaspersky experts in December 2022. It has been used in numerous attacks against businesses and government institutions.
Of the 257 folders containing the leaked private keys, 14 are named after specific companies and government agencies. If each folder corresponds to one victim, and the decryptors were generated only for victims who paid, then 14 of the 257 victims paid the ransom.
After analyzing the data, experts released a new version of the decryption tool to assist victims of this Conti-based variant. The decryption code and all 258 keys were incorporated into Kaspersky’s RakhniDecryptor 1.40.0.00 tool. The decryption tool was also added to Kaspersky’s No Ransom website (https://noransom.kaspersky.com).
Fedor Sinitsyn, Chief Malware Analyst at Kaspersky, stated, “Ransomware has remained a significant tool used by cybercriminals for several years in a row. However, as we’ve examined the tactics, techniques, and procedures (TTPs) of different ransomware gangs and found that many operate in similar ways, it becomes easier to prevent these attacks. A decryption tool for a new Conti-based variation is already available on our No Ransom website. Nonetheless, we emphasize that the best strategy is to strengthen defense, stop attackers in the early stages of an attack, prevent ransomware distribution, and minimize the consequences of an attack.”
To protect yourself and your business from ransomware attacks, Kaspersky experts offer the following recommendations:
- Avoid opening remote desktop services (such as RDP) to the public internet unless absolutely necessary, and always use strong passwords for them.
- Immediately apply available patches for commercial VPN solutions that provide remote access for remote workers and serve as gateways in your network.
- Focus your defense strategy on detecting lateral movements and data leakage to the internet. Pay particular attention to outbound traffic to identify connections made by cybercriminals.
- Regularly back up your data, ensuring quick access in case of an emergency.
- Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response to detect and stop attacks in their early stages before threat actors achieve their ultimate goals.
- Stay informed about the real TTPs (Tactics, Techniques, and Procedures) used by threat actors by using the latest Threat Intelligence information. Kaspersky Threat Intelligence Portal provides a single access point to 25 years of cyberattack data and insights collected by its team. Kaspersky offers free access to independent, continuously updated, and globally sourced information to help businesses defend against ongoing cyberattacks and threats.
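The first recommendation above (no RDP exposed to the public internet) is easy to state and easy to get wrong in practice: a rule that opens "all ports" or "any protocol" from a broad source exposes RDP just as surely as an explicit 3389 rule does. The following check is an added example written for this page, not Kaspersky's code. It assumes a simplified, provider-neutral rule format (direction, protocol, port range, source CIDR) of the kind exported from cloud security groups or host firewalls, and the sample rules are constructed, not real data.

```python
"""Find firewall / security-group rules that expose RDP to the public internet.

Added example, not Kaspersky's code. The rule dict layout below is an
assumption: a flattened, provider-neutral view of an ingress/egress rule.
"""
import ipaddress

RDP_PORT = 3389

# Source networks that are not reachable from the public internet. A rule whose
# source lies entirely inside one of these is considered internal.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "100.64.0.0/10",                                    # CGNAT (RFC 6598)
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Constructed sample rules (assumed format). 203.0.113.0/24 is a documentation
# range standing in for an arbitrary external /24.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "direction": "ingress", "protocol": "tcp",
     "port_from": 3389, "port_to": 3389, "source": "0.0.0.0/0"},
    {"name": "allow-rdp-from-vpn", "direction": "ingress", "protocol": "tcp",
     "port_from": 3389, "port_to": 3389, "source": "10.8.0.0/16"},
    {"name": "allow-all-ports-public-v6", "direction": "ingress", "protocol": "tcp",
     "port_from": 0, "port_to": 65535, "source": "::/0"},
    {"name": "allow-any-proto-broad", "direction": "ingress", "protocol": "any",
     "port_from": 1, "port_to": 65535, "source": "203.0.113.0/24"},
    {"name": "egress-rdp", "direction": "egress", "protocol": "tcp",
     "port_from": 3389, "port_to": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-udp-public", "direction": "ingress", "protocol": "udp",
     "port_from": 3389, "port_to": 3389, "source": "0.0.0.0/0"},
]


def is_public_source(cidr: str) -> bool:
    """True unless the source network lies wholly inside a non-public block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == block.version and net.subnet_of(block)
                   for block in PRIVATE_BLOCKS)


def covers_rdp(rule: dict) -> bool:
    """True if the rule's protocol and port range include RDP.

    RDP is TCP 3389, but modern clients also use UDP 3389 for the UDP
    transport, and a protocol wildcard covers both, so all three are flagged.
    """
    proto = str(rule["protocol"]).lower()
    if proto not in ("tcp", "udp", "any", "all", "-1", "*"):
        return False
    return rule["port_from"] <= RDP_PORT <= rule["port_to"]


def find_exposed_rdp(rules: list) -> list:
    """Return the names of ingress rules that allow RDP from a public source."""
    return [r["name"] for r in rules
            if r["direction"] == "ingress"
            and covers_rdp(r)
            and is_public_source(r["source"])]


if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_RULES):
        print(f"RDP reachable from the internet via rule: {name}")
```

The check deliberately does not rely on `ipaddress`'s `is_private` property, which historically classified `0.0.0.0/0` as private because both its first and last addresses fall in reserved ranges; testing `subnet_of` against an explicit list of internal blocks avoids that trap. On real rule exports, run it over every security group or host firewall that fronts a Windows host, and treat any hit as a finding to fix by moving RDP behind a VPN or bastion rather than by narrowing the source to a "slightly smaller" public range.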
About Kaspersky:
Kaspersky is a global cybersecurity and digital privacy company established in 1997. Kaspersky’s deep threat intelligence and security expertise continuously evolve to provide innovative solutions and services for protecting businesses, critical infrastructure, governments, and consumers worldwide. The company’s comprehensive security portfolio includes leading-edge endpoint protection, specialized security products and services, and Cyber Immunity solutions to combat advanced and emerging digital threats. Kaspersky technology protects over 400 million users and helps more than 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.