IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Free decryptor released for Conti ransomware variant infecting hundreds of organisations

Hundreds of organisations and state institutions are believed to have been impacted by the strain

Kaspersky has unveiled an updated free decryptor tool to support victims of a modified strain of Conti ransomware.  

The ransomware strain, tracked by some researchers as MeowCorp, is one of several modified strains based on Conti source code leaked in March 2022, and has been used to target a range of companies and state institutions.

This latest tool was developed following an investigation into a new portion of leaked Conti data published on forums. Analysis of the leak uncovered 258 private keys, source code, and some pre-compiled decryptors, researchers noted. 

“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc,” the company said in a statement this week.  

“Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.” 

Kaspersky said the decryption code and all 258 keys were added to the latest build of its RakhniDecryptor utility. In addition, the tool has been added to Kaspersky’s long-running No Ransom site. 

Hundreds of organisations impacted 

First observed in 2019, Conti's eponymous ransomware strain was among the most prolific throughout 2020, accounting for more than 13% of all ransomware victims across that period.  

When Conti source code was leaked last year, a slew of new modifications and strains emerged and were used to devastating effect by cyber criminal gangs.  

Leaked keys for the MeowCorp variant were uncovered by Kaspersky researchers in December 2022. However, Fedor Sinitsyn, lead malware analyst at Kaspersky, told IT Pro that this strain could have been active for some time. 

"Our research indicates that the private keys were operational between the 13th of November 2022 and the 5th of February 2023, and the last decryptor we identified was on the 9th of February," he said.

"It is vital that organisations take proactive measures to protect their systems against such attacks, including regular data backups and robust cybersecurity measures."

The analysis found that 34 folders “explicitly named companies and government agencies” impacted by the strain.  

Sinitsyn said that 257 companies had fallen victim to the ransomware strain, the majority of which have not been disclosed by threat actors.

"Our analysis reveals that 257 companies have fallen prey to this malicious software, with 34 of the victims/organisations identified by name," he said. "The identities of the remaining 223 victims currently remain concealed by the threat actors."

The release of this decryptor tool follows a number of similar moves by cyber security companies and government agencies globally.  

Earlier this month, Bitdefender released a free decryption tool for the MortalKombat ransomware strain which has risen to prominence over the last several months.  

Similarly, in February CISA unveiled a recovery script for organisations that have fallen victim to the rampant ESXiArgs ransomware which emerged at the beginning of the month.  

Featured Resources

Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy

Free Download

Datto SMB cyber security for MSPs report

A world of opportunity for MSPs

Free Download

The essential guide to preventing ransomware attacks

Vital tips and guidelines to protect your business using ZTNA and SSE

Free Download

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

Free Download

Recommended

'CryWiper' trojan disguises as ransomware, says Kaspersky
malware

'CryWiper' trojan disguises as ransomware, says Kaspersky

2 Dec 2022
Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Kaspersky finds most effective phishing emails imitate corporate messages, delivery notifications
Security

Kaspersky finds most effective phishing emails imitate corporate messages, delivery notifications

27 Jun 2022
Kaspersky Free review: Effective and lightweight – everything you want from a free antivirus solution
antivirus

Kaspersky Free review: Effective and lightweight – everything you want from a free antivirus solution

8 Jun 2022

Most Popular

Getting the best value from your remote support software
Advertisement Feature

Getting the best value from your remote support software

13 Mar 2023
Microsoft set to block emails from unsupported Exchange servers
Security

Microsoft set to block emails from unsupported Exchange servers

28 Mar 2023
What the UK can learn from the rest of the world when it comes to the shift to IP
Sponsored

What the UK can learn from the rest of the world when it comes to the shift to IP

20 Mar 2023