Kaspersky has unveiled an updated free decryptor tool to support victims of a modified strain of Conti ransomware.
The ransomware strain, tracked by some researchers as MeowCorp, is one of several modified strains based on Conti source code leaked in March 2022, and has been used to target a range of companies and state institutions.
This latest tool was developed following an investigation into a new portion of leaked Conti data published on forums. Analysis of the leak uncovered 258 private keys, source code, and some pre-compiled decryptors, researchers noted.
“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc,” the company said in a statement this week.
“Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”
Kaspersky said the decryption code and all 258 keys were added to the latest build of its RakhniDecryptor utility. In addition, the tool has been added to Kaspersky’s long-running No Ransom site.
Hundreds of organisations impacted
First observed in 2019, Conti's eponymous ransomware strain was among the most prolific throughout 2020, accounting for more than 13% of all ransomware victims across that period.
When Conti source code was leaked last year, a slew of new modifications and strains emerged and were used to devastating effect by cyber criminal gangs.
Leaked keys for the MeowCorp variant were uncovered by Kaspersky researchers in December 2022. However, Fedor Sinitsyn, lead malware analyst at Kaspersky, told IT Pro that this strain could have been active for some time.
"Our research indicates that the private keys were operational between the 13th of November 2022 and the 5th of February 2023, and the last decryptor we identified was on the 9th of February," he said.
"It is vital that organisations take proactive measures to protect their systems against such attacks, including regular data backups and robust cybersecurity measures."
The analysis found that 34 folders “explicitly named companies and government agencies” impacted by the strain.
Sinitsyn said that 257 companies had fallen victim to the ransomware strain, the majority of which have not been disclosed by threat actors.
"Our analysis reveals that 257 companies have fallen prey to this malicious software, with 34 of the victims/organisations identified by name," he said. "The identities of the remaining 223 victims currently remain concealed by the threat actors."
The release of this decryptor tool follows a number of similar moves by cyber security companies and government agencies globally.
Earlier this month, Bitdefender released a free decryption tool for the MortalKombat ransomware strain which has risen to prominence over the last several months.
Similarly, in February CISA unveiled a recovery script for organisations that have fallen victim to the rampant ESXiArgs ransomware which emerged at the beginning of the month.
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
