Cybersecurity researchers have discovered a decryption tool that could help hundreds of victims who have fallen prey to a modified version of the Conti ransomware. The ransomware, which emerged after the Conti source code was leaked in March 2022, has been used in attacks against both public and private organizations.
The MeowCorp ransomware group is believed to be behind the attacks, and they recently shared decryption keys on a Russian-speaking forum. The keys were analyzed by Kaspersky researchers and found to be associated with a Conti variant discovered in December 2022.
The Meow Conti-based encryptor targeted mainly Russian organizations. The leaked folders containing its private keys also held decryptors and sample files, such as photos and documents, that the attackers used to show victims that decryption works.
According to Kaspersky, the number of decryptors in the leak suggests that the modified Conti strain was used to encrypt 257 victims, 14 of whom paid the attackers to recover their locked data.
Kaspersky has added the decryption code and the 258 private keys to its RakhniDecryptor tool, which can recover files encrypted by more than two dozen ransomware strains.
The Demise of Conti Ransomware
Conti was one of the most lucrative ransomware-as-a-service operations, targeting big organizations and demanding large ransoms to decrypt the data they locked. It was considered the successor of Ryuk ransomware and became a dominant threat by July 2020, aided by TrickBot operators. However, in August 2021, a disgruntled Conti affiliate leaked information about some of the group members along with the gang’s attack method and training manuals.
The Russian invasion of Ukraine in February last year created more internal friction, leading to the leak of thousands of messages exchanged between Conti operators and affiliates.
The source code for the ransomware encryptor, decryptor, and builder, as well as the administrative panels, was also leaked. In May 2022, the Conti team leaders took the infrastructure offline and announced that the brand no longer existed.
The U.S. government offered a reward of up to $15 million for information that identified and located Conti leaders and affiliates.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.