Skip links

Got Conti? Here’s the ransomware cure to avoid paying up

Good news for ransomware victims: Kaspersky security researchers say they’ve cracked the Conti ransomware code and released a decryptor tool after uncovering leaked data belonging to the notorious Russian crime group.

This latest leak contained 258 private keys, source code and some pre-compiled decryptors, and the Kaspersky team used it to develop a new version of its public decryptor. The security shop’s analysts uncovered a newer Conti malware variant in December 2022, and the leaked keys unlock this strain of the ransomware.

The decryption code and all 258 keys have been added to the latest build of Kaspersky’s utility RakhniDecryptor. This and other decryption tools are available on the vendor’s No Ransom site

Conti, of course, is the notorious Russian-based group that first appeared on the cybercrime scene in late 2019 and became the most active ransomware group by 2021.

In February 2022, however, after Conti declared its full support of the Russian government” and the illegal invasion of Ukraine, a sunflower nation security researcher leaked hundreds of Conti’s internal files including its source code. 

This led to multiple modifications of the malware by various other criminal gangs, plus ex-Conti members moving on and working with other miscreants. And these different variants of Conti ransomware have since been used to infect computers over the last year.

According to Kaspersky, the strain its researchers spotted in December 2022 was used in “multiple attacks” against corporations and government agencies. And the keys to this particular variant were included in the new leaked Conti data.

Some of these folders also contained previously generated decryptors as well as documents and photos. Many of these are likely test files, we’re told, as some of them are files a victim sends to the crooks to make sure the files can be decrypted.

Additionally, 34 of the folders named specific companies and government agencies, according to the researchers.

“Assuming that one folder corresponds to one victim, and that the decryptors were generated for the victims who paid the ransom, it can be suggested that 14 victims out of the 257 paid the ransom to the attackers,” according to Kaspersky’s analysis.

The Conti decryption tool comes about a month after the US Cybersecurity and Infrastructure Security Agency (CISA) released a recovery script to help companies whose servers were scrambled in the recent ESXiArgs ransomware outbreak. That malware attack hit thousands of servers across the globe.

And in January, cybersecurity firm Avast unveiled a free decryptor for victims of BianLian — an emerging ransomware threat that came into the public eye over the last year.

But just as soon as code fixes are made, the attackers strike back. Get this sorted while you can, because the next build might not be so vulnerable. ®

Source