Kaspersky releases decryptor for ransomware based on Conti source code

Cybersecurity firm Kaspersky on Thursday released a decryptor that could help victims who had their data locked down by a version of the Conti ransomware.

Kaspersky said the tool can be used on a malware strain that infected dozens of “companies and state institutions” throughout December 2022. Kaspersky did not name the strain, but experts say it’s tracked as the Meow ransomware, which was based on Conti’s leaked code.

Conti’s source code was publicly exposed in March 2022 after a disgruntled affiliate took issue with the group’s support of Russia’s invasion of Ukraine. Kaspersky, which is based in Russia, did not respond to requests for comment about where most of the victims are based.

Experts with the company managed to obtain the ransomware’s private keys – tools given to ransomware victims that allow them to unlock their files.

“In late February 2023, Kaspersky experts uncovered a new portion of leaked data published on forums,” the company said. “After analyzing the data, which contained 258 private keys, source code and some pre-compiled decryptors, Kaspersky released a new version of the public decryptor to help victims of this modification of Conti ransomware.”

A ransomware researcher told BleepingComputer that members of the Meow ransomware group posted in a Russian cybercriminal forum that they were “ceasing” their activities and provided a link to all of the private keys and decryptors.

The analysts found the private keys in 257 different folders – one of the folders had two keys. Several of the folders had decryptors and files used to test the decryptor.

At least 34 of the folders had the names of companies or government agencies, and Kaspersky officials said that, considering the number of folders with decryptors, they believe 14 victims of the 257 paid a ransom.

Fedor Sinitsyn, lead malware analyst at Kaspersky, said that using the data in the folders, they were able to release a version of a public decryptor and added it to their “No Ransom” catalog of free decryptors.

“For many consecutive years, ransomware has remained a major tool used by cybercrooks. However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier,” Sinitsyn said.

Recorded Future ransomware expert Allan Liska said that, based on the numbers released by Kaspersky, a surprisingly low number of victims paid the ransom. He added that Kaspersky’s work was evidence that ransomware groups themselves typically have lackluster security.

“For all the scolding by ransomware groups of victim organizations we continue to see that ransomware groups themselves are really bad at security. I think poor OPSEC has done in almost as many ransomware groups as government intervention,” he said.

“This is great work by Kaspersky and hopefully we will continue to see more of this type of activity by the public and private sectors. It looks like Kaspersky may have had access to their infrastructure, at least enough to be able to identify victims.”

At its peak, Conti was one of the most prolific ransomware groups in operation, attacking dozens of high-profile targets, including the government of Costa Rica, before shutting down in May 2022.

Kaspersky noted that after the Conti source code was leaked, several different variants were created by various criminal gangs.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.