{
	"id": "4edb0ad6-c87d-4fe5-80f8-a4b04595ccd0",
	"created_at": "2026-04-06T00:11:25.120873Z",
	"updated_at": "2026-04-10T03:23:51.798105Z",
	"deleted_at": null,
	"sha1_hash": "105e6ac40bd9893abe3a79498459d750307ef724",
	"title": "Kaspersky releases tool for decrypting Conti-based ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41984,
	"plain_text": "Kaspersky releases tool for decrypting Conti-based ransomware\r\nBy Kaspersky\r\nPublished: 2023-03-16 · Archived: 2026-04-05 20:04:52 UTC\r\nWoburn, MA – March 16, 2023 – Kaspersky has published a new decryption tool that helps victims of a\r\nransomware modification based on previously leaked Conti source code. Conti is a ransomware gang that has\r\ndominated the cybercrime scene since 2019, and whose data, including source code, was leaked in March 2022,\r\nfollowing an internal conflict caused by geopolitical crisis in Europe. The discovered modification was distributed\r\nby an unknown ransomware group and has been used against companies and state institutions.\r\nIn late February 2023, Kaspersky experts uncovered a new portion of leaked data published on forums. After\r\nanalyzing the data, which contained 258 private keys, source code and some pre-compiled decryptors, Kaspersky\r\nreleased a new version of the public decryptor to help victims of this modification of Conti ransomware.\r\nConti appeared in late 2019 and was very active throughout 2020, accounting for more than 13 percent of all\r\nransomware victims during this period. However, a year ago, once the source code was leaked, multiple\r\nmodifications of Conti ransomware were created by various criminal gangs and used in their attacks.\r\nThe malware variant whose keys were leaked had been discovered by Kaspersky specialists in December 2022.\r\nThis strain was used in multiple attacks against companies and state institutions.\r\nThe leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them\r\ncontain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter\r\nare test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.\r\nThirty-four of these folders have explicitly named companies and government agencies. 
Assuming that one folder\r\ncorresponds to one victim, and that the decryptors were generated for the victims who paid the ransom, it can be\r\nsuggested that 14 victims out of the 257 paid the ransom to the attackers.\r\nAfter analyzing the data, the experts released a new version of the public decryptor to help victims of this\r\nmodification of the Conti ransomware. The decryption code and all 258 keys were added to the latest build of\r\nKaspersky’s utility RakhniDecryptor 1.40.0.00. Moreover, the decryption tool has been added to Kaspersky’s “No\r\nRansom” site (https://noransom.kaspersky.com).\r\n“For many consecutive years, ransomware has remained a major tool used by cybercrooks,” said Fedor Sinitsyn,\r\nlead malware analyst at Kaspersky. “However, because we have studied the TTPs of various ransomware gangs\r\nand found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool\r\nagainst a new Conti-based modification is already available on our 'No Ransom' webpage. However, we would\r\nlike to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their\r\nintrusion, preventing ransomware deployment and minimizing the consequences of the attack.”\r\nhttps://usa.kaspersky.com/about/press-releases/2023_kaspersky-releases-tool-for-decrypting-conti-based-ransomware\r\nPage 1 of 2\n\nTo protect yourself and your business from ransomware attacks, consider following the rules proposed by\r\nKaspersky:\r\nDo not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and\r\nalways use strong passwords for them.\r\nPromptly install available patches for commercial VPN solutions providing access for remote employees\r\nand acting as gateways in your network.\r\nFocus your defense strategy on detecting lateral movements and data exfiltration to the Internet. 
Pay\r\nspecial attention to the outgoing traffic to detect cybercriminals' connections.\r\nBack up data regularly. Make sure you can quickly access it in an emergency when needed. \r\nUse solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection\r\nand Response service, which help to identify and stop the attack on early stages, before attackers reach\r\ntheir final goals.\r\nUse the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The\r\nKaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack\r\ndata and insights gathered by our team for 25 years. To help businesses enable effective defenses in these\r\nturbulent times, Kaspersky has announced access to independent, continuously updated and globally\r\nsourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.\r\nAbout Kaspersky\r\nKaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat\r\nintelligence and security expertise is constantly transforming into innovative security solutions and services to\r\nprotect businesses, critical infrastructure, governments, and consumers around the globe. The company’s\r\ncomprehensive security portfolio includes leading endpoint protection and a number of specialized security\r\nsolutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by\r\nKaspersky technologies, and we help 240,000 corporate clients protect what matters most to them. 
Learn more at\r\nusa.kaspersky.com.\r\nMedia Contact\r\nSawyer Van Horn\r\nsawyer.vanhorn@Kaspersky.com\r\n(781) 503-1866\r\nSource: https://usa.kaspersky.com/about/press-releases/2023_kaspersky-releases-tool-for-decrypting-conti-based-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://usa.kaspersky.com/about/press-releases/2023_kaspersky-releases-tool-for-decrypting-conti-based-ransomware"
	],
	"report_names": [
		"2023_kaspersky-releases-tool-for-decrypting-conti-based-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/105e6ac40bd9893abe3a79498459d750307ef724.pdf",
		"text": "https://archive.orkl.eu/105e6ac40bd9893abe3a79498459d750307ef724.txt",
		"img": "https://archive.orkl.eu/105e6ac40bd9893abe3a79498459d750307ef724.jpg"
	}
}