Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2021

How to remove Conti ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

Conti ransomware is the cryptovirus that uses AES and RSA encryption algorithms to lock files before asking ransom for the alleged recovery of them

Conti ransomware

Conti ransomware – a threat that encodes files and claims to publish stolen data, so the victim is encouraged to pay the ransom in Bitcoin cryptocurrency. This is why the threat can also be called a publisher since developers created a site[1] to publish stolen details from the infected machines. It is possibly related to Ryuk ransomware that, at one moment, was one of the most notorious crypto-extortion-based threats. Developers associated with TrickBot malware are the ones that deploy this ransomware.

Conti ransomware virus name is from the indication on the data leaking site and some of the variants in this family. .Conti is also a file extension that was the first to appear when the threat started to spread worldwide. The initial ransom note also appears in the text file named CONTI_README.txt, but there are various versions of this threat already. It is believable that this family can become more dangerous with each version.

Name Conti ransomware
Type Ranssomware-as-a-Service[2] or human-opearated ransomware
Versions .CONTI, .COSWH, .UAKXC, .RHMLM, .TJODT, .XNMMP
Issues  The threat actors claim to publish data stolen from the device on the leak site to encourage victims to pay up and contact criminals as soon as possible. Stolen data can be used for more direct extortion purposes
Distribution  The threat spreads around with other malware like trojans, worms, malicious applications, and hacked sites. It can also rely on malicious macros placed on spam email attachments
File marker The initial malware sample used .conti as the marker for encoded files. Later samples came with different randomly formed appendixes
Ransom notes CONTI_README.txt and R3ADM3.txt
Elimination To remove Conti ransomware properly, you should get an anti-malware tool that can detect the infection[3]
Repair Rely on tools that can help with file damage and corrupted programs or alterations made in the system like FortectIntego

Conti ransomware virus first came out at the end of 2019, but soon after that, new versions surfaced, and researchers found more samples of the threat. After the release of a few initial .CONTI variants, developers created a site for the information leakage.

At first, the ransom-demanding message in the text file encouraged people to stay away from decryption tools and third parties. Later variants directly claim to publish information obtained from the system. 

The family has at least 6 versions of the file extensions that get formed randomly with 5 characters. R3ADM3.txt is the more recent file name used for money-demanding message distribution with the latest versions. The message is short and simple because developers explain that you either contact them and pay the ransom or experience a data leakage.

This virus tactic is borrowed from many threats like Snatch, Nemty, REvil, and others, that aim to profit from victims as much as it is possible. It only makes the process of Conti ransomware removal more difficult because people might not get the needed anti-malware or security tool in time and get their data leaked.

Even though the main targets of the virus are companies, you need to go straight to finding options helping to remove Conti ransomware. SpyHunterCombo Cleaner or MalwarebytesMalwarebytes can scan the machine and find threats that trigger the encryption or further spreading of the cryptovirus.

Conti ransomware virus

.CONTI virus: started with a bang and not stopping

The initial Conti ransomware versions aimed to directly receive money from victims, so short ransom messages contained the email for contacting criminals and encouragement to avoid third-party decryption. For months, the threat relied on the general ransom notes and tactics aiming to get money from scared victims.

This Conti virus wave came right after when the Ryuk activities stopped, so operators could distribute Conti with a full force. With the release of Conti-2, ransomware developers managed to interfere with the system and victims' minds more. ransomware gang joined the movement of threats that deliver data publicly in August 2020.

Since Conti ransomware spreads around for a long time already and does this widely with the help of many versions, the list of contact emails gets bigger end bigger:

mantiticvi1976@protonmail.com fahydremu1981@protonmail.com, frosculandra1975@protonmail.com, trafyralhi1988@protonmail.com, sanctornopul1986@protonmail.com ringpawslanin1984@protonmail.com, liebupneoplan19@protonmail.com, stivobemun1979@protonmail.com, guifullcharti1970@protonmail.com, phrasitliter1981@protonmail.com, elsleepamlen1988@protonmail.com, southbvilolor1973@protonmail.com, glocadboysun1978@protonmail.com, carbedispgret1983@protonmail.com, listun@protonmail.com, mirtum@protonmail.com 

Data leaking site revealed before the distribution of .TJODT virus

Conti 2 ransomware version of the particular ransomware was indicated at the end of August when developers started leaking sensitive data from users who refused to pay the demanded amount of cryptocurrency. This double-extortion technique became popular due to the usage in other cryptovirus attacks, so ransomware creators can make up to hundreds of thousands per victim.

.TJODT ransomware is one of the few versions in this family that deliver the ransom note with an additional line about file publication. Just before releasing this malware and .UAKXC or .RHMLM versions of the ransomware, site named Conti News got public. This page, at the time revealed data about at least 26 victims. These victims are companies from various industries.

.Conti file virus

Conti ransomware leak site pages contain samples of the stolen data from every system that this threat managed to get on. The ransomware operations show that creators may change accordingly to the popular tactics since ransom notes got changed with the newest variants in 2020.

The older version of the text placed in CONTI_README.txt:

Your system is LOCKED. Write us on the emails:

mantiticvi1976@protonmail.com
fahydremu1981@protonmail.com

DO NOT TRY to decrypt files using other software.

The more recent ransom note that is delivered via CONTI.txt or R3adm3.txt: 

Your system is locked down. Do not try to decrypt, otherwise you will damage fails. For decryption tool write on the email:

wellproxadsit1980@protonmail.com
mabuhyli1982@protonmail.com

If you do not pay, we will publish all private data on hxxp://conti.news/

The latest .XNMMP virus – one of the randomized file extensions 

Conti file virus started the distribution in 2019 and managed to affect many systems using the same.CONTI file extension, but tactics got changed, and randomized five-character extensions started to appear at the end of encrypted data. At the same time, news sites started to appear listed in the ransom note, so people get more eager to pay sooner.

The same ransom notes redirect the threat to CONTIRecovery pages that provide the options of paying and recovering affected files. It is not recommended because criminals might use these tactics to get your trust and provide nothing after the Bitcoin transfer. Even though Conti mainly targets large businesses, companies stay away from paying since this is less risky.

Remove Conti file virus instead and try to repair the machine functions with FortectIntego before searching for data recovery options. There are no decryption tools for this family, and researchers only analyzing the samples that are not easy to get, so it may take time. This threat aims for bigger targets, but everyday users should also be cautious.

.CONTI virus

Limited data recovery options and tips for .Conti ransomware termination

Conti ransomware virus is a dangerous threat that mimics other groups that adopt newer tactics and even encryption techniques. It already uses the double algorithm encryption method, so it can become more notorious and harmful in the future as Ryuk, another possibly similar ransomware.

If you think that the Conti ransomware removal is needed and you received the ransom note, spotted mentioned appendixes, make sure to get SpyHunterCombo Cleaner or MalwarebytesMalwarebytes as soon as possible. These or similar security tools can find and eliminate the malware from the machine.

To remove Conti ransomware properly, you need to run the full system scan using one of the security or anti-malware tools that can be trusted. A full check on the computer or the whole network indicates all threats, so you might find the malware that started the infection. If so, FortectIntego should be helpful when removing a trojan and other malware damage in the system.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.