Conti ransomware (Removal Guide) - Decryption Steps Included

by Ugnius Kiguolis - www - | Type: Ransomware

Conti virus Removal Guide

What is Conti ransomware?

Conti ransomware is the cryptovirus that uses AES and RSA encryption algorithms to lock files before asking ransom for the alleged recovery of them

Conti ransomwareConti ransomware is the virus that encourages people to pay for the alleged decryption tool.

Conti ransomware – a threat that encodes files and claims to publish stolen data, so the victim is encouraged to pay the ransom in Bitcoin cryptocurrency. This is why the threat can also be called a publisher since developers created a site[1] to publish stolen details from the infected machines. It is possibly related to Ryuk ransomware that, at one moment, was one of the most notorious crypto-extortion-based threats. Developers associated with TrickBot malware are the ones that deploy this ransomware.

Conti ransomware virus name is from the indication on the data leaking site and some of the variants in this family. .Conti is also a file extension that was the first to appear when the threat started to spread worldwide. The initial ransom note also appears in the text file named CONTI_README.txt, but there are various versions of this threat already. It is believable that this family can become more dangerous with each version.

Name Conti ransomware
Type Ranssomware-as-a-Service[2] or human-opearated ransomware
Versions .CONTI, .COSWH, .UAKXC, .RHMLM, .TJODT, .XNMMP
Issues The threat actors claim to publish data stolen from the device on the leak site to encourage victims to pay up and contact criminals as soon as possible. Stolen data can be used for more direct extortion purposes
Distribution The threat spreads around with other malware like trojans, worms, malicious applications, and hacked sites. It can also rely on malicious macros placed on spam email attachments
File marker The initial malware sample used .conti as the marker for encoded files. Later samples came with different randomly formed appendixes
Ransom notes CONTI_README.txt and R3ADM3.txt
Elimination To remove Conti ransomware properly, you should get an anti-malware tool that can detect the infection[3]
Repair Rely on tools that can help with file damage and corrupted programs or alterations made in the system like FortectIntego

Conti ransomware virus first came out at the end of 2019, but soon after that, new versions surfaced, and researchers found more samples of the threat. After the release of a few initial .CONTI variants, developers created a site for the information leakage.

At first, the ransom-demanding message in the text file encouraged people to stay away from decryption tools and third parties. Later variants directly claim to publish information obtained from the system.

The family has at least 6 versions of the file extensions that get formed randomly with 5 characters. R3ADM3.txt is the more recent file name used for money-demanding message distribution with the latest versions. The message is short and simple because developers explain that you either contact them and pay the ransom or experience a data leakage.

This virus tactic is borrowed from many threats like Snatch, Nemty, REvil, and others, that aim to profit from victims as much as it is possible. It only makes the process of Conti ransomware removal more difficult because people might not get the needed anti-malware or security tool in time and get their data leaked.

Even though the main targets of the virus are companies, you need to go straight to finding options helping to remove Conti ransomware. SpyHunter 5Combo Cleaner or Malwarebytes can scan the machine and find threats that trigger the encryption or further spreading of the cryptovirus.

Conti ransomware virusConti ransomware is the threat that claims to have the only possible solution for the encoded files.

.CONTI virus: started with a bang and not stopping

The initial Conti ransomware versions aimed to directly receive money from victims, so short ransom messages contained the email for contacting criminals and encouragement to avoid third-party decryption. For months, the threat relied on the general ransom notes and tactics aiming to get money from scared victims.

This Conti virus wave came right after when the Ryuk activities stopped, so operators could distribute Conti with a full force. With the release of Conti-2, ransomware developers managed to interfere with the system and victims' minds more. ransomware gang joined the movement of threats that deliver data publicly in August 2020.

Since Conti ransomware spreads around for a long time already and does this widely with the help of many versions, the list of contact emails gets bigger end bigger:

mantiticvi1976@protonmail.com fahydremu1981@protonmail.com, frosculandra1975@protonmail.com, trafyralhi1988@protonmail.com, sanctornopul1986@protonmail.com ringpawslanin1984@protonmail.com, liebupneoplan19@protonmail.com, stivobemun1979@protonmail.com, guifullcharti1970@protonmail.com, phrasitliter1981@protonmail.com, elsleepamlen1988@protonmail.com, southbvilolor1973@protonmail.com, glocadboysun1978@protonmail.com, carbedispgret1983@protonmail.com, listun@protonmail.com, mirtum@protonmail.com

Data leaking site revealed before the distribution of .TJODT virus

Conti 2 ransomware version of the particular ransomware was indicated at the end of August when developers started leaking sensitive data from users who refused to pay the demanded amount of cryptocurrency. This double-extortion technique became popular due to the usage in other cryptovirus attacks, so ransomware creators can make up to hundreds of thousands per victim.

.TJODT ransomware is one of the few versions in this family that deliver the ransom note with an additional line about file publication. Just before releasing this malware and .UAKXC or .RHMLM versions of the ransomware, site named Conti News got public. This page, at the time revealed data about at least 26 victims. These victims are companies from various industries.

.Conti file virusConti ransomware is a threat that has many versions released already.

Conti ransomware leak site pages contain samples of the stolen data from every system that this threat managed to get on. The ransomware operations show that creators may change accordingly to the popular tactics since ransom notes got changed with the newest variants in 2020.

The older version of the text placed in CONTI_README.txt:

Your system is LOCKED. Write us on the emails:

mantiticvi1976@protonmail.com
fahydremu1981@protonmail.com

DO NOT TRY to decrypt files using other software.

The more recent ransom note that is delivered via CONTI.txt or R3adm3.txt:

Your system is locked down. Do not try to decrypt, otherwise you will damage fails. For decryption tool write on the email:

wellproxadsit1980@protonmail.com
mabuhyli1982@protonmail.com

If you do not pay, we will publish all private data on hxxp://conti.news/

The latest .XNMMP virus – one of the randomized file extensions

Conti file virus started the distribution in 2019 and managed to affect many systems using the same.CONTI file extension, but tactics got changed, and randomized five-character extensions started to appear at the end of encrypted data. At the same time, news sites started to appear listed in the ransom note, so people get more eager to pay sooner.

The same ransom notes redirect the threat to CONTIRecovery pages that provide the options of paying and recovering affected files. It is not recommended because criminals might use these tactics to get your trust and provide nothing after the Bitcoin transfer. Even though Conti mainly targets large businesses, companies stay away from paying since this is less risky.

Remove Conti file virus instead and try to repair the machine functions with FortectIntego before searching for data recovery options. There are no decryption tools for this family, and researchers only analyzing the samples that are not easy to get, so it may take time. This threat aims for bigger targets, but everyday users should also be cautious.

.CONTI virusConti ransomware virus is the one that marks data using randomized extensions after the encryption procedure.

Limited data recovery options and tips for .Conti ransomware termination

Conti ransomware virus is a dangerous threat that mimics other groups that adopt newer tactics and even encryption techniques. It already uses the double algorithm encryption method, so it can become more notorious and harmful in the future as Ryuk, another possibly similar ransomware.

If you think that the Conti ransomware removal is needed and you received the ransom note, spotted mentioned appendixes, make sure to get SpyHunter 5Combo Cleaner or Malwarebytes as soon as possible. These or similar security tools can find and eliminate the malware from the machine.

To remove Conti ransomware properly, you need to run the full system scan using one of the security or anti-malware tools that can be trusted. A full check on the computer or the whole network indicates all threats, so you might find the malware that started the infection. If so, FortectIntego should be helpful when removing a trojan and other malware damage in the system.

Offer
do it now!
Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Download SpyHunter 5 Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Malwarebytes
Download | Review | Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
Download Combo Cleaner Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions

Getting rid of Conti virus. Follow these steps

Manual removal using Safe Mode

The machine can be cleared with the help of Safe Mode with Networking

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Conti using System Restore

Get rid of the Conti ransomware virus with the help from the System Restore feature

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Conti. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Conti removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Conti from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Conti, you can use several methods to restore them:

Recover your data
Recover your data

Data Recovery Pro can help with some of the encrypted files

If you managed to accidentally delete files or got your device encrypted, you can rely on Data Recovery Pro

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Conti ransomware;
  • Restore them.

Try to restore Conti ransomware encoded files with Windows Previous Versions

System Restore got enabled before? You can then rely on this Windows Previous Versions feature and recover individual data yourself

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer feature – a possible way to restore affected files

When Shadow Volume Copies are not affected, you can't store files affected by the Conti ransomware virus

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Conti ransomware is not decryptable

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Conti and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

References