contac

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by CONTAC are given the extension .contac, always in lowercase; no variant using capital letters has been documented.
  • Renaming Convention: CONTAC does not simply append “.contac” to the existing filename. It replaces the whole name with a fixed 32-character hexadecimal string followed by the new extension.
    Fixed structure: [32-hex-chars].contac
    Example: A file once called QuarterlyReport_2025.xlsx becomes 1a4f7b8c9d3e0aaf165e329bdf21acce.contac, so neither the original filename nor the original extension can be recovered by inspection alone (the decrypter in section 3 rebuilds the mapping from the NTFS $MFT or a file-list cache).

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: CONTAC surfaced in the last week of March 2025. Submissions to ID-Ransomware and VirusTotal spiked from 26-Mar-2025 (UTC) and kept growing through the first three weeks of April 2025; CISA added CONTAC to its Emerging Threat list on 08-Apr-2025.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Exploitation of an unauthenticated OGNL-injection zero-day in Atlassian Confluence gadgets (CVE-2025-12634) for initial access.
    • SMB brute-forcing and the now-classic EternalBlue / DoublePulsar (SMBv1) vector for lateral movement after an initial foothold.
    • Weaponized MS Office or PDF attachments delivered by phishing emails titled “Confluence Expiration Notice” or “Your Confluence Access Will Be Disabled”; the malicious macro pulls a Cobalt Strike loader, which in turn delivers CONTAC.
    • Compromised RDP credentials bought or scraped from breach marketplaces; once inside the perimeter, the operators use PsExec-style scripts to push the ransomware payload to every reachable host.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch immediately: apply the 25-Mar-2025 hot-fix for Confluence (versions 9.10.2, 8.9.10 LTS and 7.19.45 LTS) or disable the affected “Widget Connector” gadget altogether.
    • Disable SMBv1 and block TCP 445 inbound and outbound at the perimeter except where strictly required (allow-list only known file servers).
    • Enforce MFA on all external-facing remote-access gateways (VPN, RDP, SSH).
    • Segment networks (dedicated VLAN for OT/ICS, no direct SMB/NFS reachability from the user LAN).
    • Deploy a reputable EDR/NGAV with behavioral rules already tuned for the CONTAC mutex (“Global\contaclock__”) and entropy-based file-rewrite signatures that catch the 32-hex rename plus the .contac extension.
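The two signals above (the [32-hex].contac naming convention from section 1 and the entropy of the rewritten content) can be checked without vendor tooling. The script below is an added example, not code from the page or from any vendor named on it: it walks a directory, flags names that match the convention, samples the first bytes of every file and computes their Shannon entropy, and reports files that trip both checks. The sample size and the 7.5 bits-per-byte threshold are assumed tuning values, and the directory it builds is constructed demo data, not incident material.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Rename convention described above: 32 hex characters, then the lowercase
# .contac extension and nothing else. Hex case is not stated on the page, so
# both cases are accepted; the extension is matched lowercase as documented.
CONTAC_NAME = re.compile(r"^[0-9a-fA-F]{32}\.contac$")

# Assumed tuning values (not from the page): bytes sampled per file and the
# entropy, in bits per byte, above which a sample is treated as ciphertext.
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5


def is_contac_name(filename: str) -> bool:
    """True if the basename matches the [32-hex].contac convention."""
    return CONTAC_NAME.match(os.path.basename(filename)) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, well below
    that for text and most office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def basenames(paths):
    """Reporting helper: strip directories from a list of paths."""
    return [os.path.basename(p) for p in paths]


def scan_tree(root: str) -> dict:
    """Walk root and return three sorted lists of paths:
       renamed      - names that follow the CONTAC convention
       high_entropy - files whose first SAMPLE_BYTES look encrypted
       suspect      - files in both lists (the strongest signal)
    """
    renamed, high_entropy = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_contac_name(name):
                renamed.append(path)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable or vanished mid-scan: skip, do not abort
            # Very short samples give unreliable entropy estimates, so skip them.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(path)
    suspect = sorted(set(renamed) & set(high_entropy))
    return {"renamed": sorted(renamed), "high_entropy": sorted(high_entropy), "suspect": suspect}


def build_demo_tree() -> str:
    """Constructed sample directory (not real incident data)."""
    root = tempfile.mkdtemp(prefix="contac_demo_")
    # Random bytes stand in for ciphertext; the name follows the page's example.
    with open(os.path.join(root, "1a4f7b8c9d3e0aaf165e329bdf21acce.contac"), "wb") as fh:
        fh.write(os.urandom(4096))
    # Untouched plaintext: ordinary name, low entropy.
    with open(os.path.join(root, "QuarterlyReport_2025.txt"), "w") as fh:
        fh.write("Q1 revenue summary\n" * 200)
    # Decoy: right extension but only 31 hex characters, so it must not match.
    with open(os.path.join(root, "1a4f7b8c9d3e0aaf165e329bdf21acc.contac"), "w") as fh:
        fh.write("not ransomware output\n" * 50)
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    for key, paths in result.items():
        print(f"{key:13s} {basenames(paths)}")
```

Point scan_tree at a file share or user profile during triage; a name match alone catches renamed files, the entropy check alone also catches legitimately compressed or encrypted archives, so the "suspect" intersection is the list worth acting on first.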

2. Removal

  • Infection Cleanup (step-by-step):
  1. Identify patient zero: look for C:\ProgramData\contac\contac.exe, whose timestamp typically matches the initial intrusion.
  2. If you plan forensics, capture volatile memory before shutting anything down; powering off destroys it. Then power off the affected hosts and boot them into Safe Mode with Networking.
  3. Run Malwarebytes Anti-Ransomware or Sophos HitmanPro with the 14-Apr-2025 signature pack (which includes the CONTAC-specific IOC list). These remove the malicious binaries, the scheduled task WinContacUpdate (launched via schtasks /run /tn WinContacUpdate), and the service entry whose DLL masquerades as sevices.exe (a look-alike of the legitimate services.exe).
  4. Delete persistence artifacts:
    • The Run value ContacApp under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which points at C:\ProgramData\contac\winupd.exe.
    • The shadow-copy deletion script (vspclean.bat) in the same folder.
  5. Flush the DNS cache, reboot into normal mode, and watch the first 30 seconds after logon to confirm the payload does not relaunch itself.
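Steps 3 to 5 depend on finding every persistence artifact, and a cleanup that misses one is why step 5 exists. The script below is an added example, not the page's or any vendor's tooling: it parses the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `schtasks /query /fo csv /v`, matches the Run value and task name listed above, and, going one step beyond the page, also flags any Run value or task action that executes from the C:\ProgramData\contac drop directory, since a renamed copy would otherwise slip past an exact-name check. Both samples are constructed output, not captures from a real host; the column layout assumed for reg.exe is four spaces between name, type and data.

```python
import csv
import io
import re

# Persistence indicators taken from the removal steps above.
RUN_VALUE_NAME = "ContacApp"
TASK_NAME = "WinContacUpdate"
DROP_DIR = r"c:\programdata\contac"  # compared case-insensitively

# Constructed sample output (not captured from a real host). The first block is
# what `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints;
# the second is `schtasks /query /fo csv /v` trimmed to its first columns.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ContacApp    REG_SZ    C:\ProgramData\contac\winupd.exe
    Updater    REG_SZ    "C:\ProgramData\CONTAC\contac.exe" --bg
"""

SCHTASKS_SAMPLE = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS-0417","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\defrag.exe -c -h -k -g -$","N/A","N/A"
"WS-0417","\WinContacUpdate","4/15/2025 9:00:00 AM","Ready","Interactive/Background","4/14/2025 9:00:00 AM","0","WS-0417\admin","C:\ProgramData\contac\winupd.exe","N/A","N/A"
'''


def parse_reg_query(text: str):
    """Parse `reg query <key>` output into (name, type, data) tuples.
    reg.exe indents each value by four spaces and separates columns with four
    spaces; the key header line has no indent and is skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$", line)
        if m:
            rows.append(m.groups())
    return rows


def parse_schtasks_csv(text: str):
    """Parse `schtasks /query /fo csv /v` output into one dict per task."""
    return list(csv.DictReader(io.StringIO(text)))


def _in_drop_dir(command: str) -> bool:
    """True if a command line starts inside the CONTAC drop directory,
    tolerating a quoted executable path and mixed case."""
    return command.strip().lstrip('"').lower().startswith(DROP_DIR)


def find_persistence(reg_text: str, schtasks_text: str):
    """Return (kind, name, reason) findings for CONTAC persistence artifacts."""
    findings = []
    for name, _typ, data in parse_reg_query(reg_text):
        if name == RUN_VALUE_NAME:
            findings.append(("run_value", name, "value name matches IOC"))
        elif _in_drop_dir(data):
            findings.append(("run_value", name, "payload lives in the drop directory"))
    for task in parse_schtasks_csv(schtasks_text):
        tname = task.get("TaskName", "")
        if tname.lstrip("\\") == TASK_NAME:
            findings.append(("scheduled_task", tname, "task name matches IOC"))
        elif _in_drop_dir(task.get("Task To Run", "")):
            findings.append(("scheduled_task", tname, "action runs from the drop directory"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in find_persistence(REG_SAMPLE, SCHTASKS_SAMPLE):
        print(f"{kind:15s} {name:40s} {reason}")
```

On a live host, feed the functions the real command output (for example via subprocess) and remove each finding with `reg delete ... /v <name>` and `schtasks /delete /tn <task> /f` before step 5; the "Updater" entry in the sample shows why the drop-directory rule matters, since its value name does not appear in any IOC list.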

3. File Decryption & Recovery

  • Recovery Feasibility: As of 21-May-2025, all known CONTAC variants CAN be decrypted. A valid universal offline key has been recovered and published by Bitdefender and the NoMoreRansom project. Test the decrypter on copies of a few encrypted files before running it across a whole volume, and keep the encrypted originals until the output has been verified.
  • Essential Tools/Patches:
    • Bitdefender_ContourDecrypter_v1.3.exe (signed 17-May-2025): a drag-and-drop wizard that maps each 32-hex name back to its original name using the NTFS $MFT or a provided file-list cache.
    • Microsoft KB5039801 (May 2025 cumulative update): addresses the SMB-signing bypass that some CONTAC actors later used to re-infect systems after remediation.

4. Other Critical Information

  • Additional Precautions: CONTAC distinguishes itself with a built-in Wi-Fi auto-disconnect routine: once encryption is complete it issues netsh wlan disconnect and reboots into Safe Mode with networking disabled, which hinders common recovery workflows. Boot from live media or a recovery USB so the decrypter keeps network access.
  • Broader Impact: Multiple U.S. county governments lost 40 TB of taxpayer data to CONTAC in April 2025. Because the master decryption key was published early, the ransom demands (under USD 500 k in total) were never paid, but downtime for databases without backups exceeded three weeks. The incident underlines the value of immutable, air-gapped backups (e.g., LTO-9 tape, WORM cloud buckets) and a rapid patching cadence.