New Contacto Ransomware: Advanced Evasion Techniques and Windows Console Execution
2025-1-21 11:53:39 Author: cybersecuritynews.com (view original)

New Contacto Ransomware Evades AV Detection & Uses Windows Console For Execution

A new ransomware strain dubbed “Contacto” has emerged, showcasing advanced evasion techniques and leveraging the Windows console for execution.

First detected in early January 2025, this ransomware variant demonstrates sophisticated capabilities designed to bypass antivirus detection and maximize its impact on victim systems.

The key features:

Stealthy Execution: Contacto initiates by retrieving the console window handle and hiding it using ShowWindow(), preventing users from seeing a command prompt and keeping its execution discreet.

Single Instance Enforcement: The ransomware creates a mutex named “ContactoMutex” to ensure only one instance runs at a time, exiting if the mutex already exists.

Privilege Escalation: Contacto attempts to enable a range of Windows privileges, including SeDebugPrivilege, SeRestorePrivilege, and SeTakeOwnershipPrivilege, to gain extensive control over the system.

Flexible Encryption Modes: The ransomware supports multiple encryption modes, including “full,” “fast,” “split,” and “custom,” allowing attackers to tailor the encryption process based on their objectives.

System Manipulation: Contacto disables Windows Defender by manipulating registry keys, deletes Volume Shadow Copies, clears event logs, and empties the Recycle Bin to hinder recovery efforts.

Multi-threaded Encryption: The ransomware utilizes a multi-threaded approach, creating twice the number of threads as available processors to optimize encryption speed.

Security researcher somedieyoungZZ noted that Contacto’s encryption process involves several sophisticated steps.

Threading Model Used In Ransomware (Source – somedieyoungZZ)


Persistence and Post-Encryption Actions

The encryption process of Contacto consists of the following stages:

  1. Dynamic key generation using a hybrid Random Number Generator (RNG) that combines system entropy with a pseudo-random number generator.
  2. Chunk-based data transformation with adaptive chunk sizes and multi-stage XOR operations.
  3. Key evolution using iterative SHA-256 rounds and salt values embedded in the binary.
  4. Layered obfuscation strategy incorporating key whitening and byte-level shuffling.
  5. Pipeline optimization for concurrent processing of multiple files.

Ransomware Initial Phase (Source – somedieyoungZZ)

The ransomware also employs a unique approach to file encryption, targeting only specific parts of files (headers, footers, or random segments) even in “full” encryption mode. This technique renders files unusable while saving time during the encryption process.

Encryption (Source – somedieyoungZZ)

To maintain persistence, Contacto creates a fake scheduled task named “Windows Update BETA” with SYSTEM privileges, set to run on every startup.

Ransom Note & Changed Wallpaper (Source – somedieyoungZZ)

After encryption, the ransomware changes the desktop wallpaper to display a ransom note and performs self-deletion to cover its tracks.
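A hunting heuristic for the host-level behaviours the article describes (the “ContactoMutex” mutex, the fake “Windows Update BETA” task running as SYSTEM, shadow-copy deletion, event-log clearing and Windows Defender registry tampering). This is an added example, not code from the article or from somedieyoungZZ; the simplified Sysmon-like event schema, the field names and the sample records are constructed assumptions.

```python
import re
from collections import Counter

# Indicators quoted in the article above.
TASK_NAME = "windows update beta"
MUTEX_NAME = "ContactoMutex"

# Behaviour rules: (label, predicate over one event record). The field names
# (event, task_name, run_as, command_line, key, name) are an ASSUMED,
# simplified Sysmon-like schema, not a real product's format. The vssadmin
# pattern is a generic defender heuristic, not taken from the article.
RULES = [
    ("fake_scheduled_task", lambda e: e.get("event") == "task_created"
        and e.get("task_name", "").lower() == TASK_NAME
        and e.get("run_as", "").upper() == "SYSTEM"),
    ("shadow_copy_deletion", lambda e: e.get("event") == "process_create"
        and re.search(r"vssadmin.*delete\s+shadows", e.get("command_line", ""), re.I)),
    ("event_log_cleared", lambda e: e.get("event") == "log_cleared"),
    ("defender_registry_tamper", lambda e: e.get("event") == "registry_set"
        and "windows defender" in e.get("key", "").lower()),
    ("contacto_mutex", lambda e: e.get("event") == "mutex_created"
        and e.get("name") == MUTEX_NAME),
]

def match_events(events):
    """Count how many events trigger each rule; returns {label: count}."""
    hits = Counter()
    for e in events:
        for label, pred in RULES:
            if pred(e):
                hits[label] += 1
    return hits

def verdict(hits, min_distinct=3):
    """Any single rule is noisy (admins clear logs and edit policy keys too),
    so alert only when several distinct behaviours co-occur on one host."""
    return "alert" if len(hits) >= min_distinct else "benign"

# CONSTRUCTED sample telemetry from one host, mirroring the article's
# description; these are not real captured logs.
SAMPLE_EVENTS = [
    {"event": "mutex_created", "name": "ContactoMutex"},
    {"event": "task_created", "task_name": "Windows Update BETA", "run_as": "SYSTEM"},
    {"event": "process_create", "command_line": "vssadmin delete shadows /all /quiet"},
    {"event": "log_cleared", "channel": "System"},
    {"event": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"event": "process_create", "command_line": "notepad.exe notes.txt"},
]
```

Running `verdict(match_events(SAMPLE_EVENTS))` on the constructed host yields "alert" because five distinct behaviours co-occur, while a lone log-clearing event stays "benign".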

The researcher recommended:

  1. Keeping systems and antivirus software up-to-date
  2. Implementing robust backup strategies
  3. Educating users about phishing and social engineering tactics
  4. Employing network segmentation and least privilege principles
  5. Regularly monitoring systems for unusual activities



Article source: https://cybersecuritynews.com/new-contacto-ransomware-evades-av-detection/