Atomsilo
Description
AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It operated a double-extortion model, combining file encryption with data exfiltration and leak threats. The malware uses a hybrid encryption scheme, AES-256 for file encryption and RSA-4096 to protect the AES key, and appends the extension .ATOMSILO to encrypted files. Ransom notes follow formats such as README-FILE-{computer name}-{timestamp}.hta or ATOMSILO-README.hta. Structurally and operationally, AtomSilo closely resembles the LockFile ransomware and is attributed to the Chinese state-linked actor BRONZE STARLIGHT (aka Cinnamon Tempest, DEV-0401, Emperor Dragonfly, SLIME34), for whom the ransomware likely served as a smokescreen for espionage-driven data theft. Victims spanned multiple industries and countries, with extortion demands reaching as high as $1 million USD. The group exploited the Atlassian Confluence vulnerability CVE-2021-26084 for initial access and used DLL side-loading for stealthy deployment.
External Analysis
| External Analysis |
|---|
| https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/ |
| https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/ |
| https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/ |
| https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ |
| https://twitter.com/siri_urz/status/1437664046556274694?s=20 |
| https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself |
| https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader |
| https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion |
Tox
| Tox |
|---|
| F3675A6D571BEAE0CA3F0C1E88A219915EC7E9D6B84F67A0A16989B4A17A7F1DD509997D91D3 |
Posts
| Title | Description |
|---|---|
| A large bank in Asia | employee_names, email_addresses, personal_information, sql_servers, service_accounts_credentials, ftp_credentials, routers_network_devices, senior_officers, related_third_parties, relationship_managers, budget_allocation, internal_policies_and_procedures, project_list, internal_memos, authorized_signatories, call_recordings, thousands more documents |
| Tegra Vendas | |
| Eisai Co., Ltd | |
| LIGHT CONVERSION | |
| Cristália - Indústria Farmacêutica | |