atomsilo details

Description

AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, combining file encryption with data exfiltration and leak threats. The malware uses a hybrid encryption scheme—AES‑256 for file encryption and RSA‑4096 to secure the AES key—and appends the extension .ATOMSILO to encrypted files. Ransom notes follow formats like README-FILE-{computer name}-{timestamp}.hta or ATOMSILO-README.hta. Structurally and operationally, AtomSilo closely resembles the LockFile ransomware and is attributed to the Chinese state-linked actor BRONZE STARLIGHT (aka Cinnamon Tempest, DEV‑0401, Emperor Dragonfly, SLIME34), likely serving as a smokescreen for espionage-driven data theft. Victims spanned multiple industries and countries, including notable high extortion demands up to $1 million USD. The group also exploited the Atlassian Confluence vulnerability (CVE‑2021‑26084) for initial access and used DLL side‑loading for stealthy deployment.

External Analysis
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/
https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/
https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
https://twitter.com/siri_urz/status/1437664046556274694?s=20
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion

External Analysis

https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/

https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/

https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/

https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://twitter.com/siri_urz/status/1437664046556274694?s=20

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion

Url	Status	Screen	Uptime 30d	Health
http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion	Down		—
http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion/list.html	Down		—

Url

Status

Screen

Uptime 30d

Health

http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Down

—

http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion/list.html

Down

—

Date	Title	Description	Screen
2021-12-30	Tegravendas
2021-12-29	Cristália - Indústria Farmacêutica
2021-12-21	Tegravendas
2021-12-21	Eisai Co., Ltd.
2021-12-21	LIGHT CONVERSION
2021-12-21	CristÃ¡lia - IndÃºstria FarmacÃªutica

Date

Title

Description

Screen

2021-12-30

Tegravendas

2021-12-29

Cristália - Indústria Farmacêutica

2021-12-21

Tegravendas

2021-12-21

Eisai Co., Ltd.

2021-12-21

LIGHT CONVERSION

2021-12-21

CristÃ¡lia - IndÃºstria FarmacÃªutica

Atomsilo

Description

Note