Atomsilo

2/4 up parser RaaS

Compare Crypto

5posts (all time)

0last 30 days

0last 7 days

15% avg uptime 30d

Parsing: enabled Known RaaS

View crypto

Description

AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, combining file encryption with data exfiltration and leak threats. The malware uses a hybrid encryption scheme—AES‑256 for file encryption and RSA‑4096 to secure the AES key—and appends the extension .ATOMSILO to encrypted files. Ransom notes follow formats like README-FILE-{computer name}-{timestamp}.hta or ATOMSILO-README.hta. Structurally and operationally, AtomSilo closely resembles the LockFile ransomware and is attributed to the Chinese state-linked actor BRONZE STARLIGHT (aka Cinnamon Tempest, DEV‑0401, Emperor Dragonfly, SLIME34), likely serving as a smokescreen for espionage-driven data theft. Victims spanned multiple industries and countries, including notable high extortion demands up to $1 million USD. The group also exploited the Atlassian Confluence vulnerability (CVE‑2021‑26084) for initial access and used DLL side‑loading for stealthy deployment.

External Analysis9

External Analysis
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/
https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/
https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
https://twitter.com/siri_urz/status/1437664046556274694?s=20
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion

Ransom notes2

ATOMSILO-README.html html
atomsilo.hta txt

View all notes

Tox1

Tox
F3675A6D571BEAE0CA3F0C1E88A219915EC7E9D6B84F67A0A16989B4A17A7F1DD509997D91D3

Urls4

Url	Status	Uptime 30d
http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion	Down	0%
http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion/list.html	Down	0%
http://npmh5ahrgakbniuntyc7io4adm6ietbdbuejrfonowqtyqn24or556qd.onion/	Up	30%
http://npmh5ahrgakbniuntyc7io4adm6ietbdbuejrfonowqtyqn24or556qd.onion/leaks.html	Up	30%

Activity (interactive) 5

Posts5

Date	Title	Description
2026-02-24	A large bank in Asia	- employee_names - email_addresses - personal_information - sql_servers - service_accounts_credentials - ftp_credentials - routers_network_devices - senior_officers - related_third_parties - relationship_managers - budget_allocation - internal_policies_and_procedures - project_list - internal_memos - authorized_signatories - call_recordings - thousands more documents
2021-12-21	Tegra Vendas
2021-12-21	Eisai Co., Ltd
2021-12-21	LIGHT CONVERSION
2021-12-21	Cristália - Indústria Farmacêutica