Atom Silo Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 5
First Seen: October 19, 2021
Last Seen: October 21, 2021
OS(es) Affected: Windows

The Atom Silo Ransomware is a malware threat designed to lock the victim's files with a strong encryption algorithm. Functionally and at the code level, the Atom Silo Ransomware is virtually identical to another threat named LockFile, which itself shares multiple similarities with the ransomware used by the LockBit cybercrime group. The researchers at SophosLabs, who detected the current attacks, state that despite the overlaps in the final payloads, the Atom Silo threat belongs to a separate ransomware outfit that uses multiple stealth techniques, such as DLL side-loading, to keep its actions as hidden as possible.

The cybercriminals will then attempt to extort money from the affected users and organizations in exchange for the decryption key that can potentially restore the data. The threat appends its own file extension, '.ATOMSILO', to the original names of the encrypted files. Upon locking all suitable items, the threat drops a file carrying a ransom note with instructions for the victims in every folder containing locked data. These message-bearing files are named 'README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta.'
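The two file-level indicators above (the appended '.ATOMSILO' extension and the 'README-FILE-...hta' note name) are enough for a simple triage scan of a file share or disk image. The following is an added example for responders, not code from the original page; the sample paths are constructed, and the exact layout of the text between 'README-FILE-' and '.hta' is not documented, so it is kept as one opaque tag.

```python
import ntpath
import os
import re

# Indicators taken from the page: the appended extension and the note-name pattern.
ENCRYPTED_EXT = ".atomsilo"
NOTE_RE = re.compile(r"^README-FILE-(?P<tag>.+)\.hta$", re.IGNORECASE)


def find_atomsilo_indicators(paths):
    """Classify file paths into encrypted files and ransom notes.

    Returns the encrypted file paths, the notes (with the '#COMPUTER-NAME#-
    #CREATION-TIME#' tag between the prefix and '.hta'), and the folders that
    hold encrypted files but no note. The page states a note is dropped in every
    folder with locked data, so a missing note hints at an interrupted run.
    """
    encrypted, notes = [], []
    folders_with_encrypted, folders_with_note = set(), set()
    for path in paths:
        # ntpath.split understands both '\' and '/', so Windows paths from an
        # image listing can be processed on a Linux analysis box.
        folder, name = ntpath.split(path)
        if name.lower().endswith(ENCRYPTED_EXT):
            encrypted.append(path)
            folders_with_encrypted.add(folder)
            continue
        match = NOTE_RE.match(name)
        if match:
            notes.append({"path": path, "tag": match.group("tag")})
            folders_with_note.add(folder)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "folders_missing_note": sorted(folders_with_encrypted - folders_with_note),
        "affected": bool(encrypted or notes),
    }


def scan_directory(root):
    """Walk a mounted tree (e.g. a read-only image) and classify every file."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_atomsilo_indicators(paths)


# Constructed sample listing (not real data) illustrating the output shape.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\Q3-report.xlsx.ATOMSILO",
    r"C:\Shares\Finance\README-FILE-FILESRV01-2021-10-19-0342.hta",
    r"C:\Shares\HR\contracts.docx.ATOMSILO",
    r"C:\Shares\HR\policy.pdf",
    r"C:\Users\Public\notes.txt",
]

if __name__ == "__main__":
    print(find_atomsilo_indicators(SAMPLE_PATHS))
```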

AtomSilo's Demands

The ransom note indicates that the cybercriminals responsible for unleashing AtomSilo Ransomware are most likely targeting larger private or public organizations. After all, not many people can afford to pay the demanded ransom of 1 million dollars. The sum must be transferred in the Bitcoin cryptocurrency.

Although the hackers promise to halve the price to half a million dollars if the affected users contact them within the first 48 hours of the AtomSilo attack, that is of little help to individual victims. The note also warns that after a week the hackers will no longer be willing to cooperate and will publish the files collected from the breached devices.

To reach the cybercriminals, victims are provided with a single email address, 'arvato@atomsilo.com.' If any issues arise while contacting it, users are told to check for a more current email address that should be published on a dedicated site hosted on the TOR network.

The full text of AtomSilo's note is:

'Atom Slio

Instructions

WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!

We regret to inform you that your files were obtained and encrypted by us.

But don't worry, your files are safe as long as you're willing to pay the ransom.

Any forced shutdown or attempt to restore your files with third party software will permanently damage your files!

The only way to decrypt your files safely is to buy special decryption software from us.

The price of decryption software is $1,000,000. If you pay within 48 hours, you only need to pay $500,000. No price reduction is accepted.

We only accept payments in Bitcoin, you can buy it in bitpay, coinbase, binance or others.

You have five days to decide whether you want to pay or not. After a week, we will no longer provide decryption tools and will publish your files

Time starts at - at -

Survival time:

You can contact us with the following email:

Email: arvato@atomsilo.com

If this email cannot be reached, you can find the most recent email address on the following website:

hxxp://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

If you don't know how to open this dark site, please follow the steps below to install and use TorBrowser:

run your internet browser

insert or copy the address hxxps://www.torproject.org/download/download-easy.html.en into your browser's address bar and press ENTER

wait for the site to load; on the website, you can download TorBrowser; download and run it, follow the installation instructions, wait for the installation to complete

run TorBrowser; connect with the "Connect" button (if you use the English version); a normal internet browser window will open after startup; type or copy the address into this browser address bar and press ENTER

the site must be loaded; if for some reason the site is not loading, wait a moment and try again.

If you have any problems installing or using TorBrowser, visit hxxps://www.youtube.com and type the request in the search bar "Install TorBrowser Windows" and you will find many training videos on installing and using TorBrowser.

Additional Information:

You will find instructions ("README-FILE-#COMPUTER#  #TIME .hta") to restore your files in any folder with your encrypted files.

The instructions "README-FILE-#COMPUTER#- #TIME#.hta" on the folders with their encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you decrypt your files.

Remember if! The worst situation has already happened and now the future of your files depends on your determination and the speed of your actions.'

Update [09/05/2021]: Atom Silo Abuses Confluence Vulnerability

The Atom Silo ransomware group is actively exploiting the recently disclosed Confluence vulnerability. Confluence is a popular web-based corporate workspace for remote collaboration on projects, developed by the Australian software company Atlassian. The company released a patch addressing the vulnerability (CVE-2021-26084) on August 25, 2021, but numerous hacker groups are relying on targets who are slow to deploy the patch and thus remain open to attack.

Successful exploitation allows threat actors to execute commands remotely on the compromised servers. Atom Silo abuses this to install an initial backdoor on the machines. A second-stage backdoor with more robust stealth capabilities is then deployed and launched via DLL side-loading. The final ransomware payloads also come with a kernel driver tasked with disrupting endpoint protection solutions that might be running on the infected systems.