SYMBOL | COMMON_NAME | aka. SYNONYMS
win.atomsilo | ATOMSILO |

ATOMSILO


According to PCrisk, AtomSilo is ransomware: it blocks access to files by encrypting them and appends ".ATOMSILO" to each encrypted file's name, so "1.jpg" becomes "1.jpg.ATOMSILO", "2.jpg" becomes "2.jpg.ATOMSILO", and so on. It drops its ransom note as an HTA file named "README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta", with the two placeholders filled in per victim. The references below add that the operators delivered it through a Confluence exploit with DLL side-loading alongside Cobalt Strike (Sophos), ran a double-extortion scheme (Zscaler), that Secureworks ties it to BRONZE STARLIGHT operations using HUI Loader, and that Avast released a decryptor covering AtomSilo and LockFile in October 2021.
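The two file-system indicators in the description (the ".ATOMSILO" suffix and the README-FILE-...hta note) are enough for a first triage pass over a suspect host. The script below is an added example, not code from Malpedia or from any of the cited reports; it walks a directory tree, recovers the original name of each encrypted file by stripping the appended marker, and parses the host name and creation-time fields out of the note's file name. Because this page does not document the format of #CREATION-TIME#, the pattern only assumes that the time component contains no hyphen while the host part may; the sample tree it builds is constructed placeholder data, not real samples.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above. The layout of #CREATION-TIME#
# is not documented on this page, so the note pattern only assumes that the
# time component contains no hyphen; the host part may (assumption).
ENCRYPTED_SUFFIX = ".ATOMSILO"
NOTE_RE = re.compile(r"^README-FILE-(?P<host>.+?)-(?P<time>[^-]+)\.hta$")


def classify(path):
    """Classify one file name: ('encrypted', original_name), ('note', fields) or None."""
    name = Path(path).name
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        # AtomSilo appends the marker, so stripping it recovers the original name.
        return "encrypted", name[: -len(ENCRYPTED_SUFFIX)]
    m = NOTE_RE.match(name)
    if m:
        return "note", m.groupdict()
    return None


def triage(root):
    """Walk a tree and collect encrypted files, ransom notes and the directories holding notes."""
    root = Path(root)
    result = {"encrypted": [], "notes": [], "dirs_with_notes": set()}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            hit = classify(p)
            if hit is None:
                continue
            kind, data = hit
            rel = p.relative_to(root).as_posix()
            if kind == "encrypted":
                result["encrypted"].append((rel, data))
            else:
                result["notes"].append((rel, data))
                result["dirs_with_notes"].add(Path(rel).parent.as_posix())
    result["encrypted"].sort()
    result["notes"].sort()
    return result


def build_sample_tree():
    """Constructed directory layout for the demo; placeholder bytes, not real samples."""
    root = Path(tempfile.mkdtemp(prefix="atomsilo_demo_"))
    docs = root / "docs"
    docs.mkdir()
    for name in ("1.jpg.ATOMSILO", "2.jpg.ATOMSILO", "notes.txt"):
        (docs / name).write_bytes(b"placeholder")
    (docs / "README-FILE-WS-01-20210914T120000.hta").write_text("<html>ransom note placeholder</html>")
    (root / "untouched.png").write_bytes(b"\x89PNG placeholder")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    summary = triage(sample)
    print(f"{len(summary['encrypted'])} encrypted file(s), {len(summary['notes'])} ransom note(s)")
    for rel, original in summary["encrypted"]:
        print(f"  {rel} -> original name {original}")
    for rel, fields in summary["notes"]:
        print(f"  note {rel}: host={fields['host']} time={fields['time']}")
```

The list of directories that received a note, combined with the recovered original names, is what an incident responder needs to scope the encryption run and to decide which files are candidates for the Avast decryptor cited below.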

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit Research Team}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} }
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor Blister Cobalt Strike Emotet FiveHands Gozi IcedID ISFB JSSLoader LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17 | Sophos | Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} }
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27 | Avast Decoded | Avast
@online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} }
ATOMSILO LockFile
2021-10-15 | Zscaler | Rajdeepsinh Dodia
@online{dodia:20211015:atomsilo:81b4ff1, author = {Rajdeepsinh Dodia}, title = {{AtomSilo Ransomware Enters the League of Double Extortion}}, date = {2021-10-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion}, language = {English}, urldate = {2021-11-03} }
ATOMSILO
2021-10-13 | Chuongdong blog | Chuong Dong
@online{dong:20211013:atomsilo:d3abf78, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-01-25} }
ATOMSILO
2021-10-04 | Sophos | Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
@online{gallagher:20211004:atom:782b979, author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah}, title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}}, date = {2021-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/}, language = {English}, urldate = {2021-10-11} }
ATOMSILO Cobalt Strike
2021-09-14 | Twitter (@siri_urz) | S!Ri
@online{sri:20210914:atomsilo:7b746d4, author = {S!Ri}, title = {{Tweet on ATOMSILO ransomware}}, date = {2021-09-14}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1437664046556274694?s=20}, language = {English}, urldate = {2021-10-11} }
ATOMSILO
Yara Rules
[TLP:WHITE] win_atomsilo_auto (20230715 | Detects win.atomsilo.)
rule win_atomsilo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.atomsilo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7418 498b3e 488d55e0 ff5720 4c8bc0 488bd3 498bce }
            // n = 7, score = 100
            //   7418                 | je                  short +0x18
            //   498b3e               | mov                 rdi, qword ptr [r14]
            //   488d55e0             | lea                 rdx, [rbp - 0x20]
            //   ff5720               | call                qword ptr [rdi + 0x20]
            //   4c8bc0               | mov                 r8, rax
            //   488bd3               | mov                 rdx, rbx
            //   498bce               | mov                 rcx, r14

        $sequence_1 = { 488bcb ff5738 90 488b8c2498000000 48398c2490000000 480f428c2490000000 488b9424a0000000 }
            // n = 7, score = 100
            //   488bcb               | mov                 rcx, rbx
            //   ff5738               | call                qword ptr [rdi + 0x38]
            //   90                   | nop
            //   488b8c2498000000     | mov                 rcx, qword ptr [rsp + 0x98]
            //   48398c2490000000     | cmp                 qword ptr [rsp + 0x90], rcx
            //   480f428c2490000000   | cmovb               rcx, qword ptr [rsp + 0x90]
            //   488b9424a0000000     | mov                 rdx, qword ptr [rsp + 0xa0]

        $sequence_2 = { 33742428 44336c2418 44336c2414 89842498000000 8bc2 8bbc2498000000 4133c1 }
            // n = 7, score = 100
            //   33742428             | xor                 esi, dword ptr [rsp + 0x28]
            //   44336c2418           | xor                 r13d, dword ptr [rsp + 0x18]
            //   44336c2414           | xor                 r13d, dword ptr [rsp + 0x14]
            //   89842498000000       | mov                 dword ptr [rsp + 0x98], eax
            //   8bc2                 | mov                 eax, edx
            //   8bbc2498000000       | mov                 edi, dword ptr [rsp + 0x98]
            //   4133c1               | xor                 eax, r9d

        $sequence_3 = { 4883ec60 49c743b8feffffff 49895b10 49897318 488bd9 488b4110 488b5018 }
            // n = 7, score = 100
            //   4883ec60             | sub                 rsp, 0x60
            //   49c743b8feffffff     | mov                 qword ptr [r11 - 0x48], -2
            //   49895b10             | mov                 qword ptr [r11 + 0x10], rbx
            //   49897318             | mov                 qword ptr [r11 + 0x18], rsi
            //   488bd9               | mov                 rbx, rcx
            //   488b4110             | mov                 rax, qword ptr [rcx + 0x10]
            //   488b5018             | mov                 rdx, qword ptr [rax + 0x18]

        $sequence_4 = { 488bd9 4533f6 448970a8 443835???????? 750c e8???????? }
            // n = 6, score = 100
            //   488bd9               | mov                 rbx, rcx
            //   4533f6               | xor                 r14d, r14d
            //   448970a8             | mov                 dword ptr [rax - 0x58], r14d
            //   443835????????       | cmp                 byte ptr [rip + disp32], r14b
            //   750c                 | jne                 short +0xc
            //   e8????????           | call                rel32

        $sequence_5 = { 488d4d07 e8???????? 0f57c0 f30f7f45f7 0f1000 0f1145e7 0f104810 }
            // n = 7, score = 100
            //   488d4d07             | lea                 rcx, [rbp + 7]
            //   e8????????           | call                rel32
            //   0f57c0               | xorps               xmm0, xmm0
            //   f30f7f45f7           | movdqu              xmmword ptr [rbp - 9], xmm0
            //   0f1000               | movups              xmm0, xmmword ptr [rax]
            //   0f1145e7             | movups              xmmword ptr [rbp - 0x19], xmm0
            //   0f104810             | movups              xmm1, xmmword ptr [rax + 0x10]

        $sequence_6 = { 488d4f48 488d542428 e8???????? 488bd8 488b4c2440 48394c2438 480f424c2438 }
            // n = 7, score = 100
            //   488d4f48             | lea                 rcx, [rdi + 0x48]
            //   488d542428           | lea                 rdx, [rsp + 0x28]
            //   e8????????           | call                rel32
            //   488bd8               | mov                 rbx, rax
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   48394c2438           | cmp                 qword ptr [rsp + 0x38], rcx
            //   480f424c2438         | cmovb               rcx, qword ptr [rsp + 0x38]

        $sequence_7 = { 488d0da4f70300 e8???????? c705????????02000000 eb08 40b601 4088742420 }
            // n = 6, score = 100
            //   488d0da4f70300       | lea                 rcx, [rip + 0x3f7a4]
            //   e8????????           | call                rel32
            //   c705????????02000000 | mov                 dword ptr [rip + disp32], 2
            //   eb08                 | jmp                 short +8
            //   40b601               | mov                 sil, 1
            //   4088742420           | mov                 byte ptr [rsp + 0x20], sil

        $sequence_8 = { 488d0529010800 48894308 488b4310 48634804 488d0526010800 4889441910 488d4b18 }
            // n = 7, score = 100
            //   488d0529010800       | lea                 rax, [rip + 0x80129]
            //   48894308             | mov                 qword ptr [rbx + 8], rax
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]
            //   48634804             | movsxd              rcx, dword ptr [rax + 4]
            //   488d0526010800       | lea                 rax, [rip + 0x80126]
            //   4889441910           | mov                 qword ptr [rcx + rbx + 0x10], rax
            //   488d4b18             | lea                 rcx, [rbx + 0x18]

        $sequence_9 = { 7419 32c0 eb60 488b03 440fb6c6 400fb6d5 488bcb }
            // n = 7, score = 100
            //   7419                 | je                  short +0x19
            //   32c0                 | xor                 al, al
            //   eb60                 | jmp                 short +0x60
            //   488b03               | mov                 rax, qword ptr [rbx]
            //   440fb6c6             | movzx               r8d, sil
            //   400fb6d5             | movzx               edx, bpl
            //   488bcb               | mov                 rcx, rbx
    condition:
        7 of them and filesize < 1785856
}
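The rule fires only when at least 7 of its 10 byte sequences occur somewhere in a file smaller than 1,785,856 bytes, and the `??` tokens are single-byte wildcards that absorb call displacements and RIP-relative addresses. The script below is an added example, not part of the Malpedia rule or of yara-signator: it reimplements exactly that evaluation in plain Python, which is handy for checking what a carved memory region would trigger when the yara binary is not available, and for seeing why the size cap matters. The test buffers it builds are constructed from the rule's own hex strings with NOP padding and are not real AtomSilo samples; nibble-level wildcards and jumps (`[n-m]`), which this rule does not use, are deliberately unsupported.

```python
import re

# The ten hex strings of win_atomsilo_auto, copied from the rule above; "??"
# is a single-byte wildcard, as in YARA.
SEQUENCES = {
    "sequence_0": "7418 498b3e 488d55e0 ff5720 4c8bc0 488bd3 498bce",
    "sequence_1": "488bcb ff5738 90 488b8c2498000000 48398c2490000000 480f428c2490000000 488b9424a0000000",
    "sequence_2": "33742428 44336c2418 44336c2414 89842498000000 8bc2 8bbc2498000000 4133c1",
    "sequence_3": "4883ec60 49c743b8feffffff 49895b10 49897318 488bd9 488b4110 488b5018",
    "sequence_4": "488bd9 4533f6 448970a8 443835???????? 750c e8????????",
    "sequence_5": "488d4d07 e8???????? 0f57c0 f30f7f45f7 0f1000 0f1145e7 0f104810",
    "sequence_6": "488d4f48 488d542428 e8???????? 488bd8 488b4c2440 48394c2438 480f424c2438",
    "sequence_7": "488d0da4f70300 e8???????? c705????????02000000 eb08 40b601 4088742420",
    "sequence_8": "488d0529010800 48894308 488b4310 48634804 488d0526010800 4889441910 488d4b18",
    "sequence_9": "7419 32c0 eb60 488b03 440fb6c6 400fb6d5 488bcb",
}
REQUIRED = 7              # "7 of them"
FILESIZE_LIMIT = 1785856  # "filesize < 1785856"


def compile_hex(pattern):
    """Translate a YARA hex string (full-byte ?? wildcards only) into a bytes regex."""
    hexstr = pattern.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("odd number of nibbles in hex string")
    parts = []
    for i in range(0, len(hexstr), 2):
        tok = hexstr[i:i + 2]
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            raise ValueError("nibble wildcards are not supported by this example")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a 0x0a byte.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_hex(p) for name, p in SEQUENCES.items()}


def evaluate(buf):
    """Apply the rule's condition to a buffer: returns (matched sequence names, verdict)."""
    matched = [name for name, rx in COMPILED.items() if rx.search(buf)]
    verdict = len(matched) >= REQUIRED and len(buf) < FILESIZE_LIMIT
    return matched, verdict


def fill_wildcards(pattern, filler=0x41):
    """Concrete bytes for a hex string, every ?? replaced by `filler` (constructed sample data)."""
    hexstr = pattern.replace(" ", "")
    return bytes(filler if hexstr[i:i + 2] == "??" else int(hexstr[i:i + 2], 16)
                 for i in range(0, len(hexstr), 2))


def build_sample(names, gap=b"\x90" * 16):
    """Constructed test buffer: the named sequences separated by NOP padding (not a real sample)."""
    return gap + gap.join(fill_wildcards(SEQUENCES[n]) for n in names) + gap


if __name__ == "__main__":
    seven = list(SEQUENCES)[:7]
    for label, buf in (("7 sequences", build_sample(seven)),
                       ("3 sequences", build_sample(seven[:3])),
                       ("7 sequences, oversized", build_sample(seven) + b"\x00" * FILESIZE_LIMIT)):
        matched, verdict = evaluate(buf)
        print(f"{label}: {len(matched)} matched, {len(buf)} bytes -> {'MATCH' if verdict else 'no match'}")
```

The oversized case is the one to keep in mind operationally: a memory dump or a packed dropper that carries the same code but exceeds the size cap will not match this rule, so scan unpacked modules or carved regions rather than whole process images.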