SYMBOL: win.atomsilo
COMMON_NAME: ATOMSILO

According to PCrisk, AtomSilo is a type of malware that blocks access to files by encrypting them and renames every encrypted file by appending ".ATOMSILO" to its filename: "1.jpg" becomes "1.jpg.ATOMSILO", "2.jpg" becomes "2.jpg.ATOMSILO", and so on. As its ransom note, AtomSilo creates a file named "README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta".
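The two naming artifacts above (the appended ".ATOMSILO" suffix and the "README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta" note) are what an incident responder looks for first when scoping an infection. The following script is an added triage example, not code from Malpedia or from any of the referenced reports: it walks a directory tree, inventories encrypted files and the extensions they had before encryption, and parses the ransom-note name. It assumes (not stated on the page) that the computer-name and creation-time placeholders are arbitrary non-empty strings, and it builds a constructed sample tree in a temporary directory so it runs offline.

```python
"""Triage helper: inventory AtomSilo-style file artifacts under a directory tree."""
import os
import re
import tempfile
from collections import Counter

# Suffix appended to every encrypted file (from the description above).
ENCRYPTED_SUFFIX = ".ATOMSILO"

# Ransom-note name README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta.
# Assumption (not on the page): both placeholders are arbitrary non-empty
# strings; the host segment is matched lazily, the time segment greedily.
RANSOM_NOTE_RE = re.compile(
    r"^README-FILE-(?P<host>.+?)-(?P<time>.+)\.hta$", re.IGNORECASE
)


def is_encrypted_name(filename: str) -> bool:
    """True if the name carries the .ATOMSILO suffix (case-insensitive, as on Windows)."""
    return filename.upper().endswith(ENCRYPTED_SUFFIX)


def original_name(filename: str) -> str:
    """Strip the appended suffix to recover the pre-encryption file name."""
    if not is_encrypted_name(filename):
        raise ValueError("not an AtomSilo-encrypted file name")
    return filename[: -len(ENCRYPTED_SUFFIX)]


def parse_ransom_note(filename: str):
    """Return (host, time) if the name matches the ransom-note pattern, else None."""
    m = RANSOM_NOTE_RE.match(filename)
    return (m.group("host"), m.group("time")) if m else None


def scan_tree(root: str) -> dict:
    """Walk `root` and summarise encrypted files, original extensions and ransom notes."""
    encrypted, notes = [], []
    ext_counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_encrypted_name(name):
                encrypted.append(path)
                ext_counter[os.path.splitext(original_name(name))[1].lower()] += 1
            elif parse_ransom_note(name):
                notes.append(path)
    return {
        "encrypted_files": encrypted,
        "original_extensions": dict(ext_counter),
        "ransom_notes": notes,
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree that mimics the naming the page describes."""
    root = tempfile.mkdtemp(prefix="atomsilo_demo_")
    layout = {  # constructed sample data, not real IoCs
        "docs/1.jpg.ATOMSILO": b"",
        "docs/2.jpg.ATOMSILO": b"",
        "docs/report.docx.ATOMSILO": b"",
        "docs/README-FILE-WORKSTATION01-2021-10-04-12-00.hta": b"<html></html>",
        "untouched/notes.txt": b"clean",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted_files'])} encrypted files "
          f"in {len(result['affected_dirs'])} directories")
    print("original extensions:", result["original_extensions"])
    for note in result["ransom_notes"]:
        base = os.path.basename(note)
        print("ransom note:", base, parse_ransom_note(base))
```

Point `scan_tree` at a mounted image or a live share to get a per-directory count of encrypted files plus the extension mix, which tells you what kind of data was hit and which hosts dropped notes, before any decryptor (such as the Avast one referenced below) is attempted.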

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
Tags: ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
Tags: ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2021-10-27 | Avast Decoded | Avast
Avast releases decryptor for AtomSilo and LockFile ransomware
Tags: ATOMSILO LockFile

2021-10-15 | Zscaler | Rajdeepsinh Dodia
AtomSilo Ransomware Enters the League of Double Extortion
Tags: ATOMSILO

2021-10-13 | Chuongdong blog | Chuong Dong
AtomSilo Ransomware
Tags: ATOMSILO
2021-10-04 | Sophos | Chaitanya Ghorpade, Kajal Katiyar, Krisztián Diriczi, Rahil Shah, Sean Gallagher, Vikas Singh
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
Tags: ATOMSILO Cobalt Strike

2021-09-14 | Twitter (@siri_urz) | S!Ri
Tweet on ATOMSILO ransomware
Tags: ATOMSILO

Yara Rules
[TLP:WHITE] win_atomsilo_auto (20260504 | Detects win.atomsilo.)
rule win_atomsilo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.atomsilo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 90 84db 0f84e3000000 ba01000000 488d4de0 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   90                   | mov                 byte ptr [ebp - 0x68], 0x28
            //   84db                 | mov                 byte ptr [ebp - 0x67], 0x22
            //   0f84e3000000         | mov                 byte ptr [ebp - 0x66], al
            //   ba01000000           | movzx               eax, byte ptr [ebp - 0x6c]
            //   488d4de0             | nop                 

        $sequence_1 = { 33ed 896808 40382d???????? 750c e8???????? c605????????01 488d05824c0600 }
            // n = 7, score = 100
            //   33ed                 | or                  edx, 0x80070000
            //   896808               | test                eax, eax
            //   40382d????????       |                     
            //   750c                 | cmovle              edx, eax
            //   e8????????           |                     
            //   c605????????01       |                     
            //   488d05824c0600       | dec                 eax

        $sequence_2 = { 4889442458 33c9 894c2460 48c70001000000 48894808 c744243004000000 488b4e18 }
            // n = 7, score = 100
            //   4889442458           | mov                 dword ptr [eax], ebp
            //   33c9                 | dec                 esp
            //   894c2460             | mov                 ecx, edi
            //   48c70001000000       | dec                 esp
            //   48894808             | mov                 eax, esi
            //   c744243004000000     | dec                 eax
            //   488b4e18             | lea                 edx, [esp + 0x30]

        $sequence_3 = { 498bc3 49f7e9 4c8bfa 49c1ff05 498bc7 48c1e83f 4c03f8 }
            // n = 7, score = 100
            //   498bc3               | dec                 eax
            //   49f7e9               | mov                 ebx, eax
            //   4c8bfa               | dec                 ecx
            //   49c1ff05             | mov                 edi, dword ptr [esi]
            //   498bc7               | dec                 eax
            //   48c1e83f             | lea                 edx, [esp + 0x28]
            //   4c03f8               | dec                 ecx

        $sequence_4 = { 90 488bd0 488d4e60 e8???????? 90 488b4d60 48394d58 }
            // n = 7, score = 100
            //   90                   | mov                 dword ptr [ebp + 0xf0], eax
            //   488bd0               | nop                 
            //   488d4e60             | inc                 ecx
            //   e8????????           |                     
            //   90                   | mov                 eax, 1
            //   488b4d60             | dec                 eax
            //   48394d58             | mov                 edx, eax

        $sequence_5 = { 8844245a 8b442450 0407 83f04f 8844245b 8b442450 }
            // n = 6, score = 100
            //   8844245a             | dec                 eax
            //   8b442450             | lea                 ecx, [esp + 0x48]
            //   0407                 | dec                 eax
            //   83f04f               | lea                 edx, [0x6cc89]
            //   8844245b             | or                  edx, 0x80070000
            //   8b442450             | test                eax, eax

        $sequence_6 = { 7235 488b8990000000 48ffc2 4881fa00100000 721c 4883c227 488b79f8 }
            // n = 7, score = 100
            //   7235                 | shr                 ecx, 1
            //   488b8990000000       | movdqa              xmmword ptr [esp + 0x20], xmm0
            //   48ffc2               | dec                 esp
            //   4881fa00100000       | lea                 eax, [esp + 0x30]
            //   721c                 | dec                 eax
            //   4883c227             | lea                 edx, [0x614df]
            //   488b79f8             | dec                 eax

        $sequence_7 = { e8???????? 90 4584ff 7454 488bce e8???????? 8bf8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | add                 ecx, edi
            //   4584ff               | call                dword ptr [ebx + 0x20]
            //   7454                 | dec                 eax
            //   488bce               | lea                 eax, [0x6003d]
            //   e8????????           |                     
            //   8bf8                 | dec                 eax

        $sequence_8 = { ba01000000 e9???????? 837dd801 0f84c8000000 833d????????01 0f8485010000 488b45c8 }
            // n = 7, score = 100
            //   ba01000000           | mov                 esp, dword ptr [esp + 0x50]
            //   e9????????           |                     
            //   837dd801             | dec                 ebp
            //   0f84c8000000         | mov                 eax, esp
            //   833d????????01       |                     
            //   0f8485010000         | dec                 eax
            //   488b45c8             | lea                 edx, [ebp + 0xe0]

        $sequence_9 = { 4c2b5c2438 498d7d01 4c8b9424d0000000 488d3cfe 4c8b642430 4c2beb 4c2bde }
            // n = 7, score = 100
            //   4c2b5c2438           | lea                 eax, [ebx + edi]
            //   498d7d01             | dec                 ecx
            //   4c8b9424d0000000     | cmp                 eax, esi
            //   488d3cfe             | jbe                 0x376
            //   4c8b642430           | dec                 ebx
            //   4c2beb               | lea                 eax, [esi + eax]
            //   4c2bde               | dec                 esp

    condition:
        7 of them and filesize < 1785856
}