ATOMSILO (Malpedia family: win.atomsilo)

According to PCrisk, AtomSilo is a type of malware that blocks access to files by encrypting them and renames every encrypted file by appending the ".ATOMSILO" extension to its filename. It renames "1.jpg" to "1.jpg.ATOMSILO", "2.jpg" to "2.jpg.ATOMSILO", and so on. As its ransom note, AtomSilo creates the "README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta" file.
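As an added defender-side example (not from Malpedia or any of the referenced reports), the following Python triages a file listing for the two artifacts described above: it recovers the original names of files carrying the ".ATOMSILO" suffix and parses the ransom-note filename. The sample paths, the host name and the timestamp format are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Indicators from the description above: the ".ATOMSILO" extension appended to
# every encrypted file, and a note named "README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta".
ENCRYPTED_SUFFIX = ".ATOMSILO"
NOTE_RE = re.compile(r"^README-FILE-(?P<fields>.+)\.hta$", re.IGNORECASE)

def original_name(path):
    """Pre-encryption filename if `path` carries the AtomSilo suffix, else None.
    Case-sensitive, since the description shows the suffix in upper case."""
    name = PurePosixPath(path).name
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None

def parse_note(path):
    """{'host', 'created'} for a ransom note filename, else None.
    Assumption: the two placeholders are joined by one hyphen and the host
    name contains none, so the split is at the first hyphen."""
    m = NOTE_RE.match(PurePosixPath(path).name)
    if not m:
        return None
    host, _, created = m.group("fields").partition("-")
    return {"host": host, "created": created or None}

def triage(paths):
    """(encrypted, recovered original) pairs, parsed notes, and per-directory counts."""
    encrypted, notes, dirs = [], [], Counter()
    for p in paths:
        orig = original_name(p)
        if orig is not None:
            encrypted.append((p, str(PurePosixPath(p).with_name(orig))))
            dirs[str(PurePosixPath(p).parent)] += 1
            continue
        note = parse_note(p)
        if note is not None:
            notes.append({"path": p, **note})
    return {"encrypted": encrypted, "notes": notes, "dirs": dict(dirs)}

# Constructed sample listing (not from a real incident); the last entry is clean.
SAMPLE = [
    "/srv/share/pics/1.jpg.ATOMSILO",
    "/srv/share/pics/2.jpg.ATOMSILO",
    "/srv/share/docs/q3.xlsx.ATOMSILO",
    "/srv/share/docs/README-FILE-FILESRV01-20211004T093000.hta",
    "/srv/share/docs/notes.txt",
]
```

Running `triage(SAMPLE)` gives the recovered names, the note with its parsed fields, and the count of encrypted files per directory, which is usually the first question in scoping an incident.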

References

2022-06-23 | Secureworks | Counter Threat Unit Research Team
  BRONZE STARLIGHT Ransomware Operations Use HUI Loader
  Tags: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster, BRONZE STARLIGHT

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
  Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-03-17 | Sophos | Tilly Travers
  The Ransomware Threat Intelligence Center
  Tags: ATOMSILO, Avaddon, AvosLocker, BlackKingdom Ransomware, BlackMatter, Conti, Cring, DarkSide, dearcry, Dharma, Egregor, Entropy, Epsilon Red, Gandcrab, Karma, LockBit, LockFile, Mailto, Maze, Nefilim, RagnarLocker, Ragnarok, REvil, RobinHood, Ryuk, SamSam, Snatch, WannaCryptor, WastedLocker

2021-10-27 | Avast Decoded | Avast
  Avast releases decryptor for AtomSilo and LockFile ransomware
  Tags: ATOMSILO, LockFile

2021-10-15 | Zscaler | Rajdeepsinh Dodia
  AtomSilo Ransomware Enters the League of Double Extortion
  Tags: ATOMSILO

2021-10-13 | Chuongdong blog | Chuong Dong
  AtomSilo Ransomware
  Tags: ATOMSILO

2021-10-04 | Sophos | Chaitanya Ghorpade, Kajal Katiyar, Krisztián Diriczi, Rahil Shah, Sean Gallagher, Vikas Singh
  Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
  Tags: ATOMSILO, Cobalt Strike

2021-09-14 | Twitter (@siri_urz) | S!Ri
  Tweet on ATOMSILO ransomware
  Tags: ATOMSILO
Yara Rules
[TLP:WHITE] win_atomsilo_auto (20230808 | Detects win.atomsilo.)
rule win_atomsilo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.atomsilo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 90 488d054b810900 488903 488d0571780900 48894308 48c74338ffffffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | mov                 esi, dword ptr [edi]
            //   488d054b810900       | dec                 eax
            //   488903               | mov                 edx, dword ptr [eax]
            //   488d0571780900       | dec                 eax
            //   48894308             | mov                 ecx, eax
            //   48c74338ffffffff     | call                dword ptr [edx + 0x40]

        $sequence_1 = { 4403e8 498b17 48638c24a0000000 4803ca 49890f 483bca 731c }
            // n = 7, score = 100
            //   4403e8               | or                  ecx, ebx
            //   498b17               | mov                 dword ptr [esp + 0x20], ebp
            //   48638c24a0000000     | inc                 ecx
            //   4803ca               | cmp                 dword ptr [eax + 0x28], 1
            //   49890f               | je                  0x181
            //   483bca               | inc                 ecx
            //   731c                 | cmp                 dword ptr [ecx + 0x28], 1

        $sequence_2 = { 4d8bc4 488bd7 488d8d50010000 e8???????? b930000000 e8???????? 488bd8 }
            // n = 7, score = 100
            //   4d8bc4               | mov                 ecx, dword ptr [eax]
            //   488bd7               | dec                 esp
            //   488d8d50010000       | mov                 edx, dword ptr [ecx + 0x128]
            //   e8????????           |                     
            //   b930000000           | movzx               ecx, byte ptr [esp + 0xf0]
            //   e8????????           |                     
            //   488bd8               | mov                 byte ptr [esp + 0xf0], cl

        $sequence_3 = { 488b7dd0 4885c9 741d 488d51ff 488d14d7 0f1f440000 48833a00 }
            // n = 7, score = 100
            //   488b7dd0             | dec                 eax
            //   4885c9               | mov                 dword ptr [ebp + 0x38], esi
            //   741d                 | dec                 eax
            //   488d51ff             | mov                 dword ptr [ebp + 0x40], esi
            //   488d14d7             | cmovne              eax, ecx
            //   0f1f440000           | test                eax, eax
            //   48833a00             | je                  0x2ff

        $sequence_4 = { 0409 83f052 8844245d 8b442450 040a 83f045 8844245e }
            // n = 7, score = 100
            //   0409                 | lea                 edi, [0x66240]
            //   83f052               | jmp                 0x26d
            //   8844245d             | dec                 eax
            //   8b442450             | mov                 eax, dword ptr [ebx]
            //   040a                 | push                edi
            //   83f045               | dec                 eax
            //   8844245e             | sub                 esp, 0x20

        $sequence_5 = { 488d05dd6c0700 488907 488bc7 0f104318 488b5c2430 f30f7f4718 4883c420 }
            // n = 7, score = 100
            //   488d05dd6c0700       | mov                 eax, dword ptr [esi + ebx*4]
            //   488907               | inc                 ecx
            //   488bc7               | mov                 eax, dword ptr [edi]
            //   0f104318             | mov                 dword ptr [ecx + esi*4], eax
            //   488b5c2430           | dec                 eax
            //   f30f7f4718           | inc                 dword ptr [ebx + 0x20]
            //   4883c420             | dec                 eax

        $sequence_6 = { 4156 4883ec50 488b5830 498bf9 498bf0 4c8bf2 4c8be1 }
            // n = 7, score = 100
            //   4156                 | mov                 byte ptr [esp + 0x6f], al
            //   4883ec50             | xor                 eax, 0x4f
            //   488b5830             | mov                 byte ptr [esp + 0x73], al
            //   498bf9               | mov                 eax, dword ptr [esp + 0x68]
            //   498bf0               | add                 al, 8
            //   4c8bf2               | xor                 eax, 0x2d
            //   4c8be1               | mov                 byte ptr [esp + 0x74], al

        $sequence_7 = { 488d15e7b60500 0fb60c0a c1e103 4863c9 488d1546720900 33440a03 8944243c }
            // n = 7, score = 100
            //   488d15e7b60500       | ror                 edx, 2
            //   0fb60c0a             | inc                 esp
            //   c1e103               | add                 ecx, eax
            //   4863c9               | inc                 esp
            //   488d1546720900       | add                 ecx, ecx
            //   33440a03             | mov                 ecx, ebx
            //   8944243c             | inc                 ecx

        $sequence_8 = { 0f94c0 480106 ebc0 488b7c2438 4c8b8424f0000000 4c8b9c24c8000000 4c8b9424d0000000 }
            // n = 7, score = 100
            //   0f94c0               | mov                 edi, dword ptr [eax]
            //   480106               | dec                 ebx
            //   ebc0                 | lea                 ecx, [eax + ebx]
            //   488b7c2438           | xorps               xmm0, xmm0
            //   4c8b8424f0000000     | movdqu              xmmword ptr [esp + 0x60], xmm0
            //   4c8b9c24c8000000     | dec                 eax
            //   4c8b9424d0000000     | test                edi, edi

        $sequence_9 = { 4883ec28 83792801 8b4228 7423 83f801 740f e8???????? }
            // n = 7, score = 100
            //   4883ec28             | push                ebp
            //   83792801             | dec                 eax
            //   8b4228               | sub                 esp, 0x20
            //   7423                 | dec                 eax
            //   83f801               | mov                 ebp, edx
            //   740f                 | mov                 edx, 0x98
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1785856
}