Ransomware - AtomSilo

AtomSilo
Aliases
Atom Silo
Decryptor Available
Yes
Description

AtomSilo was a ransomware group with activity only observed for a few months in 2021, beginning operations in September and ending activity towards the end of the year. Only four victims are known to have been infected with the AtomSilo ransomware. However, based on ransom notes and communication methods, there have been at least two more victims that we can't identify with certainty. The ransomware itself is very identical to LockFile, a ransomware group active a few months prior to the inception of AtomSilo. The reason for the parallels in methodology, without overlap in operations, is that AtomSilo, along with LockFile, are attributed to state-sponsored actors in China known as BRONZE STARLIGHT. The group is also known as Cinnamon Tempest, DEV-0401, Emperor Dragonfly, and SLIME34. Researchers speculate the use of ransomware attacks from this group are smokescreens for intellectual property theft. After AtomSilo seized operations, BRONZE STARLIGHT began operating the Rook ransomware, followed by Night Sky, Pandora, and others. A sign that any given ransomware is derived from BRONZE STARLIGHT is the use of HUI Loader, the group’s loader of choice.

The ransomware uses a well-established hybrid encryption approach that leverages AES-256 for file encryption and RSA-4096 for encrypting the AES-256 key. This ensures that the victim has little to no chance of recovering files without the decryption key (hopefully) provided by the attackers. The ransom note name is a long string that couples a hardcoded string "README-FILE-" with the victim's computer name and a timestamp. You can view the format of that string below. Thankfully, Avast and an independent researcher named Aypex have created a decryptor for AtomSilo, which likely led to the threat actors switching to new ransomware shortly after their releases. This possibly saved victims from a six-to-seven-figure ransom based on the ransom notes from AtomSilo samples that sought these sums. 

Ransomware Type
Crypto-Ransomware
Country of Origin
China
First Seen
Last Seen
Lineage
Threat Actors
Type
Actor
APT
BRONZE STARLIGHT
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Extortion Amounts
Amount
$100,000
$200,000
$500,000
$1,000,000
Communication
Encryption
Type
Hybrid
Files
AES-256
Key
RSA-4096
File Extension
<file name>.ATOMSILO
Ransom Note Name
ATOMSILO-README.hta
README-FILE-#COMPUTER#-#TIME#.hta
15ea46c22b2b5e06b4a8f4dd163b3f89975ca606432e0d79315b6513f1e1f550
5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4
5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b
62629512c435acc24b083de1e1d128e66118301cb7be92651d85a8af5fe5b834
7a5999c54f4588ff1581d03938b7dcbd874ee871254e2018b98ef911ae6c8dee
d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
Known Victims
Industry Sector Pays Extortion Date Amount (USD)
Healthcare & MedicineBrazil $500,000
ManufacturingLithuania
Healthcare & MedicineJapan
Real Estate & HousingBrazil