Ransomware

AtomSilo Ransomware Enters the League of Double Extortion

ransomware

Ransomware is used widely in cyberattacks to disrupt the victim's organization. Over the last two years, many attackers have evolved their ransomware tactics to include data exfiltration. This tactic is known as "double-extortion": attackers demand ransom for the data decryption in addition to the ransom to prevent public release of the stolen data. ThreatLabz monitors these threat actors and analyzes the attack sequences of double extortion attacks. AtomSilo is a new player on the scene, and in this blog, we'll break down the details of their attacks.

 

Introduction

AtomSilo ransomware emerged around September 2021, with their tactics including exfiltrating and publishing their first victim's data.

We'll break down one of their attacks, which started with initial access through exploiting a vulnerability in Atlassian’s Confluence collaboration software. The ransomware operators planted a back door using legitimate software via a dll side loading technique. The backdoor allowed remote code execution of Windows Shell commands through WMI (Windows Management Interface), which operators exploited using compromised administrative accounts before dropping AtomSilo.

 

Technical Analysis

The AtomSilo payload is 64-bit and packed with a modified UPX packer. Once executed, it enumerates each drive and drops a ransom note in each folder except the few listed in Table1. The ransom note is named “README-FILE-{COMPUTER_Name}-{DateTime}.hta”.

Figure 1: AtomSilo ransom note

 

It enumerates each file and encrypts all folders and files EXCEPT those that contain the below names:

 

Folder nameFile name
Bootautorun.inf
Windowsindex.html
Windows.oldboot.ini
Tor Browserbootfont.bin
Internet Explorerbootsect.bak
Googlebootmgr
Operabootmgr.efi
Opera Softwarebootmgfw.efi
Mozilladesktop.ini
Mozilla Firefoxiconcache.db
$recycle.Binntldr
ProgramDatantuser.dat
All Usersntuser.dat.log
 #recycle
 thumbs.db
 ntuser.ini

Table1: List of files and folders 

 

It also does not encrypt files with the following extensions:

 

.hta.idx
.hlp.ini
.html.sys
.icl.cab
.exe.spl
.icns.cur
.dll.ocx
.ico.cpl
.cpl.drv

Table2: List of extensions

 

File Encryption

Ransomware appends  “.atomsilo” extensions to files after encryption. Ransomware uses “CreateFileMappingA” and “MapViewOfFile” APIs to map the file in memory and moves the pointer to the start of the mapped file. AtomSilo uses XOR and AES Encryption algorithms to encrypt files. It generates AES round keys using the “AESKEYGENASSIST”  instruction as shown in the below figure.

 

Figure 2: AtomSilo generates encryption keys using AESKEYGENASSIST

The encryption key is 240 bytes. The first 32 bytes are randomly generated by the payload, and other 208 bytes are generated using the “AESKEYGENASSIST” instruction. In the file , it takes 16 bytes of plain text  and does XOR as a first stage encryption. Then, it encrypts it with 14 rounds of AES encryption. It uses “AESENC” instruction for the first 13 rounds and the last round uses  “AESENCLAST” instruction.

 

Figure 3: Encrypting data using AES algorithm

It encrypts chunks of the file, not the complete file. It encrypts the first 16 bytes, leaves the next 32 bytes as-is, encrypts the next 16 bytes, and so on. The below screenshot shows the comparison of the normal file and encrypted file, where we can see that chunks of files are not encrypted. The encryption key and other information are encrypted and appended at the end of the encrypted file.

 

Figure 4: Original vs Encrypted file

 

Data Leak site

According to their leak sites, AtomSilo actors won't attack the following types of organizations:

  • Hospitals.
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
  • Oil and gas industry (pipelines, oil refineries).
  • Educational unit.
  • Non-profit companies.

They also promise to provide free decryption if the victim company is on the above list.

Figure 5: Data leak site

 

The first data leak was from a Brazilian Pharmaceutical company. AtomSilo published around 900 GB data as shown in the below screenshot:

Figure 6: Victim data published on data leak site

 

Cloud Sandbox Detection

Figure 7: Zscaler Cloud Sandbox detection of AtomSilo ransomware

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.

Win64.Ransom.AtomSilo

 

IOC

Md5

04a8307259478245cbae49940b6d655a

 

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.