AtomSilo Ransomware Enters the League of Double Extortion

Ransomware is used widely in cyberattacks to disrupt the victim’s organization. Over the last two years, many attackers have evolved their ransomware tactics to include data exfiltration. This tactic is known as “double-extortion”: attackers demand ransom for the data decryption in addition to the ransom to prevent public release of the stolen data. ThreatLabz monitors these threat actors and analyzes the attack sequences of double extortion attacks. AtomSilo is a new player on the scene, and in this blog, we’ll break down the details of their attacks.

Introduction

AtomSilo ransomware emerged around September 2021, with their tactics including exfiltrating and publishing their first victim’s data.

We’ll break down one of their attacks, which started with initial access through exploiting a vulnerability in Atlassian’s Confluence collaboration software. The ransomware operators planted a back door using legitimate software via a dll side loading technique. The backdoor allowed remote code execution of Windows Shell commands through WMI (Windows Management Interface), which operators exploited using compromised administrative accounts before dropping AtomSilo.

Technical Analysis

The AtomSilo payload is 64-bit and packed with a modified UPX packer. Once executed, it enumerates each drive and drops a ransom note in each folder except the few listed in Table1. The ransom note is named “README-FILE-{COMPUTER_Name}-{DateTime}.hta”.

Figure 1: AtomSilo ransom note

It enumerates each file and encrypts all folders and files EXCEPT those that contain the below names:

		Folder name
		File name
	


	
		Boot
		autorun.inf
	
	
		Windows
		index.html
	
	
		Windows.old
		boot.ini
	
	
		Tor Browser
		bootfont.bin
	
	
		Internet Explorer
		bootsect.bak
	
	
		Google
		bootmgr
	
	
		Opera
		bootmgr.efi
	
	
		Opera Software
		bootmgfw.efi
	
	
		Mozilla
		desktop.ini
	
	
		Mozilla Firefox
		iconcache.db
	
	
		$recycle.Bin
		ntldr
	
	
		ProgramData
		ntuser.dat
	
	
		All Users
		ntuser.dat.log
	
	
		 
		#recycle
	
	
		 
		thumbs.db
	
	
		 
		ntuser.ini

Table1: List of files and folders

It also does not encrypt files with the following extensions:

		.hta
		.idx
	
	
		.hlp
		.ini
	
	
		.html
		.sys
	
	
		.icl
		.cab
	
	
		.exe
		.spl
	
	
		.icns
		.cur
	
	
		.dll
		.ocx
	
	
		.ico
		.cpl
	
	
		.cpl
		.drv

Table2: List of extensions

File Encryption

Ransomware appends “.atomsilo” extensions to files after encryption. Ransomware uses “CreateFileMappingA” and “MapViewOfFile” APIs to map the file in memory and moves the pointer to the start of the mapped file. AtomSilo uses XOR and AES Encryption algorithms to encrypt files. It generates AES round keys using the “AESKEYGENASSIST” instruction as shown in the below figure.

Figure 2: AtomSilo generates encryption keys using AESKEYGENASSIST

The encryption key is 240 bytes. The first 32 bytes are randomly generated by the payload, and other 208 bytes are generated using the “AESKEYGENASSIST” instruction. In the file , it takes 16 bytes of plain text and does XOR as a first stage encryption. Then, it encrypts it with 14 rounds of AES encryption. It uses “AESENC” instruction for the first 13 rounds and the last round uses “AESENCLAST” instruction.

Figure 3: Encrypting data using AES algorithm

It encrypts chunks of the file, not the complete file. It encrypts the first 16 bytes, leaves the next 32 bytes as-is, encrypts the next 16 bytes, and so on. The below screenshot shows the comparison of the normal file and encrypted file, where we can see that chunks of files are not encrypted. The encryption key and other information are encrypted and appended at the end of the encrypted file.

Figure 4: Original vs Encrypted file

Data Leak site

According to their leak sites, AtomSilo actors won’t attack the following types of organizations:

Hospitals.
Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
Oil and gas industry (pipelines, oil refineries).
Educational unit.
Non-profit companies.

They also promise to provide free decryption if the victim company is on the above list.

Figure 5: Data leak site

The first data leak was from a Brazilian Pharmaceutical company. AtomSilo published around 900 GB data as shown in the below screenshot:

Figure 6: Victim data published on data leak site

Cloud Sandbox Detection

Figure 7: Zscaler Cloud Sandbox detection of AtomSilo ransomware

IOC

Md5

04a8307259478245cbae49940b6d655a

Article Link: https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion