{
	"id": "a3a7a3d0-0669-4f39-b9f2-7a3383818475",
	"created_at": "2026-04-06T00:17:49.657156Z",
	"updated_at": "2026-04-10T03:20:51.758107Z",
	"deleted_at": null,
	"sha1_hash": "2168f975852f41668613f3ba8ebbbbe2c7ac189e",
	"title": "AtomSilo Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 865898,
	"plain_text": "AtomSilo Ransomware\r\nBy Chuong Dong\r\nPublished: 2021-10-13 · Archived: 2026-04-05 19:22:36 UTC\r\nReverse Engineering  · 13 Oct 2021\r\nContents\r\nOverview\r\nIOCS\r\nRansom Note\r\nStatic Code Analysis\r\nCryptographic Keys Setup\r\nRun-Once Mutex\r\nLaunching Encryption Threads\r\nEncryption Threads\r\nDropping Ransom Note\r\nDFS Traversal\r\nFile Encryption\r\nHow To Decrypt\r\nReferences\r\nOverview\r\nThis is my analysis of AtomSilo Ransomware.\r\nAtomSilo uses the standard hybrid-cryptography scheme of RSA-512 and AES to encrypt files and protect its keys, with one twist: the per-file AES keys are encrypted with the victim’s RSA private key, so it is the victim’s public key that the malware has to hide.\r\nSince its only use of multithreading is one thread per drive letter, and each thread walks its drive with a recursive DFS, AtomSilo’s encryption is quite slow.\r\nThe malware is relatively short and simple to analyze, so it is definitely a beginner-friendly choice for those who want to get into ransomware analysis!\r\nhttps://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/\r\nPage 1 of 16\r\nFigure 1: AtomSilo leak site.\r\nIOCS\r\nThis sample is a 64-bit Windows executable.\r\nMD5: 81f01a9c29bae0cfa1ab015738adc5cc\r\nSHA256: 7a5999c54f4588ff1581d03938b7dcbd874ee871254e2018b98ef911ae6c8dee\r\nSample: https://bazaar.abuse.ch/sample/7a5999c54f4588ff1581d03938b7dcbd874ee871254e2018b98ef911ae6c8dee/\r\nRun-once mutex name: 8d5e957f297893487bd98fa830fa6413\r\nEncrypted file extension: .ATOMSILO\r\nRansom note filenames: README-FILE-[Computer Name]-[Starting Timestamp].hta, index.html\r\nRansom Note\r\nThe content of the ransom note is stored in plaintext in AtomSilo’s executable. 
The encrypted victim’s RSA public key is appended to the end of the note before the files are dropped on the system.\r\nThe ransom note filename is in the form of README-FILE-[Computer Name]-[Starting Timestamp].hta or index.html.\r\nFigure 2: AtomSilo ransom note.\r\nBelow is the full content of the ransom note file dropped on my machine.\r\n\u003c!DOCTYPE html\u003e\r\n\u003chtml lang=\"en\"\u003e\r\n\u003chead\u003e\r\n \u003cmeta charset=\"utf-8\"\u003e\r\n \u003ctitle\u003eAtom Slio: Instructions\u003c/title\u003e\r\n \u003cHTA:APPLICATION APPLICATIONNAME=\"Atom Slio\" SCROLL=\"yes\" SINGLEINSTANCE=\"yes\" WINDOWSTATE=\"maximize\"\u003e\r\n \r\n \u003cstyle type=\"text/css\"\u003e\r\n .text{\r\n text-align:center;\r\n }\r\n a {\r\n color: #04a;\r\n text-decoration: none;\r\n }\r\n a:hover {\r\n text-decoration: underline;\r\n }\r\n body {\r\n background-color: #e7e7e7;\r\n color: #222;\r\n font-family: \"Lucida Sans Unicode\", \"Lucida Grande\", sans-serif;\r\n font-size: 13pt;\r\n line-height: 19pt;\r\n }\r\n body, h1 {\r\n margin: 0;\r\n padding: 0;\r\n }\r\n hr {\r\n color: #bda;\r\n height: 2pt;\r\n margin: 1.5%;\r\n }\r\n h1 {\r\n color: #555;\r\n font-size: 14pt;\r\n }\r\n ol {\r\n padding-left: 2.5%;\r\n }\r\n ol li {\r\n padding-bottom: 13pt;\r\n }\r\n small {\r\n color: #555;\r\n font-size: 11pt;\r\n }\r\n .button:hover {\r\n text-decoration: underline;\r\n }\r\n .container {\r\n background-color: #fff;\r\n border: 2pt solid #c7c7c7;\r\n margin: 5%;\r\n min-width: 850px;\r\n padding: 2.5%;\r\n }\r\n .header {\r\n border-bottom: 2pt solid #c7c7c7;\r\n margin-bottom: 2.5%;\r\n padding-bottom: 2.5%;\r\n }\r\n .hr {\r\n background: #bda;\r\n display: block;\r\n height: 2pt;\r\n margin-top: 1.5%;\r\n margin-bottom: 1.5%;\r\n overflow: hidden;\r\n width: 100%;\r\n }\r\n .info {\r\n background-color: #f3f3fc;\r\n border: 2pt solid #bda;\r\n display: inline-block;\r\n padding: 1%;\r\n text-align: center;\r\n box-sizing:border-box;\r\n border-radius:20px;\r\n }\r\n .info1 {\r\n background-color: #f3f3fc;\r\n border: 2pt solid #bda;\r\n display: inline-block;\r\n padding: 1%;\r\n text-align: center;\r\n box-sizing:border-box;\r\n border-radius:20px;\r\n }\r\n .h {\r\n display: none;\r\n }\r\n .ml1{\r\n position:absolute;width:50%;height:10rem;left:-211px;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-s\r\n }\r\n
Atom Slio\r\nInstructions\r\nWARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!\r\nWe are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.But don’t worry, your files are safe, provided that you are willing to pay the ransom.\r\nAny forced shutdown or attempts to restore your files with the thrid-party software will be\r\nThe only way to decrypt your files safely is to buy the special decryption software from us.\r\nThe price of decryption software is 1000000 dollars.\r\nWe only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others.\r\nYou have five days to decide whether to pay or not. After a week, we will no longer provide d\r\nTime starts at 0:00 on September 11\r\nSurvival time：\r\nYou can contact us with the following email:\r\nEmail: arvato@atomsilo.com\r\nIf this email can't be contacted, you can find the latest email address on the following webs\r\nhxxp://\u003credacted\u003e[.]onion\r\nIf you don’t know how to open this dark web site, please follow the steps below to installati\r\n1. run your Internet browser\r\n2. enter or copy the address hxxps://www[.]torproject[.]org/download/download-easy\r\n3. wait for the site loading\r\n4. on the site you will be offered to download TorBrowser; download and run it, follow the\r\n5. run TorBrowser\r\n6. connect with the button\r\n- a normal Internet browser window will be opened after the initialization\r\n- type or copy the address in this browser address bar and press ENTER\r\n- the site should be loaded; if for some reason the site is not loading wait for a moment\r\nIf you have any problems during installation or use of TorBrowser, please, visit hxxp://\u003credacted\u003e[.]onion\r\nAdditional information:\r\nYou will find the instructions \"README-FILE-#COMPUTER#-#TIME#.hta\" in the folders with your encrypted files\r\nRemember! The worst situation already happened and now the future of your files depends on yo\r\nhxmkCZnpWBWUPTcqK4aVOlLut1L3skUJ/15ha57FrzFVDAqPQao9+trRpAzyEGRAcODB4MM8+SddAnBxk93PTrH\r\n
Static Code Analysis\r\nCryptographic Keys Setup\r\nAtomSilo uses a simple hybrid cryptographic approach, RSA and AES from the CryptoPP library, to encrypt files.\r\nThe malware first randomly generates a public-private RSA key pair for the victim and stores both halves in global variables. It then encrypts the victim’s public key using its own hard-coded RSA public key, stores the result, and wipes the generated victim public key from memory.\r\nSince the CryptoPP code for this is nasty, the best way to analyze these functions is probably pulling function signatures down from Lumina and making assumptions based on the functions getting called.\r\nFigure 3: Cryptographic Keys Setup.\r\nAtomSilo wipes the victim’s public key, rather than the private key, because its scheme is inverted: the per-file AES keys are encrypted with the victim’s private key (see File Encryption), so the public key is the half needed to decrypt files later, and clearing it is meant to stop it being recovered from memory. The private key necessarily stays resident for the lifetime of the process; if it is held as a CryptoPP RSA private key object, which carries the modulus and public exponent alongside the private exponent, the public key is recoverable from it anyway, but the analysis does not examine this.\r\nBelow is the hard-coded AtomSilo public RSA key.\r\nFigure 4: AtomSilo Public RSA Key.\r\n
Run-Once Mutex\r\nAtomSilo calls CreateMutexA to check whether a mutex named “8d5e957f297893487bd98fa830fa6413” already exists; if it does, the malware exits immediately. This avoids having multiple instances of the malware running at the same time. Because the check runs before any encryption, a mutex of that name created in advance stops this sample from running, and the name is a useful host artifact to hunt for.\r\nFigure 5: Run-Once Mutex Check.\r\n
Launching Encryption Threads\r\nAtomSilo attempts to use multithreading to speed up traversing and encrypting files on the system. It iterates through a list of drive names from “a:” to “z:” and spawns a new thread to encrypt each.\r\nFigure 6: Spawning Encryption Threads.\r\nFigure 7: List Of Drive Names.\r\nThe idea for multithreading is there, but one thread per drive letter is a poor split: total throughput is bounded by the single thread working the drive that holds the most files, so on a typical single-volume machine the encryption is effectively single-threaded.\r\nEncryption Threads\r\n
Dropping Ransom Note\r\nFor each directory it enters, AtomSilo drops a ransom note in it.\r\nFirst, the malware decrypts the following stack string and formats it as below.\r\n\u003casf\u003e\r\n\u003c/asf\u003e\r\n\u003ccsf\u003e3\u003c/csf\u003e\r\n\u003cbsf\u003e[Computer Name]\u003c/bsf\u003e\u003c/span\u003e\u003c/body\u003e\u003c/html\u003e\r\n[Directory Name]\\index.html\r\n[Directory Name]\\README-FILE-[Computer Name]-[Starting Timestamp].hta\r\nFigure 8: Resolving HTML Tags \u0026 Filename.\r\nThe ransom note’s filename depends on where it is dropped. When AtomSilo encounters any file with the extension .php, .asp, .jsp, or .html, it uses [Directory Name]\\index.html as the ransom note filename. For any other directory, it uses [Directory Name]\\README-FILE-[Computer Name]-[Starting Timestamp].hta.\r\nFinally, AtomSilo writes the content of the ransom note in the following format.\r\n[Ransom Note Content]\u003casf\u003e[Victim Encrypted RSA Public Key]\u003c/asf\u003e\u003ccsf\u003e3\u003c/csf\u003e\u003cbsf\u003e[Computer Name]\u003c/bsf\u003e\u003c/span\u003e\u003c/body\u003e\u003c/html\u003e\r\nFigure 9: Writing Ransom Note Content.\r\n
DFS Traversal\r\nEach thread uses DFS to traverse the directory passed to it. To enumerate files and subdirectories it uses the standard API calls FindFirstFileA and FindNextFileA.\r\nAtomSilo keeps an in-memory list of names to avoid encrypting and checks every file or directory it encounters against it. If the name is in the list, the entry is skipped and not encrypted.\r\nFigure 10: Traversing \u0026 Skipping Files.\r\nThe list of file/directory names to avoid is shown below.\r\nBoot, Windows, Windows.old, Tor Browser, Internet Explorer, Google,\r\nOpera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, ProgramData,\r\nAll Users, autorun.inf, index.html, boot.ini, bootfont.bin, bootsect.bak,\r\nbootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr,\r\nntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, #recycle, ..\r\nIf AtomSilo encounters a subdirectory, the malware appends its name to the current directory path, drops a ransom note inside, and passes the path to its traversal function to recursively go through it. 
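The traversal rules and note naming just described, reproduced as an added example rather than code from the original analysis or from the malware: given a path it reports whether AtomSilo’s DFS would skip it by name, skip it by extension (using the extension list the DFS Traversal section gives for files), or encrypt it; it names the ransom note that would land beside the file; and it pulls the asf/csf/bsf trailer back out of a dropped note, which is where the encrypted victim public key lives. Case-insensitive matching, a suffix match for the extension check (the write-up only says the filename ‘contains’ the extension) and the constructed sample paths and note text are assumptions.
```python
# Added example: models AtomSilo's traversal filter and ransom-note naming as
# the write-up describes them; not code from the original analysis or from the
# malware. Meant for scoping an incident (which paths would have been touched)
# and for pulling the key blob out of a dropped note.
# Assumptions: case-insensitive matching; the extension check is a suffix
# match (the write-up only says the filename 'contains' the extension).
import re

# Directory and file names the DFS never descends into or encrypts.
SKIP_NAMES = {n.lower() for n in (
    'Boot', 'Windows', 'Windows.old', 'Tor Browser', 'Internet Explorer',
    'Google', 'Opera', 'Opera Software', 'Mozilla', 'Mozilla Firefox',
    '$Recycle.Bin', 'ProgramData', 'All Users', 'autorun.inf', 'index.html',
    'boot.ini', 'bootfont.bin', 'bootsect.bak', 'bootmgr', 'bootmgr.efi',
    'bootmgfw.efi', 'desktop.ini', 'iconcache.db', 'ntldr', 'ntuser.dat',
    'ntuser.dat.log', 'ntuser.ini', 'thumbs.db', '#recycle', '..')}
# Extensions the per-file check refuses to encrypt (DFS Traversal section).
SKIP_EXTENSIONS = ('.atomsilo', '.hta', '.html', '.exe', '.dll', '.cpl', '.ini',
                   '.cab', '.cur', '.drv', '.hlp', '.icl', '.icns', '.ico',
                   '.idx', '.sys', '.spl', '.ocx')
# Extensions that make AtomSilo name its note index.html instead of README-FILE-*.hta.
WEB_EXTENSIONS = ('.php', '.asp', '.jsp', '.html')
SEP = chr(92)  # Windows path separator, built with chr() to avoid escape sequences

def components(path):
    # Split a Windows path on either separator, dropping empty pieces.
    return [p for p in path.replace(SEP, '/').split('/') if p]

def classify(path):
    # Verdict AtomSilo's DFS would reach for a file path:
    #   'skip-name'  a path component is on the name list, so the DFS never reaches it
    #   'skip-ext'   the filename ends with a protected extension
    #   'encrypt'    the file is encrypted and renamed to <name>.ATOMSILO
    parts = components(path)
    if any(p.lower() in SKIP_NAMES for p in parts):
        return 'skip-name'
    if parts[-1].lower().endswith(SKIP_EXTENSIONS):
        return 'skip-ext'
    return 'encrypt'

def note_name_for(path, computer_name, start_timestamp):
    # Full path of the ransom note AtomSilo drops beside this file.
    parts = components(path)
    directory = SEP.join(parts[:-1])
    if parts[-1].lower().endswith(WEB_EXTENSIONS):
        return directory + SEP + 'index.html'
    return directory + SEP + 'README-FILE-%s-%s.hta' % (computer_name, start_timestamp)

NOTE_TRAILER = re.compile('<asf>(.*?)</asf><csf>(.*?)</csf><bsf>(.*?)</bsf>', re.S)

def parse_note(note_text):
    # Recover the trailer AtomSilo appends to every note: the victim's RSA
    # public key (itself encrypted with AtomSilo's hard-coded public key),
    # the <csf> value and the computer name. Returns None if it is absent.
    m = NOTE_TRAILER.search(note_text)
    if m is None:
        return None
    return {'encrypted_victim_pubkey': m.group(1).strip(),
            'csf': m.group(2), 'computer_name': m.group(3)}

# Constructed sample inputs (not taken from a real infection).
SAMPLE_PATHS = ['C:/Windows/System32/kernel32.dll', 'C:/Users/bob/Documents/q3.xlsx',
                'C:/Users/bob/tools/nmap.exe', 'D:/inetpub/wwwroot/login.php']
SAMPLE_NOTE = ('...depends on you</p><asf>hxmkCZnp...PTrH</asf><csf>3</csf>'
               '<bsf>WS-ACCT-07</bsf></span></body></html>')

if __name__ == '__main__':
    for p in SAMPLE_PATHS:
        print(classify(p).ljust(9), p, '->', note_name_for(p, 'WS-ACCT-07', 1631318400))
    print(parse_note(SAMPLE_NOTE))
```
Because index.html sits on the name list and .html on the extension list, a .html file is refused before the note-naming step in this model, so only .php, .asp and .jsp files trigger the index.html variant; the start timestamp passed to note_name_for is whatever value the sample formats into the README-FILE name, which the write-up does not pin down.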
The recursion runs synchronously inside the drive’s thread, so it gives the ransomware no speed boost at all.\r\nFigure 11: Traversing Subdirectories With DFS.\r\nIf AtomSilo encounters a file, the malware checks whether the filename contains one of the following extensions.\r\n.atomsilo, .hta, .html, .exe, .dll, .cpl, .ini, .cab, .cur, .cpl,\r\n.cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx\r\nIf it does, the file is skipped and not encrypted. The first entry is the malware’s own extension, which keeps a second run from encrypting already-encrypted files again.\r\nFigure 12: Skipping Files Based On Extension.\r\nAs discussed above, when AtomSilo encounters any file with the extension .php, .asp, .jsp, or .html, it drops the ransom note at [Directory Name]\\index.html (.html also appears on the extension skip list, so if the checks run in the order shown, only .php, .asp and .jsp files reach this point). Finally, it passes the file path to a function to encrypt it.\r\nFigure 13: Dropping Ransom Note \u0026 Encrypting File.\r\nFile Encryption\r\nFor each file to be encrypted, AtomSilo randomly generates a 32-byte AES key. First, it gets the current system time and uses that as the seed for the C runtime’s pseudo-random number generator through srand. 
Using this, the malware generates a random string of 32 characters, each of which is randomly chosen to be a lower-case letter, an upper-case letter, or a digit 0-9. The key is therefore 32 bytes long but nowhere near 256 bits strong: every character comes from the same rand() stream, so the whole key is a function of the single srand seed, and the effective key space is bounded by the seed space rather than by the key length.\r\nFigure 14: Randomly Generating AES Key.\r\nNext, the AES key is encrypted using the victim’s RSA private key.\r\nFigure 15: Encrypting AES Key With Victim Private Key.\r\nAtomSilo then opens the file using CreateFileA and maps it into the address space of the current process with CreateFileMappingA and MapViewOfFile, so that it can read and write the contents directly.\r\nFigure 16: Retrieving File Handle \u0026 Mapping To Memory.\r\nPrior to encrypting the file, the malware writes the encrypted AES key into the last 0x210 bytes of the file, so the encrypted key travels with the file as a 0x210-byte trailer.\r\nFigure 17: Writing Encrypted AES Key To File.\r\nFinally, AtomSilo encrypts the file using the AES key with the AES implementation from CryptoPP, closes the file mapping handle, and appends “.ATOMSILO” to the filename.\r\nFigure 18: Encrypting \u0026 Changing File Extension.\r\nHow To Decrypt\r\nThe victim’s public RSA key, encrypted with AtomSilo’s public RSA key, is appended near the end of the ransom note. Decrypting it therefore requires AtomSilo’s private RSA key.\r\nTo decrypt a file encrypted by AtomSilo, the encrypted AES key can be extracted from the last 0x210 bytes of the file. 
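Two helpers for the File Encryption and How To Decrypt sections, added here as an example and not code from the original analysis or from the malware: split_encrypted_file() carves the 0x210-byte encrypted-key trailer off a .ATOMSILO file, and derive_key() rebuilds a 32-character key from an srand seed using the Microsoft CRT rand() recurrence, so that find_seed() can show the per-file key space collapsing to the set of candidate seeds. The character-selection logic (rand() % 3 to pick a class, then rand() % class size to pick the character), the assumption that the seed is a second-granularity timestamp, and the sample inputs are assumptions; the write-up gives only the alphabet and the seed source.
```python
# Added example, not code from the original analysis or from the malware.
# Part 1: carve the trailer AtomSilo leaves at the end of each encrypted file.
# Part 2: model the per-file AES key derivation (srand(time) + rand()) and show
# that guessing the seed recovers the key. The Microsoft CRT rand() recurrence
# (state = state * 214013 + 2531011, output = (state >> 16) & 0x7fff) is the
# real one; how the sample maps rand() output onto characters is an
# ASSUMPTION (rand() % 3 picks the class, rand() % len picks the character).
import string

TRAILER_LEN = 0x210  # bytes of encrypted AES key written to the end of the file
KEY_LEN = 32
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

def split_encrypted_file(data):
    # Return (ciphertext, encrypted_aes_key) for the bytes of a .ATOMSILO file.
    if len(data) < TRAILER_LEN:
        raise ValueError('file shorter than the %d-byte key trailer' % TRAILER_LEN)
    return data[:-TRAILER_LEN], data[-TRAILER_LEN:]

def original_name(encrypted_name):
    # Strip the appended extension; the comparison is case-insensitive.
    if encrypted_name.lower().endswith('.atomsilo'):
        return encrypted_name[:-len('.atomsilo')]
    return encrypted_name

def msvc_rand(seed):
    # Generator reproducing Microsoft CRT rand() after srand(seed).
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF

def derive_key(seed):
    # 32 characters, each a lower-case letter, upper-case letter or digit,
    # all drawn from one rand() stream seeded with the (assumed) timestamp.
    rnd = msvc_rand(seed)
    chars = []
    for _ in range(KEY_LEN):
        cls = CLASSES[next(rnd) % len(CLASSES)]
        chars.append(cls[next(rnd) % len(cls)])
    return ''.join(chars)

def find_seed(key, first_seed, last_seed):
    # Brute-force a seed window; returns the first seed reproducing key, else None.
    for seed in range(first_seed, last_seed + 1):
        if derive_key(seed) == key:
            return seed
    return None

# Constructed sample: filler bytes standing in for ciphertext, plus a zeroed trailer.
SAMPLE_FILE = b'not-really-aes-output-just-filler-bytes-' + bytes(TRAILER_LEN)

if __name__ == '__main__':
    body, blob = split_encrypted_file(SAMPLE_FILE)
    print(original_name('q3.xlsx.ATOMSILO'), len(body), len(blob))
    seed = 1631318400  # a second-granularity timestamp, the assumed seed form
    key = derive_key(seed)
    print(key, find_seed(key, seed - 3600, seed + 3600))
```
Each candidate seed costs 64 rand() steps, so a window of a whole day (86400 seeds) is trivial to search; what this example does not settle, because the write-up does not, is the AES mode and IV needed to test a candidate key against the carved ciphertext, and whether the seed really is the same timestamp that appears in the README-FILE name.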
Since that AES key is encrypted using the victim’s private RSA key, it can be decrypted using the victim’s public RSA key, which is exactly the half the malware wiped from memory and hid in the note. Recovering files therefore comes down to obtaining the victim’s public key, or, because each AES key is derived from a time-based srand seed, to searching the seed space directly; either route also needs the AES mode and the RSA padding CryptoPP applies, which are not covered here.\r\nReferences\r\nCryptoPP (Crypto++) library: https://github.com/weidai11/cryptopp\r\nSource: https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/"
	],
	"report_names": [
		"AtomSiloRansomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2168f975852f41668613f3ba8ebbbbe2c7ac189e.pdf",
		"text": "https://archive.orkl.eu/2168f975852f41668613f3ba8ebbbbe2c7ac189e.txt",
		"img": "https://archive.orkl.eu/2168f975852f41668613f3ba8ebbbbe2c7ac189e.jpg"
	}
}