{
	"id": "c54f9cde-d2c7-4a6a-aee8-15940424de88",
	"created_at": "2026-04-06T00:22:25.45142Z",
	"updated_at": "2026-04-10T03:20:39.633587Z",
	"deleted_at": null,
	"sha1_hash": "4e7aaed3fe71a51f4e9348f3b5c13b5754d197ae",
	"title": "AtomSilo Ransomware Enters the League of Double Extortion | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2167933,
	"plain_text": "AtomSilo Ransomware Enters the League of Double Extortion |\r\nZscaler\r\nBy Rajdeepsinh Dodia\r\nPublished: 2021-10-15 · Archived: 2026-04-05 21:05:38 UTC\r\nRansomware is used widely in cyberattacks to disrupt the victim's organization. Over the last two years, many attackers have evolved their ransomware tactics to include data exfiltration. This tactic is known as \"double extortion\": attackers demand one ransom for decrypting the data and a second ransom to prevent public release of the stolen data. ThreatLabz monitors these threat actors and analyzes the attack sequences of double extortion attacks. AtomSilo is a new player on the scene, and in this blog we break down the details of their attacks.\r\nIntroduction\r\nAtomSilo ransomware emerged around September 2021, and its operators exfiltrated and published their first victim's data from the start.\r\nWe break down one of their attacks, which started with initial access through exploitation of a vulnerability in Atlassian’s Confluence collaboration software. The ransomware operators planted a backdoor by DLL side-loading it through legitimate software. The backdoor allowed remote execution of Windows shell commands through WMI (Windows Management Instrumentation), which the operators used with compromised administrative accounts before dropping AtomSilo.\r\nTechnical Analysis\r\nThe AtomSilo payload is a 64-bit executable packed with a modified UPX packer. Once executed, it enumerates each drive and drops a ransom note in every folder except the few listed in Table 1. The ransom note is named “README-FILE-{COMPUTER_Name}-{DateTime}.hta”.\r\nhttps://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion\r\nPage 1 of 9\r\nFigure 1: AtomSilo ransom note\r\nIt enumerates each file and encrypts all folders and files EXCEPT those whose names appear in Table 1:\r\nFolder name         File name\r\nBoot                autorun.inf\r\nWindows             index.html\r\nWindows.old         boot.ini\r\nTor Browser         bootfont.bin\r\nInternet Explorer   bootsect.bak\r\nGoogle              bootmgr\r\nOpera               bootmgr.efi\r\nOpera Software      bootmgfw.efi\r\nMozilla             desktop.ini\r\nMozilla Firefox     iconcache.db\r\n$recycle.Bin        ntldr\r\nProgramData         ntuser.dat\r\nAll Users           ntuser.dat.log\r\n                    #recycle\r\n                    thumbs.db\r\n                    ntuser.ini\r\nTable 1: Folder and file names excluded from encryption\r\nIt also does not encrypt files with the following extensions:\r\n.hta   .idx\r\n.hlp   .ini\r\n.html  .sys\r\n.icl   .cab\r\n.exe   .spl\r\n.icns  .cur\r\n.dll   .ocx\r\n.ico   .cpl\r\n.cpl   .drv\r\nTable 2: Extensions excluded from encryption\r\nFile Encryption\r\nThe ransomware appends the “.atomsilo” extension to each file after encryption. It uses the “CreateFileMappingA” and “MapViewOfFile” APIs to map the file into memory and moves a pointer to the start of the mapped view. AtomSilo encrypts file contents with AES; it generates the AES round keys using the “AESKEYGENASSIST” instruction, as shown in the figure below.\r\nFigure 2: AtomSilo generates encryption keys using AESKEYGENASSIST\r\nThe encryption key buffer is 240 bytes. The first 32 bytes are randomly generated by the payload, and the other 208 bytes are derived from them with the “AESKEYGENASSIST” instruction; 32 plus 208 bytes is exactly the 15 round keys of an AES-256 key schedule. For each block, it takes 16 bytes of plaintext and XORs it with the first round key as the first stage of encryption, which is the initial AddRoundKey step of AES. 
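To make the key schedule and round structure concrete, here is an added example written for this write-up; it is not code from the Zscaler post or from the AtomSilo sample. It is a pure-Python model of AES-256 that spells out in software what AESKEYGENASSIST, AESENC and AESENCLAST compute, plus the 16-byte-encrypt / 32-byte-skip file layout described in this section. It goes a little beyond the post: encrypted_ranges() and plaintext_fraction() compute, for any file length, which byte ranges of an AtomSilo-encrypted file are still plaintext. Assumptions not stated in the post: each 16-byte chunk is encrypted independently with the same round keys, the pattern starts at file offset 0, and the encrypted footer that carries the key is not modelled. The sample file content is constructed.

```python
# Added example, not from the Zscaler post or the AtomSilo sample.
# Assumptions (see lead-in): independent per-chunk AES-256 block encryption,
# pattern starting at offset 0, key footer not modelled, sample data constructed.
import os


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff


def _build_sbox():
    # Generate the AES S-box from GF(2^8) arithmetic instead of a literal table.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3
        q = (q ^ (q << 1)) & 0xff                                # q /= 3
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _xtime(b):
    b <<= 1
    return (b ^ 0x1b) & 0xff if b & 0x100 else b


def expand_key(key):
    # AES-256 key schedule, the arithmetic behind AESKEYGENASSIST.  Returns the
    # 240-byte buffer the post describes: the 32-byte key plus 208 derived bytes.
    assert len(key) == 32
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]               # SubWord only (AES-256 specific)
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return bytes(b for word in w for b in word)


def round_keys(key):
    sched = expand_key(key)
    return [sched[16 * r:16 * r + 16] for r in range(15)]


def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # State byte index is 4*column + row; row r rotates left by r positions.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
    return out


def _add_round_key(s, k):
    return [b ^ x for b, x in zip(s, k)]


def aes256_encrypt_block(rks, block):
    # Mirrors the instruction sequence in the sample: one XOR with round key 0,
    # 13 AESENC rounds, then AESENCLAST (no MixColumns) with round key 14.
    s = _add_round_key(list(block), rks[0])
    for r in range(1, 14):
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), rks[r])
    return bytes(_add_round_key(_shift_rows(_sub_bytes(s)), rks[14]))


ENCRYPT_LEN = 16   # bytes encrypted per stride
SKIP_LEN = 32      # bytes left in plaintext per stride


def encrypted_ranges(length):
    # Byte ranges the intermittent pattern touches; everything else stays plaintext.
    stride = ENCRYPT_LEN + SKIP_LEN
    return [(p, p + ENCRYPT_LEN) for p in range(0, length - ENCRYPT_LEN + 1, stride)]


def encrypt_file_body(rks, data):
    # Apply the 16-encrypted / 32-skipped pattern (the key footer is not modelled).
    out = bytearray(data)
    for start, end in encrypted_ranges(len(data)):
        out[start:end] = aes256_encrypt_block(rks, data[start:end])
    return bytes(out)


def plaintext_fraction(length):
    # Share of a file of this size that is readable without the key.
    enc = sum(e - s for s, e in encrypted_ranges(length))
    return 1.0 - enc / length if length else 1.0


if __name__ == '__main__':
    key = os.urandom(32)                 # the 32 random bytes the sample generates
    rks = round_keys(key)
    body = bytes(range(256)) * 4         # constructed 1 KiB sample file
    enc = encrypt_file_body(rks, body)
    print('key schedule bytes :', len(expand_key(key)))
    print('encrypted ranges   :', encrypted_ranges(len(body))[:3], '...')
    print('plaintext fraction :', round(plaintext_fraction(len(body)), 3))
    print('bytes 16..48 intact:', enc[16:48] == body[16:48])
```

Run stand-alone, the block prints the schedule length (240), the first encrypted ranges and the fraction of a 1 KiB file left in plaintext (about 0.656). The FIPS-197 AES-256 test vector is a quick way to confirm that the round structure above is plain AES: key 00 01 02 ... 1f and plaintext 00112233445566778899aabbccddeeff must give 8ea2b7ca516745bfeafc49904b496089.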
After that XOR, it runs the 14 rounds of AES-256 on the block, using the “AESENC” instruction for the first 13 rounds and the “AESENCLAST” instruction for the last round. Together with the initial XOR, this is one standard AES-256 block encryption rather than two separate ciphers.\r\nFigure 3: Encrypting data using AES algorithm\r\nIt encrypts chunks of each file rather than the complete file: it encrypts the first 16 bytes, leaves the next 32 bytes as-is, encrypts the next 16 bytes, and so on. The screenshot below compares an original file with its encrypted copy, and the unencrypted chunks are plainly visible. Because only 16 of every 48 bytes are touched, two thirds of each file's content remains readable without the key, which is worth remembering when triaging or recovering data from encrypted files. The encryption key and other metadata are encrypted and appended at the end of the encrypted file.\r\nFigure 4: Original vs Encrypted file\r\nData Leak site\r\nAccording to their leak site, the AtomSilo actors claim they won't attack the following types of organizations:\r\nHospitals.\r\nCritical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).\r\nOil and gas industry (pipelines, oil refineries).\r\nEducational institutions.\r\nNon-profit organizations.\r\nThey also promise to provide free decryption if a victim company turns out to be on the above list.\r\nFigure 5: Data leak site\r\nThe first data leak was from a Brazilian pharmaceutical company. AtomSilo published around 900 GB of data, as shown in the screenshot below:\r\nFigure 6: Victim data published on data leak site\r\nCloud Sandbox Detection\r\nFigure 7: Zscaler Cloud Sandbox detection of AtomSilo ransomware\r\nIn addition to sandbox detection, Zscaler’s multilayered cloud security platform detects indicators at various levels under the following signature:\r\nWin64.Ransom.AtomSilo\r\nIOC\r\nMD5\r\n04a8307259478245cbae49940b6d655a\r\nSource: https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion"
	],
	"report_names": [
		"atomsilo-ransomware-enters-league-double-extortion"
	],
	"threat_actors": [],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e7aaed3fe71a51f4e9348f3b5c13b5754d197ae.pdf",
		"text": "https://archive.orkl.eu/4e7aaed3fe71a51f4e9348f3b5c13b5754d197ae.txt",
		"img": "https://archive.orkl.eu/4e7aaed3fe71a51f4e9348f3b5c13b5754d197ae.jpg"
	}
}