AtomSilo Ransomware
By Chuong Dong
Published: 2021-10-13 · Archived: 2026-04-05 19:22:54 UTC
Reverse Engineering  · 13 Oct 2021
Contents
AtomSilo Ransomware
Contents
Overview
IOCS
Ransom Note
Static Code Analysis
Cryptographic Keys Setup
Run-Once Mutex
Launching Encryption Threads
Encryption Threads
Dropping Ransom Note
DFS Traversal
File Encryption
How To Decrypt
References
Overview
This is my analysis for AtomSilo Ransomware.
AtomSilo uses the standard hybrid-cryptography scheme of RSA-512 and AES to encrypt files and protect its
keys.
Since it fails to utilize multithreading and uses a DFS algorithm to traverse through directories, AtomSilo’s
encryption is quite slow.
The malware is relatively short and simple to analyze, so it’s definitely a beginner-friendly choice for those who
want to get into ransomware analysis!
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 1 of 16

Figure 1: AtomSilo leak site.
IOCS
This sample is a 64-bit Windows executable.
MD5: 81f01a9c29bae0cfa1ab015738adc5cc
SHA256: 7a5999c54f4588ff1581d03938b7dcbd874ee871254e2018b98ef911ae6c8dee
Sample:
https://bazaar.abuse.ch/sample/7a5999c54f4588ff1581d03938b7dcbd874ee871254e2018b98ef911ae6c8dee/
Ransom Note
The content of the ransom note is stored in plaintext in AtomSilo’s executable. The encrypted victim’s RSA
public key is appended to the end of the note before the files are dropped on the system.
The ransom note filename is in the form of README-FILE-[Computer Name]-[Starting Timestamp].hta or
index.html.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 2 of 16

Figure 2: AtomSilo ransom note.
Below is the full content of the ransom note file dropped on my machine.
<!DOCTYPE html>
<html lang="en">
<head>
 <meta charset="utf-8">
 <title>Atom Slio: Instructions</title>
 <HTA:APPLICATION APPLICATIONNAME="Atom Slio" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
 
 <style type="text/css">
 .text{
 text-align:center;
 }
 a {
 color: #04a;
 text-decoration: none;
 }
 a:hover {
 text-decoration: underline;
 }
 body {
 background-color: #e7e7e7;
 color: #222;
 font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
 font-size: 13pt;
 line-height: 19pt;
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 3 of 16

}
 body, h1 {
 margin: 0;
 padding: 0;
 }
 hr {
 color: #bda;
 height: 2pt;
 margin: 1.5%;
 }
 h1 {
 color: #555;
 font-size: 14pt;
 }
 ol {
 padding-left: 2.5%;
 }
 ol li {
 padding-bottom: 13pt;
 }
 small {
 color: #555;
 font-size: 11pt;
 }
 .button:hover {
 text-decoration: underline;
 }
 .container {
 background-color: #fff;
 border: 2pt solid #c7c7c7;
 margin: 5%;
 min-width: 850px;
 padding: 2.5%;
 }
 .header {
 border-bottom: 2pt solid #c7c7c7;
 margin-bottom: 2.5%;
 padding-bottom: 2.5%;
 }
 .hr {
 background: #bda;
 display: block;
 height: 2pt;
 margin-top: 1.5%;
 margin-bottom: 1.5%;
 overflow: hidden;
 width: 100%;
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 4 of 16

}
 .info {
 background-color: #f3f3fc;
 border: 2pt solid #bda;
 display: inline-block;
 padding: 1%;
 text-align: center;
 box-sizing:border-box;
 border-radius:20px;
 }
 .info1 {
 background-color: #f3f3fc;
 border: 2pt solid #bda;
 display: inline-block;
 padding: 1%;
 text-align: center;
 box-sizing:border-box;
 border-radius:20px;
 }
 .h {
 display: none;
 }
 .ml1{
 position:absolute;width:50%;height:10rem;left:-211px;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-s
 }

# Atom Slio

Instructions

WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!

---

We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.But don’t worry, your files are safe, provided that you are willing to pay the ransom.

Any forced shutdown or attempts to restore your files with the thrid-party software will be <

The only way to decrypt your files safely is to buy the special decryption software from us.

The price of decryption software is 1000000 dollars.  
I

We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others.

You have five days to decide whether to pay or not. After a week, we will no longer provide d
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 5 of 16

---

Time starts at 0:00 on September 11

--- Survival time：

---

You can contact us with the following email:

[Email:arvato@atomsilo.com](mailto:arvato@atomsilo.com)<

If this email can't be contacted, you can find the latest email address on the following webs

[hxxp://[.]on](hxxp://<redacted>[.]onion)

---
[If you don’t know how to open this dark web site, please follow the steps below to installati](hxxp://<redacted>[.]onion)

[1. run your Internet browser](hxxp://<redacted>[.]onion)1. [enter or copy the address](hxxp://<redacted>[.]onion)[https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/ Page 6 of 16](<hxxps://www[.]torproject[.]org/download/download-easy
 <li>wait for the site loading</li>
 <li>on the site you will be offered to download TorBrowser; download and run it, follow the
 <li>run TorBrowser</li>
 <li>connect with the button >)

- a normal Internet browser window will be opened after the initialization
- type or copy the address in this browser address bar and press ENTER
- the site should be loaded; if for some reason the site is not loading wait for a moment     If you have any problems during installation or use of TorBrowser, please, visit [The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files Remember! The worst situation already happened and now the future of your files depends on yo hxmkCZnpWBWUPTcqK4aVOlLut1L3skUJ/15ha57FrzFVDAqPQao9+trRpAzyEGRAcODB4MM8+SddAnBxk93PTrH Static Code Analysis Cryptographic Keys Setup AtomSilo uses a simple hybrid cryptographic approach using RSA and AES from the CryptoPP library to encrypt files. The malware first randomly generates a public-private key pair for the victim and stores them in global variables. Then it encrypts the victim’s public key using its own hard-coded RSA public key and wipes the generated victim public key from memory. Since the CryptoPP code for this is nasty, the best way to analyze these functions is probably pulling function signatures down from Lumina and making assumptions based on the functions getting called. Figure 3: Cryptographic Keys Setup. Since the victim’s public key is required to decrypt files later, AtomSilo clears it out in memory after encrypting and storing the result to avoid the key being recovered from memory. Below is the hard-coded AtomSilo public RSA key. https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/ Page 7 of 16](<hxx
 <hr>
 <p><strong>Additional information:</strong></p>
 <p>You will find the instructions (>)

Figure 4: AtomSilo Public RSA Key.
Run-Once Mutex
AtomSilo calls CreateMutexA to check if the mutex with name “8d5e957f297893487bd98fa830fa6413” already
exists, and if it does, the malware exits immediately. This is to avoid having multiple instances of the malware
running at the same time.
Figure 5: Run-Once Mutex Check.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 8 of 16

Launching Encryption Threads
AtomSilo attempts to use multithreading to speed up traversing and encrypting files on the system. It iterates
through a list of drive names from “a:” to “z:” and spawns a new thread to encrypt each.
Figure 6: Spawning Encryption Threads.
Figure 7: List Of Drive Names.
The idea for multithreading is definitely there, but spawning threads this way is inefficient since the total
throughputs and speed will be skewed toward the drive that has the most files inside.
Encryption Threads
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 9 of 16

Dropping Ransom Note
For each encountered directory, AtomSilo drops a ransom note in it.
First, the malware decrypts the following stack string and formats it as below.
<asf>
</asf>
<csf>3</csf>
<bsf>[Computer Name]</bsf></span></body></html>
[Directory Name]\index.html
[Directory Name]\README-FILE-[Computer Name]-[Starting Timestamp].hta
Figure 8: Resolving HTML Tags & Filename.
The ransom note’s filenames are used depending on its dropped location. When AtomSilo encounters any file
with the extensions .php, .asp, .jsp, or .html, it uses [Directory Name]\index.html as the ransom note filename.
For any other directory, it uses [Directory Name]\README-FILE-[Computer Name]-[Starting
Timestamp].hta.
Finally, AtomSilo writes the content of the ransom note in in the following format.
[Ransom Note Content]<asf>[Victim Encrypted RSA Public Key]</asf><csf>3</csf><bsf>[Computer Name]</bsf></span><
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 10 of 16

Figure 9: Writing Ransom Note Content.
DFS Traversal
Each thread uses DFS to traverse a directory being passed into it. First, to look for all files and subdirectories, it
uses the standard API calls FindFirstFileA and FindNextFileA.
AtomSilo stores a list of names to avoid encrypting in memory to iterate and check for each file/directory
encountered. If the name of the file/directory is in the list, it is skipped and not encrypted.
Figure 10: Traversing & Skipping Files.
The list of file/directory names to avoid is shown below.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 11 of 16

Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google,
Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, ProgramData,
All Users, autorun.inf, index.html, boot.ini, bootfont.bin, bootsect.bak,
bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr,
ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, #recycle, ..
If AtomSilo encounters a subdirectory, the malware appends its name to the current directory path, drops a
ransom note inside, and passes the path to its traversal function to recursively go through it. No need for me to
discuss how much of a speed boost the ransomware gets out of this.
Figure 11: Traversing Subdirectories With DFS.
If AtomSilo encounters a file, the malware checks if the filename contains the following extensions.
.atomsilo, .hta, .html, .exe, .dll, .cpl, .ini, .cab, .cur, .cpl,
.cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx
If it does, the file is skipped and not encrypted.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 12 of 16

Figure 12: Skipping Files Based On Extension.
As discussed above, when AtomSilo encounters any file with the extensions .php, .asp, .jsp, or .html, it drops the
ransom note in the path [Directory Name]\index.html. Finally, it passes the file path to a function to encrypt it.
Figure 13: Dropping Ransom Note & Encrypting File.
File Encryption
For each file to be encrypted, AtomSilo randomly generates a 32-byte AES key. First, it gets the current system
time and uses that as the seed for the C++ pseudo-random number generator through srand. Using this, the
malware generates a random string of 32 characters, and each character is randomly chosen to be a lower-case
letter, upper-case letter, or a number between 0-9.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 13 of 16

Figure 14: Randomly Generating AES Key.
Next, the AES key is encrypted using the victim’s RSA private key.
Figure 15: Encrypting AES Key With Victim Private Key.
AtomSilo then opens the file using CreateFileA and maps it to the address space of the current process to read
and write directly using CreateFileMappingA and MapViewOfFile.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 14 of 16

Figure 16: Retrieving File Handle & Mapping To Memory.
Prior to encrypting the file, the malware writes the encrypted AES key to the last 0x210 bytes at the end of the
file.
Figure 17: Writing Encrypted AES Key To File.
Finally, AtomSilo encrypts the file using the AES key with the AES implementation from CryptoPP, closes the
file mapping handle, and appends “.ATOMSILO” to the end of the filename.
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 15 of 16

Figure 18: Encrypting & Changing File Extension.
How To Decrypt
The victim’s encrypted public RSA key is appended near the end of the ransom note, which is encrypted using
AtomSilo’s public RSA key. Therefore, to decrypt the victim’s public RSA key, AtomSilo’s private RSA key is
required.
To decrypt a file encrypted by AtomSilo, the encrypted AES key can be extracted from the end of the file. Since
the AES key is encrypted using the victim’s private RSA key, it can be decrypted using the victim’s public RSA
key.
References
https://github.com/weidai11/cryptopp
Source: https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
Page 16 of 16