AtomSilo hits large Brazilian company in $1M double extortion scheme

October 1, 2021

The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes. The operators of ransomware known as AtomSilo have recently infiltrated a Brazilian pharmaceutical company. The malware installed has encrypted their files and obtained 900GB of very sensitive scientific data and even immigration and contact information of its employees. A $500,000 ransom is offered for 48 hours. After this, the ransom is increased to $1M in Bitcoin. Failure to pay will result in the sensitive data being released to the public.

Infection Cycle:

Upon infection of the ransomware component, files on the system are encrypted. Each encrypted file is given a ".ATOMSILO" file extension.

After encryption, the following message is brought up on the infected machine's desktop:

The following files are dropped on to the system:

README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)

The tOr web address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) leads to the following page that is hosted by the operators:

The "LIST LEAK" button shows a company that is in the process of being extorted by the operators:

The "GO TO POST" button brings up a page that shows a summary of the data that has been obtained by the attackers:

This page is very long and contains samples of the sensitive data that has been obtained:

The leak also includes company financial data and employee contact information:

We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.