AtomSilo hits large Brazilian company in $1M double extortion scheme


The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes. The operators of the ransomware known as AtomSilo recently infiltrated a Brazilian pharmaceutical company. The malware encrypted the company's files, and the operators exfiltrated 900GB of highly sensitive scientific data, along with immigration and contact information for its employees. The ransom demand is $500,000 if paid within 48 hours; after that, it rises to $1M in Bitcoin. Failure to pay will result in the stolen data being released to the public.


Infection Cycle:


Once the ransomware component runs, files on the system are encrypted. Each encrypted file is given a ".ATOMSILO" file extension.

After encryption, the following ransom message is displayed on the infected machine's desktop:


The following file is dropped onto the system:

  • README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)
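The two host artifacts above (the ".ATOMSILO" extension and the README-FILE-{machine name}-{random 10 digit number}.hta note) and the contact indicators quoted later in this write-up are enough for a first triage pass during incident response. The script below is an added example, not SonicWall's code: it classifies a list of file paths by those two patterns, reports which directories show encryption and where notes were dropped, and greps text lines (exported mail or gateway logs, for instance) for the onion address and contact e-mail. The sample paths and log lines are constructed for illustration; the "LAB-PC01" host name and the 10-digit values are made up.

```python
"""Triage helper for an AtomSilo-style infection.

Added example (not SonicWall's code).  It checks file paths for the two
host artifacts described in the write-up, files renamed with the
".ATOMSILO" extension and ransom notes named
README-FILE-{machine name}-{random 10 digit number}.hta, and scans text
lines for the contact indicators the write-up quotes.  All sample paths
and log lines below are constructed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".atomsilo"

# README-FILE-<machine name>-<10 digits>.hta.  The greedy host group stops
# at the last "-" that is followed by exactly ten digits and ".hta", so
# host names containing hyphens (LAB-PC01) are captured whole.
NOTE_RE = re.compile(r"^README-FILE-(?P<host>.+)-(?P<rand>\d{10})\.hta$", re.IGNORECASE)

# Contact indicators given in the write-up (leak site and ransom-note e-mail).
NETWORK_IOCS = (
    "mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion",
    "arvato@atomsilo.com",
)


def is_encrypted_file(path: str) -> bool:
    """True if the file carries the AtomSilo extension (case-insensitive)."""
    return PureWindowsPath(path).suffix.lower() == ENCRYPTED_EXT


def ransom_note_host(path: str):
    """Machine name embedded in a ransom-note filename, or None if not a note."""
    m = NOTE_RE.match(PureWindowsPath(path).name)
    return m.group("host") if m else None


def triage(paths):
    """Summarise which directories show encryption and where notes were dropped."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "notes": 0})
    hosts = set()
    for p in paths:
        parent = str(PureWindowsPath(p).parent)
        if is_encrypted_file(p):
            per_dir[parent]["encrypted"] += 1
            continue
        host = ransom_note_host(p)
        if host:
            per_dir[parent]["notes"] += 1
            hosts.add(host)
    encrypted = sum(c["encrypted"] for c in per_dir.values())
    notes = sum(c["notes"] for c in per_dir.values())
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "hosts": sorted(hosts),
        "affected_dirs": sorted(d for d, c in per_dir.items() if c["encrypted"]),
        # A note with no encrypted files beside it still deserves a look.
        "dirs_with_notes_only": sorted(d for d, c in per_dir.items() if c["notes"] and not c["encrypted"]),
        "likely_atomsilo": encrypted > 0 and notes > 0,
    }


def find_iocs(lines):
    """Return (line_number, indicator) pairs for lines mentioning a known indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ioc in NETWORK_IOCS:
            if ioc in low:
                hits.append((n, ioc))
    return hits


# Constructed sample input: a partially encrypted user profile and a file share.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.ATOMSILO",
    r"C:\Users\alice\Documents\budget.xlsx.atomsilo",
    r"C:\Users\alice\Documents\README-FILE-LAB-PC01-0123456789.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Desktop\README-FILE-LAB-PC01-0123456789.hta",
    r"D:\Shares\RnD\assay_results.csv.ATOMSILO",
    r"D:\Shares\RnD\README-FILE-LAB-PC01-9876543210.hta",
    r"D:\Shares\RnD\README-FILE-notes.hta",  # not a ransom note: no 10-digit suffix
]

# Constructed sample log lines (one mail-log hit, one unrelated proxy line).
SAMPLE_LINES = [
    "2021-10-01 09:12:03 mail from=bob@example.invalid to=arvato@atomsilo.com subject=decrypt",
    "2021-10-01 09:13:44 proxy GET http://www.example.invalid/ 200",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PATHS), indent=2))
    print(find_iocs(SAMPLE_LINES))
```

Point triage() at a real file listing (for example the output of a `dir /s /b` export) rather than SAMPLE_PATHS; directories that hold a note but no encrypted files are reported separately because the note placement alone tells you where the malware had write access.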


The Tor address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) given in the note leads to the following page, hosted by the operators:


The "LIST LEAK" button shows a company that is currently being extorted by the operators:


The “GO TO POST” button brings up a page that shows a summary of the data that has been obtained by the attackers:


This page is very long and contains samples of the sensitive data that has been obtained:


The leak also includes company financial data and employee contact information:


We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.