Atomsilo

Malware updated 4 months ago (2024-05-04T19:19:14.523Z)
AtomSilo is a ransomware family that has been linked to several other ransomware families, including LockFile, Rook, Night Sky, and Pandora. The connection was revealed through analysis of Cobalt Strike Beacon samples loaded by HUI Loader. CTU analysis suggests that these five ransomware families were developed from two distinct codebases: one for LockFile and AtomSilo, and another for Rook, Night Sky, and Pandora.

AtomSilo has been implicated in significant cyber attacks, such as the compromise of the pharmaceutical company Eisai in December 2021. The operational patterns of these ransomware families do not align with typical financially motivated cybercrime operations. A third-party report attributes the activities of LockFile, AtomSilo, Rook, and Night Sky to a Chinese threat group tracked as DEV-0401, suggesting that these attacks may be state-sponsored. Other reports note an overlap in TTPs (tactics, techniques, and procedures) between LockFile and AtomSilo intrusions, further linking these ransomware families together. As of mid-April, a total of 21 victims had been listed across the AtomSilo, Rook, Night Sky, and Pandora leak sites.

In response to this threat, a decryptor tool for AtomSilo and LockFile was released in October 2021, allowing victims to recover files encrypted by these ransomware families. This development may have prompted the threat actors to create a new ransomware family based on Babuk's source code. However, they appear to have limited its use to brief, targeted deployments, likely to avoid detection by security researchers. The order in which these ransomware families first appeared, starting from mid-2021, suggests that the threat actors developed LockFile and AtomSilo first before moving on to Rook, Night Sky, and Pandora.
Description last updated: 2024-05-04T19:15:08.070Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in assessing relevance): Ransomware
Source Document References
Information about the Atomsilo malware was read from the documents listed below.

Source      | Created      | Title
CERT-EU     | a year ago   | Ransomware attack impacts Eisai
Secureworks | 2 years ago  | BRONZE STARLIGHT Ransomware Operations Use HUI Loader
CERT-EU     | a year ago   | 200+ Free Ransomware Decryption Tools You Need [2022 List]