Avast, an antivirus and cyber-security company, has released free decryption utilities to recover files encrypted by three ransomware strains: AtomSilo, Babuk and LockFile. Because of the similarities between the two ransomware strains, the AtomSilo and LockFile decryptors are being distributed as a single download.

According to Avast’s Threat Intelligence Team, “The Avast AtomSilo decryptor uses a known file format during the decryption process to ensure that the file was successfully decrypted. As a result, some files may not be decrypted. The decryptor works for both ransomware strains because they are very similar, even though the groups deploying them on victims’ networks use different attack tactics.” The team adds: “Both the AtomSilo and LockFile ransomware strains are very similar to each other, and this description covers both of them except for minor differences.”

Jiri Vinopal, a security researcher at RE-CERT, posted on Twitter earlier this month that he had found a way to crack AtomSilo’s encryption and had already created a proof-of-concept decrypter:

Something big -> I just cracked #AtomSilo – one of the Latest Ransomware Family – More information soon. Stay Tuned. (cde07f39b45b883c861f4d4d0c6afb80) For more information (Only for trusted Security accounts) DM me. Please help me to reach more People who could be affected!!!

Babuk is Russian ransomware; its source code was leaked, along with some of the decryption keys, in September 2021.

Avast said that the leaked source code contained decryption keys for previous victims. The decrypter, however, will only work for previous Babuk victims whose files were encrypted with the .babuk or .babyk file extensions.

AtomSilo ransomware searches local drives using a fixed, hard-coded drive list, whilst LockFile calls GetLogicalDriveStringsA() and processes every drive it returns whose type is a fixed (non-removable) drive.

A separate thread is created for each drive in the list. This thread recursively searches the given logical drive and encrypts files found on it. To prevent paralyzing the compromised PC entirely, AtomSilo has a list of folders, file names and file types that are left unencrypted which are listed here:

Excluded folders
Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, ProgramData, All Users

Excluded files
autorun.inf, index.html, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, #recycle

Excluded extensions
.hta, .html, .exe, .dll, .cpl, .ini, .cab, .cur, .cpl, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx

LockFile skips any file or folder whose path contains one of these sub-strings:

Excluded sub-strings
Windows, NTUSER, LOCKFILE, .lockfile
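When scoping an incident it is useful to know which files the two strains could have touched at all, so the exclusion rules above are worth encoding as a check. The following Go program is an added example written for this article, not code from Avast or from either ransomware family: it applies the AtomSilo folder, file-name and extension lists and the LockFile sub-string rule to Windows-style paths. It assumes matching is case-insensitive (NTFS paths are) and that AtomSilo compares folder names per path component and file names by basename; the page does not say exactly how the comparison is done.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Exclusion lists as given in the write-up above.
var atomSiloFolders = []string{"Boot", "Windows", "Windows.old", "Tor Browser",
	"Internet Explorer", "Google", "Opera", "Opera Software", "Mozilla",
	"Mozilla Firefox", "$Recycle.Bin", "ProgramData", "All Users"}
var atomSiloFiles = []string{"autorun.inf", "index.html", "boot.ini", "bootfont.bin",
	"bootsect.bak", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "desktop.ini",
	"iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
	"thumbs.db", "#recycle"}
var atomSiloExts = []string{".hta", ".html", ".exe", ".dll", ".cpl", ".ini", ".cab",
	".cur", ".drv", ".hlp", ".icl", ".icns", ".ico", ".idx", ".sys", ".spl", ".ocx"}
var lockFileSubstrings = []string{"Windows", "NTUSER", "LOCKFILE", ".lockfile"}

// normalize lower-cases a Windows path and turns backslashes into slashes so
// the check works the same on any OS (assumption: case-insensitive matching).
func normalize(winPath string) string {
	return strings.ToLower(strings.ReplaceAll(winPath, `\`, "/"))
}

// containsFold reports whether s (already lower-cased) is in list, ignoring case.
func containsFold(list []string, s string) bool {
	for _, v := range list {
		if strings.ToLower(v) == s {
			return true
		}
	}
	return false
}

// atomSiloSkips reports whether AtomSilo's rules leave the file untouched:
// any directory component in the folder list, the basename in the file list,
// or the extension in the extension list.
func atomSiloSkips(winPath string) bool {
	parts := strings.Split(normalize(winPath), "/")
	base := parts[len(parts)-1]
	for _, dir := range parts[:len(parts)-1] {
		if containsFold(atomSiloFolders, dir) {
			return true
		}
	}
	if containsFold(atomSiloFiles, base) {
		return true
	}
	return containsFold(atomSiloExts, path.Ext(base))
}

// lockFileSkips reports whether LockFile's sub-string rule leaves the path alone.
func lockFileSkips(winPath string) bool {
	p := normalize(winPath)
	for _, s := range lockFileSubstrings {
		if strings.Contains(p, strings.ToLower(s)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample paths, not taken from any real incident.
	for _, p := range []string{
		`C:\Windows\System32\drivers\etc\hosts`,
		`C:\Users\alice\Documents\report.docx`,
		`C:\Users\alice\NTUSER.DAT`,
	} {
		fmt.Printf("%-45s AtomSilo skips=%-5v LockFile skips=%v\n", p, atomSiloSkips(p), lockFileSkips(p))
	}
}
```

Files for which both functions return false are the ones a recovery effort has to account for; note that LockFile's rule also skips anything it has already renamed with the .lockfile extension, which is why it does not re-encrypt its own output.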

For each victim, the ransomware generates an RSA-4096 session keypair. The private half of that session key is encrypted with the master RSA key (hardcoded in the binary) and stored in the ransom note file. For each file, a new AES-256 file key is generated; the session RSA key encrypts this file key, which is then stored at the end of the encrypted file along with the original file size.
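The key hierarchy above explains why a decryptor needs the session private key for each victim, and the Avast statement earlier explains why it checks the output against known file formats. The following Go program is an added example written for this article, not Avast's decryptor code and not code from either strain: it parses the per-file trailer, unwraps the AES-256 file key with the session private key, decrypts, and refuses to report success unless the result starts with a known signature. The exact trailer layout, AES mode (CTR with a leading IV) and RSA padding (OAEP) are assumptions, since the page only states what is stored, not how; the sample input is constructed in memory, the key is RSA-2048 so the demo runs quickly, and the master-key layer is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Signatures used to confirm that a decryption produced a known format.
// Constructed list for this example; Avast's decryptor uses its own set.
var knownMagic = map[string][]byte{
	"pdf": []byte("%PDF"), "png": {0x89, 'P', 'N', 'G'},
	"zip": {'P', 'K', 0x03, 0x04}, "jpeg": {0xFF, 0xD8, 0xFF},
}

// detectFormat returns the known format whose signature data starts with, or "".
func detectFormat(data []byte) string {
	for name, magic := range knownMagic {
		if bytes.HasPrefix(data, magic) {
			return name
		}
	}
	return ""
}

// Assumed layout: [16-byte AES-CTR IV][ciphertext][RSA-OAEP(file key)][size, 8 bytes LE].
// encryptForDemo only builds an in-memory sample in that layout for the test.
func encryptForDemo(sessionPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	keyAndIV := make([]byte, 32+aes.BlockSize) // fresh AES-256 key + IV for this file
	if _, err := rand.Read(keyAndIV); err != nil {
		return nil, err
	}
	fileKey, iv := keyAndIV[:32], keyAndIV[32:]
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	// Only the holder of the session private key can unwrap the file key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sessionPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	var size [8]byte
	binary.LittleEndian.PutUint64(size[:], uint64(len(plaintext)))
	out := append([]byte{}, iv...)
	out = append(out, ct...)
	out = append(out, wrapped...)
	return append(out, size[:]...), nil
}

// recoverFile is the decryptor side: parse the trailer, unwrap the file key,
// decrypt the body, then verify the result by signature. Unverified output is
// still returned, with an error, so the caller can keep the encrypted original.
func recoverFile(sessionPriv *rsa.PrivateKey, blob []byte) ([]byte, string, error) {
	trailer := sessionPriv.Size() + 8
	if len(blob) < aes.BlockSize+trailer {
		return nil, "", errors.New("blob too short for IV and trailer")
	}
	origSize := binary.LittleEndian.Uint64(blob[len(blob)-8:])
	wrapped := blob[len(blob)-trailer : len(blob)-8]
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:len(blob)-trailer]
	if uint64(len(ct)) != origSize {
		return nil, "", fmt.Errorf("trailer says %d bytes, body has %d", origSize, len(ct))
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, sessionPriv, wrapped, nil)
	if err != nil {
		return nil, "", fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	format := detectFormat(pt)
	if format == "" {
		return pt, "", errors.New("decrypted data matches no known format; not verified")
	}
	return pt, format, nil
}

func main() {
	sessionPriv, err := rsa.GenerateKey(rand.Reader, 2048) // RSA-4096 in the real strains
	if err != nil {
		panic(err)
	}
	sample := []byte("%PDF-1.7\n% constructed sample document\n")
	blob, _ := encryptForDemo(&sessionPriv.PublicKey, sample)
	pt, format, err := recoverFile(sessionPriv, blob)
	fmt.Printf("format=%q intact=%v err=%v\n", format, bytes.Equal(pt, sample), err)
}
```

The format check is what Avast's note about "some files may not be decrypted" refers to: a file type that is not in the signature table decrypts just as well, but the tool cannot tell a correct result from garbage, so a cautious decryptor leaves such files alone rather than overwrite them, which is also why the backup option in the wizard below matters.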

How to use the Decryptor

To decrypt your files, please follow these steps:

  1. Download the free decryptor. The single EXE file covers both ransomware strains.
  2. Simply run the EXE. It starts in the form of a wizard, which leads you through configuration of the decryption process.
  3. On the initial page, you can see a list of credits. Simply click “Next”.
  4. On the next page, select the list of locations which you want to be decrypted. By default, it contains a list of all local drives.
  5. On the third page, you can select whether you want to back up encrypted files. These backups may help if anything goes wrong during the decryption process. This option is turned on by default, which we recommend. After clicking “Decrypt”, the decryption process begins.
  6. Let the decryptor work and wait until it finishes.

Indicators Of Compromise:

SHA256                                                            filename
d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b  .ATOMSILO
bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce  .lockfile

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1 and on LinkedIn.
