According to Avast’s Threat Intelligence Team, “The Avast AtomSilo decryptor uses a known file format during the decryption process to ensure that the file was successfully decrypted. As a result, some files may not be decrypted. The decryptor works for both ransomware strains because they are very similar, even though the groups deploying them on victims’ networks use different attack tactics.

Avast, an antivirus and cyber-security company, has released free decryption utilities to recover files encrypted by three ransomware strains: AtomSilo, Babuk and LockFile.Because of the similarities between the two ransomware strains, the AtomSilo and LockFile decrypters are being distributed as a single download.”Both the AtomSilo and LockFile ransomware strains are very similar to each other, and this description covers both of them except for minor differences.”

Jiri vinopal a security researcher at RE-CERT, who posted on Twitter earlier this month that he found a way to crack AtomSilo’s encryption and had already created a proof-of-concept decrypter.

Something big -> I just cracked #AtomSilo – one of the Latest Ransomware Family – More information soon. Stay Tuned. (cde07f39b45b883c861f4d4d0c6afb80) For more information (Only for trusted Security accounts) DM me. Please help me to reach more People who could be affected!!!

Babuk is a Russian ransomware, its source code was leaked  along with some of the decryption keys in September 2021.

Avast said  that the source code contained decryption for previous victims.The decrypter, however, will only work for previous Babuk victims who had files encrypted with the.babuk or.babyk file extensions.

AtomSilo ransomware searches local drives using a fixed drive list, whilst LockFile calls GetLogicalDriveStringsA() and processes all drives that are fixed drives.

A separate thread is created for each drive in the list. This thread recursively searches the given logical drive and encrypts files found on it. To prevent paralyzing the compromised PC entirely, AtomSilo has a list of folders, file names and file types that are left unencrypted which are listed here:

Excluded folders
BootWindowsWindows.oldTor Browser
Internet ExplorerGoogleOperaOpera Software
MozillaMozilla Firefox$Recycle.BinProgramData
All Users
Excluded files
autorun.infindex.html boot.inibootfont.bin
Excluded extensions

LockFile avoids files and folders, containing those sub-strings:

Excluded sub-strings

For each victim, the ransomware generates an RSA-4096 session keypair. Its private portion is then encrypted with the master RSA key and stored in the ransom note file (hardcoded in the binary). For each file, a new AES-256 file key is generated. The session RSA key then encrypts this key, which is then stored at the end of the encrypted file, along with the original file size.

How to use the Decryptor

To decrypt your files, please, follow these steps:

  1. Download the free decryptor. The single EXE file covers both ransomware strains.
  2. Simply run the EXE. It starts in form of wizard, which leads you through configuration of the decryption process.
  3. On the initial page, you can see a list of credits. Simply click “Next”
  1. On the next page, select the list of locations which you want to be decrypted. By default, it contains a list of all local drives.
  2. On the third page, you can select whether you want to backup encrypted files. These backups may help if anything goes wrong during the decryption process. This option is turned on by default, which we recommend. After clicking “Decrypt”, the decryption process begins.
  3. Let the decryptor work and wait until it finishes.

Indicators Of Compromise:


–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s