Avast has published a decryption tool that allows victims of the AtomSilo and LockFile ransomware gangs to restore some of their files without paying a ransom. The decryptor may be unable to decrypt files that have an unknown or proprietary format, or no recognizable format at all.
According to Avast’s threat intelligence team, the Avast AtomSilo decryptor checks for a recognized file format to verify that a file was successfully decrypted during the decryption process. As a result, some files cannot be decrypted.
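The limitation described above follows directly from how format-based verification works: a decryptor can only tell a correct result from a wrong one if it knows what a correct result should look like. The following added example (not Avast's code, and not the cipher used by either ransomware family) models that check with a toy repeating-key XOR as a stand-in cipher and a small table of well-known magic bytes. A file with a known header is verified after the right key is applied and rejected after a wrong one, while a file with no recognizable header comes back "unverifiable" for every key, which is exactly the case the decryptor cannot handle.

```python
"""Toy model of format-based decryption verification.

Added example, not Avast's decryptor. The XOR "cipher", the key, the
signature table and the sample files are all constructed for illustration.
"""
from itertools import cycle

# Leading bytes of a few widely used file formats. A real decryptor would
# carry a much larger table; these entries are well-known public values.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip-based (docx/xlsx/jar)": b"PK\x03\x04",
    "jpeg": b"\xff\xd8\xff",
    "gzip": b"\x1f\x8b",
}


def identify_format(data: bytes):
    """Return the name of a recognised format, or None if no signature matches."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def toy_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Stand-in cipher: repeating-key XOR (NOT the AtomSilo/LockFile cipher)."""
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(key)))


def try_key(ciphertext: bytes, key: bytes):
    """Apply a candidate key and report whether the result can be verified.

    Returns ("verified:<format>", plaintext) when the decrypted bytes start
    with a known signature, and ("unverifiable", plaintext) otherwise. The
    second case is ambiguous: either the key is wrong, or the file simply has
    no recognisable format, and the checker cannot tell which.
    """
    plain = toy_decrypt(ciphertext, key)
    fmt = identify_format(plain)
    if fmt is None:
        return ("unverifiable", plain)
    return ("verified:" + fmt, plain)


# Constructed sample files: a PNG-like file and a "proprietary" file whose
# first bytes match nothing in the table.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(16))
PROPRIETARY_SAMPLE = b"MYAPP\x00\x01" + bytes(range(16))

RIGHT_KEY = b"k3y"
WRONG_KEY = b"abc"


def demo():
    """Run the four combinations and return their verification status."""
    results = {}
    for label, sample in (("png", PNG_SAMPLE), ("proprietary", PROPRIETARY_SAMPLE)):
        # Encrypt with the right key, then try both keys against the ciphertext.
        ct = toy_decrypt(sample, RIGHT_KEY)  # XOR is symmetric
        for key_label, key in (("right", RIGHT_KEY), ("wrong", WRONG_KEY)):
            results[(label, key_label)] = try_key(ct, key)[0]
    return results


if __name__ == "__main__":
    for (file_label, key_label), status in demo().items():
        print(f"{file_label:12s} file, {key_label} key -> {status}")
```

The proprietary file shows the practical consequence: when both the right and the wrong key produce "unverifiable", a decryptor that refuses to write unverified output will skip the file, and one that writes it anyway risks overwriting the ciphertext with garbage. Keeping a copy of the encrypted files before running any decryptor avoids the second outcome.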
Even though the gangs spreading the two ransomware strains on victims’ networks use different attack strategies, the decryptor works for both, because the strains themselves are very similar.
AtomSilo and LockFile victims can download the decryption tool from Avast’s servers and follow the instructions in the decryptor’s UI to decrypt entire disk partitions.
The LockFile ransomware first surfaced in July 2021. The gang was found taking over Windows domains and encrypting machines after compromising servers that had not been patched against the ProxyShell and PetitPotam vulnerabilities.
When LockFile ransomware encrypts files, it appends the .lockfile extension to file names and drops ransom notes named in the ‘[victim name]-LOCKFILE-README.hta’ format.
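The two artifacts just described, the appended extension and the ransom note naming pattern, are what an incident responder triages first on an affected host. The following added example (not from the article or from any vendor tool) scans a constructed Windows path listing for both, recovers the original file name behind each .lockfile extension, extracts the victim name embedded in the note name, and summarises the hit counts per directory. The `.hta` note pattern and `.lockfile` suffix come from the text above; the sample paths are made up.

```python
"""Triage of LockFile-style artifacts in a file listing (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article: note name '[victim name]-LOCKFILE-README.hta'
# and the '.lockfile' extension appended to encrypted files.
NOTE_RE = re.compile(r"^(?P<victim>.+)-LOCKFILE-README\.hta$", re.IGNORECASE)
ENCRYPTED_EXT = ".lockfile"

# Constructed sample listing, as a collector might produce on a Windows host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.lockfile",
    r"C:\Users\alice\Documents\ACME-LOCKFILE-README.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\Shares\finance\q3.pdf.lockfile",
    r"D:\Shares\finance\ACME-LOCKFILE-README.hta",
    r"C:\Windows\System32\kernel32.dll",
]


def classify(path_str: str):
    """Return ("note", victim), ("encrypted", original_name) or ("other", None)."""
    name = PureWindowsPath(path_str).name
    m = NOTE_RE.match(name)
    if m:
        return ("note", m.group("victim"))
    if name.lower().endswith(ENCRYPTED_EXT):
        # Strip only the trailing ransomware extension to get the original name.
        return ("encrypted", name[: -len(ENCRYPTED_EXT)])
    return ("other", None)


def summarize(listing):
    """Aggregate indicators per directory and across the whole listing."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "notes": 0})
    encrypted_originals = []
    victims = set()
    for path_str in listing:
        kind, detail = classify(path_str)
        directory = str(PureWindowsPath(path_str).parent)
        if kind == "encrypted":
            per_dir[directory]["encrypted"] += 1
            encrypted_originals.append(str(PureWindowsPath(directory) / detail))
        elif kind == "note":
            per_dir[directory]["notes"] += 1
            victims.add(detail)
    return {
        "directories": dict(per_dir),
        "encrypted_originals": encrypted_originals,
        "victims": victims,
        "total_encrypted": len(encrypted_originals),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LISTING)
    print(f"{report['total_encrypted']} encrypted files; victim tag(s): {report['victims']}")
    for directory, counts in report["directories"].items():
        print(f"  {directory}: {counts['encrypted']} encrypted, {counts['notes']} note(s)")
```

The per-directory counts give a quick picture of how far encryption spread (a single user profile versus a file share), and the recovered original names are what you compare against backups when deciding what the decryptor must handle and what can simply be restored.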
The color palette and ransom note style of LockFile are very similar to those of the LockBit ransomware. There appears to be no connection between the two groups, though.
Atom Silo is a new ransomware group that has recently attacked Confluence Server and Data Center systems vulnerable to a now-fixed, actively exploited vulnerability.
According to SophosLabs researchers, the ransomware used by Atom Silo is nearly identical to LockFile. However, Atom Silo operators use distinctive techniques that make their attacks very difficult to analyze; for example, side-loading a malicious dynamic-link library can cause endpoint security products to fail.