Avast started providing free decryptors for AtomSilo & LockFile victims

Avast has released a single decryptor for victims of AtomSilo & LockFile ransomware to retrieve files without paying the ransom...

29-Oct-2021

Avast, a Czech cybersecurity software firm, has released a free decryptor for victims of AtomSilo and LockFile. Jiří Vinopal, a forensic and malware analyst at RE-CERT, published his findings on Oct 17, 2021. His initial discovery covered weaknesses only in AtomSilo ransomware; with further analysis, the same information was expanded to develop a decryptor for LockFile strains too.

Ransom Note

Apart from minute differences, AtomSilo and LockFile have similar functions. Encrypted files have .ATOMSILO and .lockfile extensions; these files contain the ransom notes with the names:

  • README-FILE-%ComputerName%-%TimeStamp%.hta
  • LOCKFILE-FILE-%ComputerName%-%TimeStamp%.hta

[Image: AtomSilo ransom message]

[Image: LockFile ransom message]

Working

AtomSilo finds fixed drives by searching for local drives, and LockFile uses GetLogicalDriveStringsA() for the same purpose. A separate thread is created for each list and recursively searches the drive to encrypt files.

AtomSilo leaves a list of folders, file names, and file types unencrypted so that the PC is not compromised entirely. LockFile avoids encrypting files and folders whose names contain a few sub-strings, such as Windows, NTUSER, LOCKFILE, and .lockfile. Furthermore, it excludes 788 file extensions such as .exe, .jpg, .bmp, and .gif.

Encryption

Files are encrypted with a unique AES-256 key, and an RSA-4096 session key pair is generated for each victim. The files are further encrypted with a session RSA key, stored at the end of the encrypted file.

Limitations of the Decryptor

The decryptor looks for files with known file formats to verify the process. Files that have an unknown format, or are text files with no format at all, will not be successfully decrypted.
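An inventory script that could be run before the decryptor, added here as an example and not taken from Avast or the original article: it counts encrypted files per strain by the extensions given above, lists ransom notes by their name pattern, and flags files whose original type may fall under the limitation just described. The `ASSUMED_VERIFIABLE` set and the assumption that the ransomware extension is appended to the original file name are illustrative, not from the article.

```python
import os
import re
import sys
from collections import Counter

# Extensions and ransom-note name patterns as given in the article.
STRAIN_BY_EXT = {".atomsilo": "AtomSilo", ".lockfile": "LockFile"}
NOTE_RE = re.compile(r"^(README|LOCKFILE)-FILE-.+-.+\.hta$", re.IGNORECASE)

# Assumption: sample formats with a recognisable header. The article does not
# list which formats the Avast decryptor can verify.
ASSUMED_VERIFIABLE = {".pdf", ".docx", ".xlsx", ".pptx", ".zip", ".png"}


def classify(filename):
    """Return ('note', None), ('encrypted', (strain, inner_ext)) or (None, None)."""
    if NOTE_RE.match(filename):
        return "note", None
    stem, ext = os.path.splitext(filename)
    strain = STRAIN_BY_EXT.get(ext.lower())
    if strain is None:
        return None, None
    # Assumption: the ransomware appends its extension to the original name,
    # so the extension before it is the file's pre-encryption type.
    return "encrypted", (strain, os.path.splitext(stem)[1].lower())


def inventory(root):
    """Walk root; count files per strain, list notes and files that may not verify."""
    report = {"strains": Counter(), "notes": [], "may_not_verify": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind, detail = classify(name)
            path = os.path.join(folder, name)
            if kind == "note":
                report["notes"].append(path)
            elif kind == "encrypted":
                strain, inner = detail
                report["strains"][strain] += 1
                if inner not in ASSUMED_VERIFIABLE:
                    report["may_not_verify"].append(path)
    return report


if __name__ == "__main__":
    result = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("encrypted files per strain:", dict(result["strains"]))
    print("ransom notes found:", len(result["notes"]))
    for path in result["may_not_verify"]:
        print("keep the encrypted copy, decryption may fail:", path)
```

Files listed under `may_not_verify` are the ones for which the decryptor's backup option matters most, since a failed verification leaves only the encrypted copy to fall back on.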

Avast gives the following procedure to download and use the decryptor:

  1. Download the free decryptor. The single EXE file covers both ransomware strains.
  2. Simply run the EXE. It starts in the form of a wizard, which leads you through the configuration of the decryption process.
  3. On the initial page, you can see a list of credits. Simply click “Next.”
  4. On the next page, select the list of locations which you want to be decrypted. By default, it contains a list of all local drives.
  5. On the third page, you can select whether you want to back up encrypted files. These backups may help if anything goes wrong during the decryption process. This option is turned on by default, which we recommend. After clicking “Decrypt”, the decryption process begins.
  6. Let the decryptor work and wait until it finishes.