A new ransomware group has been spotted abusing a recently patched vulnerability in Atlassian Confluence Server and Data Center. The group, dubbed Atom Silo, is using the flaw to deploy its ransomware.

What has happened?

The Sophos MTR Rapid Response team recently spotted and investigated a ransomware attack. The attack has been linked to Atom Silo and abuses the now-patched remote code execution (RCE) flaw tracked as CVE-2021-26084.
  • The ransomware employed by the Atom Silo group is virtually identical to that of the LockFile and LockBit ransomware groups.
  • The group is using several novel techniques that make the attack very difficult to analyze, including DLL side-loading to disrupt endpoint protection.
  • Successful exploitation of CVE-2021-26084 allows unauthenticated attackers to execute remote commands on unpatched Confluence servers.

Technical insights

The attackers successfully used a three-week-old vulnerability for their initial compromise.
  • Ransomware payloads spread by Atom Silo used a malicious kernel driver to evade detection by disrupting endpoint protection solutions.
  • Additionally, the attackers have been observed using built-in, native Windows tools and resources to move further within the network until they deploy the ransomware.


Although only recently discovered, Atom Silo is already showing a lot of potential, with the techniques and capabilities to go after enterprise products such as Confluence servers. If organizations do not act against it now, it may become even more challenging for them to stay protected from this threat.

Cyware Publisher