Adame ransomware (Bonus: Decryption Steps) - updated Sep 2019
Adame virus Removal Guide
What is Adame ransomware?
Adame ransomware is the cryptovirus, supposedly spreading with Adobe software cracks and torrent files
Adame ransomware is the virus that makes a huge difference in the speed and performance of the infected device due to additional background processes. Adame cryptovirus is the ransomware that gets on the system as a installations file of Adobe cracks, video game cheats. This is a vector used by other virus developers because people tend to pirate various programs and serial numbers or license keys of tools. Users[1] recently reported about the renewed virus activity and many of these online forum posts state that people downloaded Abode Lightroom, Adobe Photoshop, Adobe Premiere, Adobe After Effects, Adobe Animate, and other software from this provider. Apparently, one of the installer files contain malware instead of needed information and raises questions when the needed program is not openable. However, the question is answered when ransom note in the form of a pop-up program window named info appears on the screen. The note also can be loaded on the desktop as info.txt file.
People state that files immediately get unreachable and marked with .Adame extension, hence the name of the virus, so the ransom demand can be made. Remember this and the fact that Adame ransomware virus is a version of Phobos ransomware. This relation indicates the possibility that malicious ransomware payload includes modules that affect the system and can further infect the machine with trojans, worms, other malware.
Also, it is known that the family of Phobos loads processes and executables on the machine to ensure the persistence and interfere with the performance of infected computer further. “The App that Reminds You to Move More” is the process that can be found running in the background. As typical for the family, the ransom note initially delivers instructions and when the victim follows provided links the amount appears on the payment system. However, this is never the recommended route.
Name | Adame ransomware |
---|---|
Type | Cryptovirus/ file-locking malware |
Ransom note | The program window with payment instructions named encrypted.hta appears immediately after the encryption process, the same information may appear in info.hta, info.txt |
File marker | .id[].[supportcrypt2019@cock.li].Adame is a full pattern of the file marker that appears on every document, photo, video file or archive that gets encoded |
The process running in the background | “The App that Reminds You to Move More” |
Family | Phobos cryptovirus |
Distribution | Infected file attachments with macro viruses from email spam – common vector used by ransomware developers. The Adame infections are related to malicious files that get installed as a part of the cracked software package or different torrent files. Mainly, victims stated about pirated versions of Adobe products that delivered malware on their PCs |
Contact email | raynorzlol@tutanota.com, supportcrypt2019@cock.li, supportcrypt2019@protonmail.com |
Elimination | Remove Adame ransomware with anti-malware tool and clean virus damage using FortectIntego. Base your selection of antivirus tool on detection rate, but remember that names differ due to the malware database the security tool provider uses |
Virus developers claim that they can recover affected files with the only possible solution – decryption key they develop for each victim separately and allegedly shares it with a victim after the money transfer. Unfortunately, ransom paying is not the best solution since contacting cybercriminals can lead to more issues with the machine or even further damage to the device.[2] Ransomware is based on blackmailing victims, so virus developers have no mercy for you or your files.
Adame ransomware is the virus that completely overwhelms the victim with all the changes in the system and the ransom demand. However, ransomware has more features than file encryption alone. Since it aims to make a profit from infecting machines, it can also steal valuable information and email addresses or credentials that can be used in secondary scamming campaigns.
It is known that like any other cryptovirus, Adame ransomware targets online banking credentials, personal logins or passwords and other details stored directly on the device or saved on the browser as auto-fill information. In addition to this background process, the virus can:
- alter Windows configuration files;
- add new registry entries;
- delete files;
- add programs or data;
- infect the machine with other malware.
Adame ransomware is the malware that shows up with a ransom demanding message and makes people eager to pay. However, all the malicious processes happen in the background.
Adame ransomware starts the attack with infecting the machine and checking the location of the device. Sometimes particular countries are excluded from such processes. If the system is suitable for the infection, the ransomware runs AES encryption algorithm and encodes all the data found on the machine. Common files like photos, documents, videos, music, audio files get encrypted and then encrypted.hta appears on the screen with the following message:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail supportcrypt2019@cock.li
Write this ID in the title of your message:
In case of no answer in 24 hours write us to this e-mail:supportcrypt2019@protonmail.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Besides this program window with direct payment transfer instructions, a virus can add info.txt text file on the screen that contains less detailed information. In most cases, Adame ransomware repeats contact information and lists emails in the text file where criminals encourage people to follow instructions in the HTA file as soon as possible.
Adame cryptovirus changes tactics over time
.Adame virus tactics differ from attack to attack, but all reports and user-provided samples revealed more unique information about the threat. Some user posts online showed that ransomware included different coding than before or than any other virus in this category before. Instead of focusing on file encryption in formats like photos, documents, and so on, malware encodes system data and valuable files like Windows Configuration files, driver files, data needed for restoring.
Such data disruption on the system seems to be more effective before targeting common files stored on the machine because disabled security software, crucial system functions allow virus developers to access and encrypt files much easier. This way, the virus cannot be detected too.
Adame ransomware from the beginning was known for being persistent and spreading in large-scale campaigns. Developers want to infect as many devices as possible in one attack. This is probably the most spread and currently active versions in Phobos ransomware family.
The month of September 2019 came with mote reports and virus samples from users. This data revealed additional unique facts about spreading and Adame ransomware:
- people get this virus after installing Adobe products;
- malicious payload loaded as installer file or executable;
- files even come from trusted uploader torrent with loads of seeders.
Don't trust such public sites and torrent services, malware developers hit such websites and use various flaws to obtain money from many victims. Phobos ransomware cannot be decrypted at this point, so you need to focus on virus removal and possibly store encrypted data on the external device until the tool gets created.
Adame virus is the threat that changes its malicious tactics and can run different commands on the machine besides the file encryption.
Although criminals behind this threat claim about decryption possibility, you need to remove Adame ransomware without even considering the ransom payment. There is no need to spend your money when, in most cases, the decryption tool does not exist. Developers change the initial code, and this virus is distributed in various campaigns that target large scale of victims. Global attacks aim to affect as many people as possible. So this is one of the most popular and dangerous Phobos versions.
Reports about this threat also show that Adame ransomware removal becomes impossible after some time. The virus can propagate across various mediums and load other files, processes, programs on the machine. All those associated intruders, alterations on the system can ensure that malware is more persistent.
This is the reason why experts[3] always recommend rebooting the machine in Safe Mode with Networking and then running a system scan with tools like FortectIntego. When you run a check on the machine, anti-malware tools can indicate Adame ransomware payload, malicious files, and virus damage, so you need one tool to eliminate the threat completely.
Common ransomware is being spread by hackers
When it comes to threats like ransomware, the more common distribution techniques are phishing attacks and infected files that get attached to spam emails. These campaigns that spread cryptovirus involves techniques that allow to deliver malware across multiple platforms and spread them to a bigger number of potential victims.[4]
Cybercriminals and hackers are more likely to spread such a serious threat because they aim to scare people into paying the ransom. Also, this is more advanced and involves experience in coding such sophisticated malware. Many reports state that torrent files, even from verified accounts or trusted soruces deliver malware payload.
You shouldn't trust any person, service or website that provides such cracks, serial numbers of legitimate software, cheats of video games and license numbers of security programs are one of the more popular things that people try to pirate online. However, some of the installer files contain executables with ransomware payload and once you trigger the installation, you get your PC infected.
Developers always changing their tactics, so be aware of other methods like infected documents – the popular technique of delivering the malicious script. Macro-infected documents are loaded on legitimate-looking emails with subject lines like Invoice, Order information, Shipping details as attachments. Once the PDF or Word document gets downloaded and opened malicious macros trigger the drop of the ransomware payload. Ransomware infiltration happens in seconds and you cannot stop the process.
Adame ransomware removal is the process that requires more help from professional tools
You need to react to Adame ransomware virus infection as soon as possible because malware can propagate further and infect more devices on the same network or even permanently damage the machine. Hackers can target further than your own PC.
As soon as you notice the suspicious activity on the machine and get your data affected, you need to remove Adame ransomware completely. If you react quickly, you can eliminate all traces of the virus and take your system back to a safe place without malware.
Unfortunately, manual Adame ransomware removal is not giving the best results because of its reported persistency, you need to get automatic tools like anti-malware tools and run a full system scan. Using FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes can give you the advantage because these programs terminate the malware itself and clean virus damage.
Getting rid of Adame virus. Follow these steps
Manual removal using Safe Mode
Adame ransomware can be more persistent, so reboot the machine in Safe Mode with Networking before an anti-malware scan
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Adame using System Restore
You can enable the System Restore feature and eliminate Adame ransomware this way
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Adame. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Adame from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Adame, you can use several methods to restore them:
Data Recovery Pro is the method that can help with files encrypted by Adame ransomware
If you need alternate solution for data backups, Data Recovery Pro is the one to try. The program can restore accidentally deleted and corrupted files too
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Adame ransomware;
- Restore them.
Windows Previous Versions feature for file recovery after Adame ransomware attack
When System Restore gets enabled, you can use Windows Previous Versions as a data recovery method
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer for help when dealing with Adame ransomware
Your encrypted files can be recovered if you can use Shadows Volume Copies and ShadowExplorer tool
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Decryption is not possible for Adame ransomware
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Adame and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.
- ^ . Adame has hit me. Reddit. Online community forum.
- ^ Larry Dignan. Ransomware attacks: Why and when it makes sense to pay the ransom. ZDNet. Technology and cybersecurity news.
- ^ Losvirus. Losvirus. Spyware related news.
- ^ Antonio Challita. The four most popular methods hackers use to spread ransomware. ITprotocol. Security and IT news.