02Sep, 2019


Do you know about Adame Ransomware? Some highly skilled cyber crooks prefer to build and tailor unique malware and take great pride in this. Others, however, would rather take it easy and still cash in some profits, preferable with minimum effort involved. Such individuals like to base their malware creations on the code of already existing, well-established threats. This is the case with the creators of the Adame Ransomware. This file-encrypting Trojan is a variant of the infamous Phobos Ransomware.

An Offshoot of the Phobos Ransomware

Upon close examination of its code, security researchers have now tied Adame’s structure to that of the nasty Phobos ransomware family. However, the group of hackers behind the attacks has largely concealed its identity so that security analysts have no way of knowing if Adame is being utilized by the same criminal gangs as those behind Phobos. While Adame’s code is similar to that of Phobos, Adame appends a different extension – all encrypted files are renamed using the following patterns:

  • [File_name].id.[victim_ID][].Adame
  • [File_name].id.[victim_ID][].Adame

Once the damage is done

Once launched, Adame Ransomware performs a series of unstoppable actions. First, it collects whatever personal and system configuration details it comes across. Should it find any AV software, Adame creates a shield against it so as to evade detection. Finally, the ransomware modifies the system’s registry and boot settings to make sure it launches during system startup every time. While earlier Adame Ransomware attacks mainly focused on encrypting user rather than system data, more recent reports suggest that Adame’s developers have tweaked it a bit. As a result, Adame now spreads to all mapped drives when attacking network-connected PCs, encrypting both user and Windows system files alike. As soon as Adame has finished encrypting the data, it draws up a pair of documents – a pop-up HTML called Info.hta and an Info.txt Notepad file – on the victim’s desktop.

Infection Vectors

The most common methods of propagating ransomware threats are at play here, namely spam email campaigns, infected pirated applications, and bogus software updates.When the Adame Ransomware manages to worm its way into a system, it starts the attack by triggering a scan. This scan is meant to locate all the file which the Adame Ransomware was programmed to target. Once the scan is through, the Adame Ransomware will begin encrypting the targeted files. Upon encryption, the files have their names altered. The Adame Ransomware adds a ‘.id[].[].Adame’ extension at the end of the filename.

The Ransom Note

Next, the Adame Ransomware drops a ransom note named ‘encrypted.hta.’ The ransom note reads:

The authors of the Adame Ransomware do not mention a specific ransom fee. Instead, they claim that the price depends on how quickly the victim gets in touch with them, which sounds like a common social engineering technique. The attackers offer to decrypt up to five files free of charge provided that the total size does not exceed 4MB. This is usually done to prove to the victim that the attackers have a working decryption key. The authors of the Adame Ransomware make it clear that they want the ransom fee in the shape of Bitcoin which is a common request when dealing with cybercriminals because the cryptocurrency helps them protect their anonymity and avoid getting in trouble. The attackers give out two email addresses where they would like to be contacted – ‘,’ and ‘’

We advise you strongly to stay away from the authors of the Adame Ransomware, and from cyber crooks in general. Nothing good can come out of attempting to negotiate with such individuals.


NB: Are you infected by a ADAME  Ransomware?

Our main Policy  is, we operate on No Data = No Fee or your money back!.

How we Operate: Click Here:

Our  success rate so far  in ransomware data recovery from CryptolockerJava, Arrow, DMA, XTBL, Kyra, Locky, Thor, CryptoMIX, Microsoft Crypto, AletaArena, Nuclear, NM4,Gryphon, BTC, and Zepto (to mention few!) is 100%.

Click here to submit a new case -> 

New Case  >>>

Leave a Reply

Your email address will not be published. Required fields are marked *