.Adame Files Virus (Phobos Ransomware) — How to Remove It (Update September 2019)


What is the .Adame files virus? The .Adame files virus, also known as .Adame ransomware, encrypts users’ files and demands a ransom.

The .Adame files virus is a new release of the Phobos ransomware family aiming to infect as many computer users as possible. It is being developed by an unknown hacking collective and once it is installed on a given computer it will lead to numerous dangerous system changes. After all included modules have finished running the encryption phase will be run. Finally the .Adame extension will be applied to all affected files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files on your computer machine and demands a ransom to be paid to allegedly restore them.
Symptoms: The ransomware will blackmail the victims to pay them a decryption fee. Sensitive user data may be encrypted by the ransomware code.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Adame Virus — Update February 2020
The .Adame virus has recently been found in an active attack campaign which features some changes in the sequence and functionality of the ransomware. It is dropped by a Visual Basic script, which means that infections are possible through interacting with web sites and emails. In most cases this is caused by falling victim to phishing campaigns that can use both email messages and hacker-made sites. The new samples are confirmed to include a network connection module, so it is possible that the virus will allow the criminals to execute Trojan commands. If such behavior is embedded, the hackers can access data on the contaminated machines, take over control and install other malware.
The .Adame files virus appears to be changing tactics over time as victims have reported that the newer versions show different sequences of commands. A new sample which is just a few weeks old shows that instead of focusing merely on the user data the .Adame ransomware is also encrypting system data and valuable files such as the following:

  • Windows Configuration Files
  • Restore Files
  • Driver Files

All of this shows that the hackers who are responsible for the ongoing infections have found out that it is likely more effective to target such data first before moving on to disrupt the stored user data on the system. Any changes to critical security data can make it very difficult to use the computers and may also prevent some of the security software from attempting to remove it effectively.

.Adame Files Virus — Update August 2019

The .Adame files virus is currently being spread in a worldwide attack campaign through several large-scale distribution techniques. Numerous reports indicate that the campaign is set to infect as many victims as possible in a global attack. What’s particularly interesting about this threat is that it is one of the most popular Phobos-based strains currently adopted by the hackers.

The virus has been shown to propagate across various media and has been linked to a number of payload sources: external hard drives, flash drives, network shares, etc. Once uploaded to a network by an attacker, the .Adame virus can propagate freely and infect as many victim devices as possible.

.Adame Files Virus – Detailed Description
The .Adame files virus is a new version of the Phobos ransomware which means that it is likely being spread by an experienced hacking group.

Like other similar threats, it can be used in an attack campaign that is spread across multiple distribution techniques. One of the most popular attack methods is phishing that relies on sending out email messages reminiscent of bulk SPAM. An alternative is to create dangerous web sites that are designed to appear as commonly opened addresses and web portals. Both the emails and the sites are hosted on domains that sound very similar to legitimate ones. They also include self-signed or stolen security certificates.

In order to infect more victims the hackers can embed the necessary code into file carriers:

  • Setup Packages — The .Adame files virus can be made part of many installers of popular applications. This means that the infections can be made by downloading packages of various software including the following: productivity tools, graphics software, utilities, office programs, etc.
  • Infected Documents — The other popular mechanism is the creation of macro-infected documents which can be of all popular file formats: documents, spreadsheets, presentations and text files. Whenever they are opened by the victims a pop-up prompt will appear asking the users to enable the built-in code in order to correctly view the document. If this is done, the .Adame files virus infection will begin.

Other widely used distribution methods include embedding the necessary code into malicious web browser plugins, which are uploaded to the relevant repositories using fake user reviews and developer credentials. Any virus-related files can also be shared freely among criminals and Internet users on file-sharing networks such as BitTorrent.

.Adame Files Virus – What Does It Do?
As soon as the .Adame files virus infection is made, an installation sequence will be started. It will likely be very similar to previous Phobos ransomware viruses by starting a data harvesting process: it will search for information that can expose the identity of the victims and also generate a profile of their machines. This is used to carry out crimes like identity theft and financial abuse. The generated hardware profile can be used with another module in order to create a unique ID that is assigned to each host. Furthermore, a security bypass can be made part of the .Adame files virus engine. It will scan the system’s memory and hard disk for any installed security software and bypass or entirely delete it. This step includes the likes of anti-virus programs, sandbox and developer environments, virtual machine hosts and firewalls.

The system settings that usually follow from other similar Phobos ransomware can include the following actions:

  • Boot Options Changes — The .Adame Files virus can be programmed into starting every time the computer boots. In certain cases it can also block access to the recovery boot options thus rendering most manual user removal guides non-working.
  • Windows Registry Changes — The ransomware can effectively reprogram existing values found within the Windows Registry or create new ones specific for the .Adame file virus. This can lead to the inability to launch certain features and programs, data loss and severe performance issues.
  • Payload Delivery — The .Adame files virus infection can be used to infect the victim hosts with other threats: Trojans, hijackers, miners, etc.

When all components have finished running, the actual file encryption will begin, based on a built-in list of target file type extensions. The most popular ones are the following: multimedia files, documents, backups, databases, restore points, etc. Once this process has completed, all victim files will be renamed with the .Adame extension. The users will be blackmailed into paying the hackers a decryption fee through an automatically-generated ransom note.

The .Adame Files Virus is a cryptovirus programmed to encrypt user data. As soon as all modules have finished running in their prescribed order the lockscreen will launch an application frame which will prevent the users from interacting with their computers. It will display the ransomware note to the victims.

You should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that.

The .Adame Files Virus cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet
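
The shadow copy deletion above is a useful detection point. The following Python sketch is an added example, not part of the original article: it flags that command line in any spelling and correlates it with file names ending in .Adame. The record field names and the sample events are constructed assumptions, not a real log schema.

```python
import re
from collections import Counter

# vssadmin or vssadmin.exe, bare or behind a directory prefix.
_VSSADMIN = re.compile(r"(?:^|[\\/])vssadmin(?:\.exe)?$", re.IGNORECASE)


def is_shadow_delete(command_line):
    """True if the command line runs 'vssadmin delete shadows' in any spelling."""
    # Drop quotes so a quoted full path and cmd /c "vssadmin ..." both tokenize.
    tokens = command_line.replace('"', " ").replace("'", " ").split()
    for i, tok in enumerate(tokens):
        if _VSSADMIN.search(tok):
            args = [a.lower() for a in tokens[i + 1:]]
            return "delete" in args and "shadows" in args
    return False


def triage(process_events, file_events, min_renamed=3):
    """Map host -> finding, combining shadow deletion with .Adame file names."""
    deleted = {e["host"] for e in process_events if is_shadow_delete(e["command_line"])}
    renamed = Counter(e["host"] for e in file_events
                      if e["path"].lower().endswith(".adame"))
    findings = {}
    for host in deleted | set(renamed):
        if host in deleted and renamed[host] >= min_renamed:
            findings[host] = "shadow copies deleted and files renamed to .Adame"
        elif host in deleted:
            findings[host] = "shadow copies deleted"
        elif renamed[host] >= min_renamed:
            findings[host] = "files renamed to .Adame"
    return findings


# Constructed sample records; the field names are assumptions for this example.
PROCESS_EVENTS = [
    {"host": "ws-01", "command_line": "vssadmin.exe delete shadows /all /Quiet"},
    {"host": "ws-02", "command_line": r'cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE Delete Shadows /All /quiet"'},
    {"host": "ws-03", "command_line": "vssadmin.exe list shadows"},
]
FILE_EVENTS = [{"host": "ws-01", "path": rf"C:\Users\a\Documents\report{i}.docx.Adame"} for i in range(4)]
FILE_EVENTS.append({"host": "ws-03", "path": r"C:\Users\b\notes.txt"})

if __name__ == "__main__":
    for host, finding in sorted(triage(PROCESS_EVENTS, FILE_EVENTS).items()):
        print(host, "->", finding)
```

Matching on the parsed tokens rather than the literal string keeps the check working when the case, the path prefix or the wrapping shell differs from the form printed above.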

If your computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially restore your files back to normal.

Remove .Adame Files Virus

If your computer system got infected with the Adame virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
