adage

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by AdAge are given the “.adage” extension.
  • Renaming Convention: All affected files are renamed as follows:
    <OriginalFileName>.<original-extension>.id-XXXXXXXX.[<contact-e-mail>].adage
    Example: Report_Q4.xlsx.id-1E857D00.[[email protected]].adage
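As an added example (not part of the original breakdown), a small Python parser for the renaming convention above, useful when scoping an incident: it pulls the original name, the 8-character victim id and the contact address out of each renamed file and groups the results per victim id. The file names and contact addresses are constructed placeholders.

```python
import re
from typing import Optional

# Pattern for the AdAge renaming convention:
#   <OriginalFileName>.<original-extension>.id-XXXXXXXX.[<contact-e-mail>].adage
# The id block is taken to be eight hex characters (assumption based on the
# example above); the contact address sits between square brackets.
ADAGE_NAME = re.compile(
    r"^(?P<original>.+?)"                # original name incl. extension (may contain dots)
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\[\]]+)\]"
    r"\.adage$"
)

# Constructed sample directory listing (not real victim data).
SAMPLE_NAMES = [
    "Report_Q4.xlsx.id-1E857D00.[actor@example.invalid].adage",
    "archive.tar.gz.id-1E857D00.[actor@example.invalid].adage",
    "budget.docx.id-9b3c2d1e.[other@example.invalid].adage",
    "readme.txt",
    "notes.adage.txt",          # '.adage' not at the end: not an encrypted file
]

def parse_adage_name(name: str) -> Optional[dict]:
    """Return the components of an AdAge-renamed file, or None if it does not match."""
    m = ADAGE_NAME.match(name)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),   # normalise hex case for grouping
        "contact": m.group("contact"),
    }

def scope_infection(names) -> dict:
    """Group renamed files by victim id and collect contact addresses.
    Non-matching names are reported too, so nothing is silently dropped."""
    by_victim: dict = {}
    contacts = set()
    unmatched = []
    for name in names:
        parsed = parse_adage_name(name)
        if parsed is None:
            unmatched.append(name)
            continue
        by_victim.setdefault(parsed["victim_id"], []).append(parsed["original"])
        contacts.add(parsed["contact"])
    return {"by_victim": by_victim, "contacts": sorted(contacts), "unmatched": unmatched}

if __name__ == "__main__":
    print(scope_infection(SAMPLE_NAMES))
```

Feed it the output of a directory listing (for example an exported `Get-ChildItem -Recurse` name column) to see which victim ids and contact addresses are present on a share.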

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first documented AdAge activity was observed in late May 2019, peaking between June and September 2019. It is a successor/variant of the Phobos family.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Exploitation of exposed RDP (port 3389, 33890) using brute-force or weak credentials.
  2. Double-extortion: Steals data via built-in PowerShell scripts → threatens public leak if ransom is unpaid.
  3. Lateral movement via SMBv1 (EternalBlue is not part of the default toolkit, but post-exploitation scripts deploy it manually).
  4. Malicious email campaigns (weaponized Office docs or ISO files carrying AdAge dropper).
  5. Cracked software bundles and fake browser updates delivered by malvertising.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  1. Hard-set GPO to enforce NLA + TLS on RDP, disable SMBv1, and restrict RDP exposure via VPN only.
  2. Strong, unique passwords (≥16 chars) and 2FA on every remote-access solution (RDP, VPN, VMI).
  3. Segment networks via firewalls—separate critical servers from user VLANs, block ports 445/135/139 outbound.
  4. Email & macro filtering in Exchange/Office 365 (block ISO/LNK attachments by default).
  5. Application whitelisting (Applocker, WDAC) to block unsigned PowerShell/LOLbins from launching.
  6. **Daily, off-site, *offline* backups** (3-2-1 rule) with write-once read-many (WORM) storage.

2. Removal – Clean-Up Workflow

  1. Air-gap the host (network cable/Wi-Fi off, write-protect USB for evidence).
  2. Boot into Windows RE and scan with Microsoft Defender (AMSI scan), ESET Rogue AV, Malwarebytes, Kaspersky VRT or Sophos Clean.
  3. Manually hunt for persistence:
  • Scheduled tasks (schtasks /query /fo LIST /v | findstr "adage")
  • Registry Run keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  4. Identify shared volumes where .adage files propagate—stop all SMB sessions (net use) and disable ADMIN$.
  5. Re-patch the OS fully via Windows Update—apply the CVE-2017-0144/SMBv1 roll-up, RDP fix KB4565351, etc.
  6. Re-image or reinstall the OS only after ensuring no hidden WMI or BIOS-level implants remain (use PE boot + vendor firmware check).

3. File Decryption & Recovery

  • Recovery Feasibility:
    Files cannot currently be decrypted without the attackers’ private RSA key.
    Options:
  1. **Use your most recent, *offline* backup** – zero-cost, fastest restore path.
  2. Shadow-copy resurrection – run:

    vssadmin list shadows
    shadowexplorer.exe
    Restore-Computer -RestorePoint <RP>

    Note: Phobos/Adage typically wipes shadow copies (vssadmin delete shadows /all).
  3. Cloud sync rollback – OneDrive/SharePoint/Box/G-Drive file-version snapshots (check 30–90-day retention).
  4. File-recovery tools (last resort) – PhotoRec, R-Studio, Recuva, EaseUS, targeting unencrypted file remnants left on disk.
  5. Do NOT pay – there is no guarantee of a working key, and further funds fuel more attacks (FBI & CISA consistently warn).
  • Essential Tools/Patches:
  • Windows SMBv1 Disable script – https://aka.ms/smbv1
  • Phobos Decryptor (proof-of-concept by Emsisoft) – still requires adversary’s key – https://emsisoft.com/ransomware/phobos
  • Kroll AdAge IOC search script – https://github.com/kroll-cyber/adage-hunter
  • Microsoft Defender (built-in) + KB5028310 (Sept 2023 Defender Platform update) – detects AdAge variants offline.
  • RDPshield 2FA (Duo, Azure MFA, Entra)

4. Other Critical Information

  • Unique Characteristics:

  • Uses parallel mutex behavior: waits for 60 seconds after infection before spamming network shares—evades some fast AV responders.

  • Adds victims to a public shaming portal (hxxp://rfk7[.]tk) and optionally threatens DDoS.

  • Double-extension phishing lure e-mails feature “resume.pdf.jpg” strings to trick mail scanners.

  • Broader Impact:

  • Described by CERT-EU as responsible for $3.2 M loss in 2019 in municipal entities.

  • Spawned hybrid campaigns with Dharma/Crysis and LockBit operators re-using AdAge infrastructure for “franchise licensing.”

  • Heightened SOC alert volume due to extensive lateral SMB scanning (often triggers duplicate noise in EG-NSS feeds).


Use this guide as a blueprint to audit, harden, and recover from AdAge attacks. When in doubt, escalate to your national CERT or follow CISA Ransomware Playbook rev.4 incident response workflow.