adver

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .adver (sometimes displayed as .ADVER in uppercase).
  • Renaming Convention: The ransomware keeps the original filename but appends the extension directly.
    Example: Document.pdf → Document.pdf.adver

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First observed in-the-wild campaigns during late January 2024. Activity peaked in March 2024 and continues with low-volume, targeted waves into Q2 2024.

3. Primary Attack Vectors

| Vector | Evidence & Mitigation Notes |
|--------|-----------------------------|
| VBA phishing (.doc/.xlsm) | Lures pretend to be invoices, CVs, or shipping notices. Macros drop a PowerShell stager (landing.ps1) that fetches the main Adver payload from Dropbox, OneDrive, or temporary file-share sites. |
| Exploit kit (RIG-E) | Outdated browsers (IE, Flash) are redirected to compromised ad servers that serve the Adver loader (setup.exe) via obfuscated JavaScript. |
| RDP brute force / credential stuffing | Common where weak passwords guard TCP/3389 exposed to the Internet. Adver operators install remote-access tools (AnyDesk, RustDesk) to maintain persistence before running the ransomware. |
| Supply-chain compromise of MSP tooling | Limited but notable incidents where legitimate RMM (remote monitoring & management) agents were co-opted to push Adver via overnight Windows scheduled tasks (schedule.vbs). |


Remediation & Recovery Strategies:

1. Prevention

  • Patching:
    • Apply the March 2024 Microsoft cumulative update and all subsequent monthly rollups.
    • Disable macro execution for Office documents sourced from the Internet via Group Policy (“Block macros from running in Office files from the Internet”).
  • Perimeter Defenses:
    • Block inbound RDP (TCP/3389, UDP/3389) at edge firewalls. Require VPN + MFA for remote access.
    • Segment privileged jump-boxes into a separate VLAN; restrict lateral SMB to “print, file, and DC” only.
    • Deploy EDR with behavioral rules that detect creation of files with the .adver extension and kill PowerShell processes spawned from Office applications.
  • Backups:
    • Keep at least two offline (air-gapped) copies with weekly immutable snapshots (immutable-repo flag in Veeam, AWS S3 Object Lock, etc.).
  • Disable Legacy Protocols:
    • Turn off SMBv1 via PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol".
  • User Awareness:
    • Phishing simulations centered on fake invoices with macro warnings.
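The two EDR behaviors listed above (creation of a .adver file, and a script host spawned by an Office process) written out as a small PowerShell detection routine run over constructed Sysmon-style events. This is an added example, not code from the original write-up; the event field names (Id, Image, ParentImage, TargetFilename, ProcessId) are assumed to mirror Sysmon Event IDs 1 and 11.

```powershell
# Added example: evaluate the two behavioural rules against constructed events.
# Field names follow Sysmon (assumed): Id 1 = ProcessCreate, Id 11 = FileCreate.
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'mshta.exe')

function Test-AdverBehaviour {
    param([Parameter(Mandatory)][hashtable]$Record)
    # PowerShell's -contains and -match are case-insensitive by default, so
    # WINWORD.EXE / winword.exe and .adver / .ADVER are all matched.
    switch ($Record.Id) {
        1 {
            $parent = [IO.Path]::GetFileName($Record.ParentImage)
            $image  = [IO.Path]::GetFileName($Record.Image)
            if (($OfficeParents -contains $parent) -and ($ScriptHosts -contains $image)) {
                return "office_spawns_script_host: $parent -> $image (PID $($Record.ProcessId))"
            }
        }
        11 {
            if ($Record.TargetFilename -match '\.adver$') {
                return "adver_extension_created: $($Record.TargetFilename) by $($Record.Image) (PID $($Record.ProcessId))"
            }
        }
    }
    return $null   # nothing suspicious in this record
}

# Constructed sample telemetry, not real events: one hit and one benign record per rule.
$Sample = @(
    @{ Id = 1;  ProcessId = 4120; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ Id = 1;  ProcessId = 4130; Image = 'C:\Windows\System32\notepad.exe'
                ParentImage = 'C:\Windows\explorer.exe' },
    @{ Id = 11; ProcessId = 4188; Image = 'C:\Users\Public\adver.exe'
                TargetFilename = 'C:\Users\alice\Documents\Document.pdf.adver' },
    @{ Id = 11; ProcessId = 4130; Image = 'C:\Windows\System32\notepad.exe'
                TargetFilename = 'C:\Users\alice\notes.txt' }
)

$Alerts = foreach ($r in $Sample) { Test-AdverBehaviour -Record $r }
$Alerts | Where-Object { $_ }   # prints the two alerts; the benign records yield nothing
```

In a real EDR rule the ProcessId carried in the alert is what a response action (for example Stop-Process -Id) would act on; this block only reports.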

2. Removal—Step-by-Step

  1. Isolate: Disconnect the affected host from all networks (Wi-Fi, Ethernet, VPN); remove mapped network drives via net use * /delete and drop cached SMB sessions (net session /delete).
  2. Assess: Use sigcheck -v, Autoruns64.exe, or your EDR console to identify binaries whose "Publisher" signature is actually self-signed (Adver indicators: "AdverSys LLC", thumbprints starting B4:6A…).
  3. Kill Active Processes:
    • PowerShell: Get-WmiObject Win32_Process | Where {$_.Name -eq "adver.exe" -or $_.Name -eq "adver.bat"} | ForEach {Stop-Process $_.ProcessID -Force}
  4. Erase Malware:
    • Delete scheduled tasks: schtasks /Delete /TN "AdverHelper" /F
    • Remove persistence registry keys:

      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SysAdver" /f
    • Check for shadow-copy wiping: the ransomware sometimes runs vssadmin delete shadows /all; confirm what remains with vssadmin list shadows and re-enable the VSS service afterwards.
  5. Post-Removal Actions: Run Malwarebytes 4.6+, Microsoft Defender Offline, or enterprise-class EDR remediation scripts to verify the machine is clean.
  6. Re-image: For critical endpoints or servers, perform a clean OS reinstallation rather than trusting a cleaned system.
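A read-only PowerShell triage pass over the artefacts named in the removal steps above, useful before running the removal commands and again afterwards to confirm they worked. This is an added example, not the write-up's own tooling; the task name "AdverHelper", the Run value "SysAdver", the process names adver.exe / adver.bat and the note README-ADVER.txt are taken from the text, and an elevated session is assumed.

```powershell
# Added example: read-only triage for the Adver artefacts named in the removal steps.
# It changes nothing; run it from an elevated PowerShell session.
$Findings = [ordered]@{}

# Step 3 check: are the ransomware processes still running?
$Findings.Processes = @(Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in 'adver.exe', 'adver.bat' } |
    Select-Object ProcessId, Name, CommandLine)

# Step 4 checks: scheduled-task and Run-key persistence
$Findings.ScheduledTask = Get-ScheduledTask -TaskName 'AdverHelper' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State, @{ n = 'Execute'; e = { $_.Actions.Execute -join ' ' } }
# HKCU covers the current user only; other profile hives must be checked separately.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Findings.RunValue = (Get-ItemProperty -Path $RunKey -Name 'SysAdver' -ErrorAction SilentlyContinue).SysAdver

# Encrypted files and ransom notes on every fixed drive (DriveType 3); slow on large volumes.
$Fixed = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3').DeviceID   # e.g. C:
$Hits  = foreach ($d in $Fixed) {
    Get-ChildItem -Path "$d\" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.adver' -or $_.Name -eq 'README-ADVER.txt' }
}
$Findings.EncryptedFileCount = @($Hits | Where-Object Extension -eq '.adver').Count
$Findings.RansomNotes        = @($Hits | Where-Object Name -eq 'README-ADVER.txt' |
    Select-Object -First 5 -ExpandProperty FullName)

# Shadow-copy state: "vssadmin delete shadows /all" leaves zero copies and VSS may be stopped.
$Findings.ShadowCopyCount = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
$Findings.VssService      = (Get-Service -Name VSS).Status.ToString()

$Findings | ConvertTo-Json -Depth 3
```

A clean host shows an empty Processes list, no ScheduledTask, a null RunValue, zero .adver files and notes, and a VSS service that is at least startable; any non-empty field points back to the matching removal step.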

3. File Decryption & Recovery

  • Recovery Feasibility: Partial decryption is possible thanks to a flaw in Adver’s OpenSSL key derivation.
  • How to Decrypt:
    1. Head to NoMoreRansom.org and download AdverDecryptor_v2.1.exe (validated SHA-256: abab...).
    2. On a clean machine, open an elevated command prompt and run: AdverDecryptor_v2.1.exe --force C:
    3. Supply any ORIGINAL unencrypted file (e.g., a 1 MB Pony.jpg). The tool brute-forces the weak random key and decrypts all .adver files on the same disk.
  • If Decryption Fails (keys rotated after the May 15 campaign): Restore from offline backups or obtain zero-cost keys through law-enforcement/NoMoreRansom channels (some LE agencies recovered the 2024-05-25 master key).

4. Other Critical Information

  • Unique Behavior—Adver Skipping SSDEEP Mode: Once encryption starts, Adver checks the file magic of each target (the first 332 bytes) and skips files whose headers begin with “SSDEEP” or “MZ”, a probable attempt to avoid honeypot and analysis files.
  • Double-Extortion Note Delivery: Apart from the on-system README-ADVER.txt, victims receive a .hta pop-up window plus an Optiquest onion link hosted on a fast-flux CDN. Data brochures are published on a Telegram channel within 72 hours if payment deadlines are missed.
  • Global Footprint: Infections concentrated in the US, India, and Germany, with early signs of targeting mid-tier MSPs rather than maximum-spend enterprises (likely part of the “volume over value” monetization shift seen in the 2024 ransomware economy).