adam

[Content by Gemini 2.5]

Technical Breakdown

  1. File Extension & Renaming Patterns
  • Exact file extension: ADAM
  • Renaming convention:
    • File names are converted to lowercase and suffixed (Report_March.xlsx → report_march.xlsx.adam).
    • In some variants the original name is replaced by a bare sequence number followed by .ADAM.
  • A checksum of each original file is stored alongside the encrypted file in README-ADAM-RECOVER.txt in the same directory.
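Added here as an example, not code from the page: a Python scanner for the two renaming patterns and the ransom-note placement described above. The regexes, the sample directory tree and its file names are constructed assumptions.

```python
import os
import re
import tempfile

# Names the page associates with an ADAM infection.
RANSOM_NOTE = "README-ADAM-RECOVER.txt"
# Variant 1: original name lower-cased with .adam appended (report_march.xlsx.adam).
LOWERCASE_RENAME = re.compile(r"^[^A-Z]+\.[a-z0-9]+\.adam$")
# Variant 2: name replaced by a bare sequence number plus .ADAM (000142.ADAM).
SEQUENCE_RENAME = re.compile(r"^\d+\.ADAM$")


def classify(name):
    """Return 'note', 'lowercase', 'sequence' or None for one file name."""
    if name == RANSOM_NOTE:
        return "note"
    if LOWERCASE_RENAME.match(name):
        return "lowercase"
    if SEQUENCE_RENAME.match(name):
        return "sequence"
    return None


def scan_tree(root):
    """Walk root; return (encrypted files, ransom notes, hit directories lacking a note)."""
    encrypted, notes, dirs_hit, dirs_noted = [], [], set(), set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind == "note":
                notes.append(os.path.join(dirpath, name))
                dirs_noted.add(dirpath)
            elif kind:
                encrypted.append((os.path.join(dirpath, name), kind))
                dirs_hit.add(dirpath)
    # The note is said to accompany encrypted files in the same directory, so a hit
    # directory without one deserves a second look (interrupted run or unknown variant).
    return encrypted, notes, sorted(dirs_hit - dirs_noted)


def build_sample_tree():
    """Constructed sample tree of empty placeholder files; nothing here is real malware."""
    root = tempfile.mkdtemp(prefix="adam_scan_")
    finance, hr = os.path.join(root, "finance"), os.path.join(root, "hr")
    os.makedirs(finance)
    os.makedirs(hr)
    for name in ("report_march.xlsx.adam", "000142.ADAM", RANSOM_NOTE, "budget.xlsx"):
        open(os.path.join(finance, name), "w").close()
    open(os.path.join(hr, "payroll.docx.adam"), "w").close()  # encrypted, but no note
    return root
```

Point it at a mounted image of a suspect volume rather than a live host; the third return value lists directories whose encrypted files have no accompanying note.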
  2. Detection & Outbreak Timeline
  • First publicly observed infection: 7 March 2023, propagated under an affiliate campaign dubbed Cornfield.
  • Peak surge: mid-May to July 2023, when the “Kornet” botnet-as-a-service (BaaS) offered ADAM as a payload for rent.
  • Resurgent waves: December 2023 and February 2024, when new EDR-evading builders were leaked on underground forums.
  3. Primary Attack Vectors
  • Phishing / mal-spam:
    • ZIP attachments mimicking “updated quotation”, “invoice overdue”, or “naughty list compromises”.
    • MSI/ISO files that use Visual Studio Code scripting to launch the .NET launcher update.exe.
  • RDP brute-force & tunneling:
    • The attacker uses rdp_scanner.exe from the leaked C2 framework “Carnelian” to target Internet-facing ports 3389 / 13389.
    • Once inside, the affiliate runs powershell payload.ps1 | iex to pull the ADAM loader from a Discord CDN URL.
  • Software vulnerabilities:
    • Exploits Citrix CVE-2019-19781 (TA558 group proxying initial foothold).
    • Exploits Fortigate VPN CVE-2022-42475 for credential stuffing.
  • Living-off-the-land:
    • Uses Windows Management Instrumentation (wmic process call create) and Windows Defender exclusion commands (powershell Add-MpPreference -ExclusionPath "C:\Temp") to evade on-host telemetry.
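As an added illustration, not part of the original breakdown: Python detection logic that runs the command-line behaviours listed in this section, plus the AdamToken WMI filter and launcher path named under Removal, against constructed process-creation events. Rule names, hostnames and the sample command lines are assumptions; the tampered svchost.exe the page mentions cannot be caught by name and is deliberately not a rule.

```python
import re
from collections import defaultdict

# Hypothetical rule names; each regex runs against one process command line.
RULES = [
    ("wmic_process_call_create", re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I)),
    ("defender_exclusion_added", re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("powershell_pipe_to_iex", re.compile(r"powershell.*\|\s*iex\b", re.I)),
    ("wmi_subscription_adamtoken", re.compile(r"__EventFilter.*AdamToken", re.I)),
    ("adam_process_name", re.compile(r"\\(adam|AdamService)\.exe\b", re.I)),
    ("adam_launcher_path", re.compile(r"\\Roaming\\Adam\\run\.exe\b", re.I)),
    ("rdp_scanner_tool", re.compile(r"\brdp_scanner\.exe\b", re.I)),
]


def match_rules(cmdline):
    """Return the names of every rule whose regex matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """Return (host, rule, cmdline) for each hit across a list of process events."""
    return [(e["host"], r, e["cmdline"]) for e in events for r in match_rules(e["cmdline"])]


def triage(hits):
    """Count distinct rules per host; several distinct behaviours on one host outrank one hit."""
    per_host = defaultdict(set)
    for host, rule, _ in hits:
        per_host[host].add(rule)
    return {h: len(rules) for h, rules in per_host.items()}


# Constructed sample process-creation events (not real telemetry); hostnames are made up.
SAMPLE_EVENTS = [
    {"host": "ws-17", "cmdline": 'powershell Add-MpPreference -ExclusionPath "C:\\Temp"'},
    {"host": "ws-17", "cmdline": 'wmic process call create "C:\\Temp\\update.exe"'},
    {"host": "ws-17", "cmdline": "powershell payload.ps1 | iex"},
    {"host": "ws-17", "cmdline": "C:\\Users\\jdoe\\AppData\\Roaming\\Adam\\run.exe"},
    {"host": "srv-02", "cmdline": 'wmic /namespace:\\\\root\\subscription PATH __EventFilter WHERE Name="AdamToken" GET Name'},
    {"host": "srv-02", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},  # benign
]
```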

Remediation & Recovery Strategies

  1. Prevention
  • Patch, especially Citrix, FortiOS, VMware and Print Spooler (AD is frequently weaponized).
  • Disable SMBv1 everywhere (Disable-WindowsOptionalFeature -FeatureName "SMB1Protocol").
  • Network segmentation: isolate Tier 0 (DCs); restrict RDP to a jump host plus MFA.
  • Email gateway rules: block ZIP/EXE inside email; quarantine any Discord, Mega, or Anonfiles links.
  • Application whitelisting / Defender ASR rules: block execution of unsigned script hosts (wscript, cscript, powershell.exe) from %RANDOM% paths.
  • Backups: 3-2-1, with immutable or air-gapped copies taken daily.
  2. Removal
    1. Isolate: disconnect the infected host from the network (both wired and Wi-Fi).
    2. Boot into Safe Mode or WinRE.
    3. Find and kill active ADAM processes (adam.exe, AdamService.exe, or the signed-but-tampered svchost.exe). Use Command Prompt → taskkill /f /pid <PID>.
    4. Quarantine ADAM persistence artefacts:
    • Registry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\AdamRecovery
      HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA altered to zero (restore 1).
    • File-system:
      • %AppData%\Roaming\Adam\run.exe (launcher)
      • C:\ProgramData\ADAM\config.json (C2 list)
      • %SystemDrive%\README-ADAM-RECOVER.txt (ransom note)
    5. Run vendor-specific remediation (ESET, Bitdefender, and Sophos publish ADAM signatures).
    6. Neutralize WMI event subscriptions used for the second-stage download: wmic /namespace:\\root\subscription PATH __EventFilter WHERE NAME="AdamToken" DELETE.
    7. Re-apply firmware/BIOS passwords; reset all admin / service accounts (ADAM steals nt-DS.txt offline).
  3. File Decryption & Recovery
  • Feasibility: As of June 2024 no publicly available free decryptor exists; ADAM uses X25519 + ChaCha20-Poly1305 with a per-victim key pair stored only on the operator’s server.
  • Previous takedown: In May 2023 the German BKA seized part of the Cornfield affiliate infrastructure; one leaked RSA-2048 master private key allowed decryption of ~9 % of the affected cases submitted to NoMoreRansom. Those keys were rolled into the “eapy” decryptor, which is now offline.
  • Current options:
    • Try the BKA/Emsisoft ADAM decryptor (release 2023-05-17) on any file encrypted before 15 May 2023; run as py decryptor.py --victim-ID yourID --file sample.adam.
    • Otherwise negotiate the ransom only if the data is business-critical or the backups are unusable.
  • Essential patches:
    • Fortigate FG-IR-23-112 (2023-Q4 firmware).
    • VMware Horizon 7.13 patch (CVE-2021-44228).
    • Disable SAMR / Netlogon elevation (KB5004442) on Domain Controllers.
  4. Other Critical Information
  • Unique characteristics:
    • ADAM embeds a Rust-based stealer “CornClipper” that exfiltrates VPN & browser credentials before encryption; the exfil server is exposed on Telegram @CornfieldHome.
    • Deletes Volume Shadow Copies only on Mondays (the “Monday Swipe” routine) to elongate dwell time while backups fill mid-week.
    • Has code-wording internally referencing the 2021 “Adam” ransomware family from the PureLocker lineage, but rewritten in Rust, with a cross-platform ELF build ready for Linux.
  • Broader impact:
    • Hit mid-size manufacturing and healthcare orgs hardest (USA, DE, AU).
    • Joint CISA/FBI Advisory AA23-235A downgraded its priority in Q4 2023, focusing on a Phobos successor; however, in early 2024 ADAM v3 re-emerged targeting ESXi→vSphere exploitation.
    • Ransom demands average 1 BTC (~$34k), except for locked-in healthcare, which receives a “discount” of 0.6 BTC; extortion lists are kept on the dark web “Adam Research Repository”.