Jump to content

Recommended Posts

The .Adame extension has been used by both Phobos and a Scarab variant. Files encrypted by Phobos will have an <ID>-<id> with 8 random hexadecimal characters>.[<email>] followed by the .Adame extension as explained here by Amigo-A (Andrew Ivanov).

<filename>.<extension>.id[F6593DDC-2275].[[email protected]].Adame
<filename>.<extension>.id[70C80B9F-1127].[[email protected]].Adame
<filename>.<extension>.id[AE9AE1C0-2275].[[email protected]].Adame

If it does not have the <ID>-<id> with 8 random hexadecimal characters>.[<email>] pattern followed by the .Adame extension, then it is a Scarab variant. Based on infection rates, you are most likely infected with Phobos which leaves files (ransom notes) named Phobos.hta, Encrypted.txt, Data.hta, info.hta and info.txt.
  • Upvote 1
Link to post
Share on other sites
  • 3 months later...

Unfortunately, there is no known method to decrypt files encrypted by any Phobos Ransomware variants without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced.


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...