AdamLocker

Malware

⚠️ Overview

AdamLocker is a ransomware strain first discovered in June 2016 by security researchers at BleepingComputer and later analyzed by Trend Micro. It falls under the ransomware category, encrypting files with AES-256 and demanding Bitcoin payment for decryption. The malware is believed to be operated by an unknown individual or small group; no affiliation with nation-state actors or major criminal syndicates has been publicly confirmed.

🔧 Technical Capabilities

AdamLocker propagates primarily through malicious email attachments and exploit kits (e.g., Rig EK) using social engineering to trick users into executing the payload. Once active, it scans local drives and network shares for files with extensions such as .doc, .jpg, and .xls, encrypting them with AES-256 and a randomly generated key. The ransomware appends the extension .adam to encrypted files and drops a ransom note named _HELP_INSTRUCTIONS.txt in each affected directory. It communicates with a command-and-control (C2) server to exfiltrate the encryption key, which is then deleted locally, making decryption without payment infeasible. The malware does not employ advanced evasion techniques like polymorphism or process hollowing; it relies on low detection rates due to its obscurity. Persistence is achieved by modifying the Windows registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).

📜 History & Notable Incidents

AdamLocker first appeared in mid-2016, with early coverage by BleepingComputer detailing its file extension and ransom note. No high-profile victims or major campaigns have been publicly documented; infections were sporadic and primarily affected small businesses and individual users. Law enforcement actions have not been reported, and no specific CVEs are associated with this malware, as it does not exploit vulnerabilities; it relies on user execution.

🔍 Detection Indicators

Known SHA256 hashes for AdamLocker samples (e.g., 5a8e3f6f1c2b4d8e9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f) are available on VirusTotal. Behavioral indicators include the sudden appearance of .adam files and the ransom note; network indicators include outbound HTTPS connections to unknown IPs. A common mutex name observed is AdamLockMutex, and registry persistence under the Run key serves as a key forensic artifact.
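As an added example (not code from this page or from Boteraser), the following Python triage helper checks a directory tree for the two file-system artifacts named above (.adam files and _HELP_INSTRUCTIONS.txt) and parses an exported .reg file for values under the HKCU Run key, the persistence location the profile names. The sample tree and the .reg text are constructed for the demonstration; the registry parser works on an export so it runs on any platform.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the profile above.
ENCRYPTED_EXT = ".adam"
RANSOM_NOTE = "_HELP_INSTRUCTIONS.txt"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def scan_tree(root):
    """Walk root for AdamLocker artifacts: .adam files and dropped ransom notes."""
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif name == RANSOM_NOTE:
                note_dirs.append(dirpath)
    return {"encrypted_files": len(encrypted), "note_dirs": sorted(note_dirs),
            "suspicious": bool(encrypted or note_dirs)}

def run_key_entries(reg_export):
    """Parse a .reg export; return name -> command for values under the HKCU Run key
    (the persistence location the profile names). .reg files double backslashes."""
    entries, in_run = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def build_sample_tree():
    """Constructed sample (not real malware output): an infected-looking folder in a temp dir."""
    root = tempfile.mkdtemp(prefix="adam_sample_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.doc.adam").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed ransom note placeholder")
    Path(root, "clean.txt").write_text("untouched")
    return root

# Constructed .reg export: one legitimate entry and one oddly placed executable.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Updater"="C:\\Users\\user\\AppData\\Roaming\\Updater.exe"'''
```

Any Run-key entry returned that points into a user-writable location such as AppData is worth a closer look; the entry names themselves are not a reliable signal since the page reports no fixed value name.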

☠️ Risk & Impact

AdamLocker encrypts user files, rendering them inaccessible without the decryption key. Financial losses stem from ransom demands (typically 0.5–1 Bitcoin) or recovery costs from backups. The primary affected sectors are consumers and small to medium businesses; no specific industry targeting has been identified.

🛡️ Mitigation

Recommended defenses include maintaining offline backups, deploying email security gateways to block malicious attachments, and using endpoint detection and response (EDR) tools to detect ransomware behavior. No patches are required because the malware does not exploit software vulnerabilities.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.