The .Adair file extension is used by the latest variant of the Phobos ransomware. The ‘Adair’ variant is very similar in its characteristics to the other variants of this ransomware. It also encrypts files and then renames them, giving each a new filename that consists of the old name with ‘.id[user-id].[kusachi@cock.li].Adair’ appended at the end. The criminals demand a ransom for the key and decryptor pair that is necessary to unlock the encrypted data.
The Adair virus is the newest version of the Phobos ransomware. It appends the ‘.Adair’ extension to each file that it encrypts using a complex encryption mechanism. Like its previous variants, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, Adair immediately starts working in the background. First of all, the virus configures Windows so that the ransomware starts automatically every time the computer is turned on. Adair uses this mechanism to continue encrypting files if it was interrupted by the computer being turned off or restarted. Next, the ransomware contacts its control server to send information about the infected computer and receive additional commands.
After all the preparatory steps are completed, Adair proceeds to its main task: it begins to encrypt files. All files are encrypted regardless of where they are located, whether on a local disk or on a network-connected disk. The contents of the following common file types can be encrypted:
.ff, .css, .p7b, .csv, .zip, .pptm, .ysp, .srf, .ws, .wp5, .yal, .big, .srw, .xls, .wp, .slm, .wav, .odt, .m3u, .itm, .mov, .wp4, .jpe, .upk, .tor, .d3dbsp, .docx, .gdb, .mpqge, .avi, .wp6, .wsd, .xpm, .x3f, .xmind, .zi, .rofl, .wp7, .xll, .xyw, .orf, .wotreplay, .wpd, .iwd, .wpe, .sid, .wcf, .py, .bc6, .wmf, .lbf, .ai, .dmp, .rw2, .wire, .wma, .qic, .bc7, .p12, .pkpass, .webdoc, .syncdb, .ntl, .wmv, .ncf, .ppt, .menu, .lvl, .zabw, .flv, .pef, .icxs, .wbm, .dba, .asset, .wn, .wgz, .zdb, .xlsm, .accdb, .3dm, .indd, .pdd, .mrwref, .sr2, .bkp, .wbmp, .xlk, .kdb, .doc, .fos, .mp4, .txt, .z, .wps, .webp, .dwg, .mdf, .itl, .rtf, .yml, .itdb, .das, .wb2, .wpb, .bik, .wpg, .db0, .vpp_pc, .wmo, .svg, .odb, .xx, .der, .ybk, .p7c, .dazip, .wdp, .fpk, .esm, .wmv, .xld, .3ds, .mlx, .2bp, .m4a, .y, .raf, .vtf, .wbk, .bkf, .mdb, .zif, .t12, .wbc, .sie, .x3d, .lrf, .xlsb, .zw, .cer, .re4, .z3d, .bay, .xlgc, .wps, .mef, .rim, .zdc, .x3f, .pdf, .wbd, .xlsm, .sidd, .odm, wallet, .ods, .kf, .xml, .wma, .xwp, .psd, .sidn, .vdf, .1st, .vpk, .pfx, .wpl, .xbdoc, .3fr, .7z, .pst, .rgss3a, .iwi, .ltx, .rar, .mcmeta, .cas, .gho, .sum, .x, .pem, .xmmap, .jpg, .mddata, .wpd, .nrw, .w3x, .jpeg, .m2, .zip, .forge, .apk, .bsa, .xbplate, .fsh, .dng, .png, .cfr, .r3d, .dxg, .wpw, .wpt, .wot, .vcf, .vfs0, .erf, .sav, .sb, .map, .psk, .xlsx, .xf, .epk, .t13, .1, .ztmp, .pak, .kdc, .mdbackup, .qdf, .crw, .bar, .cdr, .sis, .arch00, .wm
After the Adair virus encrypts a file, it renames it, so each encrypted file gets a new filename. For example, the file ‘image.jpg’, after it is encrypted, will be renamed to ‘image.jpg.id[user-id].[kusachi@cock.li].Adair’. In every directory that contains at least one encrypted file, the virus drops two files named info.txt and info.hta. The contents of these files are shown below.
The contents of the info.hta:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail kusachi@cock.li
Write this ID in the title of your message
In case of no answer in 24 hours write us to this e-mail:maycat@protonmail.com
If there is no response from our mail, you can install the Jabber client and write to us in support of help_decrypt@xmpp.jp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Jabber client installation instructions:
Download the jabber (Pidgin) client from https://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click “Add”
In the “Protocol” field, select XMPP
In “Username” – come up with any name
In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im
Create a password
At the bottom, put a tick “Create account”
Click add
If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – hxxps://www.youtube.com/results?search_query=pidgin+jabber+install
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The contents of the info.txt:
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: kusachi@cock.li.
If we don’t answer in 24h., send e-mail to this address: maycat@protonmail.com
If there is no response from our mail, you can install the Jabber client and write to us in support of help_decrypt@xmpp.jp
The criminals use these files to demand a ransom from victims of the Adair virus. The ransom demand message says that the victim’s files are encrypted. The authors of the virus demand a ransom in exchange for a key and a decryptor. The attackers offer to decrypt 5 files for free, but these files must not contain any valuable information. Of course, the decryption of 5 files cannot guarantee that, after paying the ransom, the victim will be able to recover the files affected by the ransomware.
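As an added example (not code from the original page or from any tool it names), the following Python triage script recognises the filename layout and the dropped info.txt / info.hta notes described above, then walks a directory tree to report how many files were hit, which contact addresses and victim ids appear, and which hit directories are missing their notes. The victim id, the directory layout and the file contents are constructed placeholders.

```python
"""Triage helper for Phobos/.Adair-style encrypted filenames and dropped ransom notes."""
import os
import re
import tempfile
from collections import Counter

# Filename layout described above: <original name>.id[<victim id>].[<contact e-mail>].<ext>
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Notes dropped in every directory that holds at least one encrypted file
RANSOM_NOTES = {"info.txt", "info.hta"}


def parse_encrypted_name(name):
    """Return the fields of an encrypted filename, or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage(root):
    """Walk a tree and summarise encrypted files, contacts, ids and note-bearing directories."""
    summary = {"encrypted": 0, "contacts": Counter(), "extensions": Counter(),
               "victim_ids": set(), "dirs_with_notes": [], "dirs_missing_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in (parse_encrypted_name(n) for n in files) if f]
        if not hits:
            continue  # directory untouched by the ransomware
        summary["encrypted"] += len(hits)
        for f in hits:
            summary["contacts"][f["contact"]] += 1
            summary["extensions"][f["ext"].lower()] += 1
            summary["victim_ids"].add(f["victim_id"])
        rel = os.path.relpath(dirpath, root)
        # A hit directory without both notes is unusual for this family and worth a closer look
        (summary["dirs_with_notes"] if RANSOM_NOTES & set(files)
         else summary["dirs_missing_notes"]).append(rel)
    return summary


def build_sample_tree():
    """Create a constructed directory layout imitating an Adair-hit share (placeholder data)."""
    root = tempfile.mkdtemp(prefix="adair_triage_")
    layout = {
        "docs": ["report.docx.id[A1B2C3D4-1234].[kusachi@cock.li].Adair",
                 "notes.txt", "info.txt", "info.hta"],
        "pics": ["image.jpg.id[A1B2C3D4-1234].[kusachi@cock.li].Adair",
                 "holiday.png.id[A1B2C3D4-1234].[kusachi@cock.li].Adair"],  # notes absent
        "clean": ["readme.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    s = triage(build_sample_tree())
    print(f"{s['encrypted']} encrypted files, contacts={dict(s['contacts'])}, "
          f"ids={sorted(s['victim_ids'])}, notes in {s['dirs_with_notes']}, "
          f"missing in {s['dirs_missing_notes']}")
```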
Threat Summary
Name | Adair |
Type | Crypto malware, File locker, Ransomware, Filecoder, Crypto virus |
Encrypted file extension | .adair, .id[user-id].[kusachi@cock.li].Adair |
Ransom note | info.txt and info.hta |
Contact | kusachi@cock.li, maycat@protonmail.com and help_decrypt@xmpp.jp on Jabber. |
Ransom amount | $500-$1500 in Bitcoins |
Detection Names | Trojan/Win32.BantaRansom, Ransom:Win32/Phoenix, Trojan.Ransom.Phobos, Ransom.Phobos, W32/Phobos.C, Trojan.Encoder.29362, Win32/Filecoder.Phobos, Trojan-Ransom.Phobos |
Symptoms | Files won’t open. All of your files have a different file extension appended to their filenames. Files named ‘info.txt’ or ‘info.hta’ appear in each folder with at least one encrypted file. Your desktop is locked with a message about how to pay to unlock your files. |
Distribution ways | Malicious email attachments. Exploit kits (cybercriminals use crypto malware packaged in an ‘exploit kit’ that can find a vulnerability in the web browser, the Windows operating system, Adobe Flash Player or a PDF reader). Social media posts (they can be used to push users into downloading malicious software with a built-in ransomware downloader or clicking a malicious link). Malvertising campaigns. |
Removal | To remove Adair ransomware use the removal guide |
Decryption | To decrypt Adair ransomware use the steps |
Security researchers confirm that the Adair virus does indeed encrypt files, and that a decryptor and a key are required to decrypt them. If your files are encrypted with the .Adair extension, we recommend following the steps below. These steps will help you remove the ransomware and decrypt (restore) the encrypted files. Read the entire manual carefully. To make it easier to follow the instructions, we recommend that you print them or open them on your smartphone.
To remove Adair virus and restore .Adair files, use the steps below:
How to remove Adair virus
If the computer is attacked by the Adair ransomware virus, the first thing to remember is not to try to decrypt (recover) the encrypted files right away! First, you need to check your computer for malware and find and remove the Adair virus. For this, we recommend using free malware removal tools. It is better to use not just one tool but two or more. Below we list the best malware removal utilities with brief instructions on their use.
Remove Adair with Zemana
Zemana Free can search for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Adair ransomware, you can easily and quickly delete it.
- Download Zemana Free on your personal computer from the link below.
Zemana AntiMalware
- At the download page, click on the Download button. Your web-browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- Once the download is finished, please close all applications and open windows on your system. Next, run the file called Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana Free on your computer. Follow the prompts and don’t make any changes to the default settings.
- When the Setup wizard has finished installing, Zemana Anti Malware will start and show the main window.
- Next, press the “Scan” button. Zemana Anti-Malware (ZAM) will scan the whole computer for the Adair crypto virus and other kinds of potential threats such as malicious software and trojans. This procedure may take quite a while, so please be patient.
- When the system scan is complete, Zemana Free will display a list of all threats detected by the scan.
- Make sure all threats are checkmarked and click the “Next” button. The tool will delete the Adair crypto virus and other security threats and move the items to Quarantine. After disinfection is complete, you may be prompted to reboot the system.
- Close the Zemana Free and continue with the next step.
Remove Adair ransomware with MalwareBytes Free
We suggest using MalwareBytes, which will fully clean your machine of the Adair ransomware virus. This free tool is an advanced malware removal program created by Malwarebytes. It uses the world’s most popular anti-malware technology and can help you delete ransomware viruses, potentially unwanted programs, malicious software, adware, toolbars and other security threats from your personal computer for free.
- MalwareBytes can be downloaded from the following link. Save it on your Windows desktop.
Malwarebytes Anti-malware
- After the download is finished, close all applications and windows on your system. Open the file location. Double-click on the icon named mb3-setup.
- Next, click the Next button and follow the prompts.
- Once the install is complete, press the “Scan Now” button. MalwareBytes Free will start scanning the whole PC to find the Adair crypto malware and other security threats. This procedure can take quite a while, so please be patient. While MalwareBytes Anti Malware is checking, you can see the number of objects it has identified as threats.
- When the scan is finished, it will show the Scan Results. Make sure the unsafe threats are checkmarked and then click “Quarantine Selected”. Once the procedure is done, you may be prompted to restart your machine.
The following video offers steps on how to uninstall browser hijacker infections, adware and other malicious software with MalwareBytes Anti-Malware (MBAM).
Remove Adair ransomware from PC with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is a free and easy-to-use malware removal tool. It can scan for and remove crypto viruses like Adair, other malware, potentially unwanted applications, trojans, spyware and adware. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the PC.
Download Kaspersky virus removal tool (KVRT) on your computer from the link below.
Once the download is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as in the image below.
Click Change Parameters and check all your drives. Click OK to close the Parameters window. Next, press the Start scan button to perform a system scan for the Adair crypto malware. While the Kaspersky virus removal tool is checking, you can see how many objects it has identified as malware.
When finished, the results are displayed in the scan report as shown in the following example.
Make sure the unsafe threats are checkmarked and then click Continue to start the cleaning process.
How to decrypt .adair files
Files with the extension ‘.adair’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted with Adair virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Everyone has to remember that paying the developers of the Adair ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Adair ransomware) in order to decrypt locked personal files. There are still some ways to defuse crypto malware without paying the ransom, so you would not need to pay the hackers and would not let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .adair files
If all your files are encrypted with the .Adair extension, you have only one thing left to try: alternative methods to restore the contents of the encrypted files. There are several such methods. They do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer no longer has active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now using free malware removal tools, or return to step 1 above.
Use shadow copies to restore .adair files
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos and music encrypted by the Adair ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow Copies.
Download ShadowExplorer on your computer from the following link.
When the download is complete, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder like the one below.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the Adair crypto virus, as displayed in the image below.
Now navigate to the file or folder that you want to restore. When ready, right-click on it and click the ‘Export’ button as displayed in the figure below.
Recover .adair files with PhotoRec
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec on your Windows Desktop from the link below.
When the download is done, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown on the screen below.
Double-click on qphotorec_win to run PhotoRec for Windows. It will display a screen like the one below.
Select a drive to recover as in the image below.
You will see a list of available partitions. Select the partition that holds the encrypted files as displayed in the figure below.
Press the File Formats button and specify the file types to restore. You can enable or disable the restoration of certain file types. When this is done, click the OK button.
Next, press the Browse button to select where the recovered photos, documents and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered files are written to the folder that you chose in the previous step. You can access the files even before the restore process is finished.
When the recovery is finished, click the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents like those in the image below.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to protect your PC from Adair ransomware virus?
Most antivirus applications already have built-in protection against crypto viruses. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your computer from ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the MS Windows operating system from Windows XP to Windows 10.
Visit the following page to download HitmanPro.Alert. Save it on your Windows desktop or in any other place.
After downloading is done, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the tool is opened, you will be shown a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
Final words
This guide was created to help all victims of the Adair ransomware virus. We tried to answer the following questions: how to remove the ransomware; how to decrypt .Adair files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, write to us by leaving a comment below. If you need more help with Adair virus related issues, go here.