Home / Spyware Help / Korean AdamLocker Ransomware Removal Guide

Korean AdamLocker Ransomware Removal Guide

by 0 Comments

Do you know what Korean AdamLocker Ransomware is?

Korean AdamLocker Ransomware mainly targets Korean computer users as its name suggests. Our researchers have found that this new threat is built on a previous ransomware infection that emerged about a year ago and was called AdamLocker Ransomware. This predecessor did not actually demand any ransom fee after encryption; it disclosed the decryption key after the victim pressed a button. This new threat, on the other hand, does seem to be all about your money. Still, we do not advise you to pay because you have no guarantee that these attackers will actually send you the decryption key. Unfortunately, it is more likely that you will be attacked again if you contact such cyber criminals or transfer money to them. We recommend that you remove Korean AdamLocker Ransomware immediately from your PC so that you can restore your system and use your computer again.

The most likely way for you to let this beast on board is to open a spam mail with an attachment. This attachment only looks like an image or a document, but, in reality, it is the malicious executable that will start up this unfortunate cyber attack against your system. This spam can be very misleading; this is why victims decide to open it in the first place. Its sender may appear to be totally authentic to you, the subject line way too important for you to ignore this mail even if you find it in your spam folder. As you may know, sometimes even legitimate and important mails can end up in this folder due to your spam filter being too strict. This is why most victims open it anyway. What is vital to understand that you may be lucky this time that the simple act of opening this mail does not result in infecting your system; you need to click to view the attachment for this malicious threat to initiate. This means that usually you have a chance to say no and stop this vicious attack. However, once you click to open this attached file, you will not be able to delete Korean AdamLocker Ransomware without serious consequences.

The same can happen to you if your browsers and drivers are not up-to-date and you land on a malicious page armed with Exploit Kits like RIG. Such a kit can be used to drop ransomware threats like this without your noticing it. In fact, once you get redirected to such a malicious page and it loads in your outdated browser, it can exploit the unpatched security bugs and drop an infection in no time. By the time you could exit or close the browser window, even encryption could have been started. You should also forget about downloading free files from shady torrent and freeware pages if you do not want to remove Korean AdamLocker Ransomware or any other dangerous infection in the end as a result.

Once initiated, this ransomware creates a copy of itself called "adm_64.exe" and places it in your %ALLUSERSPROFILE% folder to operate through it. We did not find any PoE (Point of Execution) created in the Windows Registry; however, this threat does create some entries for the file associations with its extension ".adam" that is appended to each affected file. This malware infection also blocks your Task Manager and Run processes to disable your possible attempts to kill it or delete it. Then, when the encryption has finished, you are exposed to the ransom note screen, which is exactly the same as its predecessor's with the only difference being the note itself. This time the note is in Korean and demands money from you paid in Bitcoin so that you would allegedly get the decryption key. Since our researchers have found that this infection may be possible to be decrypted, we believe that you should not hesitate to remove Korean AdamLocker Ransomware from your computer.

Although we have not yet found a free file recovery tool developed by enthusiastic malware hunters, it can show up anytime on the web. We do not recommend that you try to find it, though. This could also be risky so it is better to ask an advanced user or specialist. In order for you to be able to eliminate this serious threat, you need to restart your computer in Safe Mode. Please use our guide below as a reference to manually kill this ransomware. If you would like to defend your PC against all known potential and malicious threats, we suggest that you install a reliable anti-malware program like SpyHunter.

Restart your computer in Safe Mode

Windows 8, Windows 8.1, and Windows 10

  1. Navigate to the Metro UI screen.
  2. Press the Power icon.
  3. Press and hold the Shift key and select the Restart option.
  4. Select Advanced in the Troubleshooting menu.
  5. Click Startup Settings and click Restart.
  6. Tap the F4 key to restart in Safe Mode.

Windows XP, Windows Vista, and Windows 7

  1. Restart your computer and keep tapping the F8 key to bring up the boot menu.
  2. Select Safe Mode and hit the Enter key.

Remove Korean AdamLocker Ransomware from Windows

  1. Tap Win+R and type regedit. Press OK.
  2. Delete the following registry entries:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr (value data: "0x00000001 (1)")
    HKCR\.adam
    HKCR\adam
    HKLM\SOFTWARE\Classes\.adam
    HKLM\SOFTWARE\Classes\adam
  3. Tap Win+E.
  4. Delete all suspicious files you can find in your default and preferred download directories.
  5. Delete "%ALLUSERSPROFILE%\adm_64.exe"
  6. Empty your Recycle Bin and restart your computer.

In non-techie terms:

Korean AdamLocker Ransomware is a new ransomware that is based on AdamLocker Ransomware, which appeared last year. Although its predecessor did not extort money from its victims but simply revealed the decryption key, this new variant seems to want your money. Our researchers say that this malware infection targets Korean computer users, which is not the first time it has happened in the past weeks actually. This new threat can sneak onto your system and encrypt your personal files as well as executables. It can also disable your Task Manager and Run processes, which makes it more difficult to eliminate it. Although you are told to pay a certain amount in Bitcoin for the decryption key, we do not think it is a good idea to go along with it. We recommend that you remove Korean AdamLocker Ransomware from your computer as soon as possible. If you do not want similar threats to appear on your system, we advise you to install a reputable anti-malware program right away.