.ODIN Virus Removal (Locky Ransomware) - How to, Technology and PC Security Forum | SensorsTechForum.com

.ODIN Virus Removal (Locky Ransomware)


Locky ransomware continues to evolve. The new extension .ODIN is placed as an appendix to the original file extension names after they get encrypted. The cryptovirus seeks to encrypt nearly 400 different file types. As the ransom note states, data is locked by the RSA 2048-bit encryption algorithm while using 128-bit AES ciphers. Spam e-mail campaigns have launched a storm of e-mails containing malicious attachments. To remove the new variant of Locky and see if you could decrypt any of your files, carefully read this article to the end.

Threat Summary

Name.ODIN Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware will run a .DLL installer and encrypt your data. After that it will show a ransom note with paying instructions required for decryption.
SymptomsThe virus will append the .ODIN extension to around 380 different file types after it encrypts them.
Distribution MethodSpam Emails, Email Attachments, Script Files
Detection Tool See If Your System Has Been Affected by .ODIN Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .ODIN Virus.
Data Recovery ToolStellar Phoenix Data Recovery Technician’s License Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.ODIN Virus – Chronological Background

The .ODIN file extension virus is actually a new variant of the Locky ransomware. At the beginning of this year, Locky first started encrypting people’s files with a strong military algorithm. That first variant used big spam e-mail campaigns to spread Locky’s payload file, including the usage of different exploit kits.

Afterward, near the end of this June, Locky got upgraded with the .Zepto file extension. Researchers saw that the code was improved, while the spam email campaigns were way more (and are still ongoing). JavaScript files were used in the email attachments, and the emails themselves were sent by powerful botnets.

Almost immediately after the .Zepto variant another cryptovirus joined this ransomware family, going by the name Bart. The same payment layout was used, but also rebranded with the new name. Then, AVG researchers found that the third iteration of the ransomware had flaws in the code and was decryptable, so an official decrypter program got released from them. As a counter-attack, the creator of Bart tweaked its code and released the improved Bart2 ransomware cryptovirus.

Now, the virus goes back to its roots with its original name – Locky, the massive spam email campaigns, and encryption as strong as the original.

.ODIN Virus – Infection Tactics

The .ODIN virus uses multiple tactics to spread its infection. There could be targeted attacks, but for now, the prevalent method is using botnets, presumably the Necurs botnet used from a month ago. The botnets spread the spam emails, which try to convince unsuspecting users that the information contained in the attached files is urgent. The emails either use the same domain name as the email address to which they are sent or a completely unrelated one. The subjects of these emails are mostly the following ones:

  • Re: Documents Requested
  • FW:Documents Requested
  • Updated invoice #[2-digit number]

The files found inside the attachments may look harmless, but the infection starts from there. The files will usually be compressed in a .zip archive. Inside the archive there is a .swf file, for example PYLPK3401.wsf. There could be an equivalent in the form of a password protected .rtf document. If you execute that file, your computer will be infected, and your files would get encrypted. That happens via JavaScript or Windows Script, initiated from the file, resulting in downloading the payload file, which is .DLL file.

Various other tactics for the spreading of the latest infection of Locky might be implemented, such as the use of social media networks and file sharing services. Be wary when browsing the Web and refrain from opening suspicious files, links and e-mails. Perform checks on files for their signatures, size, and also scan them with a security application before opening them. You should see tips for preventing ransomware in our forum topic.

.ODIN Virus – Detailed Information

The .ODIN virus is the latest iteration of the Locky ransomware. Spam email campaigns distributed by botnets make for the quick spread which is typical for this cryptovirus. Its files are harder to detect than past variants and its code seem upgraded. Unfortunately, people still fall victim to this kind of attacks, especially when they are personalized and imitate somebody from their social circle.

The Locky cryptovirus downloads its payload file from the opening of a JavaScript or Windows Script file that looks like a document. The new variant uses a Dynamic Link Library (.DLL) file, which will infect your system and encrypt your data files.

The ransomware uses the RunDll32.exe program integrated in the Windows OS to execute the .dll file using this command line:

→rundll32.exe %Temp%\[DLL file name],qwerty

The ransomware will modify Registry entries of the Windows OS to remain persistent.

Full List of Infected Registry Entries

The registry entries will be responsible for the automatic launch of the .ODIN virus with each start of the Windows Operating System. They will also make its manual removal very difficult and to constantly reappear if all main files are not removed at once. Then, the encryption process starts. When that operation has finished, you will see your files with changed names and some additional files that you can access. The three accessible files are the following:

  • _HOWDO_text.html
  • _HOWDO_text.bmp
  • _[2_47]_HOWDO_text.html (where 47 can be any number of digits)

Those files contain the payment instructions and you can preview their contents in the screenshot below:


The text of the _HOWDO_text files reads the following:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:

Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
To receive your private key follow one of the links:
1. http://jhomitevd2abj3fk.tor2web.org/5E950263BC5AAB7E
2. http://jhomitevd2abj3fk.onion.to/5E950263BC5AAB7E

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!

If you click or type in that link, you will be redirected to the website page with instructions for paying. You will land on the following page:


The .ODIN virus variant has been witnessed to ask for 1,5 and 0,5 Bitcoins depending on the version a person stumbles upon. Whatever the case is, do not pay the cyber crooks as you cannot be guaranteed of getting your files back after payment. The money will certainly be used for financially supporting criminal activity, such as to develop new ransomware or more variants of this one. If we put Locky on an imaginary, chronological timeline, we can easily deduct that it has only continued to evolve.

You can view some articles connected to past variants of the .ODIN ransomware right here:

The encrypted files will have the new extension .ODIN and the file name is changed with unique symbols and numbers for your computer. The ransomware utilizes an RSA 2048-bit encryption algorithm with 128-bit AES ciphers. You can open the accordion and see the full list with file types that will be encrypted on a compromised computer from down here:

Full List with Extensions

The .ODIN ransomware is highly probable to delete all of the Shadow Volume Copies found on your Windows operating system. Continue to read down below to see how to remove this virus and to try a few ways to decrypt parts of your data.

Remove .ODIN Virus and Restore .ODIN Files

If your computer got infected with the .ODIN ransomware cryptovirus, you should have some experience in removing malware. You should get rid of this ransomware as quick as possible before it can have the chance to spread deeper and infect more computers. You should remove the ransomware and follow the step-by-step instructions manual given below. To see ways in which you can try to recover your files, see the step titled 2. Restore files encrypted by .ODIN Virus.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share