Locky ransomware continues to evolve. The new extension .ODIN is placed as an appendix to the original file extension names after they get encrypted. The cryptovirus seeks to encrypt nearly 400 different file types. As the ransom note states, data is locked by the RSA 2048-bit encryption algorithm while using 128-bit AES ciphers. Spam e-mail campaigns have launched a storm of e-mails containing malicious attachments. To remove the new variant of Locky and see if you could decrypt any of your files, carefully read this article to the end.
|Short Description||The ransomware will run a .DLL installer and encrypt your data. After that it will show a ransom note with paying instructions required for decryption.|
|Symptoms||The virus will append the .ODIN extension to around 380 different file types after it encrypts them.|
|Distribution Method||Spam Emails, Email Attachments, Script Files|
|Detection Tool|| See If Your System Has Been Affected by .ODIN Virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss .ODIN Virus.|
|Data Recovery Tool||Stellar Phoenix Data Recovery Technician’s License Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.ODIN Virus – Chronological Background
The .ODIN file extension virus is actually a new variant of the Locky ransomware. At the beginning of this year, Locky first started encrypting people’s files with a strong military algorithm. That first variant used big spam e-mail campaigns to spread Locky’s payload file, including the usage of different exploit kits.
Almost immediately after the .Zepto variant another cryptovirus joined this ransomware family, going by the name Bart. The same payment layout was used, but also rebranded with the new name. Then, AVG researchers found that the third iteration of the ransomware had flaws in the code and was decryptable, so an official decrypter program got released from them. As a counter-attack, the creator of Bart tweaked its code and released the improved Bart2 ransomware cryptovirus.
Now, the virus goes back to its roots with its original name – Locky, the massive spam email campaigns, and encryption as strong as the original.
.ODIN Virus – Infection Tactics
The .ODIN virus uses multiple tactics to spread its infection. There could be targeted attacks, but for now, the prevalent method is using botnets, presumably the Necurs botnet used from a month ago. The botnets spread the spam emails, which try to convince unsuspecting users that the information contained in the attached files is urgent. The emails either use the same domain name as the email address to which they are sent or a completely unrelated one. The subjects of these emails are mostly the following ones:
- Re: Documents Requested
- FW:Documents Requested
- Updated invoice #[2-digit number]
Various other tactics for the spreading of the latest infection of Locky might be implemented, such as the use of social media networks and file sharing services. Be wary when browsing the Web and refrain from opening suspicious files, links and e-mails. Perform checks on files for their signatures, size, and also scan them with a security application before opening them. You should see tips for preventing ransomware in our forum topic.
.ODIN Virus – Detailed Information
The .ODIN virus is the latest iteration of the Locky ransomware. Spam email campaigns distributed by botnets make for the quick spread which is typical for this cryptovirus. Its files are harder to detect than past variants and its code seem upgraded. Unfortunately, people still fall victim to this kind of attacks, especially when they are personalized and imitate somebody from their social circle.
The ransomware uses the RunDll32.exe program integrated in the Windows OS to execute the .dll file using this command line:
→rundll32.exe %Temp%\[DLL file name],qwerty
The ransomware will modify Registry entries of the Windows OS to remain persistent.
The registry entries will be responsible for the automatic launch of the .ODIN virus with each start of the Windows Operating System. They will also make its manual removal very difficult and to constantly reappear if all main files are not removed at once. Then, the encryption process starts. When that operation has finished, you will see your files with changed names and some additional files that you can access. The three accessible files are the following:
- _[2_47]_HOWDO_text.html (where 47 can be any number of digits)
Those files contain the payment instructions and you can preview their contents in the screenshot below:
The text of the _HOWDO_text files reads the following:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!
If you click or type in that link, you will be redirected to the website page with instructions for paying. You will land on the following page:
The .ODIN virus variant has been witnessed to ask for 1,5 and 0,5 Bitcoins depending on the version a person stumbles upon. Whatever the case is, do not pay the cyber crooks as you cannot be guaranteed of getting your files back after payment. The money will certainly be used for financially supporting criminal activity, such as to develop new ransomware or more variants of this one. If we put Locky on an imaginary, chronological timeline, we can easily deduct that it has only continued to evolve.
You can view some articles connected to past variants of the .ODIN ransomware right here:
- Locky ransomware (.locky extension)
- Zepto Ransomware (.zepto extension)
- Bart Ransomware (.bart.zip extension)
The encrypted files will have the new extension .ODIN and the file name is changed with unique symbols and numbers for your computer. The ransomware utilizes an RSA 2048-bit encryption algorithm with 128-bit AES ciphers. You can open the accordion and see the full list with file types that will be encrypted on a compromised computer from down here:
The .ODIN ransomware is highly probable to delete all of the Shadow Volume Copies found on your Windows operating system. Continue to read down below to see how to remove this virus and to try a few ways to decrypt parts of your data.
Remove .ODIN Virus and Restore .ODIN Files
If your computer got infected with the .ODIN ransomware cryptovirus, you should have some experience in removing malware. You should get rid of this ransomware as quick as possible before it can have the chance to spread deeper and infect more computers. You should remove the ransomware and follow the step-by-step instructions manual given below. To see ways in which you can try to recover your files, see the step titled 2. Restore files encrypted by .ODIN Virus.