Remove New Locky Virus and Restore .ODIN Files - How to, Technology and PC Security Forum |

Remove New Locky Virus and Restore .ODIN Files


Locky ransomware is back with a new variant. This time, it encrypts files by adding the extension .ODIN to every file that ends up being locked in the process. The ransom note says that the encryption which is used is RSA-2048 with 128-bit AES ciphers. This variant of Locky ransomware is not to be underestimated and malware researchers are concerned that massive infections are about to commence in relation to it. To know how to remove the new variant of the Locky virus and try to decrypt some of your data, read the article carefully.

ATTENTION! New Locky virus is on the loose, changing the names of the files and adding .shit file extension. More informaton, removal and file restoration alternatives, in the following link.

Threat Summary

TypeRansomware, Crypto-Virus
Short DescriptionThe ransomware will encrypt your files and demand a ransom for decryption.
SymptomsThe ransomware encrypts files by adding the .ODIN extension to all encrypted files.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by Locky


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Locky.
Data Recovery ToolStellar Phoenix Data Recovery Technician’s License Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Locky Virus – Infection Spread

Locky virus utilizes more than one way to spread itself. There are a couple of malicious e-mail campaigns which distribute files which download the ransomware. Those e-mails try to convince unsuspecting users that the messages they convey are important, as well as the attached file that comes with each one of those e-mails. The file is presented as an invoice or something similar and the email address that it comes from uses the top world domains. The files might look harmless, but they are the source of the infection. If you open an attachment, your computer will get infected, and your files will be encrypted.

Here are some examples of files that this variant of Locky uses, with the first being the most common:

  • CJPOG21534.wsf

There are situations where a .wsf is attached, while not being compressed in an archive, and sometimes it has a hidden 1-character file along with it. Other spam email campaigns which spread this new Locky variant place the payload files in an archive. Researchers have also sighted some .rtf documents which are spreading the infection, but are password protected, so it’s harder for security software to detect it. JavaScript and Windows Script are also used to initiate a download of the payload file, which is in most cases a DLL file.

Different methods for spreading the newest Locky infection could be using social media services and file sharing networks. Be careful when surfing the Internet and avoid suspicious e-mails, links, and files. Check downloaded files for their signatures, size, and scan them with security software before thinking of using them. You should read more tips for ransomware prevention in our forum thread.

Locky Virus – A Closer Look

The new Locky virus variant is expanding rapidly with spam e-mail campaigns just like its predecessors. The difference, in this case, is that there is a multitude of obfuscated files spread along with different messages, email domains, etc. It all just seems on a bigger scale. It might not be so effective now when lots of people know about ransomware and this method is one of the most commonly used ones in the past year.

After the Locky ransomware virus has downloaded its payload file, in a result of you opening on a JavaScript, Windows Script or whatever file that only looks like a document, another file will be downloaded. In most cases that would be a DLL (Dynamic-link Library) file, which installs more files that are needed for the ransomware to execute and encrypt a compromised system.

The ransomware will use the legitimate RunDll32.exe program found on Windows to execute the DLL file in question, using the following command:

→rundll32.exe %Temp%\[DLL file name],qwerty

The Windows Registry will be affected as well, so the ransomware virus can retain persistence. That will make the malware launch automatically with each start of the Windows Operating System. Afterward, the encryption process begins. When that process completes, you are left with files with changed filenames and three additional files that you can access. The three files are the following:

  • _HOWDO_text.html
  • _HOWDO_text.bmp
  • _[2_23]_HOWDO_text.html (where 23 can be a different number)

These files contain the payment instructions and here is how the content of one .html looks like:


The text of the _HOWDO_text files reads the following:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:

Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser:
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!

If you follow suit and go to the instructions page on the payment website, you will witness this page:


This Locky ransomware variant has been seen to put a price of both 0,5 and 1,5 Bitcoins. In any case, do not pay the cybercriminals as nobody can guarantee that paying will get your files back. The money will probably be used to develop new ransomware or other variants of this one which is stronger, both in code and encryption and use better tricks to hide from security programs. The past has shown that Locky has only evolved, and it hasn’t been beaten yet.

You can view some articles about the Locky ransomware and its past variants here:

The encrypted files will have the new extension .ODIN and the file name is changed with unique numbers and symbols for your computer. The ransomware uses RSA-2048 bit encryption algorithm with 128-bit AES ciphers. You can see the list of file types that will get encrypted on a compromised machine right here:


→.yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key

The Locky ransomware is very likely to erase all Shadow Volume Copies from the Windows Operating System. Read below to see how to remove the virus and try to decrypt some of your data.

Remove Locky Virus and Restore .ODIN Files

If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Locky.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share