Locky ransomware is back with a new variant. This time, it encrypts files by adding the extension .ODIN to every file that ends up being locked in the process. The ransom note says that the encryption which is used is RSA-2048 with 128-bit AES ciphers. This variant of Locky ransomware is not to be underestimated and malware researchers are concerned that massive infections are about to commence in relation to it. To know how to remove the new variant of the Locky virus and try to decrypt some of your data, read the article carefully.
| Item | Details |
|---|---|
| Short Description | The ransomware will encrypt your files and demand a ransom for decryption. |
| Symptoms | The ransomware encrypts files by adding the .ODIN extension to all encrypted files. |
| Distribution Method | Spam emails, email attachments, executable files |
| Detection Tool | See if your system has been affected by Locky |
| User Experience | Join our forum to discuss Locky. |
| Data Recovery Tool | Stellar Phoenix Data Recovery Technician's License. Notice: this product scans your drive sectors to recover lost files; it may not recover all of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted your drive. |
Locky Virus – Infection Spread
Locky virus uses more than one way to spread itself. There are several malicious e-mail campaigns which distribute files that download the ransomware. Those e-mails try to convince unsuspecting users that the message, and the file attached to it, are important. The file is presented as an invoice or something similar, and the sender's e-mail address uses one of the most widely used domains. The files might look harmless, but they are the source of the infection. If you open such an attachment, your computer will get infected and your files will be encrypted.
Here are some examples of files that this variant of Locky uses, with the first being the most common:
Other channels for spreading the newest Locky infection may include social media services and file-sharing networks. Be careful when surfing the Internet and avoid suspicious e-mails, links, and files. Check the digital signature and size of downloaded files, and scan them with security software before thinking of using them. You can read more tips for ransomware prevention in our forum thread.
Locky Virus – A Closer Look
The new Locky virus variant is spreading rapidly through spam e-mail campaigns, just like its predecessors. The difference in this case is that a multitude of obfuscated files is sent along with different messages, from different email domains, and so on. It all appears to be on a bigger scale. It may be less effective now that many people are aware of ransomware, although this delivery method has been one of the most commonly used ones in the past year.
The ransomware will use the legitimate RunDll32.exe program found on Windows to execute the DLL file in question, using the following command:
→rundll32.exe %Temp%\[DLL file name],qwerty
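The launch command above is a useful detection hook for defenders: rundll32.exe loading a DLL from a temporary directory and calling an unusual export is rare in legitimate activity. The following Python script is an added example, not code from this article or from any security product mentioned on the page. It parses constructed process-creation log lines (the "pid | parent image | command line" format and the sample paths are assumptions) and flags rundll32 invocations that load a DLL from a temp directory or call the export name used by this variant.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events for illustration (not real telemetry).
# Format assumed here: "pid | parent image | command line".
SAMPLE_EVENTS = [
    r"4120 | C:\Windows\explorer.exe | rundll32.exe C:\Users\alice\AppData\Local\Temp\a8f1c3.dll,qwerty",
    r"4133 | C:\Windows\System32\svchost.exe | rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"4140 | C:\Program Files\Microsoft Office\WINWORD.EXE | RUNDLL32.EXE %Temp%\invoice.dll,qwerty",
    r"4151 | C:\Windows\explorer.exe | notepad.exe C:\Users\alice\notes.txt",
]

# Export name taken from the launch command quoted in the article.
KNOWN_EXPORT = "qwerty"

# Lower-case path fragments that indicate a DLL dropped into a temporary location.
TEMP_DIR_MARKERS = ("%temp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Matches "rundll32[.exe] <dll path>,<export>" with optional quoting and an
# optional directory in front of rundll32.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[\w@#]+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    pid: int
    parent: str
    dll: str
    export: str
    reasons: tuple


def parse_event(line):
    """Split one constructed log line into (pid, parent image, command line)."""
    pid, parent, cmdline = (part.strip() for part in line.split("|", 2))
    return int(pid), parent, cmdline


def analyse_event(line):
    """Return a Finding for a suspicious rundll32 launch, or None for anything else."""
    pid, parent, cmdline = parse_event(line)
    match = RUNDLL32_RE.match(cmdline)
    if match is None:
        return None  # not a rundll32 invocation at all
    dll, export = match.group("dll"), match.group("export")
    reasons = []
    if any(marker in dll.lower() for marker in TEMP_DIR_MARKERS):
        reasons.append("DLL loaded from a temporary directory")
    if export.lower() == KNOWN_EXPORT:
        reasons.append("export name matches the Locky .ODIN launch command")
    if not reasons:
        return None  # rundll32 loading a system DLL such as shell32.dll is routine
    return Finding(pid, parent, dll, export, tuple(reasons))


def scan(lines):
    """Run the check over a sequence of log lines and keep only the findings."""
    return [f for f in (analyse_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid}: {finding.dll},{finding.export} <- parent {finding.parent}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The two signals are scored independently so that a renamed export still trips the temp-directory rule, and a DLL staged somewhere else still trips the export-name rule; a real deployment would feed the same function from the endpoint's process-creation telemetry instead of the constructed list.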
The Windows Registry will be affected as well, so the ransomware virus can retain persistence. That will make the malware launch automatically with each start of the Windows Operating System. Afterward, the encryption process begins. When that process completes, you are left with files with changed filenames and three additional files that you can access. The three files are the following:
- _[2_23]_HOWDO_text.html (where 23 can be a different number)
These files contain the payment instructions, and here is what the content of one of the .html files looks like:
The text of the _HOWDO_text files reads the following:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!
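For incident triage, the note and the renamed files are the artefacts a responder actually finds on the machine. The script below is an added example, not part of the article and not a tool from any vendor named on the page. It extracts the victim ID and the .onion host from a copy of the note text quoted above, checks that the ID in the note matches the path on the link, and counts .ODIN files and notes per directory from a constructed list of paths. The note-name pattern (`_HOWDO_text.html` with an optional numeric infix such as `_2_HOWDO_text.html`) is an assumption drawn from the file name shown in the article, and the encrypted file names are made up.

```python
import ntpath
import re
from collections import Counter

# Ransom-note body, reproduced from the text quoted in the article, used here as parser input.
SAMPLE_NOTE = """!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!
"""

# Constructed file listing from an affected user profile. The file names are made up;
# only the .ODIN extension and the _HOWDO_text.html note name come from the article.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\5E950263BC5AAB7E0000A1B2C3D4E5F6.odin",
    r"C:\Users\alice\Documents\5E950263BC5AAB7E000011223344AABB.odin",
    r"C:\Users\alice\Documents\_HOWDO_text.html",
    r"C:\Users\alice\Pictures\5E950263BC5AAB7E0000FFEEDDCC9988.ODIN",
    r"C:\Users\alice\Pictures\_2_HOWDO_text.html",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Windows\System32\kernel32.dll",
]

ENCRYPTED_EXT = ".odin"
# Assumption: note names are _HOWDO_text.html with an optional numeric infix.
NOTE_NAME_RE = re.compile(r"^_(?:\d+_)?HOWDO_text\.html$", re.IGNORECASE)
VICTIM_ID_RE = re.compile(r"personal identification ID:\s*([0-9A-F]{16})", re.IGNORECASE)
# v2 onion host (16 base32 characters) followed by the 16-hex-digit victim path.
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion/([0-9A-F]{16})\b", re.IGNORECASE)


def parse_note(text):
    """Pull the victim ID and payment hosts out of a note and cross-check them."""
    ids = VICTIM_ID_RE.findall(text)
    links = ONION_RE.findall(text)
    victim_id = ids[0].upper() if ids else None
    # The ID in the note should be the same value used as the path on every link.
    consistent = bool(links) and victim_id is not None and all(
        path.upper() == victim_id for _, path in links
    )
    return {
        "victim_id": victim_id,
        "onion_hosts": sorted({host.lower() for host, _ in links}),
        "id_matches_links": consistent,
    }


def triage_paths(paths):
    """Classify Windows paths into encrypted files (per directory) and ransom notes."""
    encrypted_per_dir = Counter()
    notes = []
    for path in paths:
        name = ntpath.basename(path)
        if ntpath.splitext(name)[1].lower() == ENCRYPTED_EXT:
            encrypted_per_dir[ntpath.dirname(path)] += 1
        elif NOTE_NAME_RE.match(name):
            notes.append(path)
    return {
        "encrypted_per_dir": dict(encrypted_per_dir),
        "total_encrypted": sum(encrypted_per_dir.values()),
        "notes": notes,
    }


def triage(paths, note_text):
    """Combine both views into one summary a responder can attach to a ticket."""
    summary = parse_note(note_text)
    summary.update(triage_paths(paths))
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The victim ID is worth recording because it ties every note on the machine to one infection; a note whose ID does not match its link, which the example reports as `id_matches_links: False`, is a sign that notes from more than one infection or more than one campaign have been mixed together.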
If you follow the instructions and go to the payment website, you will see the following page:
This Locky ransomware variant has been seen to demand a price of either 0,5 or 1,5 Bitcoins. In any case, do not pay the cybercriminals, as nobody can guarantee that paying will get your files back. The money will probably be used to develop new ransomware, or further variants of this one that are stronger in both code and encryption and use better tricks to hide from security programs. The past has shown that Locky has only evolved, and it hasn't been beaten yet.
You can view some articles about the Locky ransomware and its past variants here:
- The original Locky ransomware (.locky extension)
- Zepto Ransomware (.zepto extension)
- Bart Ransomware (.bart.zip extension)
The encrypted files will have the new extension .ODIN, and each file name is replaced with a string of numbers and symbols unique to your computer. The ransomware uses the RSA-2048 encryption algorithm together with 128-bit AES ciphers. You can see the list of file types that will get encrypted on a compromised machine right here:
→.yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, 
.odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key
The Locky ransomware is very likely to erase all Shadow Volume Copies from the Windows Operating System. Read below to see how to remove the virus and try to decrypt some of your data.
Remove Locky Virus and Restore .ODIN Files
If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To see the ways in which you can try to recover your data, see the step titled "2. Restore files encrypted by Locky".