You should have, by now, heard of Zepto and its predecessor – Locky ransomware. Well, now Locky’s creators are back with a newer variant which adds the .odin extension to encrypted files.
How Does Odin Virus Differ from the Original Locky
Apparently, one thing that distinguishes the original Locky from its new variant is the name of the extension (.odin) it leaves at the end of each encrypted file. In case you have been a victim of a ransomware attack, you could easily tell which type exactly has locked your files simply by looking at the extension at the end of their names.
Odin virus spreads via several email campaigns which distribute a multitude of obfuscated files, messages, email domains and more, just like Locky does, except it’s on a bigger scale.
Some of the compromised files Odin distributes, look like this:
- CJPOG21534.wsf
- newdoc12.zip
- doc0.zip
- untitled9.zip
Other spam emails distributing Odin virus contain the payload files in an archive. .rtf documents with a password protection have been spotted to deliver the infection as well.
Once Odin is inside the targeted system, the encryption process begins. After it’s completed, you may find 3 new files containing instructions regarding the payment:
- _HOWDO_text.html
- _HOWDO_text.bmp
- _[2_23]_HOWDO_text.html (where 23 can be a different number)
The text of the _HOWDO_text files read like this:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
hxxps://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
To receive your private key follow one of the links:
1. http://jhomitevd2abj3fk.tor2web.org/5E950263BC5AAB7E
2. http://jhomitevd2abj3fk.onion.to/5E950263BC5AAB7E
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!
Can You Decrypt Files Encrypted by Odin Virus?
Decryption of files encrypted by Odin virus is not possible yet. However, the best advice I could give is to remove Odin first and then try to restore some of your data via file recovery tools, or wait until a decryptor is released. Of course, I cannot guarantee that a decryptor will come out, but paying the ransom fee to the cyber crooks is not a solution either. You cannot trust cyber criminals to send you a decryption key after you make the payment, and what’s worse – the virus will remain in your system and may strike again.