The guide below provides a comprehensive analysis of the .odin ransomware virus and lists viable methods to restore files encrypted by this new Locky version.
There is a new variant of the notoriously prolific ransomware called Locky in the wild. The latest spinoff appends the .odin extension to encrypted files instead of the previously used .zepto string. Furthermore, the names of recovery manuals created on the infected computer have changed to _HOWDO_text.html and _HOWDO_text.bmp. The rest of the operational characteristics, including the distribution avenue and ransom payment methods, are still invariable.
The threat actors in charge of the Locky ransomware have been consistent in terms of the timing of their code updates. The .zepto predecessor of the .odin file extension virus edition had been discovered in late June 2016, so the average life span of these versions is on the order of three months. Whereas there aren’t many significant tweaks made to the offending program in the most recent upgrade, some modifications are noteworthy. Most importantly, the victims bump into an unsurmountable hurdle when trying to access their personal data as the operating system is unable to process ODIN files.
A concomitant problem is that it’s impossible to determine a specific file’s whereabouts, because the Odin build of Locky completely scrambles filenames. On the outside, every data entry turns into a sequence of 32 hexadecimal chars followed by the .odin extension. In fact, the issue is more serious than the mere renaming, since the information ends up encrypted. The ransomware in question employs two different types of cipher to make one’s files inaccessible. At the first phase, it uses AES-128 cryptosystem to randomize the inner structure of every data entry. The secret AES key generated in the course of this routine is then encrypted with a stronger algorithm called RSA-2048. The whole repository of private decryption keys resides on a Command and Control server that’s reliably secured against unauthorized access. Therefore, the sole way to get hold of the recovery instruments is to comply with the perpetrators’ demands.
According to _HOWDO_text.html and _HOWDO_text.bmp ransom notes, which appear on the desktop and within different encoded folders, the user must go to a specific Tor page in order to get started on the fix. Having visited the online resource named the “Locky Decryptor Page”, the victim will be told to purchase 0.5 BTC and send it to the extortionists’ Bitcoin address provided there. Then, the infected person will supposedly be able to refresh the page and download the Locky Decryptor that will reinstate the .odin files. It’s not recommended to take these claims for granted, though. Also, paying about $300 isn’t in anyone’s best interest. Fortunately, some forensic techniques may turn out efficient to recover data locked by the Odin virus.
Automated removal of Odin virus
Owing to an up-to-date database of malware signatures and intelligent behavioral detection, the recommended software can quickly locate the infection, eradicate it and remediate all harmful changes. So go ahead and do the following:
1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Computer Scan button
2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Fix Threats to get the troubleshooting completed.
Ways of non-ransom recovery of .odin files
Cracking the crypto used by this ransom trojan is more of a science fiction thing rather than an attainable prospect for the masses. This is why the troubleshooting in predicaments of this sort is a matter of two approaches: one is to pay the ransom, which isn’t an option for many victims; and the other is to apply instruments that take advantage of the ransomware’s possible weaknesses. If the latter is your pick, the advice below is a must-try.
Backups can make your day
Not only are you a lucky person in case you’ve been backing up your most important files, but you’re also a wise and prudent user. This isn’t necessarily a resource-heavy activity these days – in fact, some providers of online services are allocating a sufficient size of cloud storage space for free so that every customer can easily upload their critical data without paying a penny. Having removed Odin ransomware, therefore, all you have to do is download your stuff from the remote server or transfer it all from an external piece of hardware if that’s the case.
Restore previous versions of encrypted files
A positive upshot of using this technique depends on whether or not the ransomware has erased the Volume Shadow Copies of the files on your PC. This is a Windows feature that automatically makes and keeps the backups of data elements on the hard drive as long as System Restore is enabled. The cryptoware in question is programmed to switch off the Volume Shadow Copy Service (VSS), but it has reportedly failed to in some cases. Checking one’s options regarding this workaround is doable in two ways: through the Properties menu of each file or by means of the remarkable open-source tool called Shadow Explorer. We recommend the software-based way because it’s automated, hence faster and easier. Just install the app and use its intuitive controls to get previous versions of the encrypted objects reinstated.
Data recovery toolkit to the rescue
Some strains of ransomware are known to delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Data Recovery Pro by ParetoLogic features this type of capability therefore it can be applied in ransom attack scenarios to at least get the most important files back. So download and install the program, run a scan and let it do its job.
Revise your security status
Post-factum assessment of the accuracy component in malware removal scenarios is a great habit that prevents the comeback of harmful code or replication of its unattended fractions. Make sure you are good to go by running an additional safety checkup.
- Petya ransomware removal and system recovery (upd. June 27)
- Sorebrect ransomware – fileless malware exploits PsExec utility
- Remove MOLE02 ransomware virus and decrypt .mole02 files (upd. June 15)
- Erebus ransomware infects Linux web servers in South Korea
- Decrypt .master ransomware files – BTCWare virus variant