The guide below provides a comprehensive analysis of the .odin ransomware virus and lists viable methods to restore files encrypted by this new Locky version.
There is a new variant of the notoriously prolific ransomware called Locky in the wild. The latest spinoff appends the .odin extension to encrypted files instead of the previously used .zepto string. Furthermore, the names of recovery manuals created on the infected computer have changed to _HOWDO_text.html and _HOWDO_text.bmp. The rest of the operational characteristics, including the distribution avenue and ransom payment methods, are still invariable.
The threat actors in charge of the Locky ransomware have been consistent in terms of the timing of their code updates. The .zepto predecessor of the .odin file extension virus edition had been discovered in late June 2016, so the average life span of these versions is on the order of three months. Whereas there aren’t many significant tweaks made to the offending program in the most recent upgrade, some modifications are noteworthy. Most importantly, the victims bump into an unsurmountable hurdle when trying to access their personal data as the operating system is unable to process ODIN files.
A concomitant problem is that it’s impossible to determine a specific file’s whereabouts, because the Odin build of Locky completely scrambles filenames. On the outside, every data entry turns into a sequence of 32 hexadecimal chars followed by the .odin extension. In fact, the issue is more serious than the mere renaming, since the information ends up encrypted. The ransomware in question employs two different types of cipher to make one’s files inaccessible. At the first phase, it uses AES-128 cryptosystem to randomize the inner structure of every data entry. The secret AES key generated in the course of this routine is then encrypted with a stronger algorithm called RSA-2048. The whole repository of private decryption keys resides on a Command and Control server that’s reliably secured against unauthorized access. Therefore, the sole way to get hold of the recovery instruments is to comply with the perpetrators’ demands.
According to _HOWDO_text.html and _HOWDO_text.bmp ransom notes, which appear on the desktop and within different encoded folders, the user must go to a specific Tor page in order to get started on the fix. Having visited the online resource named the “Locky Decryptor Page”, the victim will be told to purchase 0.5 BTC and send it to the extortionists’ Bitcoin address provided there. Then, the infected person will supposedly be able to refresh the page and download the Locky Decryptor that will reinstate the .odin files. It’s not recommended to take these claims for granted, though. Also, paying about $300 isn’t in anyone’s best interest. Fortunately, some forensic techniques may turn out efficient to recover data locked by the Odin virus.
Odin ransomware automated removal and data recovery
Owing to an up-to-date database of malware signatures and intelligent behavioral detection, the recommended software can quickly locate the infection, eradicate it and remediate all harmful changes. So go ahead and do the following:
1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Computer Scan button
2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Fix Threats to get the troubleshooting completed.
Data recovery toolkit to the rescue
Some strains of ransomware are known to delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Stellar Data Recovery features this type of a capability and therefore it can be applied in ransom attack scenarios to at least get the most important files back. So use the app to get an idea of what data can be restored and let it do the recovery job. Here is a step-by-step walkthrough:
1. Download and install Stellar Data Recovery.
2. Open the application, select the types of recoverable files to look for, and click Next.
3. Choose the areas you want the tool to recover from and click the Scan button.
4. Having scanned the specified locations, the program will display a notification about the total amount of recoverable data. Close the dialog and click the Recover button. This will hopefully help you get some of your valuable files back.
Ransomware Prevention Tips
To avoid Odin ransomware and other file-encrypting infections in the future, follow several simple recommendations:
- Toggle your email provider’s anti-spam settings to filter out all the potentially harmful incoming messages. Raising the bar beyond the default protection is an important countermeasure for ransom Trojans
- Define specific file extension restrictions in your email system. Make sure that attachments with the following extensions are blacklisted: .js, .vbs, .docm, .hta, .exe, .cmd, .scr, and .bat. Also, treat ZIP archives in received messages with extreme caution
- Rename the vssadmin.exe process so that ransomware is unable to obliterate all Shadow Volume Copies of your files in one shot
- Keep your Firewall active at all times. It can prevent crypto ransomware from communicating with its C&C server. This way, the threat won’t be able to obtain cryptographic keys and lock your files
- Back up your files regularly, at least the most important ones. This recommendation is self-explanatory. A ransomware attack isn’t an issue as long as you keep unaffected copies of your data in a safe place
- Use an effective antimalware suite. There are security tools that identify ransomware-specific behavior and block the infection before it can do any harm.
These techniques are certainly not a cure-all, but they will add an extra layer of ransomware protection to your security setup.
Revise your security status
Post-factum assessment of the accuracy component in malware removal scenarios is a great habit that prevents the comeback of harmful code or replication of its unattended fractions. Make sure you are good to go by running an additional safety checkup. Another benefit of using the antimalware tool is that it will keep ransomware threats from intruding on your computer further on.