ODIN Ransomware / Virus
Have you heard of the name ransomware? I know you heard of malware, spyware and adware too. But ransomware may be a new thing to you. In this article, you are going to get everything about ODIN ransomware. Before we get into it, I want to give you an overview of ransomware.
Unlike traditional malware, ransomware doesn’t make your computer act weirdly out of the blue. Once it gets into your system, it encrypts almost all your files into a special type. You need a private key to decrypt the files back. The developer keeps the key in a remote and anonymous server.
They demand some ransom to decrypt the files. Most of the ransomware demands money in the form of bitcoins. You will also get a deadline beyond which no one can retrieve your data. The same goes with Cerber 4.1.6 Ransomware as well.
Update (24-03-2017): Cerber ransomware decryptor is no longer working. To get more update please check exhaustive list of ransomware decryptor tools available so far.
ODIN Removal Tool: Ransomware ODIN Decryptor
I have divided this article into different sections for the reading convenience. You can find the removal and decryption methods on the bottom.
First, let us move on to what ODIN ransomware is.
What is ODIN Ransomware?
ODIN is the latest version of the locky ransomware that encrypts your data and demands money for decryption. The previous versions appended .zepto or .locky extension to files. But here, ODIN adds .odin extension. No one can open such files without proper private key.
The ODIN virus uses a combination of AES and RSA encryption. For the same reason, you can’t unlock it easily. Even with brute force attempts, you will take hundreds of years for successful decryption.
Once it gets into a system, the ransomware affects a system process, rundll32.exe. As it integrates itself to a system file, ordinary antimalware software fails to detect them.
When the ransomware is executed, it will scan all your drives and cloud storage services. Developers specify the types of files it encrypts into the algorithm. On finding such types of files, it will encrypt them and create two keys; both public and private.
The private key is stored in a remote server owned by the developers themselves. They will ask you for a ransom (3 bitcoins or about $1900) to decrypt the files. The ransom amount is higher than that of other ransomware.
The naming system of ODIN ransomware has a special pattern. Whenever it finds a file to encrypt, it changes the name in the format of {user id}-{4 characters}-{12 characters}.odin. Suppose you have a file named Work.doc, it will change the name to RHDY5DH7-GT6D-D56F-76GT-T6H3BP4O0G86.odin.
.ODIN Virus
The developers of ODIN virus are professionals in the field of coding and hacking. So, they will never leave even a distant clue that leads to the private key.
The ransomware creates three files in every directory that contains at least one encrypted file. They are “_5_HOWDO_text.html”, “_HOWDO_text.bmp”, and “_HOWDO_text.html”. The second one is an image file, which you will see as your desktop wallpaper. All these three files contain the same ransom demanding message.
For your information, I am leaving such a message generated by an ODIN ransomware below.
“d=*-|==** __$$|$
.+.|.
|.=_=$-*$|-$|=|++-|+
!!! IMPORTANT INFORMATION!!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxp://en.wikipedia.org/wiki/RSA (cryptosystem)
hxxp://en.wikipedia.org/wiki/Advanced Encryption Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
hxxps://jhomitevd2abj3fk.tor2web.org/D56F3331E80D9E17
hxxp://jhomitevd2abj3fk.onion.to/D56F3331E80D9E17
If all of this addresses are not available, follow these steps:
- Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
- After a successful installation, run the browser and wait for initialisation.
- Type in the address bar: jhomitevd2abj3fk.onion/D56F3331E80D9E17
- Follow the instructions on the site.
!!! Your personal identification ID: D56F3331E80D9E17 !!!
=+_$ =** +.+
+=*_$.*.=_
=__|+-$|+*.=*$
=-.$”
You can see the payment information on the website given in the message. But security professionals recommend you shouldn’t pay the money they demand because there is no guarantee that they will decrypt the files once they receive the payment.
How does ODIN Get into My System?
Ransomware developers use multiple methods to get into your system. Nonetheless, email attachments remain to be their favourite option since long.
They send you an email regarding an eCommerce delivery or a payment. In the case of eCommerce delivery, the email reads they have tried to deliver you a package but it failed and, you have to ensure whether your details are correct or not by checking the attachment.
The payment related mail tells the same story that they tried to send you a payment of a big amount and it returned. In order to get it, you have to check your payment details. In this case also, you will get an attachment.
Almost 80% of the people open the attachment. Mostly, it is a zipped file with a document inside. You will consider it as a harmless file because you may have the conservative thought they only executable files contain malware. On contrary to this, it will execute a macro when you open the file. As a result, it will affect rundll32.exe and keep on encrypting all your important files without any hindrance.
Sometimes, ODIN ransomware attacks your system from freeware and cracks as well. I recommend you should leave the crack downloading habit. Most of them come with a malware pre-attached.
Yet another method is software updaters. There are tons of fake software updater with ODIN virus. On installing the same, you unconsciously run the ransomware itself.
Types of Files Affected by ODIN
We all are aware of the unlimited file types available today. When it comes to images, there are JPG, PNG, BMP, GIF and more. Same is the case with audio, video, documents and others as well.
Literally, ODIN ransomware affect every files no matter what it extension is. If you want to get the definite list of file extensions, which are usually affected by ODIN, you must check the list given below.
.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw
ODIN Removal Tool
I have got multiple methods to remove ODIN extension and ransomware. So here you go finally!
Method 1: Using Malwarebyte’s Anti-malware
Step 1: You have to download the software first. It is recommended to have an internet connection with decent speed.
Step 2: Once you finish downloading it, open the executable installer file. Just follow the on-screen instructions to finish the process.
Step 3: Don’t forget to open the software on finishing the installation. You can see a Scan now button on the bottom of the interface. Simply, press on it.
Step 4: The duration of the scan solely depends on the amount of data you have in your computer. It will present a list of malware infections before you after finishing the scan.
Step 5: Select all (recommended) and hit on Remove selected.
In order to see the changes in effect, choose Yes on the restart prompt.
Method 2: Using Hitman Pro
Step 1: Download Hitman Pro using this link and install the software.
Step 2: Installation isn’t a mammoth task as you have to follow the on-screen instructions. That’s all. When it finishes, Hitman Pro will start scanning your computer.
Step 3: As I said earlier, the duration depends on the amount of data. Once the scanning completes, you will see the malicious items as the result. Choose the action you want to take for each risk and, press Next.
Step 4: Activate the free license for 30 days and, remove the malicious files.
Maybe, you have to remove those three files created by ODIN. Don’t forget to change the wallpaper as well.
Method 3: Remove ODIN from Registry
In order to run the ransomware every time, it will create a bunch of registry keys. You will read how to remove them here.
Step 1: Press Win key+ R to get the run dialogue box.
Step 2: Enter regedit into it. You will see the registry editor on the screen.
Step 3: You should follow the paths given below and remove the keys related to ODIN.
- HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Run
- HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \RunOnceEx
- HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \RunOnce
- HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \RunServicesOnce
- HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \RunServices
- HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Run
- HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Policies \Explorer \Run
- HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \RunServices
- HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Policies \Explorer \Run
- HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Runonce
- HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce
Method 4: Kill ODIN Related Processes
Here, we seek the help of the task manager to kill the processes related to ODIN.
Step 1: Press Ctrl+ Shift+ Esc to launch Task Manager.
Step 2: You will get multiple tabs. Go to Details.
Step 3: Check for ODIN related tasks there. Just kill them right after you detect them. Follow right-click >> End task >> End now for that.
How to Decrypt ODIN Infected Files
Though there are no proven methods that retrieve ODIN infected files completely, you can try out some.
Method 1: Using Shadow Explorer
Step 1: You have to download Shadow Explorer first. Use the link given below for that.
Step 2: What you get is the executable installer file. So, just open the same to install the software. Installation can be done simply by following the instructions on the screen.
Step 3: Once you finish installing it, open the interface.
You should select the drive first and then, the date. What this software does is reinstating your files into the state as it was on the given date. So, you must choose the date before the ODIN invasion occurred.
Choose the file or folder from the main area of interface on the right side and right-click on it. Finally, go with Export and, browse to the destination into which the earlier version is saved.
You can also use system’s own restore tools to do the same as well.
Conclusion of ODIN Ransomware Removal Tool & Decryptor
The ransomware gets stronger and stronger every day. So, you can’t always rescue your system from its clutches.
Means prevention is better than cure. You shouldn’t open email attachments from strange IDs. Moreover, don’t ever try to download cracks and patches, especially from P2P networks.
I hope you got what I am talking about.
In case you have any doubt about ODIN ransomware, feel free to reach out to me with it using the comment section down below.
Comments are closed.