ODIN Ransomware

What is ODIN Ransomware?

ODIN Ransomware is a highly malicious computer infection designed to encrypt most of the files on your PC and demand money to decrypt them. It is necessary to remove it if you want to continue using your computer safely, but encrypted files will remain encrypted, and there is little chance of a free decryptor appearing anytime soon. However, paying the ransom is not a good option either, because you might not get the decryption key you pay for, or it might not work. In this short description, we are going to overview how this ransomware works, how it is distributed, and how you can get rid of it. So, without further ado, let us jump right into it.

What does ODIN Ransomware do?

From the outset, we think it is necessary to state that ODIN Ransomware is a variant of Locky Ransomware, or rather an updated version of that ransomware. Hence, they work in a similar manner, but there have been some significant changes, so this ransomware needs to be examined anew. Our malware researchers have tested this ransomware and found that it is set to encrypt files using the RSA-2048 and AES-128 encryption ciphers. This encryption method is quite strong, so it requires a custom decryption tool that is yet to be created. At any rate, the files this ransomware is set to encrypt include hundreds of file formats that include but are not limited to .pptx, .pptm, .std, .sxd, .dotx, .docm, .docx, .bak, .tar, .tgz, .rar, and .zip. In short, it is designed to encrypt most files, especially those that are bound to contain valuable information, such as documents, pictures, videos, audio files, and so on.

ODIN Ransomware is designed to target almost all directories, but it will skip several of them because they contain files vital to running the operating system. According to our security experts, the locations this ransomware is set to skip include temp, thumbs.db, tmp, winnt, Application Data, AppData, Program Files, Program Files (x86), $Recycle.Bin, System Volume Information, Boot, and Windows. Except for the locations mentioned above, this ransomware will encrypt files in all other places on your PC. Researchers say that, while encrypting the files, it will change their names and append its custom file extension .ODIN. Hence, an encrypted file should look like F68091F1D25A922B1A5FC27B19A9D9FC.odin. Take note that this ransomware will assign you a 16-digit hexadecimal ID that is placed at the beginning of the file name. It is also important to note that ODIN Ransomware can encrypt files on network shares even when they are not mapped to a local drive, and that it deletes the Shadow Volume Copies of the encrypted files using the “vssadmin.exe Delete Shadows /All /Quiet” command.

Once the encryption process is finished, this ransomware will drop several non-malicious files on your computer. Researchers say that in most cases it will drop three files: _HOWDO_text.html, _HOWDO_text.bmp, and _[2_digit_number]_HOWDO_text.html. The _HOWDO_text.bmp is dropped in %Temp%\MicroImageDir and is set as the desktop wallpaper, while the other two files are placed on the desktop and feature the same information as the image file. These files are the ransom note and contain information on how to go to a hidden Tor website to pay the ransom of 0.5 BTC ($301.65 USD) or 1 BTC ($603.23 USD) to decrypt your files. Again, as mentioned in the introduction, there is no guarantee that your files will be decrypted.
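The encrypted-file naming pattern, the skipped locations, and the ransom-note file names described above are enough to write a quick file-system triage routine. The following Python script is an added example written for this page, not code from the original article or from any vendor. It assumes that the 32-character hexadecimal name in the example above consists of the 16-digit victim ID followed by 16 further hex digits, and every sample path in it is constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directory names the article says ODIN skips; matched case-insensitively
# against every parent component of a path.
SKIPPED_DIRS = {
    "temp", "tmp", "winnt", "application data", "appdata", "program files",
    "program files (x86)", "$recycle.bin", "system volume information",
    "boot", "windows",
}
# thumbs.db is listed alongside the directories but is a file name.
SKIPPED_FILES = {"thumbs.db"}

# Assumption: 16 hex digits of victim ID, 16 more hex digits, then .odin
# (this matches the 32-character example name given in the article).
ENCRYPTED_RE = re.compile(
    r"^(?P<victim_id>[0-9A-F]{16})[0-9A-F]{16}\.odin$", re.IGNORECASE
)

# Ransom-note names from the article; the .html variant may carry a
# two-digit prefix such as _42_HOWDO_text.html.
NOTE_RE = re.compile(r"^_(?:\d{2}_)?HOWDO_text\.(?:html|bmp)$", re.IGNORECASE)


def classify_path(path: str) -> dict:
    """Label one Windows path as encrypted / ransom_note / normal and say
    whether ODIN's skip list would have left it alone."""
    p = PureWindowsPath(path)
    parent_parts = {part.lower() for part in p.parts[:-1]}
    record = {
        "path": path,
        "kind": "normal",
        "victim_id": None,
        # in_scope: the ransomware would encrypt files at this location
        "in_scope": not (parent_parts & SKIPPED_DIRS)
        and p.name.lower() not in SKIPPED_FILES,
    }
    m = ENCRYPTED_RE.match(p.name)
    if m:
        record["kind"] = "encrypted"
        record["victim_id"] = m.group("victim_id").upper()
    elif NOTE_RE.match(p.name):
        record["kind"] = "ransom_note"
    return record


def triage(paths) -> dict:
    """Summarise a list of paths: counts of encrypted files and notes, plus
    the distinct victim IDs seen (more than one ID means more than one
    infected host wrote to these locations)."""
    records = [classify_path(p) for p in paths]
    return {
        "encrypted": sum(r["kind"] == "encrypted" for r in records),
        "ransom_notes": sum(r["kind"] == "ransom_note" for r in records),
        "victim_ids": sorted({r["victim_id"] for r in records if r["victim_id"]}),
        "records": records,
    }


# Constructed sample paths (not from a real incident). The UNC path stands in
# for the unmapped network share the article mentions.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\F68091F1D25A922B1A5FC27B19A9D9FC.odin",
    r"\\fileserver\share\reports\00AA11BB22CC33DD44EE55FF66778899.odin",
    r"C:\Users\alice\Desktop\_42_HOWDO_text.html",
    r"C:\Users\alice\AppData\Local\Temp\MicroImageDir\_HOWDO_text.bmp",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Pictures\Thumbs.db",
    r"C:\Users\alice\Documents\budget.xlsx",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    for r in summary["records"]:
        print(f'{r["kind"]:<12} in_scope={r["in_scope"]!s:<5} {r["path"]}')
    print("encrypted:", summary["encrypted"], "notes:", summary["ransom_notes"],
          "victim IDs:", summary["victim_ids"])
```

In practice you would feed `triage()` the output of a directory walk or a file-server audit rather than a fixed list; the victim-ID field is the useful part, because it lets you tell apart files written by different infected machines to the same share.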

Where does ODIN Ransomware come from?

Our security experts have found that this malicious application is disseminated using malicious emails sent from email accounts controlled by this ransomware’s developers. The emails are said to be disguised as invoices. Previously, the subject line looked something along the lines of ATTN: Invoice J-98223146. We do not know whether this is still the case, but the email does not contain much text; it only says that you need to open the attached file for more information about receiving your compensation according to what is listed at the bottom of the invoice. Apparently, the cyber criminals want to bait you into opening the invoice thinking that you have struck gold. The attached file is a zipped JavaScript file that, when opened, downloads a malicious DLL installer, decrypts it, and executes it through Rundll32.exe. The command used to execute the file is “rundll32.exe %Temp%\[name_of_dll],qwerty”. If you have an antimalware tool, it could stop the infection, but otherwise this malicious file will start to encrypt your files.
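Both the shadow-copy deletion command from the previous section and the rundll32 launch described here show up on the process command line, which makes them practical detection anchors. The following Python script is an added example, not code from the article; it matches constructed process-creation records (process name plus command line, the two fields a Sysmon or EDR event would carry) against three rules derived from the page: vssadmin deleting shadows, rundll32 loading a DLL from Temp with the qwerty entry point, and a script host running a .js file from Temp (the attachment stage). The sample records and the rule names are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# A Temp location either as the unexpanded %Temp% variable (as the article
# quotes the command) or as an expanded path containing \Temp\.
TEMP_PATH = r"(?:%temp%|\\temp\\)"

# (rule name, process names the rule applies to, regex over the command line,
#  short explanation). Rule names are chosen here, not taken from any product.
RULES = [
    (
        "odin_shadow_copy_deletion",
        {"vssadmin.exe"},
        re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE),
        "vssadmin deleting Shadow Volume Copies (blocks easy recovery)",
    ),
    (
        "odin_rundll32_temp_dll_qwerty",
        {"rundll32.exe"},
        re.compile(TEMP_PATH + r"[^\s,]*\.dll\s*,\s*qwerty\b", re.IGNORECASE),
        "rundll32 loading a DLL from Temp with the 'qwerty' entry point",
    ),
    (
        "script_host_js_from_temp",
        {"wscript.exe", "cscript.exe"},
        re.compile(TEMP_PATH + r"\S*\.js\b", re.IGNORECASE),
        "script host executing a .js file from Temp (mail attachment stage)",
    ),
]


def scan_event(process: str, command_line: str) -> list:
    """Return one alert dict per rule that matches this process record."""
    name = PureWindowsPath(process).name.lower()  # tolerate full image paths
    hits = []
    for rule, procs, pattern, meaning in RULES:
        if name in procs and pattern.search(command_line):
            hits.append({
                "rule": rule,
                "process": name,
                "command_line": command_line,
                "meaning": meaning,
            })
    return hits


def scan_events(events) -> list:
    """Scan an iterable of (process, command_line) pairs."""
    alerts = []
    for process, cmd in events:
        alerts.extend(scan_event(process, cmd))
    return alerts


# Constructed sample records, not real telemetry. Two are benign look-alikes
# (rundll32 with a system DLL, vssadmin listing rather than deleting).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc123.dll,qwerty"),
    ("rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("vssadmin.exe", "vssadmin.exe list shadows"),
    ("wscript.exe", r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.js"),
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f'[{a["rule"]}] {a["process"]}: {a["command_line"]}  <- {a["meaning"]}')
```

The shadow-copy rule is deliberately not specific to ODIN: many ransomware families issue the same vssadmin command, so it is worth alerting on regardless of which sample is responsible, while the rundll32 rule keys on the unusual combination of a Temp-resident DLL and the fixed export name the article quotes.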

How do I remove ODIN Ransomware?

If your PC has become infected with this ransomware and your files have been encrypted, then we suggest that you remove it and wait for a free decryption tool to be created. Of course, you can also try paying the ransom, but, again, there is no guarantee that your files will be decrypted. Please follow the guide below on how to delete ODIN Ransomware manually. We recommend using SpyHunter’s free scan feature to detect the main file and then going to its location manually to remove it.

Delete this ransomware manually

  1. Go to http://www.anti-spyware-101.com/spyhunter
  2. Download and Install SpyHunter and scan your PC.
  3. Once the malicious file is located, press Windows+E keys.
  4. Type the file path in the File Explorer’s address line and hit Enter.
  5. Find the main file, right-click it and click Delete.
  6. Then, enter %Temp%\MicroImageDir in the address line.
  7. Find _HOWDO_text.bmp and delete it.
  8. Then, go to the desktop and delete {random number}_HOWDO_text.html and _HOWDO_text.html.
  9. Empty the Recycle Bin.
  10. Then, press Windows+R keys.
  11. In the Registry Editor, go to HKCU\Software.
  12. Find and delete the Locky registry key.
  13. Then, go to HKCU\Control Panel\Desktop.
  14. Find Wallpaper, right-click it and click Modify.
  15. Erase C:\Users\{User name}\Desktop and click OK.
  16. Close the Registry Editor.