Computers on Focus - Online Security Guide

09:23 PM
26 April 2024

Odin Virus – the Newest Variant of Locky Ransomware

By now you have probably heard of Zepto and its predecessor – Locky ransomware. Well, now Locky’s creators are back with a newer variant which adds the .odin extension to encrypted files.

How Does Odin Virus Differ from the Original Locky

Apparently, one thing that distinguishes the original Locky from its new variant is the name of the extension (.odin) it leaves at the end of each encrypted file. If you have been a victim of a ransomware attack, you can easily tell which variant has locked your files simply by looking at the extension at the end of their names.

Odin virus spreads via several email campaigns which distribute a multitude of obfuscated files, messages, email domains and more, just like Locky does, except it’s on a bigger scale.

Some of the compromised files Odin distributes look like this:

  • CJPOG21534.wsf
  • newdoc12.zip
  • doc0.zip
  • untitled9.zip

Other spam emails distributing Odin virus contain the payload files in an archive. Password-protected .rtf documents have been spotted delivering the infection as well.

Once Odin is inside the targeted system, the encryption process begins. After it’s completed, you may find 3 new files containing instructions regarding the payment:

  • _HOWDO_text.html
  • _HOWDO_text.bmp
  • _[2_23]_HOWDO_text.html (where 23 can be a different number)

The text of the _HOWDO_text files reads like this:

!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt
program, which is on our secret server.
To receive your private key follow one of the links:
1. http://jhomitevd2abj3fk.tor2web.org/5E950263BC5AAB7E
2. http://jhomitevd2abj3fk.onion.to/5E950263BC5AAB7E
If all of these addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: jhomitevd2abj3fk.onion/5E950263BC5AAB7E
4. Follow the instructions on the site.
!!! Your personal identification ID: 5E950263BC5AAB7E !!!
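
The indicators described above (the .odin extension, the _HOWDO_text note names and the personal identification ID inside the note) can be checked for with a read-only scan. The following is an added example, not part of the original article: the function names, the sample directory tree and the assumption that the ID is always 16 hex characters, as in the note quoted above, are mine.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Note names listed in the article: _HOWDO_text.html, _HOWDO_text.bmp and
# _[2_23]_HOWDO_text.html (the numbers in brackets vary).
NOTE_RE = re.compile(r"^_(\[\d+_\d+\]_)?HOWDO_text\.(html|bmp)$", re.IGNORECASE)
# Assumption: the ID is 16 hex characters, as in the article's sample note.
ID_RE = re.compile(r"personal identification ID:\s*([0-9A-F]{16})", re.IGNORECASE)


def triage(root):
    """Walk root and summarize Odin indicators without modifying any file."""
    encrypted = Counter()  # directory -> number of *.odin files found there
    notes, victim_ids = [], set()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ".odin":
            encrypted[str(path.parent)] += 1
        elif NOTE_RE.match(path.name):
            notes.append(str(path))
            if path.suffix.lower() == ".html":
                text = path.read_text(errors="ignore")
                victim_ids.update(m.upper() for m in ID_RE.findall(text))
    return {"encrypted": dict(encrypted),
            "notes": sorted(notes),
            "victim_ids": sorted(victim_ids)}


def build_sample_tree(base):
    """Constructed sample data: harmless placeholder files, not real samples."""
    docs = Path(base) / "Documents"
    docs.mkdir()
    (docs / "report.docx").write_text("untouched")
    (docs / "A1B2C3D4-0000.odin").write_text("placeholder")
    (docs / "E5F6A7B8-0001.ODIN").write_text("placeholder")
    (docs / "_HOWDO_text.bmp").write_bytes(b"BM")
    (docs / "_[2_23]_HOWDO_text.html").write_text(
        "<p>!!! Your personal identification ID: 5E950263BC5AAB7E !!!</p>")
    (docs / "HOWDO_notes.txt").write_text("not a ransom note")
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

Run against a mounted copy of the affected disk, the per-directory counts show how far the encryption reached, and the recorded ID ties the notes to one infection.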

Can You Decrypt Files Encrypted by Odin Virus?

Decryption of files encrypted by Odin virus is not possible yet. However, the best advice I could give is to remove Odin first and then try to restore some of your data via file recovery tools, or wait until a decryptor is released. Of course, I cannot guarantee that a decryptor will come out, but paying the ransom fee to the cyber crooks is not a solution either. You cannot trust cyber criminals to send you a decryption key after you make the payment, and what’s worse – the virus will remain in your system and may strike again.
