Blog

Threat Research Labs
Ransomware Alert! ODIN – A new variant of Locky Ransomware
September 30, 2016

locky_ransomware

A new variant of the infamous Locky Ransomware has been observed in the wild. It’s called Odin. This variant appends the extension .odin to the files it encrypts with new ransom note filenames. This ransomware is being spread via spam emails that carry a malicious WSF Script attachment.

How Odin encrypts the victim’s files

• Once the user opens the WSF Script attachment, a ransomware payload gets downloaded from a malicious website as an encoded file without any extension.

• The file gets decoded into a Windows Dynamic Link Library (DLL) file.

• The payload is launched using rundll32.exe which encrypts the files stored on the infected system, renames the encrypted files, and appends the .ODIN extension to them.

odin

Fig 1

Below are the ransom notes created by the ODIN ransomware:

_16_HOWDO_text.html

_HOWDO_text.bmp

_HOWDO_text.html

After the ransomware encrypts the infected computer’s files, it changes the desktop wallpaper to the below note (_HOWDO_text.html) (fig 2). The note informs the user that their files have been encrypted and the only way to decrypt them is by using a private key and a decryption program. This is followed by other instructions.

odin2

Fig 2

Quick Heal Virus Protection proactively detects the malicious DLL file as “Ransom.Zepto.PB7” and the malicious WSF Script file as “JS.Locky.FT” and reduces the risk of the ransomware infection.

Ransomware has become a perpetual threat for individual users and businesses too. Once it encrypts any files, it is impossible to decrypt the data unless a ransom is paid to the perpetrator. Given the extent of the damage a ransomware can do to your data, it is important that you follow the recommended security measures mentioned below.

  1. Back up your files on a regular basis. A ransomware goes after your files when it infects your computer. If you have a backup of all your important files, there is no reason why you should give in to the ransomware’s demands. Remember to disconnect the Internet while you are backing up on an external hard drive. Unplug the drive before you go online again. Several free and paid Cloud backup services available on the market that can take data backup periodically.
  2. Use a reliable antivirus software that can block infected emails, websites, and stop infections that can spread through USB drives. Keep the software up-to-date.
  3. Apply recommended security updates for your computer’s Operating System and all other programs such as Adobe, Java, Internet Browsers, etc.
  4. Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources. Even if such emails seem to be from a known source, it is better to call up the sender and verify them first.

 

ACKNOWLEDGMENT
Subject Matter Expert

  • Anita Ladkat (Threat Research and Response Team)

SHARE THIS STORY

Have something to add to this story? Share it in the comments.

Threat Research Labs
About Threat Research Labs
Quick Heal Threat Research Labs provides detailed analysis of current malware trends, threats, vulnerabilities and recent cyber-attacks. The Labs’ reports help...
Articles by Threat Research Labs »

14 Comments

Your email address will not be published.

CAPTCHA Image

  1. Deepak agrwalSeptember 30, 2016 at 7:11 PM

    What would be the procedure for taking backup and restore through seqreite

    Reply
  2. Nice blog for new variant of LOCKY!!

    Reply
  3. Ashish MauryaOctober 2, 2016 at 8:37 PM

    Cerber Ransomware is very dangerous because decryption of encrypted files are impossible only we can stop it by using a reliable antivirus like Quick Heal otherwise anybody can losse whole data.

    Reply
  4. Ransomware damage my files complite
    how recover the my file

    Reply
  5. Sanchit GargOctober 5, 2016 at 6:59 PM

    Hi
    My computer got affected with this ransomware though I was having quick heal. Please help me decrypt my files somehow. Or please update me as soon as you get an decrypter for the .odin files.

    Reply
  6. chakrapanichaturvedi@yahoo.co.inOctober 7, 2016 at 5:07 PM

    I am Suffered from same problem of .ODIN
    please help me to resolve it

    Reply
  7. ramarao.p.s.October 8, 2016 at 6:33 AM

    very useful info.why donot u send it as a mail to ur customers. thank you.

    Reply
  8. Hello, Its really the very good information shared by research team member. I really appreciate the QuickHeal Team efforts about spreading this news and makin people aware about this. You guys are doing good job and helping people. AWESOME ARTICLE.

    Reply
  9. A month ago, I noticed a message that popped up automatically on my computer that said, “Extracting files.” I did not even try to extract anything. The same thing happened today too. So, like the last time, I cancelled the action of my computer before it could extract the files since I suspect that it is a virus spreading / hacking attempt. What do I do in such a situation?

    Reply