A new variant of the infamous Locky Ransomware has been observed in the wild. It’s called Odin. This variant appends the .odin extension to the files it encrypts and uses new ransom note file names. The ransomware is being spread via spam emails that carry a malicious WSF Script attachment.
How Odin encrypts the victim’s files
• Once the user opens the WSF Script attachment, a ransomware payload gets downloaded from a malicious website as an encoded file without any extension.
• The file gets decoded into a Windows Dynamic Link Library (DLL) file.
• The payload is launched using rundll32.exe which encrypts the files stored on the infected system, renames the encrypted files, and appends the .ODIN extension to them.
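The three-step chain above (script host runs the WSF attachment, a DLL is dropped to a user-writable folder, rundll32.exe loads it and mass-renames files to .odin) maps directly onto detection logic. The following is an added example, not code from the original post or from Quick Heal: it runs simple rules over constructed, Sysmon-style process-creation and file-rename records. The event field names, the sample paths, the DLL name and export are all hypothetical; the .wsf and .odin indicators come from the post.

```python
import ntpath
import re
from collections import Counter

# Constructed sample events in a Sysmon-like shape (process creation and file
# rename). Paths, PIDs, the DLL name and the export name are hypothetical.
PROCESS_EVENTS = [
    {"pid": 1001, "parent_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_4421.wsf"'},
    {"pid": 1002, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\pdHQ8sgf.dll,EntryPoint"},
    # Benign control: rundll32 launched by Explorer with a system DLL.
    {"pid": 2000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]
FILE_RENAMES = [
    {"pid": 1002, "old": r"C:\Users\alice\Documents\budget.xlsx",
     "new": r"C:\Users\alice\Documents\A1B2C3D4E5F60001.odin"},
    {"pid": 1002, "old": r"C:\Users\alice\Documents\thesis.docx",
     "new": r"C:\Users\alice\Documents\A1B2C3D4E5F60002.odin"},
    {"pid": 1002, "old": r"C:\Users\alice\Pictures\holiday.jpg",
     "new": r"C:\Users\alice\Pictures\A1B2C3D4E5F60003.odin"},
    # Benign control: an ordinary rename by another process.
    {"pid": 3000, "old": r"C:\Users\alice\Documents\draft.docx",
     "new": r"C:\Users\alice\Documents\final.docx"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phishing payload is typically written to (constructed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def rundll32_dll_argument(cmdline):
    """Extract the DLL path from 'rundll32.exe <dll>,<export> [args]'."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def is_script_host_running_wsf(ev):
    """Step 1: a Windows script host executing a .wsf from a user-writable folder."""
    cmd = ev["cmdline"]
    return (basename(ev["image"]) in SCRIPT_HOSTS
            and ".wsf" in cmd.lower()
            and USER_WRITABLE.search(cmd) is not None)


def is_suspicious_rundll32(ev):
    """Steps 2-3: rundll32 spawned by a script host, or loading a DLL from a user-writable folder."""
    if basename(ev["image"]) != "rundll32.exe":
        return False
    dll = rundll32_dll_argument(ev["cmdline"]) or ""
    spawned_by_script_host = basename(ev["parent_image"]) in SCRIPT_HOSTS
    dll_in_user_dir = USER_WRITABLE.search(dll) is not None
    return spawned_by_script_host or dll_in_user_dir


def odin_rename_counts(renames):
    """Count, per process, renames whose new name carries the .odin extension."""
    counts = Counter()
    for r in renames:
        if r["new"].lower().endswith(".odin") and r["old"].lower() != r["new"].lower():
            counts[r["pid"]] += 1
    return counts


def analyze(process_events, renames, rename_threshold=3):
    """Return (rule, pid) alerts; the rename rule fires only above a threshold to cut noise."""
    alerts = []
    for ev in process_events:
        if is_script_host_running_wsf(ev):
            alerts.append(("script_host_wsf", ev["pid"]))
        if is_suspicious_rundll32(ev):
            alerts.append(("suspicious_rundll32", ev["pid"]))
    for pid, n in sorted(odin_rename_counts(renames).items()):
        if n >= rename_threshold:
            alerts.append(("mass_odin_rename", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in analyze(PROCESS_EVENTS, FILE_RENAMES):
        print(f"ALERT {rule}: pid {pid}")
```

The rename threshold is the knob that matters in practice: a single .odin rename is already a strong signal for this family, but the same counting logic generalises to any "many renames to one unknown extension by one process" rule, where a higher threshold keeps backup and archiving tools quiet.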
Below are the ransom notes created by the ODIN ransomware:
After the ransomware encrypts the infected computer’s files, it changes the desktop wallpaper to the below note (_HOWDO_text.html) (fig 2). The note informs the user that their files have been encrypted and the only way to decrypt them is by using a private key and a decryption program. This is followed by other instructions.
Quick Heal Virus Protection proactively detects the malicious DLL file as “Ransom.Zepto.PB7” and the malicious WSF Script file as “JS.Locky.FT” and reduces the risk of the ransomware infection.
Ransomware has become a perpetual threat for individual users and businesses alike. Once it encrypts any files, it is impossible to decrypt the data unless a ransom is paid to the perpetrator. Given the extent of the damage ransomware can do to your data, it is important that you follow the recommended security measures mentioned below.