How to Remove Odin Ransomware and Decrypt .odin Extension Files

Think Locky Ransomware is horrible enough? The development of new ransomware is always beyond people’s imagination. In the beginning, Locky Ransomware used the “.locky” file extension for the files it encrypted, and the second variant added “.zepto”. The Locky ransomware family is growing at terrifying speed. One more updated variant, Odin ransomware, which appends the “.odin” extension to the files it encrypts, was launched in September. This newer variant of the nefarious Locky Ransomware has been observed on the rise and has become a serious threat to computers and people’s data. If the files on your computer are renamed to a format like “XXXXX.odin” (random combinations of letters and numbers followed by .odin), your system has been infected with this ransomware and all your data has been encrypted by it, which also means you might lose important data permanently. To remove the ransomware from the infected PC quickly and completely, you can use the Odin ransomware removal tool available on this page.

Ransomware Has Taken off in 2016

According to a report from Beazley, a leading insurance company, the number of ransomware attacks this year will be four times higher than last year if the trends from the first nine months of 2016 hold. This prediction is likely to come true, because new types of ransomware appear quickly while research into cracking ransomware encryption progresses slowly. Even though the Locky ransomware has evolved into its third generation, Odin, there is still no effective way to get files encrypted by Locky ransomware back for free.

(Ransomware attacks: From 2014 to the end of September 2016)

The data from BBR Services shows that ransomware is booming surprisingly in 2016. Even though the investigation is confined to Beazley’s clients, the result gives a glimpse of how ransomware has become a top concern for web users around the world. The total number of ransomware has grown 128% year on year.

(Source: McAfee Labs, 2016.)

Cyber criminals have collected $209 million in just the first three months of this year. It is thought that the rise of ransomware threats is driven by individual Internet users, businesses and other organizations who believe they have no choice but to pay the demanded ransom to regain access to their data.

The Third Member of Locky Family: Odin Ransomware

Found by malware expert @dvk01uk in late September, Odin Ransomware is classified as another new variant of the Locky virus. From the predecessor Locky ransomware to this Odin file virus, this is now the third time that the extension of the infected files has changed, and it took just a couple of months to produce the updated versions of this nasty ransomware. Ransomware is always one of the biggest cyber security threats for all computer users because it can result in irreversible data loss, and it has evolved dramatically, with lots of new ransomware emerging this year. The rapid development of ransomware makes it even harder for security experts to crack ransomware encryption. When Odin first came into view, some researchers identified it as a new type of ransomware, but they soon found out that it belongs to the Locky Ransomware family. The author behind the Locky and Odin ransomware has made some improvements, fixing bugs and reducing the opportunity for users to unlock their files without paying a ransom. The hackers used hardcoded RSA keys in the previous version, Zepto, so that the ransomware could work even without a network connection. This offline mode allows Locky 2.0 to encrypt files without talking to the online command and control (C&C) server, since some users may shut down command-and-control communication channels to block malware. This means that Zepto ransomware can escape detection by firewalls and some security programs. However, in this mode the cyber criminals are not able to get the exact number of infections, so they can’t build statistical models. This could be the reason that the attackers have given up using this technique in the Odin version.

The most noticeable change in Locky 3.0 is the switch from the .locky extension to the .odin extension for infected files, so up to Locky version 3, the extensions used by the Locky ransomware family include:

.locky
.zepto
.odin

If your files are locked by Odin ransomware, it renames them to strings of 32 hex characters divided into five parts separated by hyphens, like B3CBE6A2-F5D3-AE86-DBA5-431EDB82AC96.odin. The ransom notes are named in the form below:

_HOWDO_text.html
_HOWDO_text.bmp
_[2_digit_number]_HOWDO_text.html

Just like all other ransomware, Odin drops ransom notes on the desktop and in all encrypted folders. The ransom note is displayed in three different formats: text, HTML and image, which is a convention of Locky variants. Besides, it even replaces the victim’s desktop wallpaper with the picture of the ransom note to make sure the victim is informed that all of their data is encrypted and that the only way to recover the data is to pay off the blackmailers. The following table shows the differences in the file names of the ransom notes for the three Locky variants:

_HELP_instructions.html (old)
_{number}_HELP_instructions.html (new)
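
The renaming pattern and ransom-note names described above are enough for a quick triage check of which folders were hit. The following Python sketch is an added example, not part of the original article or of any removal tool; the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Renamed files per the article: 32 hex characters in five hyphen-separated
# groups (8-4-4-4-12) followed by ".odin".
ENCRYPTED_RE = re.compile(
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.odin",
    re.IGNORECASE,
)
# Ransom notes per the article: _HOWDO_text.html, _HOWDO_text.bmp and
# _[2_digit_number]_HOWDO_text.html.
NOTE_RE = re.compile(
    r"_(?:\d{2}_)?HOWDO_text\.html|_HOWDO_text\.bmp", re.IGNORECASE
)

def classify(name):
    """Return 'encrypted', 'note' or None for a bare file name."""
    if ENCRYPTED_RE.fullmatch(name):
        return "encrypted"
    if NOTE_RE.fullmatch(name):
        return "note"
    return None

def scan(root):
    """Walk root; return {folder: {'encrypted': n, 'note': n}} for folders with hits."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": 0})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits[folder][kind] += 1
    return dict(hits)

def demo():
    """Scan a constructed sample tree (empty files, names only)."""
    sample = ("B3CBE6A2-F5D3-AE86-DBA5-431EDB82AC96.odin",
              "_HOWDO_text.html", "_07_HOWDO_text.html", "notes.txt")
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in sample:
            open(os.path.join(docs, name), "w").close()
        return {os.path.basename(f): c for f, c in scan(root).items()}

if __name__ == "__main__":
    print(demo())
```

Pointing `scan()` at a user profile or a mounted file share gives a per-folder count that helps decide which backups or restore points need to be consulted.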

The contents of the ransom note are basically the same as those of the Locky note. The Odin ransom note explains to users that the files on the computer are all encrypted with RSA-2048 and AES-128 ciphers and instructs users to decrypt their files by obtaining the private key. This time the ransomware usually requires 1.5 Bitcoins while in fact the required ransom ranges from 0.5 to 3.0 Bitcoins. Only after the required ransom has been paid will the victim be provided with the specific “private key” to decrypt the files. As the third generation, the .odin ransomware is even more aggressive than its ancestor Locky. It targets more computer files, as it has been updated to expand the list of file types that it can encrypt. Below is the list of new file types targeted by Odin.

.yuv .qbx .ndd .exf .cdr4 .vmsd .dat .indd .pspimage .obj
.ycbcra .qbw .mrw .erf .cdr3 .vhdx .cmt .iif .ps .mlb
.xis .qbr .moneywell .erbsql .bpw .vhd .bin .fpx .pct .md
.x3f .qba .mny .eml .bgt .vbox .aiff .fff .pcd .mbx
.x11 .py .mmw .dxg .bdb .stm .xlk .fdb .m4v .lit
.wpd .psafe3 .mfw .drf .bay .st7 .wad .dtd .m .laccdb
.tex .plc .mef .dng .bank .rvt .tlg .design .fxg .kwm
.sxg .plus_muhd .mdc .dgc .backupdb .qcow .st6 .ddd .flac .idx
.stx .pdd .lua .des .backup .qed .st4 .dcr .eps .html
.st8 .p7c .kpdx .der .back .pif .say .dac .dxb .flf
.st5 .p7b .kdc .ddrw .awg .pdb .sas7bdat .cr2 .drw .dxf
.srw .oth .kdbx .ddoc .apj .pab .qbm .cdx .db3 .dwg
.srf .orf .kc2 .dcs .ait .ost .qbb .cdf .cpi .dds
.sr2 .odm .jpe .dc2 .agdl .ogg .ptx .blend .cls .css
.sqlite .odf .incpas .db_journal .ads .nvram .pfx .bkp .cdr .config
.sdf .nyf .iiq .csl .adb .ndf .pef .al .arw .cfg
.sda .nxl .ibz .csh .acr .m4p .pat .adp .ai .cer
.sd0 .nx2 .ibank .crw .ach .m2ts .oil .act .aac .asx
.s3db .nwb .hbk .craw .accdt .log .odc .xlr .thm .aspx
.rwz .ns4 .gry .cib .accdr .hpp .nsh .xlam .srt .aoi
.rwl .ns3 .grey .ce2 .accde .hdd .nsg .xla .save .accdb
.rdb .ns2 .gray .ce1 .ab4 .groups .nsf .wps .safe .7zip
.rat .nrw .fhd .cdrw .3pr .flvv .nsd .tga .rm .1cd
.raf .nop .fh .cdr6 .3fr .edb .nd .rw2 .pwm .wab
.qby .nk2 .ffd .cdr5 .vmxf .dit .mos .r3d .pages .prf
.oab .msg .mapimail .jnt .dbx .contact

How Odin Ransomware Gets Distributed?

Everyone has the potential to be a victim of this type of threat. Even though Odin Ransomware evolved from Locky ransomware, its distribution still relies mainly on phishing. It still spreads through spam e-mails with malicious attachments (.zip, .docx, .doc, etc.). By making use of several email campaigns that distribute a multitude of obfuscated files, messages, email domains and more, just as Locky does, it is able to attack computers worldwide. Some of the compromised files Odin distributes look like this: KBPWN68213.wsf. Here is one sample e-mail used to deliver the dangerous ransomware: (image: e-mail containing Odin). Other spam emails distributing Odin contain the payload files in an archive. Password-protected .rtf documents have been spotted delivering the infection as well. When a user receives such an e-mail and opens the attachment, an encrypted .dll installer is downloaded at the same time. It is then decrypted and executed by Rundll32.exe, a program that is part of the basic set of Windows tools. When the file is executed, it encrypts all accessible files.

How Can You Remove Odin Ransomware?

Once the computer gets hit by this ransomware and all files are encrypted, the hackers often encourage and coerce victims to pay the ransom to get the data back, but authorities and security researchers usually advise users not to pay, because the price is expensive for most people (0.5 BTC is about equal to 365 US dollars) and there is no guarantee that the cyber criminals will actually give you your data back as they promised. Even if you do pay the attackers off, you may get nothing, or you could still be the target of the next ransomware attack. There are many cases in which organizations and individuals never got any decryption key or tool after they paid the ransom, so it is strongly suggested that victims of Odin ransomware download a reliable anti-malware tool to delete the malicious program and prevent further damage.

Solution One: Use an Anti-Malware Tool to Ensure the Safety of Your PC

The anti-malware tool’s scan service is free of charge. During the scan, it will show a list of all detected items, including the name, location and other detailed information. You can remove the detected items after the scan completes if you have purchased this product. If the removal is complete but your data is still locked, you can try the next step.

Solution Two: Restore the Lost Data from a Recent Backup

If the antivirus program fails to detect or remove the ransomware, or your data cannot be recovered, you can use tools like Data Recovery or MiniTool Power Data Recovery Free to try to recover the corrupted files safely. However, based on the evidence we currently have, this is not as helpful as you might wish. If you create restore points frequently, or happen to have a restore point, you can choose to restore the system from the latest system restore point. However, this method only works when your restore point remains intact. This option will take your PC back to an earlier point in time without affecting your files, but it will delete the programs, updates and drivers that were added to your PC after the restore point.

Perform a system restore for Windows 7

Step 1 Log in to your computer as the administrator.
Step 2 Open Control Panel from the Start menu.
Step 3 Click System and Security, and then click Restore your computer to an earlier time.
Step 4 Press the Open System Restore button.
Step 5 Click Next > and you will see a list of the restore points that you have created before. Choose the latest one from before your computer got infected with the ransomware, and then click Next >.
Step 6 Confirm your restore point and click Finish.
Step 7 Click Yes to confirm your operations and start to restore the system.
Step 8 The restore is in process.
Step 9 You will see a message during the restore process. The time it takes to complete the whole process is uncertain, as it depends on the system condition. Your PC will automatically restart when the restore finishes.

Perform a system restore for Windows 8

Step 1 Move your cursor to the right edge of the screen, and then click Search.
Step 2 Enter Control Panel in the search box, and click Control Panel.
Step 3 Enter Recovery in the Control Panel search box, and then tap or click Recovery.
Step 4 Click Open System Restore. If you are asked for the administrator password, enter the password in the box.
Step 5 Click Next > and you will see a list of available restore points that you can choose. Select the most recent point before the ransomware appeared on the system and click Next >.
Step 6 Select Finish and click Yes to start the restore.
Step 7 Wait until the restore process is finished. Don’t be surprised if you see your computer restart several times during the restore process.

Perform a system restore for Windows 10

Step 1 Right-click (or press and hold) the Start button, and then select Control Panel.
Step 2 Search Control Panel for Recovery.
Step 3 Select Recovery > Open System Restore > Next.
Step 4 Choose the restore point related to the problematic app, driver, or update, and then select Next > Finish.
Step 5 Click Yes to confirm your actions.

How to Protect Your System from Getting Ransomware Like Odin

Given the extent of the damage ransomware can do to your data, it is important that you follow the recommended security measures below.

1. Back up your files on a regular basis. Ransomware goes after your files when it infects your computer. If you have a backup of all your important files, there is no reason why you should give in to the ransomware’s demands. Remember to disconnect from the Internet while you are backing up to an external hard drive. Unplug the drive before you go online again. Several free and paid cloud backup services are available on the market that can take data backups periodically.
2. Use reliable antivirus software that can block infected emails and websites, and stop infections that can spread through USB drives. Keep the software up-to-date.
3. Apply recommended security updates for your computer’s operating system and all other programs such as Adobe, Java, Internet browsers, etc.
4. Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources. Even if such emails seem to be from a known source, it is better to call up the sender and verify them first.

Please be extra careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. The message might say “look at this picture of me I took last night” and appear to come from a friend, or it might be more targeted at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email unless you are expecting it. Confirm through a second channel if unexpected e-mails arrive from your family and friends. Outdated computer systems are relatively more vulnerable to ransomware attacks.

Installing effective antivirus software or a reputable security suite can help you detect and fight off malicious threats and give you an extra form of protection.


The following video offers a complete guide for Odin Ransomware removal. You’d better watch it in full-screen mode!
