ODIN ransomware - How to remove

ODIN ransomware

ODIN Ransomware is another variant of Locky ransomware that is infecting computers for months now. The later virus has a great success and it has been infecting computers since February 2016. It seems that cyber criminals do not want to stop here, so there are releasing new version of it.
The name of the new ransomware comes from the .odin extension it uses to name corrupted files. While removal of ODIN is not so complicated, the decryption of the files can be pretty challenging. To restore the files, you will have to remove ODIN Ransomware first.

About ODIN Ransomware

ODIN Ransomware uses common RSA-2048 and AES-128 encryption algorithms to lock personal files. It is very difficult to unlock files that were encrypted this way. To make things even worse, ODIN ransomware set a wide range or extensions to encrypt. Once the program manages to detect the files and lock them, it prepares three files where it discloses the situation of the victims. These files are named: _[2_digit_number]_HOWDO_text.html, _HOWDO_text.bmp, and _HOWDO_text.html.

The messages basically claim that in order to unlock your files, you must get a private key which is obviously not for free. Just like Locky virus and other version of this annoying program, ODIN ransomware asks users to download and install Tor browser to transfer the payment. You should never even consider this option, because you will only lose your money and most likely the problem in your computer will remain. You should instead remove ODIN Ransomware using Spyhunter or another anti-malware program. Then follow the instructions below this article and try to recover your data.

Distribution Methods of ODIN ransomware

Just like its predecessors, ODIN ransomware takes over computer through spam messages. Despite how much users are warned to never open attachments in their spam emails, it seems that this technique is still working. Some users have reported that they have received an infected receipt files that is named “Receipt [random numbers]”. Once you click on this file, you open a way for the infection to take over your system.

As you understand, you can avoid ODIN and other ransomware from this family really easily. You just have to be more careful with what attachments you open in your email. It is never to much to educate yourself about how computer infections spread and how to avoid them. Be sure you are more careful when you are online, as you never know what infection is there sneaking to enter your system.

How to decrypt files locked by ODIN Ransomware

The first thing you should do before trying to decrypt the files is to remove ODIN Ransowmare. We highly recommend doing it automatically, with a help of an anti-malware program, such as Spyhunter or Malwarebytes. Then follow the steps below and try to unlock the files.

UPDATE October 2016: ODIN Ransomware has become extremely active at the end of September. It main target is Europe, however, Asia, Africa and North America has experienced some attacks too. Honolulu’s Fire Department has reported that around 20 computers were hacked after on of their employees opened some email with ODIN Ransomware infection. Fortunately, the infection did not spread to emergency response system so Fire Department was still able to work. However, IT sector had a lot of job to do to eliminate ODIN Ransomware from the network. It took them the whole day to unlock ODIN files that completely paralyzed internal administrative duties and communication. The files were restored from a back up, which only proved how important it is to make backups regularly.

Latest attacks have showed that ODIN Ransomware no longer uses WSF or JS files to download virus executable. Instead of executable, DLL file is now used to deploy ODIN script. This small change ended to be a huge headache for security experts.

How to recover ODIN ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before ODIN ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of ODIN ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to ODIN ransomware. You can check other tools here.  

Step 3. Restore ODIN ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually ODIN ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover ODIN ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *