Locky Ransomware switches from .Zepto to .Odin – Watch Your Email!

Well it looks like there is a new variant of the Locky ransomware is hitting the streets changing files to .Odin. For those not familiar with Locky, see this post HERE. To summarize Locky, its malware that attacks through email and encrypts all your personal files using the typical ransomware format (don’t kill the system, just encrypt the documents and offer a fee to unecrypt so the victim can pay). Make sure you are using proper email security measures to protect your users!

Tripwire wrote a short article on this HERE. Here is that article.


Do you remember the .Zepto Ransomware? Of course, you do. Well, you can more or less put it in the rear-view mirror. However, there is very little in the way of actual reasons for celebration. A new threat is on the rise! It’s been tentatively called .Odin File Virus. It changes your files’ extensions to match the name of the one-eyed god from the Norse Mythology.

The first reports regarding the .Odin File Virus started appearing on 26 September, and early signs point to the ransomware affecting mostly U.S. users. Unfortunately, there is very little doubt that the virus is going to spread like a wildfire in an old forest, if not already.

Just like the .Zepto File Virus before it, this is the newest variant of the infamous and rather sinister Locky Ransomware. Again, the main distribution form is through contaminated spam e-mails. Be especially on the lookout for any WS and JS attachments.

If you are one of the unlucky ones to execute such a script, then the process that follows is more or less the same and there is very little you can do to prevent it from happening from that point onwards.

In such a scenario, a DLL installer is downloaded and executed using the perfectly legitimate Windows process called Rundll32.exe. Once inside your device, the .Odin Virus starts encrypting your most often used files. An interesting point of observation is that the whole file name of an encrypted file is changed and not just the .odin extension. A seemingly random string of numbers and letters appears instead of your regular files’ names, with the aforementioned .odin at the back.

Another important novelty is that the ransom “demands” are now being stored in files titled “_HOWDO_text.html” and “_HOWDO_text.bmp” instead of the “_HELP_instructions.html” file that was a part of the .Zepto contamination. Apparently, you will be again asked for 0.5 Bitcoins unless you are a big business or a large organization. In that case, the demanded ransom is substantially larger.

I feel it is important that you refrain from paying any ransom as this would only encourage the ransomware creators into making more and more variations of these extremely malicious programs. Instead look for alternatives to bring back your files. And don’t forget – prevention is key in the fight against computer viruses.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.