ODIN Ransomware Removal Guide

Do you know what ODIN Ransomware is?

ODIN Ransomware is a new variant of the infamous Locky Ransomware infection. The new version adds the “.odin” extension to the files it encrypts, and it is not yet decipherable. A list of decryption keys was made public for the victims of the old version of this ransomware, which is exactly why the new one was created. At this point in time, a legitimate decryption tool does not exist, which means that if this infection slithers in, you have very few options. In fact, there is a great possibility that you will end up losing your personal files. Have you already checked which files were encrypted by this infection? According to our information, it can corrupt all kinds of files, including audio and video files, pictures, documents, archives, and so on. Needless to say, removing ODIN Ransomware is not the first thing you should do. First, you should read this report to learn everything about this ransomware and its activity.

According to the analysts in our research team, ODIN Ransomware is spread via corrupted spam emails. When we analyzed Locky Ransomware in the past, its executable was camouflaged as a fake invoice, and computer users unleashed the infection by opening the corrupted file. It is possible that the new version of this infection is distributed in the exact same manner. Once the launcher is unleashed, an encrypted DLL file is downloaded and executed using Rundll32.exe, which is a legitimate Windows process. As soon as the infection is fully executed, it starts encrypting your personal files, and because that is done silently, it is unlikely that you will notice anything. Nonetheless, right after the encryption is finished, additional files will be created to inform you about the situation. These files are _HOWDO_text.html, _[2 random numbers]_HOWDO_text.html, and _HOWDO_text.bmp. The HTML files inform you that your files were encrypted using RSA and AES ciphers. In reality, it is most likely that RSA will be used for the encryption of the private key that you need to decrypt your files. The BMP file carries the same message, and it might take over your Desktop wallpaper. Do not delete these files until you figure out what you want to do next.
The files created by ODIN Ransomware are designed to make you follow one of the links provided. When you do, you are routed to the “Locky Decryptor Page” webpage where you are informed that you need to pay a ransom of 3 BTC (around 1810 USD or 1616 EUR). You are also provided with a Bitcoin Address that you need to transfer the money to. According to the message, as soon as you pay the ransom and confirm the transaction, the file decryptor will become available for you. Can you trust that cyber criminals will keep their promise after you pay the money? Well, we cannot vouch for that. In fact, it is quite possible that your money would be taken from you with nothing in return. Considering that the amount requested is very large, you have to think long and hard if you should take the risk at all. If you are cautious about your personal files, you will have them backed up, in which case, there is nothing else to do but to delete ODIN Ransomware. Keep in mind that, in reality, you are removing Locky Ransomware.

Our researchers have found that the removal of the new version of the Locky Ransomware is different. In fact, it is easier to erase this version. Obviously, if your files are held hostage, you might postpone the removal of ODIN Ransomware. Think things through, but do not waste your time. If you are trying to save time, the best thing you can do is download an anti-malware tool that will automatically eliminate the ransomware and keep your Windows operating system protected against all other threats. If you choose to erase the ransomware using the manual removal guide below, do not forget to employ reliable security software as soon as you get the chance, so as to prevent malware from slithering in.

Delete ODIN Ransomware

  1. Right-click and Delete the malicious launcher.
  2. Launch RUN by tapping Win+R keys.
  3. Enter regedit.exe into the dialog box to launch Registry Editor.
  4. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
  5. Double-click the value named BackgroundHistoryPath0.
  6. Erase the value data contents (e.g., C:\Users\{User name}\Desktop\_HOWDO_text.bmp).
  7. Move to HKCU\Control Panel\Desktop.
  8. Double-click the value named WallPaper and repeat step 6.
  9. Launch Explorer by tapping Win+E keys.
  10. Enter %Temp% into the address bar and then open the MicroImageDir folder.
  11. Right-click and Delete the file named _HOWDO_text.bmp.
  12. Right-click and Delete the HTML files (_HOWDO_text.html, _[2 random numbers]_HOWDO_text.html).
  13. Install a malware scanner to inspect your operating system.
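
Steps 4 to 12 can also be checked from a PowerShell prompt. The script below is an added example, not part of the original guide: it reports the two wallpaper registry values and the ransom-note files named above, and changes nothing unless it is run with -Remove. The -Remove switch name and the reading of "[2 random numbers]" as a run of digits are assumptions; the script does not locate the launcher and does not decrypt files.

```powershell
# Added example: audit (and, with -Remove, clean up) the ODIN ransom-note
# artifacts listed in the manual steps. Run as the affected user, because
# both registry locations are under HKCU.
param([switch]$Remove)   # assumption: switch name chosen for this example

# Steps 4-8: registry values that may point at the ransom-note wallpaper.
$wallpaperValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers'
       Name = 'BackgroundHistoryPath0' },
    @{ Path = 'HKCU:\Control Panel\Desktop'
       Name = 'WallPaper' }
)

foreach ($v in $wallpaperValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    $data = $item.($v.Name)
    # Only touch the value when it references the ransom-note bitmap.
    if ($data -like '*_HOWDO_text.bmp') {
        Write-Output "Registry: $($v.Path)\$($v.Name) = $data"
        if ($Remove) {
            # Step 6: erase the value data, keep the value itself.
            Set-ItemProperty -Path $v.Path -Name $v.Name -Value ''
        }
    }
}

# Steps 10-12: note files in %Temp%\MicroImageDir.
# Assumption: "[2 random numbers]" is a run of digits between underscores.
$notePattern = '^(_\d+)?_HOWDO_text\.(html|bmp)$'
$noteDir = Join-Path $env:TEMP 'MicroImageDir'

if (Test-Path -LiteralPath $noteDir) {
    Get-ChildItem -LiteralPath $noteDir -File |
        Where-Object { $_.Name -match $notePattern } |
        ForEach-Object {
            Write-Output "File: $($_.FullName)"
            if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
        }
} else {
    Write-Output "Folder not present: $noteDir"
}
```

Run it once without -Remove and review the output first, since the ransom notes should be kept until you have decided what to do next.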

In non-techie terms:

ODIN Ransomware is a version of the malicious Locky Ransomware, and it is incredibly malicious. This threat can lock your files by encrypting and renaming them. Unfortunately, removing the ransomware does not help with the decryption of the files. In order to decrypt them, you need a decryption key, but retrieving it is difficult. You are requested to pay a ransom in Bitcoins, but even if you do, there are no guarantees that this would work and grant you access to the decryption tool. Unfortunately, this means that you might lose your files, as well as your savings. Hopefully, backups exist, and you can delete ODIN Ransomware without further hesitation.