Odin ransomware takes over from Zepto and Locky

Thanks to Fraser Howard and Dorka Palotay of SophosLabs for their behind-the-scenes work on this article.

First it was Locky, then it morphed into Zepto, and now it’s become Odin.

That’s the latest reinvention of the Locky-turned-Zepto strain of ransomware.

If you’re unfortunate enough to get hit by this one, you’ll see its Locky heritage as soon as you reach the Dark Web “buy page” where the crooks tell you how to pay their extortion demand.

(Sophos products block this malware as Troj/Locky-NP, another reminder of its Locky roots.)

You don’t need to be able to understand English to get the message, because the crooks are offering localised “buy page” advice in many languages:

So far, we’ve only seen Odin pushed out by email, with a vaguely grammatical English text body telling you that your order has been processed, and a ZIP attachment that claims to contain the order itself:

If you open the email, you’ll see two files, one of which claims to be a cancellation form.

The other item in the ZIP is a dummy file with a single-letter filename that contains a random byte repeated a few thousand times, presumably to make things look a little different from ransomware you may have seen before:

When we opened the ZIP on Windows 10, the dummy file did not show up, but a file looking very much like a text document called Cancellation Form did:

Just like many other recent malware samples, including Zepto, the cancellation form that the crooks want you to open is a JavaScript program.

When opened outside your browser, the Cancellation Form malware file isn’t limited by the browser’s sandbox, so it can download and launch the Odin ransomware program without popping up any warning dialogs.

As we’ve recommended regularly before, you can give yourself a better chance of spotting this sort of treachery by using File Explorer’s View | File name extensions option to reveal extensions that are otherwise suppressed:

(If you’re on a company network, your sysadmins can turn on File name extensions for everyone using a Microsoft Group Policy setting.)

Opening the Cancellation Form runs the first stage of the Odin malware, which:

  • Unscrambles its own JavaScript to produce a second obfuscated JavaScript program.
  • Runs the second JavaScript stage to download a scrambled DLL (a special form of Windows program).
  • Unscrambles the downloaded DLL.
  • Loads and runs the DLL using the Windows utility rundll32.exe.

At this point, the ransomware component of Odin is active, and file encryption starts:

Just as with Zepto, each data file is encrypted using AES with a randomly chosen key, and each file’s AES key is encrypted with an RSA public key.

Remember that although AES is a symmetric algorithm, with the same key used to lock and unlock your data, the RSA algorithm uses two keys, one for locking (the public key), and the other for unlocking (the private key).

The reason for using a two-layer encryption system of this sort, with a symmetric cipher for the bulk shrouding of files, followed by asymmetric (public key) encryption for shrouding the symmetric keys, is performance. Public key cryptography is thousands of times slower than symmetric encryption.

Because the crooks have the only copy of the RSA private key, and because the AES key used for each file is only ever saved to disk after it has been locked with the corresponding RSA public key…

…then only the crooks can unlock the keys needed to unlock your files, and that’s why they feel confident to squeeze you for $300 to buy back access to your data:
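The two-layer scheme in miniature, as an added Go example that is not Sophos's code and not a reconstruction of Odin itself: every file gets its own random AES-256 key, and only that 32-byte key goes through the slow RSA step, so whoever holds the RSA private key (and nobody else) can unwrap the file keys. AES-GCM and RSA-OAEP, the names Locked, lockFile, unlockFile and newKeyPair, and the sample text are all assumptions for the demonstration; the article does not say which modes or padding Odin uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is one file under the article's two-layer scheme: body under a fresh AES key, that key under RSA.
type Locked struct {
	WrappedKey  []byte // the per-file AES key after RSA-OAEP; only the RSA private key unwraps it
	Nonce, Body []byte // AES-GCM nonce and ciphertext of the original data
}

// must panics on error: acceptable in a demonstration, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKeyPair makes a 2048-bit RSA pair; in the attack only the public half ever reaches the victim.
func newKeyPair() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
// aead builds AES-256-GCM around a 32-byte key.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// lockFile: bulk data under a random AES key (fast), then the 32-byte key under RSA (slow, tiny input).
func lockFile(pub *rsa.PublicKey, data []byte) *Locked {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Body: aead(key).Seal(nil, nonce, data, nil)}
}
// unlockFile needs the matching RSA private key; any other key fails at the unwrap step.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, l.Nonce, l.Body, nil)
}
func main() {
	crook := newKeyPair() // the private half never leaves the attacker
	l := lockFile(&crook.PublicKey, []byte("constructed sample document"))
	fmt.Println(string(must(unlockFile(crook, l))))
}
```

The defender's takeaway is in unlockFile: with the wrapped key and ciphertext alone there is nothing to brute-force, which is why offline backups, not key recovery, are the realistic way back.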

As has become common in ransomware attacks, the crooks not only open a file in your browser, but also change your wallpaper to an image that makes sure you know where to go to pay the extortion money:

What to do?

We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.

Here are some links we think you’ll find useful:
