July 2016 gave many computer users a lot of problems, as cyber-criminals ramped up their efforts to cause trouble. Fortunately, the new developments are not all bad, as IT security researchers were not idle, either, and as a result of the efforts of BloodDolly, victims of 'ODCODC' Ransomware attacks can finally recover their encrypted files.
What is 'ODCODC' Ransomware?
'ODCODC' Ransomware is what security experts might call by-the-book ransomware. It is a threat that targets machines running MS Windows almost exclusively, and uses a wide variety of infection vectors – from spam e-mail attachments to drive-by downloads, to being dropped onto a device by exploit kits and freeware 'bundles'. Much like any other piece of ransomware, once 'ODCODC' Ransomware infects a device, it runs in the background and encrypts all of the user's relevant files, claiming to use RSA-2048. Files targeted by 'ODCODC' Ransomware for encryption include any and all files with the following extensions:
.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .7z, .accdb, .accdc, .accde, .accdr, .accdt, .act, .adp, .ai, .arw, .asf, .asm, .asp, .asx, .avi, .backup, .bak, .bay, .bdb, .bik, .blend, .bmp, .c, .cdr, .cdr3, .cdr4, .cdr6, .cdrw, .cfg, .cgm, .ckp, .class, .cpp, .cr2, .cs, .csv, .db, .db3, .dbf, .dc2, .dcs, .ddoc, .dds, .design, .dgc, .djvu, .doc, .docm, .docx, .dot, .dotx, .drw, .dt, .dwg, .dxb, .dxf, .eps, .erf, .fdb, .flac, .fpx, .h, .hbk, .hpp, .iiq, .indd, .java, .jpe, .jpeg, .jpg, .kdc, .key, .m4v, .max, .mdb, .mdf, .mos, .mov, .mp3, .mp4, .mpg, .MYD, .nrw, .ns2, .ns3, .ns4, .nyf, .obj, .odb, .ods, .odt, .orf, .otg, .ott, .pages, .pas, .pcd, .pct, .pdb, .pdd, .pdf, .pfx, .php, .pl, .pps, .ppt, .pptm, .pptx, .ps, .psd, .ptx, .py, .r3d, .rar, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .sdf, .sql, .sqlite, .sqlilte3, .sqlitedb, .sr2, .srw, .stw, .stx, .svg, .swf, .sxd, .sxg, .sxw, .tex, .tga, .thm, .txt, .vdb, .veg, .wmv, .wpd, .wps, .x3f, .xls, .xlsm, .xlsx, .zip
The files that 'ODCODC' Ransomware manages to get its hands on are encrypted, renamed to the pattern %emailaddress%-%[originalfilename]%, and given the extension '.odcodc', which is where the threat gets its name. After 'ODCODC' Ransomware has finished encrypting all the files, it places a ransom note on the desktop of the infected device. In some instances, folders containing encrypted files have been observed to disappear from the machine in question. The 'ODCODC' Ransomware note is pretty standard, as far as ransom notes go – it threatens the user and instructs him or her to pay a ransom in Bitcoin. The full message reads as follows.
Your personal files are encrypted!
What happened to your files?
All of your files were protected by a strong encryption with RSA-2048. https://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you cant restore them.
What to do?
We can recover your files. You can trust us, for proof of this we can decrypt some your files for free.
How to contact you?
Write us to email: email@example.com
(The Russian half of the note, translated:)
Your personal files are encrypted!
What happened to the files?
All of your files have been protected with the cryptographically strong RSA-2048 algorithm. https://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean?
It means that the structure and content of your files have undergone irreversible changes; you cannot work with them, read them or view them, which is the same as losing them for good, but with our help you can restore all of them.
What should I do?
We can fully restore access to your files. You can trust us; we can prove the honesty and seriousness of our intentions by decrypting a few files for free.
How do I contact you?
Write to us at: firstname.lastname@example.org
The only thing that differentiates ODCODC's message from most ransom notes is that it is bilingual, containing instructions in both English and Russian. However, the broken grammar and clumsy language used in the note suggest that the person who wrote it is not a native speaker of either language. It has been theorized that the cyber-criminal in question operates from Ukraine, but that hypothesis is yet to be proven. Interestingly enough, corresponding with the cyber-criminals via the address provided in the ransom note did not bring IT security specialists any closer to uncovering the identities of the attackers.
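The rename pattern described above (attacker e-mail address, a hyphen, the original file name, then the '.odcodc' extension) is enough to triage a file listing during incident response: which files are already encrypted, which at-risk file types were not touched, and which contact address the attacker embedded. The following Python script is an added example written for this article, not code from the original page or from BloodDolly's decrypter; the file listing is constructed, the e-mail address in it is a placeholder, and the extension set is a subset of the list above. It assumes the separating hyphen is the first one after the '@', so it tolerates hyphens in original file names but not in the e-mail domain.

```python
"""Triage helper for files renamed by 'ODCODC' ransomware (added example).

Assumption (labelled): the rename pattern is taken literally as
<attacker e-mail>-<original file name>.odcodc, as described in the article.
"""
import re
from collections import Counter

# Subset of the targeted extensions listed in the article; extend as needed.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg", ".txt",
    ".sql", ".db", ".zip", ".py", ".myd",
}

# Assumption: the separator is the first hyphen after the '@', so hyphens in
# the original name are fine but a hyphenated e-mail domain would not match.
ODCODC_NAME = re.compile(
    r"^(?P<email>[^@/\\\s]+@[^@/\\\s-]+)-(?P<original>.+)\.odcodc$",
    re.IGNORECASE,
)

# Constructed file listing with a placeholder attacker address.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/attacker@example.com-budget.xlsx.odcodc",
    "C:/Users/alice/Documents/attacker@example.com-thesis-draft.docx.odcodc",
    "C:/Users/alice/Pictures/attacker@example.com-holiday.jpg.odcodc",
    "C:/Users/alice/Pictures/holiday2.JPG",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Desktop/readme.html",
    "C:/Windows/System32/kernel32.dll",
]


def file_extension(name: str) -> str:
    """Return the lower-cased final extension of a file name ('' if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def parse_odcodc_name(name: str):
    """Split an ODCODC-renamed file into attacker e-mail and original name.

    Returns None when the name does not follow the pattern.
    """
    m = ODCODC_NAME.match(name)
    if not m:
        return None
    original = m.group("original")
    return {
        "email": m.group("email"),
        "original": original,
        "original_ext": file_extension(original),
    }


def triage(paths):
    """Classify a listing into encrypted files, untouched at-risk files and
    the attacker addresses seen, so responders know what to restore."""
    encrypted, at_risk, emails = [], [], Counter()
    for path in paths:
        # Work on the bare file name; accept Windows or POSIX separators.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        parsed = parse_odcodc_name(name)
        if parsed:
            encrypted.append(parsed["original"])
            emails[parsed["email"]] += 1
        elif file_extension(name) in TARGETED_EXTENSIONS:
            at_risk.append(name)
    return {
        "encrypted": encrypted,
        "encrypted_count": len(encrypted),
        "at_risk": at_risk,
        "emails": emails,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(f"encrypted: {report['encrypted_count']} file(s)")
    for original in report["encrypted"]:
        print(f"  {original}")
    print(f"untouched at-risk files: {report['at_risk']}")
    print(f"attacker addresses: {dict(report['emails'])}")
```

The "encrypted" list is the set of originals to look for in shadow copies or to feed to a decrypter; the "emails" counter is worth keeping as an indicator for mail filtering and for correlating cases.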
How Users Dealt with 'ODCODC' Ransomware in the Past
While it is an undisputed fact that 'ODCODC' Ransomware is a nasty piece of malware that should not have been underestimated even before BloodDolly's contribution, it was not infallible back then, either. For one, simple precautions – such as not opening suspicious e-mails and not browsing suspicious sites – reduced the risk of an 'ODCODC' Ransomware infection dramatically. Additionally, because of its relatively low level of code obfuscation, many legitimate anti-malware and anti-spyware programs were able to pick out the threat easily enough. Furthermore, 'ODCODC' Ransomware does not lock the desktop, so the user can remove it from a device by downloading an anti-malware program, or by cleaning the registry manually and removing its entries from the following registry keys:
Finally, although 'ODCODC' Ransomware's encryption was quite thorough, and the files it left behind were completely unusable to the victim, this particular piece of malware did nothing to delete the shadow copies that Windows keeps of files through its Volume Shadow Copy service. By accessing those shadow copies, computer users were able to recover many of the files that 'ODCODC' Ransomware had encrypted.
BloodDolly's 'ODCODC' Ransomware Decryption Tool Makes Things Easier
In order to encrypt the files on a device, 'ODCODC' Ransomware downloads a unique encryption key from a Command & Control server. Fortunately, if the encryption is performed while the computer is offline, 'ODCODC' Ransomware falls back to one of its 200 static, embedded encryption keys. Undoing the encryption is still a bothersome process, but one that an experienced IT specialist can reverse. Additionally, thanks to the efforts of BloodDolly, there is now also an application that can decrypt files that 'ODCODC' Ransomware has encrypted.
To prevent an 'ODCODC' Ransomware infection, a user needs to maintain a healthy dose of suspicion and caution regarding his or her e-mails and the sites visited. It is also wise to keep an up-to-date anti-malware application running. If 'ODCODC' Ransomware does manage to infect a device, it is advisable for the user to install an adequate malware removal tool or contact an experienced IT specialist to eradicate the infection completely. Once that is done, the encrypted files can be recovered from shadow volume copies or by using the dedicated decryption tool that BloodDolly has provided free of charge. It goes without saying that actually paying the ransom the cyber-criminals demand in return for the encrypted data is extremely ill-advised.