
Odveta Ransomware

By GoldSparrow in Ransomware

Cybercriminals have developed a new ransomware threat dubbed Odveta Ransomware. The Odveta Ransomware is a variant of the Zeropadypt Ransomware.

Propagation and Encryption

There are several propagation methods that authors of ransomware threats tend to utilize. Among them are bogus application downloads/updates, fake pirated copies of popular software tools, mass malvertising campaigns, and several others. However, the most popular infection vector is likely to be spam email. The user receives an email carrying a fake message that tries to convince them to open the attached file; the attachment is malicious and compromises the user's system once it is launched. As soon as it lands on the targeted PC, the Odveta Ransomware performs a quick scan to locate the files of interest. It is likely to encrypt almost every file present on the system, as data-locking Trojans are often programmed to target as many file types as possible to ensure maximum damage. By the time the encryption process has completed, documents, images, videos, audio files, archives, spreadsheets, presentations and other files are unusable without the decryption key. Each build of the Odveta Ransomware appends an extension to the names of the locked files that embeds the attackers' contact address and the victim's ID. Some of the reported extensions so far include:

  • '.Email=[Honeylock@protonmail.com]ID=[VICTIM ID].odveta'
  • '.Email=[OdvetaSupport@elude.in]ID=[VICTIM ID].odveta'
  • '.Email=[luciferenc@tutanota.com]ID=[VICTIM ID].odveta'
  • '.Email=[Recoveryhelp2019@protonmail.com]ID=[VICTIM ID].odveta'

Odveta ransomware has popped up in several industrial networks as part of targeted attacks designed to steal confidential information. The ransomware does not use an automated propagation method the way some other malware does; cybercriminals deliver it in targeted attacks against specific victims. The threat creates a ransom note, which it places in folders containing encrypted files and on the desktop. This note tells victims where they can buy Bitcoin and how they can use the cryptocurrency to pay the ransom.

Odveta falls into the King Ouroborous family of ransomware. King Ouroborous is based on the open-source ransomware CryptoWire. Odveta differs from other members of its family in that it uses RSA and AES-256 together rather than AES alone: files are encrypted with a per-victim AES key, and that key is in turn encrypted with the attackers' RSA public key. By taking this approach, the ransomware corrects a weakness seen in earlier versions, all of which had a flaw that allowed files to be decrypted without paying. No such flaw exists when RSA and AES are combined like this, because recovering the AES key requires the RSA private key, which only the attackers hold. Security experts have yet to produce a public decryptor for Odveta.

Odveta Infection Methods

The ransomware spreads through the use of email spam campaigns, infected torrents, and malicious web ads. Hackers also distribute Odveta through the BlueKeep RDP exploit.

The first thing the ransomware does is create a unique ID to identify the victim. The ID is sent to the C&C server along with the encryption key. The attackers can use this key to decrypt a file and show the victim that they can do what they claim: victims can email the attacker an encrypted file and receive the decrypted file back.

This method is standard. It reassures a victim that the attacker is genuine and means what they say. It is no guarantee that they will deliver the decryption tool, though, or that such a tool will even work. Never pay the ransom; turn to backups and data recovery programs to get your data back.

The Ransom Note

The Odveta Ransomware drops a ransom note as soon as it completes encryption. The ransom message from the creators of this Trojan is located in a file called 'Unlock-Files.txt' or 'HowToDecrypt.txt.' In the note, the attackers outline deadlines that must be met so that the ransom fee does not double or triple; however, each copy of the Odveta Ransomware sets different deadlines for its victims. The ransom fee has to be paid in cryptocurrency, as this helps the attackers protect their identity. Different variants of the Odveta Ransomware have provided users with different contact emails – 'restoredata@airmail.cc,' 'honeylock@protonmail.com,' 'honeylock@cock.li,' 'odvetasupport@elude.in,' 'luciferenc@tutanota.com,' 'recoveryhelp2019@protonmail.com,' etc.

The ransom note reads:

Your Files Has Been Locked
They Cant Get Restore or Decrypted Without Decryption Key + Tool
You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double
And after 1 week it will be triple Try to Contact late and You will know
You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool
The Payment Should Be with Cryptocurrerries Like Bitcoin(BTC) Send Email t the Price And Do an Agreement

Our Email: Encoder.Russian@protonmail.com
in Case , No Answer Contact : Decrypt.Russ@protonmail.com
Your Id: 3VQICI.M5L4PN63T
You Can Learn How to Buy Bitcoin From This links Below
https : //localbitcoins .com/buy_bitcoins https : //www. coindesk . com/information/how-can-i -buy-bitcoins

Do not give in to the demands of cyber crooks. If you pay them, your money will fund their future criminal activities. Furthermore, users who pay the ransom fee often do not receive the decryption tool they need. Instead, obtain a legitimate anti-virus application that will clear your system of the Odveta Ransomware, then restore your files from backups.

Keep in mind that Odveta does not propagate itself automatically. It is delivered with hacking tools and dropped onto computers by the attackers. As long as you practice good online habits, you should be reasonably safe: do not download anything from suspicious sources or emails, use legitimate software and updates to avoid infections, and keep a good-quality antivirus program for extra protection. Your computer, and your wallet, will thank you for it.
