Odveta ransomware

Odveta ransomware – a file locking virus that attacks hospitals and other establishments via insecure RDP connections

Odveta ransomware
Odveta ransomware is a computer virus that has multiple variants and uses the RSA + AES encryption algorithms to lock up files on the machine

Odveta ransomware is a type of malware whose goal is to make users pay a predetermined sum of money for data locked on a computer or a network. To do so, it employs the sophisticated encryption algorithms RSA + AES-256,[1] and appends the .odveta marker to each file once the process is complete. None of the data is accessible, as users need to acquire a unique set of keys to unlock it. Sadly, these are held hostage by cybercriminals who demand a ransom in Bitcoin in exchange for the Odveta ransomware decryptor.

To ensure that victims of the Odveta virus know what happened to their computers, the hackers deliver a ransom note named HowToDecrypt.txt or Unlock-Files.txt. It asks users to contact them via [email protected], [email protected], or other emails (depending on the version) to negotiate the payment. Additionally, the Odveta ransomware developers state that the ransom will increase steadily if it is not paid within a certain time (two days, one week, etc.).

Odveta ransomware is one of the variants of Ouroboros ransomware (also known as Zeropadypt ransomware), which was not capable of proper encryption. In any case, the cybercriminals behind the strain are known to fail to deliver a working decryptor to victims who paid the ransom, so security experts highly discourage doing so.

Name: Odveta ransomware
Type: File locking virus, cryptomalware
Malware family: Ouroboros/Zeropadypt ransomware family
First spotted: October 2019
Encryption algorithm: All non-system and non-executable files are encrypted with AES + RSA ciphers
File extension: Each affected file name is modified in the following pattern: filename.original_extension.Email=[email]ID=[id].odveta
Ransom note: HowToDecrypt.txt, Unlock-Files.txt, or a similar text file is dropped into each affected folder
Contact emails: [email protected], [email protected], [email protected], and others (the address depends on the variant)
Decryption possibilities: You should not pay the ransom, as the criminals are known to fail to deliver the decryptor to victims. Instead, you could try BloodDolly's free decryption tool [download link] or the methods described in the bottom section of this article
Malware removal: Download and install anti-malware software and perform a full system scan (if required, access Safe Mode with Networking to run the scan)
System fix: If your system lags, randomly shuts down, returns errors or BSODs, or suffers from other issues after malware removal, scan it with Reimage Intego to fix virus damage
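The file-name pattern and ransom-note names above are enough to triage an affected share before anything is modified. The following Python helper is an added example (not the article's or any decryptor's code): it recognises the pattern, recovers the original file name, and tallies the attacker address and victim ID per file; the sample listing, the address attacker@example.com and the ID ABC123 are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Naming pattern quoted in the article: filename.original_extension.Email=[email]ID=[id].odveta
# E-mail and ID vary per variant, so they are matched loosely; the original
# extension is optional so that files that never had one are still recognised.
ODVETA_NAME = re.compile(
    r"^(?P<stem>.+?)(?:\.(?P<orig_ext>[^.]+))?"
    r"\.Email=\[(?P<email>[^\]]+)\]ID=\[(?P<victim_id>[^\]]+)\]\.odveta$",
    re.IGNORECASE,
)
# Ransom note names given in the article, compared case-insensitively.
RANSOM_NOTES = {"howtodecrypt.txt", "unlock-files.txt"}

@dataclass(frozen=True)
class EncryptedFile:
    encrypted_name: str
    original_name: str
    email: str
    victim_id: str

def parse_odveta_name(name: str) -> Optional[EncryptedFile]:
    """Return the parsed fields if `name` follows the Odveta pattern, else None."""
    m = ODVETA_NAME.match(name)
    if not m:
        return None
    original = m["stem"] if m["orig_ext"] is None else f"{m['stem']}.{m['orig_ext']}"
    return EncryptedFile(name, original, m["email"], m["victim_id"])

def triage(names):
    """Read-only summary of a directory listing: encrypted files, ransom notes
    present, and the attacker e-mails / victim IDs seen (several variants may hit)."""
    encrypted = [f for f in map(parse_odveta_name, names) if f is not None]
    return {
        "encrypted": encrypted,
        "ransom_notes": [n for n in names if n.lower() in RANSOM_NOTES],
        "emails": Counter(f.email for f in encrypted),
        "ids": Counter(f.victim_id for f in encrypted),
    }

# Constructed sample listing; the address and ID are placeholders, not real indicators.
SAMPLE_LISTING = [
    "report.docx.Email=[attacker@example.com]ID=[ABC123].odveta",
    "budget.xlsx.Email=[attacker@example.com]ID=[ABC123].odveta",
    "README.Email=[attacker@example.com]ID=[ABC123].odveta",  # no original extension
    "notes.txt",  # untouched file, must not match
    "Unlock-Files.txt",
]
```

Running `triage(os.listdir(path))` over a real folder only reads names, so it is safe to do before the backup step the article recommends.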

The malware family that Odveta ransomware belongs to was first released in April 2019 and initially did not encrypt any files on the system (despite threat actors claiming so in the ransom note) but rather replaced all file contents with zeros, corrupting the data in the process.

Nevertheless, several new versions were released over time (Zeropadypt NextGen, Kronos, Limbo, and others), and it seems the crooks learned how to use cryptography properly along the way. While this variant uses a secure encryption method, a tool released by BloodDolly might be able to help recover data for free. However, you first have to remove Odveta ransomware from your system; employ anti-malware software that can detect the infection for that.[2]

Odveta ransomware is known to be mostly delivered over weakly protected Remote Desktop connections to institutions in plane manufacturing, healthcare, and other industries. Additionally, the malware can also attack regular users, who mostly get infected after downloading software cracks and pirated program installers.

Nevertheless, Odveta ransomware may also be distributed using the following methods:

  • Malicious spam email attachments and embedded hyperlinks
  • Exploits and software vulnerabilities[3]
  • Repacked software
  • Fake updates
  • Malicious links on social media, etc.

Before the Odveta virus begins encrypting data, it performs several changes to the Windows OS. For example, it places executables into the AppData, Temp, User, or other folders, modifies the Windows registry, deletes Shadow Volume Copies, creates new processes, executes shell commands, etc. These modifications might create difficulties after Odveta ransomware removal, as the system may start malfunctioning and crash, lag, return errors, etc. To fix these issues, you can employ tools like Reimage Intego.

Odveta ransomware virus
Odveta ransomware is a file locking virus that stems from Ouroboros/Zeropadypt ransomware family

Since the .odveta extension is used by many different versions of Ouroboros, the crooks use many different contact emails, ransom note names, compound extensions, etc. Therefore, depending on the version of the virus, you might be asked to contact the crooks via different emails, and ransom sums may vary significantly.

Here is one example of the Odveta ransom note you may receive once infected, Unlock-Files.txt:

All Your Files Has Been Locked
They Cant Get Restore or Decrypted Without Decryption Key + Tool
You Have 2days to Decide to Pay
after 2 Days Decryption Price will Be Double
And after 1 week it will be triple Try to Contact late and You will know
You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool
The Payment Should Be with Cryptocurrencies Like Bitcoin(BTC) Send Email to Know the Price And Do an Agreement

Our Email: [email protected]

Your Id:

You Can Learn How to Buy Bitcoin From This links Below

As mentioned above, paying the cybercriminals behind the Odveta file virus is not recommended, as you are highly likely to lose the money as well. Besides, by paying the ransom, you only encourage the crooks to develop the malicious code further, complicating recovery for other victims. Instead, you should employ the existing free decryptor or apply the alternative recovery methods listed below.

Before you do that, however, you should back up all the encrypted data; this is relevant to those who do not have backups that could be used to restore files. If you do not copy the locked files before trying the recovery, you might lose access to them forever. Once this is done, run a full system scan with anti-malware to get rid of Odveta ransomware.

Tips on avoiding ransomware infections

Currently, ransomware development and infection rates are on the rise: more cybercriminal gangs are delivering new malware strains, and new versions emerge every day. The growth of ransomware can be attributed to its lucrative nature: by infecting thousands of users or high-profile organizations, hackers receive large sums of money even if only a fraction of the affected pay. In the meantime, the users lose their files and money permanently, as terminating the malware does not recover the encrypted data.

Odveta ransomware encrypted files
Some versions of Odveta ransomware might be decryptable – try a free decryption tool by BloodDolly

Therefore, it is important not to get infected in the first place. Users who have to deal with file locking malware are usually doing so for the first time and have not taken warnings from cybersecurity experts seriously. Here are a few tips that will help you repel many different infections:

  • Never download software cracks or pirated application installers; these are typically booby-trapped with malware;
  • If using a Remote Desktop connection, make sure it is protected by a strong password. Additionally, do not use the default TCP/UDP port 3389, and use a VPN for extra protection;
  • When accessing your inbox, carefully filter out malicious emails. Those with attachments (.zip, .exe, .pdf) pose the highest risk, so never allow macros to run when asked (“Allow content”). Additionally, do not click hyperlinks that look official; hover the mouse over them to see the real destination first;
  • Always update the software installed on your machine, along with the operating system, as soon as new patches are shipped;
  • Employ sophisticated anti-malware software with a real-time protection feature;
  • Back up your files on a regular basis; this will negate most of the negative effects of a ransomware infection.

Take control of your PC back by removing Odveta ransomware

Despite popular belief, Odveta ransomware removal should not be performed immediately. Once inside the system, the malware modifies files in such a way that its termination may permanently damage the data, and even a working decryption tool may no longer help. Thus, first copy all the locked files to a remote server or an external drive, such as a USB flash drive. Nevertheless, if you have backups that could be used to restore all the locked files, do not hesitate and remove Odveta ransomware immediately.

To get rid of the Odveta virus, perform a full system scan with anti-malware software such as SpyHunter 5, Combo Cleaner, Malwarebytes, or another powerful tool. If the malware is tampering with your security software, access Safe Mode with Networking and run a full scan from there.

Finally, you can connect your backups and recover the encrypted data. If you do not have them prepared, employ the methods we provide below.

Reimage Intego has a free limited scanner. Reimage Intego offers a more thorough scan when you purchase its full version. When the free scanner detects issues, you can fix them using free manual repairs, or you can decide to purchase the full version to fix them automatically.

Remove Odveta using Safe Mode with Networking

If you need to access Safe Mode with Networking to eliminate Odveta file virus properly, follow these steps:

  • Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.
  • Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to your ransomware to complete Odveta removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Odveta using System Restore

Bonus: Recover your data

The guide presented above is supposed to help you remove Odveta from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Odveta, you can use several methods to restore them:

Data Recovery Pro method might be successful

Data recovery tools may sometimes be able to retrieve working copies of your files from the HDD. Thus, the less you use your machine after the infection, the higher the chances of it being successful.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Odveta ransomware;
  • Restore them.

Make use of Windows Previous Versions feature

If you had System Restore enabled before the attack, you might be able to restore files one by one.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer can sometimes recover your data for free

If the virus failed to delete Shadow Volume Copies, this tool should be able to help you.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk with your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try using Ouroboros decoder

Ouroboros decoder [download link], provided by security expert BloodDolly, might work for some variants of Odveta ransomware.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Odveta and other ransomware, use a reputable anti-spyware program such as Reimage Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes.

This entry was posted on 2020-03-17 at 06:27 and is filed under Ransomware, Viruses.