ODIN Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 1202
Category: Trojans

ODIN Ransomware is a variant of Locky Ransomware. It does not differ much from other variants of Locky Ransomware, but it uses a new filename extension .ODIN instead of .ZEPTO or .LOCKY. This variant has been released recently by cyber criminals, but it is already rather prevalent, so you have to be careful. If you ever notice that all your personal files contain a new filename extension, your Desktop background is changed without your consent, and you can locate new .html and .bmp files, it means that you have failed to protect your system from harm. In most cases, such serious computer infections infect computers which do not have a reputable antimalware tool installed on their PCs. Also, threats can quickly appear on the computer if users are not careful at all as well because, as recent research has shown, they allow malicious software to enter their computers themselves by, for example, opening an attachment they have found in a spam email.

ODIN Ransomware has also been developed to obtain money from uses, so it locks all the files it finds on the computer, including .crw, .bay, .bank, .max, .pdf, .doc, .docx, .ppt, .xls, .exf, .drf, .dng, .wma, .mpeg, and other valuable files. It means that the file is encrypted if it has the .ODIN extension. The presence of a new filename extension is one of the major but definitely not the only symptom that indicates that ODIN Ransomware has successfully infiltrated the computer. Users who get infected with this ransomware also detect three new files on their screens: _HOWDO_text.html, _[number]_HOWDO_text.html, and HOWDO_text.bmp. These files work as ransom notes, for example, if you open one of the .html files, you will immediately notice a message that informs users that all their files have been encrypted with RSA-2048 and AES-128 ciphers. There are Wikipedia links placed there so that users could find out more about these encryption methods too. In addition, it is said that the private key and decryptor are hidden on a secret server to convince users that it is impossible to get them for free. Finally, you will find there two links that can be opened with the Tor Browser only. They lead to a website that contains information on how to decrypt files. Like other versions of Locky Ransomware, ODIN Ransomware demands a ransom. The amount of money it asks users to pay is really huge – 3 Bitcoins (approximately 1800 dollars). It is not worth making a payment to cyber criminals when nobody knows whether they really have the decryption tool. Also, as experience of specialists working at 411-spyware.com shows, it is risky to transfer the money because cyber crooks might not send the decryption key even though they really have it.

As you can see, ransomware infections might destroy your all files, so you should be careful in order not to allow a similar infection to enter the computer in the future. Researchers have managed to reveal that many ransomware infections are distributed via spam email attachments, so you should ignore the spam mail folder completely. ODIN Ransomware has probably entered your computer because you have double-clicked on the WS (Windows Script) or JS (Java Script) file that has been sent to you as an attachment in a spam email. Once a user clicks on one of these script files, the DLL installer is downloaded. Then, the Windows program Rundll32.exe is used to launch dll files. When ODIN Ransomware is finally inside the computer, it starts encrypting files immediately, so you will notice quickly that it is inside your computer.

You have to remove ODIN Ransomware as soon as possible even though your personal files will not be decrypted for you. To erase it fully, you have to remove the malicious file that has been sent to you in a spam email, remove .html and .bmp files from Desktop, and change the Desktop wallpaper. If you need help with the manual ODIN Ransomware removal, you should use our manual removal instructions (you will find them below the article). What else you can do to erase this threat quicker is to scan your computer with an automatic malware remover, such as SpyHunter. Feel free to download the free version of this scanner from our website.

How to delete ODIN Ransomware

  1. Locate the malicious WS or JS file you have opened (it might be on Desktop, in the Downloads folder, or somewhere else).
  2. Delete it.
  3. Open the Registry Editor (tap Win+R and enter regedit.exe in the box).
  4. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
  5. Right-click on the Value BackgroundHistoryPath0.
  6. Select Modify and empty the Value data field. Click OK.
  7. Open HKCU\Control Panel\Desktop.
  8. Right-click on the Wallpaper Value.
  9. Repeat the 6th step.
  10. Close the Registry Editor and press Win+E.
  11. Type %Temp%\MicroImageDir into the URL bar.
  12. Delete the file _HOWDO_text.bmp.
  13. Remove three files _HOWDO_text.html, _HOWDO_text.bmp, and _[number]_HOWDO_text.html from Desktop.
  14. Clear your Recycle bin.
Download Remover for ODIN Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

ODIN Ransomware Screenshots:

ODIN Ransomware
ODIN Ransomware
ODIN Ransomware


Your email address will not be published.


Enter the numbers in the box to the right *