Odveta virus Removal Guide
What is Odveta ransomware?
Odveta ransomware – a file locking virus that attacks hospitals and other establishments via insecure RDP connections
Odveta ransomware is a computer virus that has multiple variants and uses RSA + AES encryption algorithm to lock up files on the machine
Odveta ransomware is a type of malware goal of which is to make users pay a predetermined sum of money for locked data on the computer or a network. For that, it employs sophisticated encryption algorithms RSA + AES-256, and each of the files is appended with .odveta marker after the process is complete. None of the data is accessible, as users need to acquire a unique set of keys in order to unlock it. Sadly, these are held hostage by cybercriminals who are asking to pay a ransom in Bitcoin in exchange for Odveta ransomware decryptor.
To ensure that victims of Odveta virus know what happened to their computers, hackers deliver a ransom note named HowToDecrypt.txt or Unlock-Files.txt. It asks uses to contact them via email@example.com, Filedecryptor@protonmail.com, or other emails (depends on a version) for negotiations about the payment. Additionally, Odveta ransomware developers also state that the ransom size will increase steadily if it is not paid within a certain amount of time (two days, one week, etc.).
Odveta ransomware is one of the variants of Ouroboros ransomware/Zeropadypt ransomware, which was not capable of proper encryption. In any case, cybercriminals behind the strain are known to fail to deliver a working decryptor to victims who paid the ransom, so security experts highly discourage doing so.
|Type||File locking virus, cryptomalware|
|Malware family||This virus belongs to Ouroboros/Zeropadypt ransomware family|
|First spotted||October 2019|
|Encryption algorithm||All non-system and non-executable files are encrypted with the help of AES + RSA ciphers|
Each of the affected file name is modified in the following pattern: filename.original_extension.Email=[email]ID=[id].odveta. Examples of encrypted files:
|Ransom note||HowToDecrypt.txt, Unlock-Files.txt, or similar text file is droped into each of the affected file folders|
|Contact firstname.lastname@example.org, Recoveryhelp2019@protonmail.com, email@example.com, firstname.lastname@example.org, email@example.com, TeslaBrain@cock.li, Mr.TeslaBrain@protonmail.com, firstname.lastname@example.org, AdvancedBackup@protonmail.com, email@example.com, firstname.lastname@example.org, email@example.com, and others|
|Decryption possibilities||You should not try to pay the ransom to cybercriminals, as they are known to fail to deliver the decryptor to victims. Instead, you could try using BloodDolly's free decryption tool [download link] or make use of methods that we describe at the bottom section of this article|
|Malware removal||Download and install anti-malware software to perform a full system scan (if required, you can access Safe Mode with Networking to perform the scan)|
|System fix||In case your system lags, randomly shuts down, returns errors, BSODs and suffers from other issues after malware removal, scan your system with ReimageIntego to fix virus damage|
Malware family that Odveta ransomware belongs to was first released in April 2019, and initially did not encrypt any files on the system (despite threat actors claiming so in the ransom note) but rather replaced all the contents with zeros, corrupting data in the process.
Nevertheless, several new versions were released over time – Zeropadypt NextGen, Kronos, Limbo, and others – and seems like crooks learned how to use cryptography properly during the time. While this variant uses a secure encryption method, a tool released by BloodDolly might be able to help recover data for free. However, you have first to remove Odveta ransomware from your system – employ anti-malware software that can detect the infection for that.
Odveta ransomware is known to be mostly delivered with the help of weakly protected Remote Desktop connections to institutions in plane manufacturing, healthcare, and other industries. Additionally, malware can also attack regular users – mostly, they get infected after download software cracks and pirated program installers.
Nevertheless, Odveta ransomware may also be distributed using the following methods:
- Malicious spam email attachments and embedded hyperlinks
- Exploits and software vulnerabilities
- Repacked software
- Fake updates
- Malicious links on social media, etc.
Before the Odveta virus begins encrypted data, it will perform several changes to the Windows OS. For example, it will place executables into AppData, Temp, User or other folders, modify Windows registry, delete Shadow Volume Copies, create new processes, execute Shell commands, etc. These modifications might create difficulties after Odveta ransomware removal, as a system may start malfunctioning and crash, lag, return errors, etc. To fix these issues, you can employ tools like ReimageIntego.
Odveta ransomware is a file locking virus that stems from Ouroboros/Zeropadypt ransomware family
Since Odveta extension is used for many different versions of the Ouroboros, crooks use many different contact emails, ransom note names, compound extensions, etc. Therefore, depending on a version of the virus, you might be asked to contact crooks via different emails, and ransom sums may vary significantly.
Here is one of the examples of Odveta ransomware ransom note that you may receive once infected – Unlock-Files.txt:
All Your Files Has Been Locked
They Cant Get Restore or Decrypted Without Decryption Key + Tool
You Have 2days to Decide to Pay
after 2 Days Decryption Price will Be Double
And after 1 week it will be triple Try to Contact late and You will know
You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool
The Payment Should Be with Cryptocurrencies Like Bitcoin(BTC) Send Email to Know the Price And Do an Agreement
Our Email: RestoreData@airmail.cc
You Can Learn How to Buy Bitcoin From This links Below
As mentioned above, paying cybercriminals behind the Odveta file virus is not recommended, as you are highly likely to lose the paid money as well. Besides, by paying the ransom, you will only encourage crooks to develop the malicious code even further, complicating recovery for other victims. Instead, you should employ existing free decryptor or apply alternative recovery methods listed below.
Before you do that, however, you should backup all the encrypted data – this is relevant to those who do not have backups which could be used to restore files. In case you do not copy locked files before trying the recovery, you might lose access to them forever. Once this is done, you can then run a full system scan with anti-malware to get rid of the Odveta ransomware.
Tips on avoiding ransomware infections
Currently, ransomware development and the infection rate is on the rise – more cybercriminal gangs are delivering new malware strains, and new versions emerge every day. The growth of ransomware can be attributed to its lucrative nature – by infecting thousands of users or high profile organizations, hackers receive a high amount of money, even if just a fraction of the affected do so. In the meantime, the users lose their files and money permanently, as malware's termination does not retrieve the encrypted data.
Some versions of Odveta ransomware might be decryptable - try a free decryption tool by BloodDolly
Therefore, it is important not to get infected in the first place, although users who have to deal with file locking malware usually are doing it for the first time, and do not take warnings from cybersecurity experts seriously. Here are a few tips that would help you repel multiple different infections:
- Never download software cracks or pirated application installers – these are typically booby-trapped with malware;
- If using a Remote Desktop connection, make sure it is protected by a strong password. Additionally, do not use a default TCP/UDP port 3389 and employ VPN to increase protection;
- When accessing your inbox, make sure that you carefully filter out any malicious emails. The ones that include attachments (.zip, .exe, .pdf, .exe) can pose the highest risk – so never allow macros to run when asked (“Allow content”). Additionally, do not click on hyperlinks that might look official – hover the mouse to see the real destination first;
- Always update the software installed on your machine, along with the operating system as soon as new patches are shipped;
- Employ sophisticated anti-malware software with real-time protection feature;
- Backup your files on a regular basis – this will negate most of the negative effects of a ransomware infection.
Take control of your PC back by removing Odveta ransomware
Despite the popular belief, Odveta ransomware removal should not be performed immediately. Once inside the system, the malware modifies files in a way that its termination may permanently damage the data, and even a working decryption tool may not be helpful anymore. Thus, copy all the locked files over to a remote server or an external drive, such a USB flash. Nevertheless, if you have backups that could be used to restore all the locked files, do not hesitate and remove Odveta ransomware immediately.
To get rid of the Odveta virus from your system, you should perform a full system scan with the help of anti-malware software, such as SpyHunter 5Combo Cleaner, Malwarebytes, or another powerful tool. In case the malware is tampering with your security software, you can access Safe Mode with Networking and run a full scan from there.
Finally, you can connect your backups and recover the encrypted data. If you do not have them prepared, employ the methods we provide below.
Getting rid of Odveta virus. Follow these steps
Manual removal using Safe Mode
If you need to access Safe Mode with Networking to eliminate Odveta file virus properly, follow these steps:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Odveta using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Odveta. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove Odveta from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Odveta, you can use several methods to restore them:
Data Recovery Pro method might be successful
Data recovery tools may sometimes be able to retrieve working copies of your files from the HDD. Thus, the less you use your machine after the infection, the higher the chances of it being successful.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Odveta ransomware;
- Restore them.
Make use of Windows Previous Versions feature
If you had System Restore enabled before the attack, you might be able to restore files one-by-one.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer can sometimes recover your data for free
If the virus failed to delete Shadow Volume Copies, this tool should be able to help you.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Try using Ouroboros decoder
Ouroboros decoder [download link] provided by security expert BloodDolly might work for some variants of Odveta ransomware.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Odveta and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.