Odveta ransomware – a file locking virus that attacks hospitals and other establishments via insecure RDP connections

Odveta ransomware is a type of malware goal of which is to make users pay a predetermined sum of money for locked data on the computer or a network. For that, it employs sophisticated encryption algorithms RSA + AES-256,[1] and each of the files is appended with .odveta marker after the process is complete. None of the data is accessible, as users need to acquire a unique set of keys in order to unlock it. Sadly, these are held hostage by cybercriminals who are asking to pay a ransom in Bitcoin in exchange for Odveta ransomware decryptor.
To ensure that victims of Odveta virus know what happened to their computers, hackers deliver a ransom note named HowToDecrypt.txt or Unlock-Files.txt. It asks uses to contact them via josefrendal797@gmail.com, Filedecryptor@protonmail.com, or other emails (depends on a version) for negotiations about the payment. Additionally, Odveta ransomware developers also state that the ransom size will increase steadily if it is not paid within a certain amount of time (two days, one week, etc.).
Odveta ransomware is one of the variants of Ouroboros ransomware/Zeropadypt ransomware, which was not capable of proper encryption. In any case, cybercriminals behind the strain are known to fail to deliver a working decryptor to victims who paid the ransom, so security experts highly discourage doing so.
| Name | Odveta ransomware |
| Type | File locking virus, cryptomalware |
| Malware family | This virus belongs to Ouroboros/Zeropadypt ransomware family |
| First spotted | October 2019 |
| Encryption algorithm | All non-system and non-executable files are encrypted with the help of AES + RSA ciphers |
| File extension |
Each of the affected file name is modified in the following pattern: filename.original_extension.Email=[email]ID=[id].odveta. Examples of encrypted files:
|
| Ransom note | HowToDecrypt.txt, Unlock-Files.txt, or similar text file is droped into each of the affected file folders |
| Contact emails | fixallfiles@tuta.io, Recoveryhelp2019@protonmail.com, restoredata@airmail.cc, honeylock@protonmail.com, atarest0re@aol.com, TeslaBrain@cock.li, Mr.TeslaBrain@protonmail.com, josefrendal797@gmail.com, AdvancedBackup@protonmail.com, recover85@protonmail.com, unlock0101@protonmail.com, rdpmanager@airmail.cc, and others |
| Decryption possibilities | You should not try to pay the ransom to cybercriminals, as they are known to fail to deliver the decryptor to victims. Instead, you could try using BloodDolly's free decryption tool [download link] or make use of methods that we describe at the bottom section of this article |
| Malware removal | Download and install anti-malware software to perform a full system scan (if required, you can access Safe Mode with Networking to perform the scan) |
| System fix | In case your system lags, randomly shuts down, returns errors, BSODs and suffers from other issues after malware removal, scan your system with FortectIntego to fix virus damage |
Malware family that Odveta ransomware belongs to was first released in April 2019, and initially did not encrypt any files on the system (despite threat actors claiming so in the ransom note) but rather replaced all the contents with zeros, corrupting data in the process.
Nevertheless, several new versions were released over time – Zeropadypt NextGen, Kronos, Limbo, and others – and seems like crooks learned how to use cryptography properly during the time. While this variant uses a secure encryption method, a tool released by BloodDolly might be able to help recover data for free. However, you have first to remove Odveta ransomware from your system – employ anti-malware software that can detect the infection for that.[2]
Odveta ransomware is known to be mostly delivered with the help of weakly protected Remote Desktop connections to institutions in plane manufacturing, healthcare, and other industries. Additionally, malware can also attack regular users – mostly, they get infected after download software cracks and pirated program installers.
Nevertheless, Odveta ransomware may also be distributed using the following methods:
- Malicious spam email attachments and embedded hyperlinks
- Exploits and software vulnerabilities[3]
- Repacked software
- Fake updates
- Malicious links on social media, etc.
Before the Odveta virus begins encrypted data, it will perform several changes to the Windows OS. For example, it will place executables into AppData, Temp, User or other folders, modify Windows registry, delete Shadow Volume Copies, create new processes, execute Shell commands, etc. These modifications might create difficulties after Odveta ransomware removal, as a system may start malfunctioning and crash, lag, return errors, etc. To fix these issues, you can employ tools like FortectIntego.

Since Odveta extension is used for many different versions of the Ouroboros, crooks use many different contact emails, ransom note names, compound extensions, etc. Therefore, depending on a version of the virus, you might be asked to contact crooks via different emails, and ransom sums may vary significantly.
Here is one of the examples of Odveta ransomware ransom note that you may receive once infected – Unlock-Files.txt:
All Your Files Has Been Locked
They Cant Get Restore or Decrypted Without Decryption Key + Tool
You Have 2days to Decide to Pay
after 2 Days Decryption Price will Be Double
And after 1 week it will be triple Try to Contact late and You will know
You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool
The Payment Should Be with Cryptocurrencies Like Bitcoin(BTC) Send Email to Know the Price And Do an AgreementOur Email: RestoreData@airmail.cc
Your Id:
You Can Learn How to Buy Bitcoin From This links Below
As mentioned above, paying cybercriminals behind the Odveta file virus is not recommended, as you are highly likely to lose the paid money as well. Besides, by paying the ransom, you will only encourage crooks to develop the malicious code even further, complicating recovery for other victims. Instead, you should employ existing free decryptor or apply alternative recovery methods listed below.
Before you do that, however, you should backup all the encrypted data – this is relevant to those who do not have backups which could be used to restore files. In case you do not copy locked files before trying the recovery, you might lose access to them forever. Once this is done, you can then run a full system scan with anti-malware to get rid of the Odveta ransomware.
Tips on avoiding ransomware infections
Currently, ransomware development and the infection rate is on the rise – more cybercriminal gangs are delivering new malware strains, and new versions emerge every day. The growth of ransomware can be attributed to its lucrative nature – by infecting thousands of users or high profile organizations, hackers receive a high amount of money, even if just a fraction of the affected do so. In the meantime, the users lose their files and money permanently, as malware's termination does not retrieve the encrypted data.

Therefore, it is important not to get infected in the first place, although users who have to deal with file locking malware usually are doing it for the first time, and do not take warnings from cybersecurity experts seriously. Here are a few tips that would help you repel multiple different infections:
- Never download software cracks or pirated application installers – these are typically booby-trapped with malware;
- If using a Remote Desktop connection, make sure it is protected by a strong password. Additionally, do not use a default TCP/UDP port 3389 and employ VPN to increase protection;
- When accessing your inbox, make sure that you carefully filter out any malicious emails. The ones that include attachments (.zip, .exe, .pdf, .exe) can pose the highest risk – so never allow macros to run when asked (“Allow content”). Additionally, do not click on hyperlinks that might look official – hover the mouse to see the real destination first;
- Always update the software installed on your machine, along with the operating system as soon as new patches are shipped;
- Employ sophisticated anti-malware software with real-time protection feature;
- Backup your files on a regular basis – this will negate most of the negative effects of a ransomware infection.
Take control of your PC back by removing Odveta ransomware
Despite the popular belief, Odveta ransomware removal should not be performed immediately. Once inside the system, the malware modifies files in a way that its termination may permanently damage the data, and even a working decryption tool may not be helpful anymore. Thus, copy all the locked files over to a remote server or an external drive, such a USB flash. Nevertheless, if you have backups that could be used to restore all the locked files, do not hesitate and remove Odveta ransomware immediately.
To get rid of the Odveta virus from your system, you should perform a full system scan with the help of anti-malware software, such as SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or another powerful tool. In case the malware is tampering with your security software, you can access Safe Mode with Networking and run a full scan from there.
Finally, you can connect your backups and recover the encrypted data. If you do not have them prepared, employ the methods we provide below.
Was this guide helpful?
Be the first to comment