email=*[email protected]*id=***.odveta

[Content by Gemini 2.5]

ODVETA Ransomware Threat Report

Extension observed in the wild: .odveta (the marker placed in front of the extension, e.g. “email=[email protected]id=**”, is operator-controlled and can change from campaign to campaign; key detections on the .odveta suffix, not on the marker text)


TECHNICAL BREAKDOWN

1. File-Extension & Renaming Pattern

  • Exact extension added: .odveta (lower-case)
  • Full rename template used in recent waves:
    <original_name>.<original_ext>email=*[email protected]*id=***.odveta
    “***” stands for an 8- to 10-character victim ID that is also embedded in the ransom-note file name (!—RECOVER—!.txt).
    Example: Project_Q3.xlsxemail=*[email protected]*id=A19fZ2Dw5.odveta
  • Files are overwritten in place (not copied), and the rename happens only after encryption of that file has finished. Volume shadow copies are deleted with vssadmin.exe earlier in the chain, before encryption starts, so there are no local snapshots to roll back to.
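The rename template above is regular enough to parse mechanically, which is useful both for triage (how many files, which original types, how many victim IDs, i.e. how many hosts or campaigns) and for the backup check in the recovery section (any .odveta file inside a backup repository means that repository was reachable during the incident). The following is an added example, not tooling from the report or from the operator; the file paths are constructed, and the contact address is a placeholder because the report redacts the real one. The parser deliberately treats anything ending in .odveta as encrypted even when the marker does not match, since the marker is operator-controlled.

```python
import re
from collections import Counter, defaultdict

# Rename template described in the report:
#   <original_name>.<original_ext>email=*<contact>*id=<victim-id>.odveta
# The marker between the original name and ".odveta" is operator-controlled,
# so matching is permissive: anything that ends in ".odveta" counts as
# encrypted, and the marker fields are extracted only when they fit.
MARKER_RE = re.compile(
    r"^(?P<original>.+?)"                      # original name, extension included
    r"email=\*(?P<contact>[^*]+)\*"            # contact address between the asterisks
    r"id=(?P<victim_id>[A-Za-z0-9]{8,10})$"    # 8- to 10-character victim ID
)
SUFFIX = ".odveta"


def parse_odveta_name(filename: str):
    """Return the fields of an ODVETA-renamed file, or None if it is not one.

    A file that ends in .odveta but whose marker does not match the template
    is still reported as encrypted, with the marker fields set to None.
    """
    if not filename.lower().endswith(SUFFIX):
        return None
    stem = filename[: -len(SUFFIX)]
    m = MARKER_RE.match(stem)
    if m is None:
        return {"original": None, "original_ext": None,
                "contact": None, "victim_id": None}
    original = m.group("original")
    ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
    return {"original": original, "original_ext": ext,
            "contact": m.group("contact"), "victim_id": m.group("victim_id")}


def triage(paths, backup_markers=("backup", "repository", "veeam")):
    """Summarise a path inventory (e.g. a dir /s /b listing of the shares).

    Groups encrypted files by victim ID, counts the original extensions hit,
    and flags encrypted files under backup-looking directories: those
    repositories were reachable during the incident and must not be trusted
    for restore until checked.
    """
    by_victim = defaultdict(list)
    extensions = Counter()
    unparsed = []
    tainted_backups = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        info = parse_odveta_name(name)
        if info is None:
            continue
        if info["victim_id"] is None:
            unparsed.append(path)
        else:
            by_victim[info["victim_id"]].append(path)
            extensions[info["original_ext"]] += 1
        lowered = path.lower()
        if any(marker in lowered for marker in backup_markers):
            tainted_backups.append(path)
    return {
        "encrypted_total": sum(len(v) for v in by_victim.values()) + len(unparsed),
        "victim_ids": {k: len(v) for k, v in by_victim.items()},
        "extensions": dict(extensions),
        "unparsed_marker": unparsed,
        "tainted_backups": tainted_backups,
    }


# Constructed sample inventory (not real victim data). The contact address is a
# placeholder; the victim IDs follow the 8-10 alphanumeric pattern in the report.
SAMPLE_PATHS = [
    r"D:\Shares\Finance\Project_Q3.xlsxemail=*contact@example.com*id=A19fZ2Dw5.odveta",
    r"D:\Shares\Finance\Contract.pdfemail=*contact@example.com*id=A19fZ2Dw5.odveta",
    r"D:\Shares\Legal\Brief.docxemail=*contact@example.com*id=Zq8LmP2x.odveta",
    r"D:\Shares\Legal\notes.txt",
    r"E:\Backup\Repository\Finance-2020-12.vbkemail=*contact@example.com*id=A19fZ2Dw5.odveta",
    r"E:\Backup\Repository\old.odveta",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PATHS), indent=2))
```

On the sample inventory the summary reports five encrypted files across two victim IDs, one file whose marker did not parse, and two files under the backup repository, which is exactly the signal that the repository was online during the attack.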

2. Detection & Outbreak Timeline

  • Earliest upload to multi-scanner portals: 27-Nov-2020 (first submission from Russia; detected generically as Win32/Kryptik.BHTS).
  • First large compromises reported: 16-Dec-2020 (US & EU MSPs).
  • Peak activity waves: Dec-2020 → Feb-2021, sporadic re-appearances until Oct-2021; currently considered “semi-dormant” but builders still circulate in closed forums.

3. Primary Attack Vectors

  • RDP brute-force / stolen credentials (most common entry).
  • Cobalt Strike or a similar beacon dropped after the initial breach, followed by manual deployment of ODVETA.
  • Exploitation of un-patched SonicWall SMA 100 CVE-2021-20016 (used in Jan-2021 campaigns).
  • Phishing with malicious disk-image attachments (ISO/IMG, e.g. “invoice.img” → LNK → PowerShell stager).
  • No worm-like SMB component (unlike WannaCry); lateral movement is manual, via WMI/PsExec once domain credentials have been harvested.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Block inbound TCP/3389 at the perimeter; put RDP behind a gateway with MFA, or allow it only over VPN.
  • Apply SonicWall SMA 100 patch (SNWL-sma100-10.2.1.4-63sv or newer) and Citrix ADC/Gateway CVE-2019-19781 patch if present.
  • Disable PowerShell v2, and restrict WMI remoting and PsExec to administrative accounts and hosts (AppLocker/WDAC).
  • Place privileged accounts in the Protected Users group and enable Credential Guard (plus LSA protection) to blunt the Mimikatz-style credential dumping used in later stages.
  • Detection names seen for the payload: Ransom:Win32/Odveta.A!bit, Trojan.Encoder.32488, Ransom.Odveta, Ransom.Win32.CRABGEN.

2. Removal / Cleaning

  1. Physically isolate the machine from the network (pull the cable, disable Wi-Fi).
  2. Boot into Safe Mode (keep the host off the network) or mount the disk from a clean WinPE drive.
  3. Identify and stop the malicious service (often named MS3102Update or a random 5-digit name):
     • Task Manager → Details → winlogui.exe or svhost.exe (note the missing “c” of svchost)
     • sc stop <servicename> followed by sc delete <servicename> (from Safe Mode; from WinPE, sc acts on the boot environment, not the offline installation, so load the offline SYSTEM hive with reg load and delete the service key under ControlSet00x\Services instead)
  4. Delete persistence artefacts:
     • C:\Users\Public\Libraries\service.exe
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “DisableAV”
     • the scheduled task \Microsoft\Windows\Maintenance\WakeLegacy (drops a script that re-runs the payload)
  5. Run a reputable on-demand scanner (ESET, Kaspersky Rescue Disk, MSERT) until it reports zero detections.
  6. BEFORE ANY DATA RECOVERY, image the encrypted drives (dd or FTK Imager); the image is essential if a decryptor appears later.

3. File Decryption & Recovery

  • Current status (2024-05): No flaw found in the offline encryption routine → NO FREE DECRYPTOR.
  • ODVETA uses the Salsa20 stream cipher for file data; the session key is protected with ECDH plus ChaCha, and the matching private key never leaves the attacker’s server.
  • Victims should therefore:
    A) Check whether an offline/local key variant was used: search the ransom note for the string "OFFLINE_KEY" (fewer than 3% of cases qualify); if present, submit it to [email protected] for a possible private-release decryptor.
    B) Restore from backups only after verifying that no backup repository was mounted or reachable during the incident (search each repository for .odveta traces before trusting it).
    C) Run file-carving tools (PhotoRec/TestDisk) only against cloned images to look for orphaned pre-encryption blocks; the success rate is below 5% on SSDs because TRIM discards freed blocks.

4. Other Critical Information

  • Ransom amount observed: 0.12–0.45 BTC (Dec-2020) / 1.2–1.8 XMR (Apr-2021).
  • Time-out: the note threatens a 72-hour deadline, but analysed samples ignore the timer; decryption was still offered months later once the victim made contact.
  • Data-leak blog: none confirmed (“HoneyLock” operator prefers selective e-mail leaks to customers).
  • Differentiator: unlike most contemporary strains, ODVETA does NOT append an authentication tag to encrypted files; integrity is checked only server-side. A decryptor run with the wrong key therefore produces no error, just garbage that neither attacker nor victim can repair. TEST FIRST: decrypt copies, validate the output, and only then touch the originals.
  • Impacts were highest in small legal & accountancy firms running a single Windows Server 2012 R2 Essentials exposed to RDP; overall economic damage estimated by FBI IC3 at ≈$6.4M for the Dec-2020→Mar-2021 period.
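The "no authentication tag" point deserves a concrete illustration, because it changes the recovery procedure: with a tagged (AEAD-style) format a wrong key is rejected before anything is written, whereas with a bare stream cipher the victim has to validate the decrypted bytes themselves. The block below is an added example, not code from the report or from any decryptor; the keystream is a SHA-256-in-counter-mode stand-in (labelled as such in the code), not Salsa20, and HMAC-SHA256 stands in for an AEAD tag. The plaintext and keys are constructed. The practical check it shows is the one a victim actually has: compare the decrypted output against the magic bytes of the original extension recovered from the rename template, and refuse to write back on mismatch.

```python
import hashlib
import hmac
import os

# ASSUMPTION: the report says ODVETA encrypts file data with Salsa20. The
# keystream below (SHA-256 over key || nonce || counter) is a stand-in, not
# Salsa20. It is enough to reproduce the property that matters here: a stream
# cipher XORs data with a keystream, so decryption with the wrong key yields
# plausible-sized garbage and never raises an error.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(blocks[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with the stand-in stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# What "most contemporary strains" do and ODVETA does not: an authentication
# tag over the ciphertext, so a wrong key is rejected before anything is
# written back. HMAC-SHA256 stands in for an AEAD tag here.
def seal(key: bytes, nonce: bytes, plaintext: bytes):
    ciphertext = stream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_with_tag(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch: wrong key or corrupted file")
    return stream_xor(key, nonce, ciphertext)


# Without a tag, the only victim-side check is whether the output looks like
# the file type named by the original extension in the rename template.
MAGIC = {
    "xlsx": b"PK\x03\x04", "docx": b"PK\x03\x04", "zip": b"PK\x03\x04",
    "pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
}


def looks_like(data: bytes, ext: str) -> bool:
    magic = MAGIC.get(ext.lower())
    return magic is not None and data.startswith(magic)


def trial_decrypt(ciphertext: bytes, key: bytes, nonce: bytes, ext: str):
    """Decrypt into memory only and return (ok, candidate_plaintext).

    The caller writes the candidate out (to a copy, never over the original)
    only when ok is True. With an untagged stream cipher this magic-byte check
    is all that stands between a bad key and an unrecoverable file.
    """
    candidate = stream_xor(key, nonce, ciphertext)
    return looks_like(candidate, ext), candidate


if __name__ == "__main__":
    # Constructed sample: a minimal ZIP-container header as an .xlsx stand-in.
    plaintext = b"PK\x03\x04" + b"\x14\x00\x00\x00" + os.urandom(64)
    nonce = os.urandom(8)
    real_key, wrong_key = os.urandom(32), os.urandom(32)
    ct = stream_xor(real_key, nonce, plaintext)

    ok, _ = trial_decrypt(ct, wrong_key, nonce, "xlsx")
    print("untagged, wrong key: no exception, magic check passed =", ok)
    ok, pt = trial_decrypt(ct, real_key, nonce, "xlsx")
    print("untagged, right key: magic check passed =", ok, "round-trip =", pt == plaintext)

    ct2, tag = seal(real_key, nonce, plaintext)
    try:
        open_with_tag(wrong_key, nonce, ct2, tag)
    except ValueError as exc:
        print("tagged, wrong key:", exc)
```

The magic-byte check is a heuristic, not an integrity proof: a container whose first bytes happen to survive will still pass, so compare a handful of decrypted copies against known-good files (or open them in the native application) before running a decryptor across the imaged volume.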

Keep offline, encrypted backups, patch your edge services, and never expose RDP directly to the Internet—those three controls eliminate >90% of ODVETA (and similar post-intrusion ransomware) risk. Good luck, and stay safe!