ODCODC targets Windows OS and its distribution method is currently unknown. Once a system is infected, it contacts its C2 server to retrieve a unique key for each hard drive partition it encrypts. If a connection to the C2 server cannot be established, ODCODC pulls from its hardcoded list of 200 encryption keys to encrypt the targeted files. It adds “C-email” and an email address to the name of the encrypted file and appends .odcodc to the end of it. It also drops a ransom note named readthis.txt or HOW_TO_RESTORE_FILES.txt. The ransom payment demand is currently unknown.