Solved

How to remove Odin ransomware?

Posted on 2016-10-04
11
Medium Priority
253 Views
Last Modified: 2016-10-29
Hello Experts,
Has anybody removed this ransomware successfully? Most of the PCs are infected by this virus, even with SEP 12.4 with the latest update installed and none of the folders in the exception list.
Regards.
0
Question by:ibu1
11 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 1000 total points
ID: 41827806
Lots of ransomware-type viruses automatically remove themselves from the PC after they have finished their job. That could be one reason why you can't find it anymore. Besides that, new viruses are often not detectable yet by antivirus utilities, as they are always some steps behind and will have to find signatures for them.

On the other hand, if a PC gets infected by ransomware, it is very likely that it has also been compromised by other malware. The only really effective way to get rid of all malware is to set up the PC again, from a clean image or by reinstalling the OS. Any other removal methods tend to leave something behind that hasn't been detected, or they break other parts of the OS or installed software, and they take a lot more time for the person who does the cleaning, so it is more costly in the end.

So just do a clean installation of your OS and software.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41827818
Hi Rindi,
It seems like this is not a virus, because SEP specifically removes all types of viruses. Did this ransomware come from clicking some HTML attachment in an email?
Regards.
0
 
LVL 88

Expert Comment

by:rindi
ID: 41827832
SEP won't be aware of all viruses. All AV tools miss some and aren't foolproof. A lot of ransomware gets delivered via email attachments; often it is an M$ Office macro. Also, visiting compromised websites can cause the virus to start.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 41827943
SEP is signature based and not foolproof: it detects only what it knows, and if there is no signature for newly discovered ransomware or for the exploit kit that brings in the ransomware, the latter will still be able to encrypt, and the exploit kit can still re-infect if the ransomware is cleaned up.

For ODIN ransomware, it is a Locky ransomware variant, and SEP will not have all the signatures for variants of Locky. It is a catch-up game for SEP or any other AV software.
Like previous variants, this sample is being spread through WS, JS, etc email attachments attached to SPAM emails. If a recipient double-clicks on one of these script files, it will download an encrypted DLL installer, decrypt it, and execute it using the legitimate Windows program called Rundll32.exe. Once executed, Locky will encrypt a victim's files, rename them, and then append the .ODIN extension.
One of my customers was hit with this today, it came in the form of a Word attachment for a "Receipt".
http://www.bleepingcomputer.com/news/security/locky-ransomware-now-uses-the-odin-extension-for-encrypted-files/

The best is to rebuild to a clean machine and employ safeguards to reduce the exposure to exploits and threats: consider an application whitelisting strategy like using AppLocker, and beef up SEP with anti-ransomware software such as WinAntiRansom or MalwareBytes Anti-Ransomware.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41830242
Hello Experts,
It is for sure that there is no way to recover these files, but there is a way to prevent this from happening. Attached is the document which I got from Symantec technical support, which explains that by creating an application policy we can prevent similar incidents to some extent.
SEP-12-1---How-to-fight-Ransomware.docx
0
 
LVL 65

Expert Comment

by:btan
ID: 41830262
In fact very similar to AppLocker (or its predecessor, Software Restriction Policies), which can be used to allow or deny the execution of an application. CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.
https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/
https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

Overall, for preventing Locky:
Below are a few path rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block executables in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %AppData%\[subfolder]\
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables running from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables running from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables running from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables running from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#prevent
1
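The rule list above can be turned into Software Restriction Policy entries without clicking through the snap-in. The following PowerShell is an added example, not code from the thread or from bleepingcomputer: it writes the Vista/7/8 form of each rule as a "Disallowed" path rule into the local-machine SRP registry hive. The hive layout it assumes (CodeIdentifiers\0\Paths\{GUID} keys holding ItemData, SaferFlags, Description and LastModified values, with DefaultLevel, TransparentEnabled and PolicyScope on the CodeIdentifiers key) is what the Local Security Policy snap-in writes, so verify the result in secpol.msc after running it. The $Rules table, the rule descriptions and the function names are mine.

```powershell
# Added example (not from the thread): create SRP "Disallowed" path rules for the
# Vista/7/8 paths listed above. Run from an elevated PowerShell prompt.
# Registry layout assumed to match what the Local Security Policy snap-in writes.

$Rules = @(
    @{ Path = '%AppData%\*.exe';                Description = "Don't allow executables to run from %AppData%." },
    @{ Path = '%LocalAppData%\*.exe';           Description = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = '%AppData%\*\*.exe';              Description = "Don't allow executables to run from immediate subfolders of %AppData%." },
    @{ Path = '%LocalAppData%\*\*.exe';         Description = "Don't allow executables to run from immediate subfolders of %LocalAppData%." },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe'; Description = 'Block executables run from archive attachments opened with WinRAR.' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';  Description = 'Block executables run from archive attachments opened with 7zip.' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';  Description = 'Block executables run from archive attachments opened with WinZip.' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Description = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

# Base SRP settings: everything allowed by default, policy applies to all users,
# and "all software files except libraries (DLLs)" so only the listed paths are hit.
if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled' -Value 1             -Type DWord
Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope'        -Value 0             -Type DWord

$PathRuleRoot = Join-Path $SaferRoot "$Disallowed\Paths"
if (-not (Test-Path $PathRuleRoot)) { New-Item -Path $PathRuleRoot -Force | Out-Null }

# Raw (unexpanded) paths of the rules already present, so the script is safe to re-run.
# GetValue with DoNotExpandEnvironmentNames keeps '%AppData%' literal for comparison.
$ExistingPaths = Get-ChildItem $PathRuleRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $_.GetValue('ItemData', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

foreach ($Rule in $Rules) {
    if ($ExistingPaths -contains $Rule.Path) {
        Write-Host "Already present: $($Rule.Path)"
        continue
    }
    $Key = Join-Path $PathRuleRoot ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name 'ItemData'     -Value $Rule.Path        -Type ExpandString
    Set-ItemProperty -Path $Key -Name 'SaferFlags'   -Value 0                 -Type DWord
    Set-ItemProperty -Path $Key -Name 'Description'  -Value $Rule.Description -Type String
    Set-ItemProperty -Path $Key -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    Write-Host "Added Disallowed path rule: $($Rule.Path)"
}
```

On a domain member, put the same rules into a GPO instead, because domain policy overwrites local SRP settings. Note that every rule ends in *.exe: a .js or .wsf attachment of the kind described earlier in this thread is run by the script host from a temp folder and is not covered by these rules, so matching rules for the script extensions (or restrictions on the script hosts themselves) are needed as well.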
 
LVL 12

Author Comment

by:ibu1
ID: 41830292
Thanks, experts Rindi and Btan, for your help.
0
 

Expert Comment

by:Oliver Podim
ID: 41837250
One of my friends had problems with Odin ransomware, and the only thing that helped us was ShadowExplorer. With the help of this tool we managed to recover 10% of the locked files.
The rest of the encrypted files were copied to USB in the hope that a decryptor will be released by the NoMoreRansom team soon.
+1 to rindi. A clean system is the only way out.
http://www.shadowexplorer.com/downloads.html
http://myspybot.com/odin-virus/
https://www.nomoreransom.org/decryption-tools.html
0
 

Expert Comment

by:Gabriel M
ID: 41839843
Shadow Explorer works on one condition: only if this ransomware fails to remove the Volume Shadow Copies of your files. If it starts doing so, this option becomes useless. However, if the System Restore function is enabled on the affected computer, you can always use the Windows Previous Versions feature.
0
 
LVL 65

Expert Comment

by:btan
ID: 41840079
Taking this ransomware as an example: this method is not foolproof, as these files may not be encrypted and they also may not be the latest version of the file, but better than nothing, assuming the most minimal chances.
CryptXXX will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so there is a small chance you may be able to restore your files using this method.
0
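Before spending time on ShadowExplorer or Previous Versions, it is worth checking whether any shadow copies survived at all and whether they pre-date the encryption. The following PowerShell is an added example, not code from the thread or from any of the tools mentioned: it queries the Win32_ShadowCopy and Win32_Volume CIM classes and reports, per drive, how many snapshots exist and how many were taken before a given infection time. The function name and its -InfectionTime parameter are my own; the 2016-10-04 timestamp in the usage line is just the question's post date used as a sample value.

```powershell
# Added example (not from the thread): report surviving Volume Shadow Copies so you know
# whether ShadowExplorer / "Previous Versions" can recover anything. Read-only; run elevated.
# -InfectionTime (hypothetical parameter): when the .odin files first appeared, so the report
# counts only snapshots taken before the encryption started.

function Get-ShadowCopyReport {
    param([datetime]$InfectionTime = (Get-Date))

    # Map \\?\Volume{GUID}\ device names to drive letters for readable output.
    $Volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        if ($_.DriveLetter) { $Volumes[$_.DeviceID] = $_.DriveLetter }
    }

    $Shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    if ($Shadows.Count -eq 0) {
        # Typical after the ransomware has deleted the shadow copies: nothing to recover
        # from here; only backups or a future decryptor remain.
        Write-Warning 'No shadow copies found on this machine.'
        return
    }

    $Shadows | Group-Object VolumeName | ForEach-Object {
        $Dates  = @($_.Group | ForEach-Object { $_.InstallDate } | Sort-Object)
        $Usable = @($Dates | Where-Object { $_ -lt $InfectionTime }).Count
        [pscustomobject]@{
            Drive              = if ($Volumes.ContainsKey($_.Name)) { $Volumes[$_.Name] } else { $_.Name }
            ShadowCopies       = $_.Count
            Oldest             = $Dates[0]
            Newest             = $Dates[-1]
            PreInfectionCopies = $Usable   # snapshots that may still hold unencrypted versions
        }
    }
}

# Sample usage: encrypted files were first noticed at 09:30 on the day of the infection.
Get-ShadowCopyReport -InfectionTime (Get-Date '2016-10-04 09:30') | Format-Table -AutoSize
```

A drive with PreInfectionCopies of 0 has nothing worth opening in ShadowExplorer; snapshots newer than the infection time will contain the encrypted versions. Copy recovered files to separate media rather than back onto the affected disk, since the machine is still to be rebuilt.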
 
LVL 12

Author Comment

by:ibu1
ID: 41864956
Experts Gabriel M and btan,
I will try the ShadowExplorer software with the infected PC if the user has not deleted the Odin file. Thanks for your comments even after the post is closed.
0
