Link to home
Start Free TrialLog in
Avatar of Ibrahim Bazarwala
Ibrahim BazarwalaFlag for Kuwait

asked on

How to remove Odin ransomware ?

Hello Experts,
Has any body removed this ransomware successfully ? Most of the PC is infected by this virus even SEP 12.4 with latest update installed with none of the folder in the exception list.
Regards.
ASKER CERTIFIED SOLUTION
Avatar of rindi
rindi
Flag of Switzerland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Ibrahim Bazarwala

ASKER

Hi Rindi,
It seems like this is not a virus because SEP specially removes all types of virus. Is this ransomware came by clicking some html attachment from the email ?
Regards.
SEP won't be aware of all viruses. All AV tools miss some and aren't fool proof. A lot of ransomware gets delivered via email attachments, often it is an m$ office macro. Also visiting compromissed websites can cause the virus to start.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hello Experts,
This is for sure that there is now way to recover this files but there is a way to prevent this from happening. Attached it the document which I got from Symantec Technical support which explains that by creating application policy, we can prevent to some extent from the similar incident.
SEP-12-1---How-to-fight-Ransomware.docx
Avatar of btan
btan

in fact very similar to Applocker  (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application. CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.
https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/
https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

Overall for preventing Locky
Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block executables in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %AppData%\[subfolder]\
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables running from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables running from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables running from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables running from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#prevent
Thanks expert Rindi and Btan for your help.
One of my friends had problems with Odin ransomware and only thing that helped us was ShadowExplorer. With help of this tool we managed to recover 10% of locked files.
Rest of encrypted files was copied to USB in hope that decryptor will be released by NoMoreRansom team soon.
+1 to rindi. Clean system is the only way out
http://www.shadowexplorer.com/downloads.html
http://myspybot.com/odin-virus/
https://www.nomoreransom.org/decryption-tools.html
Shadow Explorer works  on one condition - only if this ransomware fails to remove Volume Shadow copies of your files. If it starts doing so, this option becomes useless. However, if System Restore function is enabled on the affected computer, you can always use  Windows Previous Version feature.
Taking example for this ransomware. This method is not fool proof, as these files may not be encrypted they also may not be the latest version of the file - but better than nothing assumed the most minimal chances.
CryptXXX will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so there is a small chance you may be able to restore your files using this method.
Expert Gabriel M and btan,
I will try ShadowExplorer software with the infected PC if the user has not deleted the odin file. Thanks for your comments even after the post is closed.