Solved

How to remove Odin ransomware ?

Posted on 2016-10-04
11
156 Views
Last Modified: 2016-10-29
Hello Experts,
Has any body removed this ransomware successfully ? Most of the PC is infected by this virus even SEP 12.4 with latest update installed with none of the folder in the exception list.
Regards.
0
Comment
Question by:ibu1
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 87

Accepted Solution

by:
rindi earned 250 total points
ID: 41827806
Lots of Ransomware type viruses automatically remove themselves from the PC after it has finished it's job. That could be one reason why you can't find it anymore. Besides, that, new viruses are often not detectable yet by Antivirus utilities, as they are always some steps behind and will have to find signatures for them.

On the other hand, if a PC gets infected by ransomware, it is very likely that it has also been compromised by other malware. The only really effective way to get rid of all malware is to setup the PC again, from a clean image or by reinstalling the OS. Any other removal methods tend to leave something behind that hasn't been detected, or they break other parts of the OS or installed software, and they take a lot more time by the person who does the cleaning, so that is more costly in the end to do.

So just do a clean installation of your OS and software.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41827818
Hi Rindi,
It seems like this is not a virus because SEP specially removes all types of virus. Is this ransomware came by clicking some html attachment from the email ?
Regards.
0
 
LVL 87

Expert Comment

by:rindi
ID: 41827832
SEP won't be aware of all viruses. All AV tools miss some and aren't fool proof. A lot of ransomware gets delivered via email attachments, often it is an m$ office macro. Also visiting compromissed websites can cause the virus to start.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 41827943
SEP is signature based and not foolproof, they detect only what they know and if there is no signature for newly discovered ransomware or the exploit kit that brings in the ransomware, the latter will still be able to encrypt and the exploit kit can still re-infect if the ransomware is cleaned up.

For ODIN ransomware, it is a Locky Ransomware variant and SEP will not have all the signature for variant of Locky. It is a catch up game for SEP or any other AV software
Like previous variants, this sample is being spread through WS, JS, etc email attachments attached to SPAM emails. If a recipient double-clicks on one of these script files, it will download an encrypted DLL installer, decrypt it, and execute it using the legitimate Windows program called Rundll32.exe. Once executed, Locky will encrypt a victim's files, rename them, and then append the .ODIN extension.
One of my customers was hit with this today, it came in the form of a Word attachment for a "Receipt".
http://www.bleepingcomputer.com/news/security/locky-ransomware-now-uses-the-odin-extension-for-encrypted-files/

The best is to rebuild to a clean machine and employ the safeguard to reduce the exposure to exploit and threats - consider the application whitelisting strategy like using Applocker  and beef up SEP with Anti-Ransomware software such WinAntiRansom or MalwareBytes Anti-Ransomware.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41830242
Hello Experts,
This is for sure that there is now way to recover this files but there is a way to prevent this from happening. Attached it the document which I got from Symantec Technical support which explains that by creating application policy, we can prevent to some extent from the similar incident.
SEP-12-1---How-to-fight-Ransomware.docx
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 61

Expert Comment

by:btan
ID: 41830262
in fact very similar to Applocker  (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application. CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.
https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/
https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

Overall for preventing Locky
Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block executables in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %AppData%\[subfolder]\
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables running from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables running from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables running from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables running from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#prevent
1
 
LVL 12

Author Comment

by:ibu1
ID: 41830292
Thanks expert Rindi and Btan for your help.
0
 

Expert Comment

by:Oliver Podim
ID: 41837250
One of my friends had problems with Odin ransomware and only thing that helped us was ShadowExplorer. With help of this tool we managed to recover 10% of locked files.
Rest of encrypted files was copied to USB in hope that decryptor will be released by NoMoreRansom team soon.
+1 to rindi. Clean system is the only way out
http://www.shadowexplorer.com/downloads.html
http://myspybot.com/odin-virus/
https://www.nomoreransom.org/decryption-tools.html
0
 

Expert Comment

by:Gabriel M
ID: 41839843
Shadow Explorer works  on one condition - only if this ransomware fails to remove Volume Shadow copies of your files. If it starts doing so, this option becomes useless. However, if System Restore function is enabled on the affected computer, you can always use  Windows Previous Version feature.
0
 
LVL 61

Expert Comment

by:btan
ID: 41840079
Taking example for this ransomware. This method is not fool proof, as these files may not be encrypted they also may not be the latest version of the file - but better than nothing assumed the most minimal chances.
CryptXXX will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so there is a small chance you may be able to restore your files using this method.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41864956
Expert Gabriel M and btan,
I will try ShadowExplorer software with the infected PC if the user has not deleted the odin file. Thanks for your comments even after the post is closed.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now