Solved

How to remove Odin ransomware ?

Posted on 2016-10-04
11
233 Views
Last Modified: 2016-10-29
Hello Experts,
Has anybody removed this ransomware successfully? Most of the PCs are infected by this virus, even with SEP 12.4 with the latest update installed and none of the folders in the exception list.
Regards.
0
Question by:ibu1
11 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 250 total points
ID: 41827806
Lots of ransomware-type viruses automatically remove themselves from the PC after they have finished their job. That could be one reason why you can't find it anymore. Besides that, new viruses are often not detectable yet by antivirus utilities, as they are always some steps behind and will have to find signatures for them.

On the other hand, if a PC gets infected by ransomware, it is very likely that it has also been compromised by other malware. The only really effective way to get rid of all malware is to set up the PC again, from a clean image or by reinstalling the OS. Any other removal methods tend to leave something behind that hasn't been detected, or they break other parts of the OS or installed software, and they take a lot more time from the person who does the cleaning, so in the end that is more costly to do.

So just do a clean installation of your OS and software.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41827818
Hi Rindi,
It seems like this is not a virus, because SEP specially removes all types of viruses. Did this ransomware come from clicking some HTML attachment in an email?
Regards.
0
 
LVL 88

Expert Comment

by:rindi
ID: 41827832
SEP won't be aware of all viruses. All AV tools miss some and aren't foolproof. A lot of ransomware gets delivered via email attachments; often it is an m$ office macro. Also, visiting compromised websites can cause the virus to start.
0

 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 41827943
SEP is signature-based and not foolproof: it detects only what it knows, and if there is no signature for newly discovered ransomware or the exploit kit that brings in the ransomware, the latter will still be able to encrypt, and the exploit kit can still re-infect if the ransomware is cleaned up.

For ODIN ransomware, it is a Locky ransomware variant, and SEP will not have all the signatures for variants of Locky. It is a catch-up game for SEP or any other AV software.
Like previous variants, this sample is being spread through WS, JS, etc. email attachments attached to SPAM emails. If a recipient double-clicks on one of these script files, it will download an encrypted DLL installer, decrypt it, and execute it using the legitimate Windows program called Rundll32.exe. Once executed, Locky will encrypt a victim's files, rename them, and then append the .ODIN extension.
One of my customers was hit with this today; it came in the form of a Word attachment for a "Receipt".
http://www.bleepingcomputer.com/news/security/locky-ransomware-now-uses-the-odin-extension-for-encrypted-files/

The best is to rebuild to a clean machine and employ safeguards to reduce the exposure to exploits and threats - consider an application whitelisting strategy like using AppLocker, and beef up SEP with anti-ransomware software such as WinAntiRansom or MalwareBytes Anti-Ransomware.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41830242
Hello Experts,
It is for sure that there is no way to recover these files, but there is a way to prevent this from happening. Attached is the document which I got from Symantec Technical Support, which explains that by creating an application policy we can, to some extent, prevent a similar incident.
SEP-12-1---How-to-fight-Ransomware.docx
0
 
LVL 64

Expert Comment

by:btan
ID: 41830262
In fact, it is very similar to AppLocker (or its predecessor, Software Restriction Policies), which can be used to allow or deny the execution of an application. CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.
https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/
https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

Overall, for preventing Locky:
Below are a few path rules that it is suggested you use, to not only block the infections from running but also to block attachments from being executed when opened in an e-mail client.

Block executables in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %AppData%\[subfolder]\
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables running from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables running from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables running from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables running from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#prevent
1
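The same path rules expressed as an AppLocker policy, as an added example that is not part of the thread or the linked articles. It assumes Windows 7 Enterprise / Server 2008 R2 or later, an elevated PowerShell 3+ session, and that the Application Identity service (AppIDSvc) is running so rules are actually enforced; the rule names, the probe file and the policy file path are constructed for the example.

```powershell
Import-Module AppLocker
# The thread's %AppData% / %LocalAppData% path rules, rewritten with AppLocker's %OSDRIVE%
# variable (AppLocker has no %AppData% macro; the first * covers every user profile).
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Roaming\*.exe'
    '%OSDRIVE%\Users\*\AppData\Roaming\*\*.exe'
    '%OSDRIVE%\Users\*\AppData\Local\*.exe'
    '%OSDRIVE%\Users\*\AppData\Local\*\*.exe'
    '%OSDRIVE%\Users\*\AppData\Local\Temp\Rar*\*.exe'   # WinRAR
    '%OSDRIVE%\Users\*\AppData\Local\Temp\7z*\*.exe'    # 7-Zip
    '%OSDRIVE%\Users\*\AppData\Local\Temp\wz*\*.exe'    # WinZip
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*.zip\*.exe'  # built-in Zip support
)
function New-PathRule([string]$Path, [string]$Action, [string]$Sid, [string]$Name) {
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="$Name" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}
# Deny wins over allow, but an enforced Exe collection blocks anything not explicitly
# allowed, so the default allow rules must be present or Windows itself stops launching.
$rules = @(
    (New-PathRule '%PROGRAMFILES%\*' 'Allow' 'S-1-1-0'      'Default: Everyone, Program Files')
    (New-PathRule '%WINDIR%\*'       'Allow' 'S-1-1-0'      'Default: Everyone, Windows')
    (New-PathRule '*'                'Allow' 'S-1-5-32-544' 'Default: Administrators, all paths')
)
$rules += $denyPaths | ForEach-Object { New-PathRule $_ 'Deny' 'S-1-1-0' "Block EXE in $_" }
# Start in AuditOnly, review the Microsoft-Windows-AppLocker/EXE and DLL event log for
# false positives, then change EnforcementMode to Enabled.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'ransomware-path-rules.xml'   # constructed path
Set-Content -Path $policyFile -Value $policy -Encoding UTF8
# Check before deploying: copy a benign binary into a blocked location and ask AppLocker
# how it would decide. Expected PolicyDecision: Denied. The probe file is a constructed test.
$probe = Join-Path $env:APPDATA 'applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $probe
# Deploy locally (-Merge keeps existing rules); for a domain GPO use -Ldap instead.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Keep the Dll collection out of scope until the Exe rules are stable; a misconfigured Dll collection is far more disruptive than a missed path rule.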
 
LVL 12

Author Comment

by:ibu1
ID: 41830292
Thanks expert Rindi and Btan for your help.
0
 

Expert Comment

by:Oliver Podim
ID: 41837250
One of my friends had problems with the Odin ransomware, and the only thing that helped us was ShadowExplorer. With the help of this tool we managed to recover 10% of the locked files.
The rest of the encrypted files were copied to a USB drive in the hope that a decryptor will be released by the NoMoreRansom team soon.
+1 to rindi. A clean system is the only way out.
http://www.shadowexplorer.com/downloads.html
http://myspybot.com/odin-virus/
https://www.nomoreransom.org/decryption-tools.html
0
 

Expert Comment

by:Gabriel M
ID: 41839843
Shadow Explorer works on one condition: only if this ransomware fails to remove the Volume Shadow Copies of your files. If it starts doing so, this option becomes useless. However, if the System Restore function is enabled on the affected computer, you can always use the Windows Previous Versions feature.
0
 
LVL 64

Expert Comment

by:btan
ID: 41840079
Taking this ransomware as an example: this method is not foolproof, as these files may not be encrypted, but they also may not be the latest version of the file - still, better than nothing, assuming the most minimal chances.
CryptXXX will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so there is a small chance you may be able to restore your files using this method.
0
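A way to check the condition Gabriel M and btan describe before reaching for ShadowExplorer, as an added example that is not part of the thread: list whatever shadow copies survived and, if any did, expose the newest one through a directory symlink so files can be copied out. It assumes an elevated PowerShell 3+ session on Vista or later; the mount point and destination folder are constructed values.

```powershell
# Shadow copies survive only if the ransomware's deletion attempt failed; see what is left.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies remain; ShadowExplorer and Previous Versions have nothing to offer.'
    return
}
$shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
# Expose the newest snapshot through a directory symlink (the DeviceObject path needs a
# trailing backslash); this is the same mechanism ShadowExplorer relies on.
$mount = 'C:\ShadowRecovery'   # constructed mount point, pick any unused path
cmd.exe /c "mklink /d $mount $($shadows[0].DeviceObject)\" | Out-Null
# Copy out only files that still carry their original names: Locky/ODIN renames its output
# to *.odin, so an un-renamed file inside the snapshot predates the encryption run.
$src = Join-Path $mount "Users\$env:USERNAME\Documents"
$dst = 'D:\Recovered\Documents'   # constructed destination on a separate, clean drive
robocopy $src $dst /E /XF *.odin /R:1 /W:1 /NP | Out-Null
cmd.exe /c "rmdir $mount" | Out-Null   # removes the link only, the snapshot stays
```

Check InstallDate against the time the .odin files appeared: a snapshot taken after the encryption run contains only encrypted copies.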
 
LVL 12

Author Comment

by:ibu1
ID: 41864956
Expert Gabriel M and btan,
I will try the ShadowExplorer software on the infected PC if the user has not deleted the odin file. Thanks for your comments even after the post is closed.
0
