
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 261

How to remove Odin ransomware ?

Hello Experts,
Has anybody removed this ransomware successfully? Most of the PCs are infected by this virus, even with SEP 12.4 with the latest update installed and none of the folders in the exception list.
Regards.
0
Asked: ibu1
2 Solutions
 
rindiCommented:
Lots of ransomware-type viruses automatically remove themselves from the PC after they have finished their job. That could be one reason why you can't find it anymore. Besides that, new viruses are often not yet detectable by antivirus utilities, as they are always some steps behind and will have to find signatures for them.

On the other hand, if a PC gets infected by ransomware, it is very likely that it has also been compromised by other malware. The only really effective way to get rid of all malware is to set up the PC again, from a clean image or by reinstalling the OS. Any other removal methods tend to leave something behind that hasn't been detected, or they break other parts of the OS or installed software, and they take a lot more of the time of the person who does the cleaning, so that is more costly in the end.

So just do a clean installation of your OS and software.
0
 
ibu1Author Commented:
Hi Rindi,
It seems like this is not a virus, because SEP specifically removes all types of virus. Did this ransomware come from clicking some HTML attachment in an email?
Regards.
0
 
rindiCommented:
SEP won't be aware of all viruses. All AV tools miss some and aren't foolproof. A lot of ransomware gets delivered via email attachments; often it is an m$ Office macro. Also, visiting compromised websites can cause the virus to start.
0
 
btanExec ConsultantCommented:
SEP is signature-based and not foolproof: it detects only what it knows, and if there is no signature for newly discovered ransomware, or for the exploit kit that brings in the ransomware, the latter will still be able to encrypt, and the exploit kit can still re-infect if the ransomware is cleaned up.

For ODIN ransomware, it is a Locky ransomware variant, and SEP will not have all the signatures for variants of Locky. It is a catch-up game for SEP or any other AV software.
Like previous variants, this sample is being spread through WS, JS, etc. email attachments attached to spam emails. If a recipient double-clicks on one of these script files, it will download an encrypted DLL installer, decrypt it, and execute it using the legitimate Windows program called Rundll32.exe. Once executed, Locky will encrypt a victim's files, rename them, and then append the .ODIN extension.
One of my customers was hit with this today, it came in the form of a Word attachment for a "Receipt".
http://www.bleepingcomputer.com/news/security/locky-ransomware-now-uses-the-odin-extension-for-encrypted-files/

The best is to rebuild to a clean machine and employ safeguards to reduce the exposure to exploits and threats: consider an application whitelisting strategy, like using AppLocker, and beef up SEP with anti-ransomware software such as WinAntiRansom or MalwareBytes Anti-Ransomware.
0
 
ibu1Author Commented:
Hello Experts,
It is for sure that there is no way to recover these files, but there is a way to prevent this from happening. Attached is the document which I got from Symantec Technical Support, which explains that by creating an application policy we can, to some extent, prevent a similar incident.
SEP-12-1---How-to-fight-Ransomware.docx
0
 
btanExec ConsultantCommented:
In fact, very similar to AppLocker (or its predecessor, Software Restriction Policies), which can be used to allow or deny the execution of an application. CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.
https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/
https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

Overall, for preventing Locky:
Below are a few Path Rules that it is suggested you use, not only to block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block executables in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %AppData%\[subfolder]\
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables running from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables running from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables running from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables running from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#prevent
1
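As an added worked example (this is not part of the thread, nor from Symantec's document or the BleepingComputer guide): the Vista/7/8 variants of the Path Rules listed above, written into the local Software Restriction Policies registry hive as secpol.msc would do, followed by a functional check that a benign binary dropped into %AppData% is now refused. The extra designated file types (JS, JSE, VBS, WSF, WSH) are my assumption, added so that script droppers like the JS attachments mentioned above are also subject to SRP; the probe binary name `srp-probe.exe` is likewise arbitrary. Run elevated, and try it on a test VM before touching user machines; on a domain, put the same rules in a GPO instead of the local policy.

```powershell
# Added example (not from the thread): create the listed SRP "Disallowed" path rules
# in the LOCAL machine policy, then verify they bite. Run elevated.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted" (262144) = default for everything else

# One-time SRP defaults, equivalent to "New Software Restriction Policies" in secpol.msc.
if (-not (Test-Path $Safer)) {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value $Unrestricted | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1 | Out-Null  # enforce
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0 | Out-Null  # all users
    # Designated file types: the default list, plus script extensions (assumption: you want
    # wscript-launched droppers such as .js / .wsf attachments covered as well).
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
             'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
             'URL','VB','WSC','JS','JSE','VBS','WSF','WSH'
    New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString -Value $types | Out-Null
}

# The rules from the guide above (Vista/7/8 form). Each becomes one GUID-named subkey.
$rules = @(
    @{ Path = '%AppData%\*.exe';                 Description = "Don't allow executables to run from %AppData%." },
    @{ Path = '%LocalAppData%\*.exe';            Description = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = '%AppData%\*\*.exe';               Description = 'Block executables in immediate subfolders of %AppData%.' },
    @{ Path = '%LocalAppData%\*\*.exe';          Description = 'Block executables in immediate subfolders of %LocalAppData%.' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Description = 'Block executables run from archives opened with WinRAR.' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Description = 'Block executables run from archives opened with 7-Zip.' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Description = 'Block executables run from archives opened with WinZip.' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Description = 'Block executables run from Windows built-in Zip folders.' }
)

foreach ($rule in $rules) {
    $key = Join-Path "$Safer\$Disallowed\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $rule.Path | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $rule.Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Review what is now in the Disallowed level (this is what secpol.msc shows under Additional Rules).
Get-ChildItem "$Safer\$Disallowed\Paths" |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Select-Object ItemData, Description | Format-Table -AutoSize

# Functional check: copy a harmless system binary into %AppData% and try to start it.
# With the rules active, CreateProcess fails with "This program is blocked by group policy".
$probe = Join-Path $env:APPDATA 'srp-probe.exe'   # arbitrary name
Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
try {
    Start-Process -FilePath $probe -Wait -ErrorAction Stop
    Write-Warning 'Probe RAN: the SRP rules are not in effect yet. Log off/on (or gpupdate /force) and retry.'
} catch {
    Write-Host "Probe blocked as expected: $($_.Exception.Message)"
}
Remove-Item $probe -Force
```

Two caveats worth keeping in mind: path rules only stop what launches from those folders, so a payload that gets itself into a path not listed here (or that runs as a script interpreter argument) is not covered, which is why btan's AppLocker/whitelisting advice above is the stronger posture; and the %LocalAppData% rules need the user environment variable that Vista and later provide, so on XP use the `%UserProfile%\Local Settings` forms from the guide.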
 
ibu1Author Commented:
Thanks expert Rindi and Btan for your help.
0
 
Oliver PodimIT engineerCommented:
One of my friends had problems with Odin ransomware, and the only thing that helped us was ShadowExplorer. With the help of this tool we managed to recover 10% of the locked files.
The rest of the encrypted files were copied to USB in the hope that a decryptor will be released by the NoMoreRansom team soon.
+1 to rindi. A clean system is the only way out.
http://www.shadowexplorer.com/downloads.html
http://myspybot.com/odin-virus/
https://www.nomoreransom.org/decryption-tools.html
0
 
Gabriel MComputer security expertCommented:
Shadow Explorer works on one condition: only if this ransomware fails to remove the Volume Shadow Copies of your files. If it starts doing so, this option becomes useless. However, if the System Restore function is enabled on the affected computer, you can always use the Windows Previous Versions feature.
0
 
btanExec ConsultantCommented:
Taking this ransomware as an example: this method is not foolproof, as these files may not be encrypted but they also may not be the latest version of the file; still, it is better than nothing, assuming the most minimal chances.
CryptXXX will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so there is a small chance you may be able to restore your files using this method.
0
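As an added example to go with the shadow-copy discussion above (not part of the thread, and not ShadowExplorer's code): before installing a third-party tool on an infected box, this PowerShell snippet asks Windows itself whether any Volume Shadow Copies survived, picks the newest one taken before the infection, and exposes it read-only through a directory symbolic link so files can be copied off with Explorer or `robocopy`. The infection time (`$infectedAt`), the drive letter, and the link location `C:\ShadowRestore` are placeholders you must set; take the infection time from the earliest `.odin` file timestamp. Run elevated on the infected machine (or on the drive mounted in a clean one).

```powershell
# Added example (not from the thread): find surviving shadow copies and expose a pre-infection one.
$infectedAt  = (Get-Date).AddDays(-1)   # PLACEHOLDER: earliest .odin file timestamp
$driveLetter = 'C:'                     # PLACEHOLDER: volume holding the user data
$mount       = 'C:\ShadowRestore'       # PLACEHOLDER: where to expose the snapshot

# Win32_ShadowCopy names volumes by GUID path, so build GUID -> drive letter first.
$volumes = @{}
Get-CimInstance Win32_Volume | Where-Object DriveLetter |
    ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }

$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $volumes[$_.VolumeName] -eq $driveLetter } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies left on $driveLetter (ransomware commonly runs 'vssadmin delete shadows /all'); ShadowExplorer will find nothing either."
    return
}
Write-Host "Surviving shadow copies on ${driveLetter}:"
$shadows | Format-Table InstallDate, DeviceObject -AutoSize

# The newest snapshot taken BEFORE the infection is the one with unencrypted files;
# anything newer was taken after Locky started writing .odin files.
$clean = $shadows | Where-Object { $_.InstallDate -lt $infectedAt } | Select-Object -First 1
if (-not $clean) {
    Write-Warning 'Every remaining snapshot postdates the infection and will contain encrypted files.'
    return
}

# Expose the snapshot as a folder. The trailing backslash after DeviceObject is required.
cmd /c mklink /d $mount "$($clean.DeviceObject)\" | Out-Null
Write-Host "Snapshot from $($clean.InstallDate) exposed read-only at $mount"

# Sanity check: how much of the user data in that snapshot is still unencrypted?
$files = Get-ChildItem "$mount\Users" -Recurse -File -ErrorAction SilentlyContinue
$odin  = @($files | Where-Object Extension -eq '.odin').Count
Write-Host ("{0} files in snapshot, {1} already .odin, {2} candidates to copy to clean media." -f $files.Count, $odin, ($files.Count - $odin))
Write-Host "When done: cmd /c rmdir $mount   (removes only the link, not the snapshot)"
```

If the snapshot list is empty, that matches Gabriel M's point above and the only remaining options are backups or a future decryptor; if a pre-infection snapshot exists, copy from it to clean media before doing anything else on the machine, since the next reboot or a VSS storage-limit rollover can still discard it.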
 
ibu1Author Commented:
Expert Gabriel M and btan,
I will try ShadowExplorer software with the infected PC if the user has not deleted the odin file. Thanks for your comments even after the post is closed.
0
