Solved

optimal method deal ransomware in files folders

Posted on 2016-11-10
9
60 Views
Last Modified: 2016-11-14
Have a drive locked that the files are inaccessible.  Our tech indicated probable RW attack.  Please adive.  Thank you in advance.
0
Comment
Question by:rayluvs
9 Comments
 
LVL 12

Accepted Solution

by:
Phil Phillips earned 300 total points
ID: 41882782
Optimal method is to restore from a backup. Otherwise, you're looking at purging the ransomware from the system and then attempting to decrypt (not fun! and not guaranteed to get your data back). If you have to go that route, you could start here: https://noransom.kaspersky.com/
0
 

Author Comment

by:rayluvs
ID: 41883138
Understood.  Unfortunately, the user wasn't too backup-friendly.  Besides kaspersky, any other apps or procedures based on your experience you can recommend?
0
 

Author Comment

by:rayluvs
ID: 41883224
Question, how can one know if the files are really encrypted?
0
 
LVL 12

Expert Comment

by:Phil Phillips
ID: 41884089
Sometimes the files get renamed with a different extension (it depends on the ransomware). https://id-ransomware.malwarehunterteam.com/ might be able to help you analyze a file to get more information.

Though, it's entirely possible that ransomware isn't the cause at all.. what type of error are you getting when you try to access a file?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:rayluvs
ID: 41884339
Hi, Thanx!

As far a we know, it's the Locky Ransomware variant extensions *.odin

Have you heard of it?  Any observation regarding this particular?
0
 
LVL 12

Assisted Solution

by:Phil Phillips
Phil Phillips earned 300 total points
ID: 41884348
The Odin variant is pretty new, and the encryption is pretty strong - RSA 2048-bit and AES 128-bit.  So, unfortunately there aren't any readily available decrypters out there :(.

Another good site where you can test files to see if there's a known good solution: https://www.nomoreransom.org

Though, again, I don't believe there's currently a readily available tool for Odin.. so you're sort of stuck at the moment unless you can locate a backup.
0
 

Author Comment

by:rayluvs
ID: 41884645
Thanx for the response.

Last question prior closing, the attack issued 2 html ('_4_HOWDO_text.html' & '_HOWDO_text.html').  One of tech sent the files to another who ask to see the contents.  Do those files contain the actual apps the encrypts everything? (we don't know and don't want others to get infect by trying to help us)
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 200 total points
ID: 41884761
It seems that there are odin decryptors.  Here's a link with removal and decryptor information.  Apparently, they allow you to decrypt one file for free and you can use that to get the keys to decrypt the rest.  Kapersky seems to have a tool.  https://www.bugsfighter.com/remove-odin-ransomware-and-decrypt-odin-files/
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41886250
Hope this was resolved to your satisfaction.  Recommendation for the future:  force backup adherence by using simmering like Druva insync. Insync acts much like MAC time machine, but remotely. Versioning is the key, and backup not connected directly to the machine (insync versioning is like having a swapped out local HDD that always backs up). Code42's Crashplan is a similar solution)
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now