• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 203
  • Last Modified:

optimal method deal ransomware in files folders

Have a drive locked that the files are inaccessible.  Our tech indicated probable RW attack.  Please adive.  Thank you in advance.
0
rayluvs
Asked:
rayluvs
3 Solutions
 
Phil PhillipsDirector of DevOpsCommented:
Optimal method is to restore from a backup. Otherwise, you're looking at purging the ransomware from the system and then attempting to decrypt (not fun! and not guaranteed to get your data back). If you have to go that route, you could start here: https://noransom.kaspersky.com/
0
 
rayluvsAuthor Commented:
Understood.  Unfortunately, the user wasn't too backup-friendly.  Besides kaspersky, any other apps or procedures based on your experience you can recommend?
0
 
rayluvsAuthor Commented:
Question, how can one know if the files are really encrypted?
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
Phil PhillipsDirector of DevOpsCommented:
Sometimes the files get renamed with a different extension (it depends on the ransomware). https://id-ransomware.malwarehunterteam.com/ might be able to help you analyze a file to get more information.

Though, it's entirely possible that ransomware isn't the cause at all.. what type of error are you getting when you try to access a file?
0
 
rayluvsAuthor Commented:
Hi, Thanx!

As far a we know, it's the Locky Ransomware variant extensions *.odin

Have you heard of it?  Any observation regarding this particular?
0
 
Phil PhillipsDirector of DevOpsCommented:
The Odin variant is pretty new, and the encryption is pretty strong - RSA 2048-bit and AES 128-bit.  So, unfortunately there aren't any readily available decrypters out there :(.

Another good site where you can test files to see if there's a known good solution: https://www.nomoreransom.org

Though, again, I don't believe there's currently a readily available tool for Odin.. so you're sort of stuck at the moment unless you can locate a backup.
0
 
rayluvsAuthor Commented:
Thanx for the response.

Last question prior closing, the attack issued 2 html ('_4_HOWDO_text.html' & '_HOWDO_text.html').  One of tech sent the files to another who ask to see the contents.  Do those files contain the actual apps the encrypts everything? (we don't know and don't want others to get infect by trying to help us)
0
 
serialbandCommented:
It seems that there are odin decryptors.  Here's a link with removal and decryptor information.  Apparently, they allow you to decrypt one file for free and you can use that to get the keys to decrypt the rest.  Kapersky seems to have a tool.  https://www.bugsfighter.com/remove-odin-ransomware-and-decrypt-odin-files/
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Hope this was resolved to your satisfaction.  Recommendation for the future:  force backup adherence by using simmering like Druva insync. Insync acts much like MAC time machine, but remotely. Versioning is the key, and backup not connected directly to the machine (insync versioning is like having a swapped out local HDD that always backs up). Code42's Crashplan is a similar solution)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now