Odin Ransomware

On the 3rd of October 2016 I received an urgent call from one of my customers. They had started one of their computers in the office and this triggered what ended up being the “ODIN RANSOMWARE Virus”. It quickly spread to their server, infecting (encrypting) files on both computers. It appeared that a file called payment_receipt_contact_235142.zip contained a JavaScript file (.js) which contained the virus.

Read this article from Sophos: ODIN Ransomware Virus article

[Image: payment-receipt-file]

I immediately told them to disconnect the backup drive that was connected to the server, in the hope that the infection had not yet spread to this device. Fortunately the drive was not infected. Very lucky!!

Once I was able to pick up the two infected computers, I determined that the antivirus that was “running” on the first computer had been a trial version which had expired, so it was no longer updating itself.

[Image: expired-trial-tm]

Computer 1 had over 3000 infected files and the server had over 9000 files infected. Infected files were renamed filename.odin, like the Viking god.
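To scope an incident like this one (which machines and shares were hit, and whether the backup drive is clean), here is an added example that is not part of the original post: it walks a directory tree for files carrying the .odin extension the post describes and totals them per top-level folder. The sample tree it builds is constructed for the demonstration; point `summarize_by_top_folder` at a real share or backup mount instead.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".odin"  # extension the post reports on encrypted files


def find_encrypted_files(root, ext=RANSOM_EXT):
    """Return every file under root whose name ends with ext, as Path objects."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ext):
                hits.append(Path(dirpath) / name)
    return hits


def summarize_by_top_folder(root, ext=RANSOM_EXT):
    """Count encrypted files per first-level folder under root.

    Files sitting directly in root are counted under '.'.
    """
    root = Path(root)
    counts = Counter()
    for hit in find_encrypted_files(root, ext):
        rel = hit.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else "."
        counts[top] += 1
    return dict(counts)


def backup_is_clean(backup_root, ext=RANSOM_EXT):
    """True when a (disconnected) backup drive holds no files with the ransom extension."""
    return len(find_encrypted_files(backup_root, ext)) == 0


def build_sample_tree(base=None):
    """Constructed sample data: a fake share with encrypted and untouched files."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="odin_demo_"))
    layout = {
        "Documents/invoice.docx.odin": b"", "Documents/notes.txt.odin": b"",
        "Documents/readme.txt": b"hello", "Backup/archive.zip": b"ok",
        "Photos/holiday.jpg.odin": b"", "budget.xlsx.odin": b"",
    }
    for rel, data in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


if __name__ == "__main__":
    share = build_sample_tree()
    print(summarize_by_top_folder(share))      # {'Documents': 2, 'Photos': 1, '.': 1}
    print(backup_is_clean(share / "Backup"))   # True
```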

In addition, when the computer started up, the following message was presented.

[Image: locky-virus]

So, what had to happen from here?

The two infected computers did not have recovery discs or any record of the Windows software licenses. I did determine that there was what is called a recovery partition on each computer's hard drive.

[Image: recovery-partition]

I triggered a rebuild of the computers using this recovery partition, which resulted in Windows being reloaded. (No Windows 10 Pro product key required.)

All other software would now need to be reinstalled: Office, Adobe, Chrome, Firefox etc.

I downloaded and installed a 30-day trial copy of Trend Micro Maximum 10 antivirus, which could be activated within 30 days. This protected the two newly rebuilt computers until activation would happen. The workstation (i3 CPU) took over 10 hours to perform the rebuild and the server (i5) took closer to 4 hours.

I have recommended that multiple backups be implemented, with there always being a current backup which is not connected to the system/network. This is what is called an “Air Bridge” (an air gap), to prevent the backup from getting infected.

I have also recommended having a full image taken of each computer in the office and stored on a separate drive (ideally two drives) to cover for a system crash or a drive failure, where you would lose the recovery partition as well. It is easier to recover from this image.

It might be strange to say this, but it could have been so much worse:

  • No backup or infected backup.
  • Corrupted recovery partition or no recovery partition.
  • More computers could have been infected in the office if not detected as soon as it was.  Other machines were turned off so not impacted.