On the 3rd of October 2016 I received an urgent call from one of my customers. They had started one of their computers in the office, and this triggered what turned out to be the “ODIN Ransomware Virus”. It quickly spread to their server, encrypting files on both machines. It appeared that a file called payment_receipt_contact_235142.zip contained a JavaScript (.js) file which carried the malware.
Read this article from Sophos: ODIN Ransomware Virus article
I immediately told them to disconnect the backup drive that was connected to the server, in the hope that the infection had not yet spread to that device. Fortunately the drive was not infected. Very lucky!!
Once I was able to pick up the two infected computers, I determined that the antivirus that was “running” on the first computer was a trial version which had expired, so it was no longer updating itself.
Computer 1 had over 3000 infected files and the server had over 9000 files infected. Infected files were renamed filename.odin, like the Norse god.
In addition when the computer started up, the following message was presented.
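The two file counts above are the first thing a responder wants after an outbreak like this: how many files were renamed, which folders were hit hardest, and whether the backup drive really is untouched. The script below is an added example and is not part of the original post; it walks a directory tree for the .odin extension the post reports, counts hits per directory, confirms a backup root contains none, and strips the extension to list the original names. The sample tree it builds (file names, folder layout) is constructed for the example and is not data from the incident.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the post reports the ransomware appended to every encrypted file.
RANSOM_EXT = ".odin"


def inventory_encrypted(root):
    """Walk `root` and return (total, per_directory) for files ending in RANSOM_EXT.

    per_directory maps each directory (relative to root, POSIX-style) to the
    number of encrypted files it holds, so the hardest-hit shares can be
    triaged first.
    """
    root = Path(root)
    per_dir = Counter()
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        hits = sum(1 for f in filenames if f.lower().endswith(RANSOM_EXT))
        if hits:
            per_dir[Path(dirpath).relative_to(root).as_posix()] += hits
            total += hits
    return total, per_dir


def backup_is_clean(backup_root):
    """True when no file under the backup root carries the ransom extension."""
    total, _ = inventory_encrypted(backup_root)
    return total == 0


def original_names(directory):
    """Best-effort recovery of pre-encryption names: strip the ransom extension.

    This only works for the filename.odin pattern described in the post; a
    variant that also replaces the base name would leave nothing to recover.
    """
    names = []
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.name.lower().endswith(RANSOM_EXT):
            names.append(entry.name[: -len(RANSOM_EXT)])
    return sorted(names)


def make_sample_tree(base):
    """Constructed sample data (not from the incident): clean and renamed files."""
    base = Path(base)
    sample = [
        "Documents/invoice.docx.odin",   # encrypted
        "Documents/notes.txt.odin",      # encrypted
        "Documents/readme.txt",          # untouched
        "Shared/2016/budget.xlsx.odin",  # encrypted, nested share
        "Backup/invoice.docx",           # disconnected backup, still clean
    ]
    for rel in sample:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
    return base


def demo():
    """Build the constructed tree in a temp dir and run the three checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        total, per_dir = inventory_encrypted(tmp)
        clean = backup_is_clean(Path(tmp) / "Backup")
        names = original_names(Path(tmp) / "Documents")
    return total, dict(per_dir), clean, names


if __name__ == "__main__":
    total, per_dir, clean, names = demo()
    print(f"encrypted files: {total}")
    for folder, count in sorted(per_dir.items(), key=lambda kv: -kv[1]):
        print(f"  {folder}: {count}")
    print(f"backup clean: {clean}")
    print(f"original names in Documents: {names}")
```

Run it against a real share root (for example `inventory_encrypted(r"D:\Shares")`) with the server's network cables still unplugged; the per-directory counts tell you which folders to restore first from the clean backup, and `backup_is_clean` is the check to run on the backup drive before plugging it back in.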
So, what had to happen from here?
The two infected computers did not have recovery discs or any record of the Windows software licences. I did determine that there was what is called a recovery partition on each computer's hard drive.
I triggered a rebuild of the computers using this recovery partition, which resulted in Windows being reloaded (no Windows 10 Pro product key required).
All other software would now need to be reinstalled: Office, Adobe, Chrome, Firefox etc.
I downloaded and installed a 30-day trial copy of Trend Micro Maximum 10 antivirus, which could be activated within 30 days. This protected the two newly rebuilt computers until activation. The workstation (i3 CPU) took over 10 hours to perform the rebuild and the server (i5) took closer to 4 hours.
I have recommended that multiple backups be implemented, with there always being a current backup which is not connected to the system/network. This is what is called an “Air Bridge” (more commonly, an air gap), which prevents the backup from being infected.
I have also recommended having a full image taken of each computer in the office and stored on a separate drive (ideally two drives), to cover for a system crash or a drive failure where you would lose the recovery partition as well. It is easier to recover from this image.
It might be strange to say this, but it could have been so much worse:
- No backup, or an infected backup.
- A corrupted recovery partition, or no recovery partition at all.
- More computers could have been infected in the office had it not been detected as soon as it was. The other machines were turned off, so they were not impacted.