jradwan

Everything posted by jradwan

  1. It's Symantec Endpoint Protection, 12.1.6 MP6. But the definitions at the time of infection (9/29) didn't detect this Locky variant. The latest definitions now properly detect it.
  2. Attached is a sample of the Excel attachment used to download the payload, and a file named "hrushki" (I added the .malware extension) which I believe is copied to "hupoas.dll" when it's being executed by rundll.exe. Like @flrancid mentioned above, the Anti-Ransomware product was bundled into our purchase of Endpoint Security and we were not necessarily aware it was considered a beta product. odin-ransomware-sample.zip
  3. We were hit with the Odin ransomware yesterday so we purchased the Malwarebytes corporate solution. On a test laptop with AntiMalware, AntiExport, and AntiRansomware installed and fully updated, I was still able to get infected with Odin without a peep from the software that is supposed to prevent it. That being as it is, when I run an antimalware scan, MalwareBytes found a copy of the downloaded payload files as Locky.Ransomware, but not the actual copy of the payload (under C:\Users\<user>\Appdata\Local\Temp\hupoas.dll).
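An added defender-side example, not code from jradwan's posts or from Malwarebytes: a small detection check run over constructed process-creation events (Sysmon-style fields), flagging rundll32.exe loading a DLL from a user's `AppData\Local\Temp` directory, the location the post gives for `hupoas.dll`. Assumptions of mine: the host binary is `rundll32.exe` (the post writes `rundll.exe`), the sample events and user names are constructed, and the Office parent-process list is illustrative.

```python
import re

# Constructed sample process-creation events (not from the forum thread).
# Fields mirror common EDR/Sysmon event data: image, command line, parent image.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\hupoas.dll",qwerty',
     "parent": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\setup.dll",Install',
     "parent": r"C:\Windows\explorer.exe"},
]

# DLL path under <drive>:\Users\<user>\AppData\Local\Temp\ (case-insensitive).
TEMP_DLL_RE = re.compile(
    r'(?i)([a-z]:\\users\\[^\\"]+\\appdata\\local\\temp\\[^\s"]+\.dll)'
)

# Assumed list of Office hosts whose child rundll32 is worth a second look.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def analyze_event(event):
    """Return a list of (finding, detail) tuples for one process-creation event.

    Only rundll32.exe launches are inspected; a DLL loaded from the user's
    Temp folder is flagged, and an Office parent process adds a second finding.
    """
    findings = []
    if not event["image"].lower().endswith(r"\rundll32.exe"):
        return findings
    match = TEMP_DLL_RE.search(event["cmdline"])
    if match:
        findings.append(("rundll32_temp_dll", match.group(1)))
        parent_name = event["parent"].rsplit("\\", 1)[-1].lower()
        if parent_name in OFFICE_PARENTS:
            findings.append(("office_parent", parent_name))
    return findings


def scan(events):
    """Run analyze_event over a list of events; return (event_index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in analyze_event(e)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

Legitimate rundll32 use (the second sample event, which names a System32 DLL) produces no finding, so the check is usable as a triage rule rather than a blanket rundll32 alert.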