Anti-Ransomware doesn't catch new Locky variant (Odin)

We were hit with the Odin ransomware yesterday so we purchased the Malwarebytes corporate solution. On a test laptop with AntiMalware, AntiExport, and AntiRansomware installed and fully updated, I was still able to get infected with Odin without a peep from the software that is supposed to prevent it. 

That being as it is, when I run an antimalware scan, MalwareBytes found a copy of the downloaded payload files as Locky.Ransomware, but not the actual copy of the payload (under C:\Users\<user>\Appdata\Local\Temp\hupoas.dll).


3 minutes ago, Aura said:

Malwarebytes Anti-Ransomware is still in beta, and it is not suggested to use it on production system yet (like every other beta ever).

Why is the support rep telling me to install it and why is it included in endpoint security v 1.7.1 ?? I knew it was in beta but assumed it's out now because of that?


1 minute ago, Aura said:

Just saw on Endpoint Security's webpage that Ransomware protection is indeed bundled in, though I don't know if it's based on Anti-Ransomware or not. Only a Staff member will be able to answer you on that, so we'll just have to wait.

It is, Aura. See the attached. No disrespect, but please pay attention before throwing your replies around.

mbar.png


  • Staff

Hi,

Do you still have the payload ( hupoas.dll ) or the file that was spread that dropped this? (these are typically JS or WS files, but we have also seen these with an xls.exe extension spammed via mail).

If so, please zip and attach to this thread (use password: "infected"), so we can have a look at why this wasn't caught.

Thanks!


On 10/2/2016 at 3:44 AM, miekiemoes said:

Hi,

Do you still have the payload ( hupoas.dll ) or the file that was spread that dropped this? (these are typically JS or WS files, but we have also seen these with an xls.exe extension spammed via mail).

If so, please zip and attach to this thread (use password: "infected"), so we can have a look at why this wasn't caught.

Thanks!

Attached is a sample of the Excel attachment used to download the payload, and a file named "hrushki" (I added the .malware extension) which I believe is copied to "hupoas.dll" when it's being executed by rundll.exe.

Like @flrancid mentioned above, the Anti-Ransomware product was bundled into our purchase of Endpoint Security and we were not necessarily aware it was considered a beta product.

odin-ransomware-sample.zip

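As an added example (not code from the thread or from Malwarebytes), this Python script screens constructed mail-attachment and process-creation events for the delivery and execution chain described in the two posts above: script or double-extension (e.g. `xls.exe`) attachments, and rundll32 loading a DLL from the user's Temp directory. The event field names, the sample values and the `qwerty` export name are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the thread): attachment events as a
# mail gateway might log them, and process events as an EDR sensor might.
SAMPLE_EVENTS = [
    {"type": "attachment", "name": "invoice_2016-10-01.xls.exe"},
    {"type": "attachment", "name": "report.xlsx"},
    {"type": "attachment", "name": "scan_0001.js"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\hupoas.dll,qwerty"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe"}
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Assumes the standard per-user profile layout quoted in the thread.
TEMP_MARKERS = ("appdata\\local\\temp\\",)
# First argument after rundll32[.exe], up to the comma before the export name.
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)

def check_attachment(name):
    """Return a reason if the attachment name matches a common dropper pattern."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes:
        return None
    if suffixes[-1] in SCRIPT_EXTS:
        return "script attachment " + suffixes[-1]
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in EXEC_EXTS:
        return "double extension " + "".join(suffixes[-2:])
    return None

def check_rundll32(cmdline):
    """Return a reason if rundll32 is loading a DLL from a user Temp directory."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll = m.group(1).strip().lower()
    if any(marker in dll for marker in TEMP_MARKERS):
        return "rundll32 loading " + PureWindowsPath(dll).name + " from user Temp"
    return None

def triage(events):
    """Return (index, reason) for every event that trips one of the checks."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "attachment":
            reason = check_attachment(ev["name"])
        elif ev["type"] == "process":
            reason = check_rundll32(ev["cmdline"])
        else:
            reason = None
        if reason:
            hits.append((i, reason))
    return hits
```

Matching on name and path alone is a triage filter, not a verdict; a hit is a prompt to pull the file and inspect it.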

  • 3 weeks later...

Hi @Kulibaba

This website is an affiliate of Enigma Software Group USA, LLC promoting SpyHunter. I tend to avoid these kinds of websites since they auto-generate removal guides based on words that are entered in Google searches. Here's an example...

http://remove-malware-tech.com/post/How-to-Remove-Retard-Completely-From-Your-PC_14_28747.html

Obviously "Retard" isn't a real malware...

There's currently no way to retrieve files encrypted with the .shit variant of Locky for free. If you have the payload on your system, you can attach it in this thread and it'll be added to MBARW.
