jradwan Posted September 30, 2016 ID:1064839

We were hit with the Odin ransomware yesterday, so we purchased the Malwarebytes corporate solution. On a test laptop with AntiMalware, AntiExploit, and AntiRansomware installed and fully updated, I was still able to get infected with Odin without a peep from the software that is supposed to prevent it. That being as it is, when I run an antimalware scan, MalwareBytes finds a copy of the downloaded payload files as Locky.Ransomware, but not the actual copy of the payload (under C:\Users\<user>\Appdata\Local\Temp\hupoas.dll).
Aura Posted September 30, 2016 ID:1064846

You can submit that file in the Newest Rogue-Ransomware Threats section (and include a URL to the VirusTotal report), so an employee can check it, add it to the database and forward it to the MBARW team so they can test the product against it.
flrancid Posted September 30, 2016 ID:1064851

Unbelievable! We were just hit with Odin yesterday as well. Running MBAM and MBAE... sitting here about to deploy anti-ransomware but was having second thoughts. Then I see your post. HA! Not worth pushing out now!!
Aura Posted September 30, 2016 ID:1064855

> sitting here about to deploy anti-ransomware but was having second thoughts. Then I see your post. HA! Not worth pushing out now!!

Malwarebytes Anti-Ransomware is still in beta, and it is not suggested to use it on production systems yet (like every other beta ever).
flrancid Posted September 30, 2016 ID:1064857

> 3 minutes ago, Aura said: Malwarebytes Anti-Ransomware is still in beta, and it is not suggested to use it on production systems yet (like every other beta ever).

Why is the support rep telling me to install it, and why is it included in Endpoint Security v1.7.1? I knew it was in beta but assumed it's out now because of that?
Porthos Posted September 30, 2016 ID:1064858

> 1 hour ago, jradwan said: On a test laptop with AntiMalware, AntiExploit, and AntiRansomware installed and fully updated,

What and where is your Anti Virus?
Aura Posted September 30, 2016 ID:1064859

> 2 minutes ago, flrancid said: Why is the support rep telling me to install it, and why is it included in Endpoint Security v1.7.1? I knew it was in beta but assumed it's out now because of that?

Did you talk with a support rep from Malwarebytes directly, or a third party?
flrancid Posted September 30, 2016 ID:1064860

> Just now, Aura said: Did you talk with a support rep from Malwarebytes directly, or a third party?

Directly.
Aura Posted September 30, 2016 ID:1064861

Just saw on Endpoint Security's webpage that ransomware protection is indeed bundled in, though I don't know if it's based on Anti-Ransomware or not. Only a Staff member will be able to answer you on that, so we'll just have to wait.
flrancid Posted September 30, 2016 ID:1064862

> 1 minute ago, Aura said: Just saw on Endpoint Security's webpage that ransomware protection is indeed bundled in, though I don't know if it's based on Anti-Ransomware or not. Only a Staff member will be able to answer you on that, so we'll just have to wait.

It is, Aura. See the attached. No disrespect, but... please pay attention before throwing your replies around.
miekiemoes (Staff) Posted October 2, 2016 ID:1065072

Hi, do you still have the payload (hupoas.dll) or the file that was spread that dropped this? (These are typically JS or WS files, but we have also seen these with an xls.exe extension spammed via mail.) If so, please zip and attach it to this thread (use password: "infected"), so we can have a look at why this wasn't caught. Thanks!
jradwan (Author) Posted October 3, 2016 ID:1065244

> On 10/2/2016 at 3:44 AM, miekiemoes said: Hi, do you still have the payload (hupoas.dll) or the file that was spread that dropped this? (These are typically JS or WS files, but we have also seen these with an xls.exe extension spammed via mail.) If so, please zip and attach it to this thread (use password: "infected"), so we can have a look at why this wasn't caught. Thanks!

Attached is a sample of the Excel attachment used to download the payload, and a file named "hrushki" (I added the .malware extension) which I believe is copied to "hupoas.dll" when it's being executed by rundll.exe. Like @flrancid mentioned above, the Anti-Ransomware product was bundled into our purchase of Endpoint Security and we were not necessarily aware it was considered a beta product.

Attachment: odin-ransomware-sample.zip
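The delivery chain described in this thread (Office attachment downloads a payload, the DLL lands in the user's Temp folder, a Windows DLL host executes it) is something endpoint telemetry can flag even when signatures miss the sample. The following is an added example, not code from the thread or from Malwarebytes: it evaluates two simple detection rules over constructed Sysmon-style process-creation records. It assumes the loader is Windows' rundll32.exe (the poster wrote "rundll.exe"); the field names, user name and export name are assumptions, only the Temp-path DLL name comes from the thread.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1) for this example.
# Only the Temp-path DLL name comes from the thread; paths, user and export are made up.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|"
    "ParentImage=C:\\Windows\\explorer.exe|CommandLine=EXCEL.EXE invoice.xls",
    "Image=C:\\Windows\\System32\\rundll32.exe|"
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|"
    "CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\hupoas.dll,EntryPoint",
    "Image=C:\\Windows\\System32\\rundll32.exe|"
    "ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOADER_HOSTS = {"rundll32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# A DLL argument living under the per-user Temp directory (case-insensitive).
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll", re.IGNORECASE)

def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict keyed by the Sysmon field name."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the detection rules this single event matches."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    # Rule 1: an Office application spawning a script or DLL host.
    if parent in OFFICE_APPS and image in LOADER_HOSTS:
        hits.append("office_spawns_loader")
    # Rule 2: rundll32 asked to load a DLL out of the user's Temp folder.
    if image == "rundll32.exe" and TEMP_DLL.search(cmdline):
        hits.append("rundll32_loads_temp_dll")
    return hits

def scan(lines):
    """Evaluate every record; return (index, matched rules) for those that fire."""
    results = []
    for i, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Only the second record trips both rules; the legitimate rundll32 call against shell32.dll and Excel itself opening a spreadsheet stay quiet.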
jradwan (Author) Posted October 3, 2016 ID:1065249

> On 9/30/2016 at 5:00 PM, Porthos said: What and where is your Anti Virus?

It's Symantec Endpoint Protection, 12.1.6 MP6. But the definitions at the time of infection (9/29) didn't detect this Locky variant. The latest definitions now properly detect it.
miekiemoes (Staff) Posted October 4, 2016 ID:1065279

Thanks for the sample!
Aura Posted October 25, 2016 ID:1068253

Hi @Kulibaba. This website is an affiliate of Enigma Software Group USA, LLC promoting SpyHunter. I tend to avoid these kinds of websites since they auto-generate removal guides based on words that are entered in Google searches. Here's an example... http://remove-malware-tech.com/post/How-to-Remove-Retard-Completely-From-Your-PC_14_28747.html Obviously "Retard" isn't a real malware... There's currently no way to retrieve files encrypted with the .shit variant of Locky for free. If you have the payload on your system, you can attach it in this thread and it'll be added to MBARW.