In my career I’ve had encounters with Ransomware a few times. A few months ago we were attacked again. And rather than just recover from the effects, I decided to do some more investigation as to how the virus got into our network. The strain we were faced with this time is the ODIN Locky Ransomware.
First we were notified by one of our end users that several folders on our shared drive have missing files that were replaced with a strange looking file with the .odin extension. I was not familiar with the ODIN extension but as soon as I saw the files, I knew exactly what they were. Ransomware.
You may notice the first file listed is an html file. This is the ransom note. Typically it would also be displayed on the users desktop wallpaper but since this is on a network drive, we are unsure who the exact user that triggered the virus. The ransom HOWDO_ HTML looks like this:
By investigating the security permissions on the folders and files, you should be able to figure out who the end user is that triggered the virus. However, in our case, there was a security group that had access with a large member base so it would take forever to track down who caused it.
I did a little research on the ODIN extension and found some great articles
Information on the Ransomware variants that caused this:
Steps Taken to recover:
- Deleted all affected folders/files
- If you have identified the computer that spawned the ransomeware, then it’d be a good idea to wipe it because there’s a good chance that some of the OS files have been corrupted.
- Restored from backup
- Performed a Full antivirus scan on the storage server
In our case we received a help desk call a day later from an end user that couldn’t access some of their files. I remoted into their PC and found she was referring to her local My Documents folder. They were all encrypted by the Locky virus. I ran a search of the C: drive to see whereelse the virus had touched. The ODIN file extension was in several directories. My Documents, ProgramData, etc. I noticed the time stamp on the files was one minute prior to the infected files on our storage server. So her workstation is very likely the root of the ransomware infection.
I found this in the registry. I didn’t get a screenshot of the command key value but I looked at it and it was calling Word.exe.
I then decided to see how it got into our network. I searched our IPS for events with her computers IP address during the time frame of the infection. And lo and behold I found it. There was a botnet that was allowed from URL logwudorlghdou.info/apache_handler.php
Google searches on the URL logwudorlghdou.info came up with nothing. However, google search on apache_handler.php resulted in the top results being blogs talking about ODIN Locky Ransomware. Here’s an example.
If this was a “High Risk” reputation with URL Category “Bot Nets” then why was it allowed?? We found we had several URL categories blocked but Bot Nets was not on the list. So, we added Bot Nets and another one that looked like a good idea to block named Keyloggers and Monitoring.
I ran a search on the our email archiver and spam firewall. The only message I see sent to our end uers that is questionable is one that has an xls attachment. The from address is firstname.lastname@example.org so I googled sunshinecash.com.au and found it is some website and has various other websites with the same company name in it (ie. Facebook page) but I was scared to click on it. So then I ran a search for emails sent from that domain. Nothing. So then I ran another serach of emails to anyone but with that subject line. Bam! We received several with the same subject pattern. The emails all contain xls attachments but are from completely different domains. I also looked at the body of the email and all of them have the same body “Sent with Genius Scan for iOS”.
Moral of the story? Education is so important. Train your end users NOT to click on links in emails they don’t recognize! And add as many layers of security that you can. Antivirus, antispam, antimalware, intrusion prevention, firewall, dns protection, and the list goes on.