
ODIN Ransomware

Hello,

Lately Sophos has encountered multiple cases of the ODIN variant of the Locky ransomware family. This is the third version, with the first two being .locky and .zepto respectively. 

The good news is Sophos endpoint includes zero-day protection against this new variant and has been blocking it for about a week now, but in order for protection to work, you must have Malicious Traffic Detection (MTD) enabled. 

Our best practice settings for on premise users can be found here: Recommended settings for Anti-Virus and HIPS

On premise users can also easily check if they are following best practice by using our PET tool: Sophos Enterprise Console - Sophos Policy Evaluation Tool

For Sophos Central users, ensure you are protected by turning on Threat Protection. You can find this by going to Policies > Threat Protection tab > Tick the 'Use recommended settings' box

If you are a Sophos Intercept X user you are already protected with CryptoGuard. For more information on Intercept X, go here.

Please also check out our Naked Security blog post on ODIN and for more information on ransomware in general go here.

Thank you,

Bob Ianson | Sophos Community Manager 



  • For the Kaseya users out there, you can take a shot at preventing the .JS file execution part of the infection process with a one-liner script. (I'm sure this can be modified for whatever your command-and-control system might be.)

    This will make .JS files open with whatever the 'txtfile' handler is, Notepad by default. (Barring a user having set a specific handler themselves, of course. Which is unlikely!) Defense in depth, friends.
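The association change described in the comment above, written out as an added example; this is not the commenter's Kaseya one-liner (which is not reproduced on the page) but an illustration of the same mitigation. It assumes an elevated PowerShell session (HKCR\.js is backed by HKLM\Software\Classes) and, as an assumption beyond the comment, treats .jse the same way as .js:

```powershell
# Added example: remap script-file extensions to the 'txtfile' handler so a
# double-clicked .js attachment opens in Notepad instead of running under
# wscript.exe. Assumes an elevated session; HKCR is machine-wide.

# .jse is included as an assumption; the comment only mentions .js
$extensions = @('.js', '.jse')

foreach ($ext in $extensions) {
    # Record the current machine-wide association (e.g. ".js=JSFile")
    $before = cmd /c "assoc $ext" 2>$null
    Write-Output "Before: $before"

    # assoc writes the default value of HKCR\<ext>; txtfile is Notepad by default
    cmd /c "assoc $ext=txtfile" | Out-Null

    $after = cmd /c "assoc $ext" 2>$null
    Write-Output "After:  $after"

    # A per-user 'Open with -> always' choice lives under HKCU and takes precedence
    # over HKCR, so flag it: the machine-wide change is shadowed for that profile.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    if (Test-Path $userChoice) {
        $progId = (Get-ItemProperty -Path $userChoice).ProgId
        Write-Warning "Per-user override for $ext (ProgId=$progId) shadows the HKCR change."
    }
}

# Show what txtfile resolves to, so the admin can confirm it is Notepad
cmd /c "ftype txtfile"
```

Two caveats worth keeping in mind: the check only covers the Explorer double-click path, so a script that is launched explicitly through wscript.exe or cscript.exe is unaffected; and because the UserChoice key is written when a user picks a handler themselves, the warning branch is exactly the "user has set a specific handler" case the comment mentions.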

  • This is the first time I have noticed the Sophos Policy Evaluation Tool.

    Might be a good idea to put it on the same download page as the SMC and Standalone consoles.


    Are there any plans to support non-local database installs?

    Regards,
    Bohdan