This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ODIN Ransomware

Hello,

Lately Sophos has encountered multiple cases of the ODIN variant of the Locky ransomware family. This is the third version, with the first two being .locky and .zepto respectively. 

The good news is Sophos endpoint includes zero-day protection against this new variant and has been blocking it for about a week now, but in order for protection to work, you must have Malicious Traffic Detection (MTD) enabled. 

Our best practice settings for on premise users can be found here: Recommended settings for Anti-Virus and HIPS

On premise users can also easily check if they are following best practice by using our PET tool: Sophos Enterprise Console - Sophos Policy Evaluation Tool

For Sophos Central users, ensure you are protected by turning on Threat Protection. You can find this by going to Policies > Threat Protection tab > Tick the 'Use recommended settings' box

If you are a Sophos Intercept X user you are already protected with CryptoGuard. For more information on Intercept X, go here.

Please also check out our Naked Security blog post on ODIN and for more information on ransomware in general go here.

Thank you,

Bob Ianson | Sophos Community Manager 



This thread was automatically locked due to age.
Parents
  • For the Kaseya users out there, you can take a shot at preventing the .JS file execution part of the infection process with a one-liner script. (I'm sure this can be modified for whatever your command-and-control system might be.)

    This will make .JS files open with whatever the 'txtfile' handler is, Notepad by default. (Barring a user having set a specific handler themselves, of course. Which is unlikely!) Defense in depth, friends.

Reply
  • For the Kaseya users out there, you can take a shot at preventing the .JS file execution part of the infection process with a one-liner script. (I'm sure this can be modified for whatever your command-and-control system might be.)

    This will make .JS files open with whatever the 'txtfile' handler is, Notepad by default. (Barring a user having set a specific handler themselves, of course. Which is unlikely!) Defense in depth, friends.

Children
No Data