Odin ransomware question

[adampd]

My friends business has suffered this ransomware, the original email came through on a client PC, which was opened, then by the sounds of it, they had a network share set up which stored their documents, which all got encrypted to the .odin format But, if the virus wasn't actually opened on the server itself, would that mean the shadow copies of the files on the server are still intact? Or does the virus delete the shadow copies remotely from the original infected client PC?
Trying to find the best way to try and recover the deleted files.

 

[USAFRet]

The only way to know is to try to resurrect those shadow copies.

 

[adampd]

The only way to know is to try to resurrect those shadow copies.

Yea I figured as much, but would a recovery program like Recvua, be able to restore the original files?
As I understand the ransomware, it copies the old files, encrypts them, then deletes the old ones?

 

[USAFRet]

The only way to know is to try to resurrect those shadow copies.

Yea I figured as much, but would a recovery program like Recvua, be able to restore the original files?
As I understand the ransomware, it copies the old files, encrypts them, then deletes the old ones?

No. Recuva will NOT resurrect the original files.
If it were that easy, the ransomware dudes would not be doing it.

 

[adampd]

No. Recuva will NOT resurrect the original files.
If it were that easy, the ransomware dudes would not be doing it.

Ahh I did wonder.
But if the virus wasn't activated on the server itself, would it have been able to delete the shadow copies from a client PC on the network?

 

[USAFRet]

No. Recuva will NOT resurrect the original files.
If it were that easy, the ransomware dudes would not be doing it.

Ahh I did wonder.
But if the virus wasn't activated on the server itself, would it have been able to delete the shadow copies from a client PC on the network?

All speculation. These things can mess with whatever is connected.
The only thing that matters is if you can retrieve your critical files from wherever.
Either the shadow copies, or the daily backups you've made.

Trying to unOdin those files, or discover what it might have done, is a useless exercise.
Wipe the systems, ALL the connected systems, and recover the files from your backups.

 

[adampd]

Thanks USAF
Yea I am just hoping for the best at this point, they only had ONE backup made and it's 2 months old and it wasn't complete
They've learnt a very hard lesson.

 

[USAFRet]

Thanks USAF
Yea I am just hoping for the best at this point, they only had ONE backup made and it's 2 months old and it wasn't complete
They've learnt a very hard lesson.

Multiple lessons:

the original email came through on a client PC, which was opened

they only had ONE backup made and it's 2 months old

 

[adampd]

Heh right

 

[ayalla]

I don't know about Recuva, but with a help of ShadowExplorer and this guide I managed to recover about 30% of encrypted by Odin files

 

[adampd]

Yea shadowexplorer was of no use, because the shadow copy system wasn't enabled (or the virus disabled it)
But, using Recuva, I was able to restore the lost data, hopefully all of it is intact.
Tested the most important bits and they work ok

 

[USAFRet]

Yea shadowexplorer was of no use, because the shadow copy system wasn't enabled (or the virus disabled it)
But, using Recuva, I was able to restore the lost data, hopefully all of it is intact.
Tested the most important bits and they work ok

Recuva worked? Interesting.

 

[adampd]

Actually it might've been R-Undelete.
Yea just checked, it was R-Undelete.