Classification: UNCLASSIFIED
Caveats: FOUO

Pervert :)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, June 02, 2015 3:59 PM
To: [email protected]
Subject: RE: [NTSysADM] Cryptlocker

Done. I had to look up pants.

 

From: [email protected] [mailto:[email protected]] On 
Behalf Of Rankin, James R
Sent: Tuesday, June 2, 2015 3:52 PM
To: [email protected]
Subject: Re: [NTSysADM] Cryptlocker

 

Knock yourself out, I'm short on blog visitors since doing BriForum (and yes, 
you'd be pants if you didn't)

-------

James Rankin | Director | TaloSys | 07809668579 Sent from my Blackberry

________________________________

From: "Kennedy, Jim" <[email protected]> 

Sender: "[email protected]" <[email protected]> 

Date: Tue, 2 Jun 2015 20:06:40 +0100

To: '[email protected]'<[email protected]>

ReplyTo: "[email protected]" <[email protected]> 

Subject: RE: [NTSysADM] Cryptlocker

 

Mind if I tweet this out?

 

From: [email protected] [mailto:[email protected]] On 
Behalf Of James Rankin
Sent: Tuesday, June 2, 2015 2:35 PM
To: [email protected]
Subject: RE: [NTSysADM] Cryptlocker

 

OK, quick and dirty run-down, but I’m sure you can all get the gist of it 
(hopefully!)

 

http://appsensebigot.blogspot.co.uk/2015/06/fslogix-first-look-1-managing-legacy-or.html

 

 

From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: 02 June 2015 17:38
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

 

Yes, please put up the link here when done. 

Kurt

 

On Tue, Jun 2, 2015 at 8:43 AM, James Rankin <[email protected]> wrote:

        I shall endeavour to finish this as soon as possible then!

         

        From: [email protected] 
[mailto:[email protected]] On Behalf Of Maglinger, Paul
        Sent: 02 June 2015 16:12
        To: '[email protected]'
        Subject: RE: [NTSysADM] Cryptlocker

         

        Me too!

         

        -Paul

         

        From: [email protected] 
[mailto:[email protected]] On Behalf Of Sean Martin
        Sent: Tuesday, June 02, 2015 10:07 AM

        
        To: [email protected]
        Subject: Re: [NTSysADM] Cryptlocker

         

        Definitely interested.
        
        - Sean

        
        On Jun 2, 2015, at 6:08 AM, James Rankin <[email protected]> 
wrote:

                What you need is FSLogix Java Rules Manager: only allow the 
vulnerable Java version to be seen when a specific URL is visited; otherwise 
it’s invisible to the user and OS, and the latest version is used.

                 

                I’m writing an article up on this today, if anyone’s interested 
in Java version management (on a sysadmin list, who isn’t?)

                 

                J

                 

                 

                From: [email protected] 
[mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
                Sent: 02 June 2015 14:51
                To: '[email protected]'
                Subject: RE: [NTSysADM] Cryptlocker

                 

                Update Java?  That’s just crazy talk.  We’re still at 7u51, 
with no roadmap in place to go any higher.  Not my choice, btw, it is 
development issues with Oracle.

                 

                From: [email protected] 
[mailto:[email protected]] On Behalf Of Ed Ziots
                Sent: Saturday, May 30, 2015 10:48 AM
                To: [email protected]
                Subject: RE: [NTSysADM] Cryptlocker

                 

                Nice strategy

                Ed

                On May 29, 2015 9:31 AM, "Robert Strong" <[email protected]> 
wrote:

                Ensure you have the latest patches installed for Java and 
Flash. Exploit kits like Angler, Nuclear and Magnitude are starting to 
distribute Ransomware more frequently via drive-by download attacks and 
malicious advertisements on common websites.

                 

                We’ve had several ransomware incidents in the last few months 
all due to unpatched systems. Host based detection is limited at best, but one 
thing I have noticed in all incidents seen is that the malware typically uses 
hxxp://ipinfo.io/ip to determine its public facing IP address.

                 

                We have created correlation rules that detect users going to 
this domain via our McAfee ESM SIEM, we then have an alarm that fires when that 
correlation rule is seen and we can automatically apply an ePO tag to enforce a 
policy that severely ‘disables’ the system (no R/W to network shares, 
restricted HTTP/HTTPS going out). Our alarm also e-mails out some key 
characteristics about the infected machine for easy identification by our IT 
Service Desk team.

                 

                Ransomware isn’t going away and it’s going to get worse. We’ve 
been able to detect these IoCs and have the issue remediated in under 7 
minutes.

                 

                Cheers,

                 

                Rob Strong

                Information Security Specialist

                Equitable Life of Canada

                 

                 

                 

                From: [email protected] 
[mailto:[email protected]] On Behalf Of David McSpadden
                Sent: Thursday, May 28, 2015 7:17 PM
                To: <[email protected]>
                Subject: Re: [NTSysADM] Cryptlocker

                 

                That's mine today.

                What variant was yours?
                
                Sent from my iPhone

                
                On May 28, 2015, at 7:14 PM, Heaton, Joseph@Wildlife 
<[email protected]> wrote:

                        We had that the other day.  The files are getting 
encrypted, but the extensions are not getting changed.

                         

                        From: [email protected] 
[mailto:[email protected]] On Behalf Of Jonathan Link
                        Sent: Thursday, May 28, 2015 8:37 AM
                        To: [email protected]
                        Subject: Re: [NTSysADM] Cryptlocker

                         

                        The text files created should indicate the affected 
user with the Owner attribute, no?

                         

                         

                        On Thu, May 28, 2015 at 11:30 AM, David McSpadden 
<[email protected]> wrote:

                        I am pretty sure I have pc with this on it in my 
network.

                        I have run scans on workstations.

                        I still do not see it, but I have the tell-tale signs.

                        The HELP_DECRYPT files in network folders.

                        The word and excel files not being able to be opened 
etc.

                        How do I remove something that Trend is not seeing?

                        Nor Windows Endpoint protection?

                         

                         

                        David McSpadden

                        Systems Administrator

                        Indiana Members Credit Union

                        P: 317.554.8190 | F: 317.554.8106


                         


                         

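A defender-side illustration of the correlation Rob describes above (flag hosts whose web traffic touches ipinfo.io, then hand the service desk the key characteristics of the machine). This is an added example, not code from the thread or from McAfee ESM/ePO; the proxy log format, host names, users and log lines are constructed for the demo.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical space-separated format:
# timestamp host user method url status). Not real traffic.
SAMPLE_PROXY_LOG = """\
2015-05-28T11:02:13Z WS-0417 jdoe GET http://ipinfo.io/ip 200
2015-05-28T11:02:14Z WS-0417 jdoe GET http://ads.example/banner.js 200
2015-05-28T11:02:15Z WS-0417 jdoe GET http://ipinfo.io/ip 200
2015-05-28T11:05:40Z WS-0221 asmith GET https://IPINFO.IO/json 200
2015-05-28T11:07:22Z WS-0102 ckent GET http://intranet.example/ 200
malformed line skipped by parser
"""

# The domain the thread identifies as the IoC (malware looking up its public IP).
IOC_DOMAINS = {"ipinfo.io"}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    first_seen: str
    hits: int


def parse_line(line):
    """Split one log line into its six fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, user, method, url, status = parts
    return {"ts": ts, "host": host, "user": user, "method": method,
            "url": url, "status": status}


def is_ioc_url(url):
    """True when the request host is an IoC domain (case-insensitive, port ignored)."""
    hostname = urlsplit(url).hostname
    return hostname is not None and hostname.lower() in IOC_DOMAINS


def correlate(log_text):
    """One Alert per host that contacted an IoC domain: first sighting plus hit count."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ioc_url(rec["url"]):
            continue
        prev = seen.get(rec["host"])
        if prev is None:
            seen[rec["host"]] = Alert(rec["host"], rec["user"], rec["ts"], 1)
        else:
            seen[rec["host"]] = Alert(prev.host, prev.user, prev.first_seen, prev.hits + 1)
    return sorted(seen.values(), key=lambda a: a.first_seen)


def service_desk_message(alert):
    """Key characteristics for the ticket: which machine, which user, when, how often."""
    return (f"RANSOMWARE-IOC host={alert.host} user={alert.user} "
            f"first_seen={alert.first_seen} hits={alert.hits}")
```

Admins and scripts also query ipinfo.io, so in practice a rule like this is paired with a second indicator (the ransom-note file writes, for instance) before a quarantine tag is applied automatically.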

 

