Lol

Ed

On Jun 2, 2015 4:34 PM, "Kent, Larry J CTR USARMY 93 SIG BDE (US)" <[email protected]> wrote:
> Classification: UNCLASSIFIED
> Caveats: FOUO
>
> Pervert :)
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
> Sent: Tuesday, June 02, 2015 3:59 PM
> To: [email protected]
> Subject: RE: [NTSysADM] Cryptlocker
>
> Done. I had to look up pants.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
> Sent: Tuesday, June 2, 2015 3:52 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Cryptlocker
>
> Knock yourself out, I'm short on blog visitors since doing BriForum (and yes, you'd be pants if you didn't)
>
> -------
> James Rankin | Director | TaloSys | 07809668579
> Sent from my Blackberry
>
> ________________________________
> From: "Kennedy, Jim" <[email protected]>
> Sender: "[email protected]" <[email protected]>
> Date: Tue, 2 Jun 2015 20:06:40 +0100
> To: '[email protected]' <[email protected]>
> ReplyTo: "[email protected]" <[email protected]>
> Subject: RE: [NTSysADM] Cryptlocker
>
> Mind if I tweet this out?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
> Sent: Tuesday, June 2, 2015 2:35 PM
> To: [email protected]
> Subject: RE: [NTSysADM] Cryptlocker
>
> OK, quick and dirty run-down, but I'm sure you can all get the gist of it (hopefully!)
>
> http://appsensebigot.blogspot.co.uk/2015/06/fslogix-first-look-1-managing-legacy-or.html
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: 02 June 2015 17:38
> To: ntsysadm
> Subject: Re: [NTSysADM] Cryptlocker
>
> Yes, please put up the link here when done.
>
> Kurt
>
> On Tue, Jun 2, 2015 at 8:43 AM, James Rankin <[email protected]> wrote:
>
> I shall endeavour to finish this as soon as possible then!
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul
> Sent: 02 June 2015 16:12
> To: '[email protected]'
> Subject: RE: [NTSysADM] Cryptlocker
>
> Me too!
>
> -Paul
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Sean Martin
> Sent: Tuesday, June 02, 2015 10:07 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Cryptlocker
>
> Definitely interested.
>
> - Sean
>
> On Jun 2, 2015, at 6:08 AM, James Rankin <[email protected]> wrote:
>
> What you need is FSLogix Java Rules Manager, only allow the vulnerable Java version to be seen when a specific URL is visited, otherwise it's invisible to the user and OS, and the latest version is used.
>
> I'm writing an article up on this today, if anyone's interested in Java version management (on a sysadmin list, who isn't?)
>
> J
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
> Sent: 02 June 2015 14:51
> To: '[email protected]'
> Subject: RE: [NTSysADM] Cryptlocker
>
> Update Java? That's just crazy talk. We're still at 7u51, with no roadmap in place to go any higher. Not my choice, btw, it is development issues with Oracle.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Ed Ziots
> Sent: Saturday, May 30, 2015 10:48 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Cryptlocker
>
> Nice strategy
>
> Ed
>
> On May 29, 2015 9:31 AM, "Robert Strong" <[email protected]> wrote:
>
> Ensure you have the latest patches installed for Java and Flash. Exploit kits like Angler, Nuclear and Magnitude are starting to distribute ransomware more frequently via drive-by download attacks and malicious advertisements on common websites.
>
> We've had several ransomware incidents in the last few months, all due to unpatched systems.
>
> Host-based detection is limited at best, but one thing I have noticed in all incidents seen is that the malware typically uses hxxp://ipinfo.io/ip to determine its public-facing IP address.
>
> We have created correlation rules that detect users going to this domain via our McAfee ESM SIEM; we then have an alarm that fires when that correlation rule is seen, and we can automatically apply an ePO tag to enforce a policy that severely 'disables' the system (no R/W to network shares, restricted HTTP/HTTPS going out). Our alarm also e-mails out some key characteristics about the infected machine for easy identification by our IT Service Desk team.
>
> Ransomware isn't going away and it's going to get worse. We've been able to detect these IoCs and have the issue remediated in under 7 minutes.
>
> Cheers,
>
> Rob Strong
> Information Security Specialist
> Equitable Life of Canada
>
> From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
> Sent: Thursday, May 28, 2015 7:17 PM
> To: <[email protected]>
> Subject: Re: [NTSysADM] Cryptlocker
>
> That's mine today.
> What variant was yours?
>
> Sent from my iPhone
>
> On May 28, 2015, at 7:14 PM, Heaton, Joseph@Wildlife <[email protected]> wrote:
>
> We had that the other day. The files are getting encrypted, but the extensions are not getting changed.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
> Sent: Thursday, May 28, 2015 8:37 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Cryptlocker
>
> The text files created should indicate the affected user with the Owner attribute, no?
>
> On Thu, May 28, 2015 at 11:30 AM, David McSpadden <[email protected]> wrote:
>
> I am pretty sure I have a PC with this on it in my network.
> I have run scans on workstations.
> I still do not see it, but I have the telltale signs.
> The HELP_DECRYPT files in network folders.
> The Word and Excel files not being able to be opened, etc.
> How do I remove something that Trend is not seeing?
> Nor Windows Endpoint Protection?
>
> David McSpadden
> Systems Administrator
> Indiana Members Credit Union
> P: 317.554.8190 | F: 317.554.8106
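Rob Strong's message above describes a SIEM correlation rule that fires when a workstation requests ipinfo.io/ip, and an alarm that e-mails the Service Desk the key characteristics of the suspect host. The script below is an added illustration of that detection logic and is not code from the thread, from McAfee ESM, or from any list member. It runs over a constructed sample of web-proxy log lines in a hypothetical `key=value` format (the log layout, host names and user names are all assumptions), groups hits per host, skips hosts on an allowlist (monitoring boxes or admin scripts may legitimately query the service), and produces the one-line summary an alarm might mail out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample proxy log (not real data). Format is an assumption:
# "<ISO timestamp> host=<name> user=<name> dst=<fqdn> url=<url> status=<code>".
# The thread writes the indicator defanged as hxxp://ipinfo.io/ip; logs carry the real scheme.
SAMPLE_PROXY_LOG = """\
2015-05-29T09:12:03Z host=WS-0412 user=jdoe dst=www.example.com url=http://www.example.com/ status=200
2015-05-29T09:12:09Z host=WS-0412 user=jdoe dst=ipinfo.io url=http://ipinfo.io/ip status=200
2015-05-29T09:12:11Z host=WS-0412 user=jdoe dst=ipinfo.io url=http://ipinfo.io/ip status=200
2015-05-29T09:15:40Z host=WS-0077 user=asmith dst=ipinfo.io url=http://ipinfo.io/json status=200
2015-05-29T09:16:02Z host=SRV-MON01 user=svc_monitor dst=ipinfo.io url=http://ipinfo.io/ip status=200
2015-05-29T09:20:55Z host=WS-0120 user=bwong dst=www.example.com url=http://www.example.com/news status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# The indicator from the thread: destination ipinfo.io, path /ip exactly.
LOOKUP_DOMAIN = "ipinfo.io"
LOOKUP_PATHS = {"/ip"}


@dataclass
class Alarm:
    """Characteristics of one suspect host, the way the thread's alarm e-mail summarises it."""
    host: str
    user: str
    first_seen: str
    hits: int = 1
    urls: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into a field dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields["ts"] = m.group("ts")
    return fields


def is_ip_lookup(fields: Dict[str, str]) -> bool:
    """True when the request matches the ipinfo.io/ip indicator (other ipinfo.io paths do not match)."""
    if fields.get("dst") != LOOKUP_DOMAIN:
        return False
    url = fields.get("url", "")
    if LOOKUP_DOMAIN not in url:
        return False
    path = url.split(LOOKUP_DOMAIN, 1)[1].split("?", 1)[0]
    return path.rstrip("/") in LOOKUP_PATHS


def correlate(lines: Iterable[str], allowlist: FrozenSet[str] = frozenset()) -> List[Alarm]:
    """Correlation rule: one Alarm per host (not per request) that hit the indicator and is not allowlisted."""
    alarms: Dict[str, Alarm] = {}
    for line in lines:
        f = parse_line(line)
        if f is None or not is_ip_lookup(f):
            continue
        host = f.get("host", "?")
        if host in allowlist:
            continue  # known-good source of ipinfo.io lookups, e.g. a monitoring server
        existing = alarms.get(host)
        if existing is None:
            alarms[host] = Alarm(host=host, user=f.get("user", "?"), first_seen=f["ts"], urls=[f["url"]])
        else:
            existing.hits += 1
            existing.urls.append(f["url"])
    return list(alarms.values())


def alarm_summary(alarm: Alarm) -> str:
    """The one-line description the alarm would e-mail to the Service Desk."""
    return f"host={alarm.host} user={alarm.user} first_seen={alarm.first_seen} hits={alarm.hits}"


if __name__ == "__main__":
    for a in correlate(SAMPLE_PROXY_LOG.splitlines(), allowlist=frozenset({"SRV-MON01"})):
        print(alarm_summary(a))
```

The per-host grouping matters for the response step the thread describes: the ePO tag is applied to a machine, so the alarm should identify a host once rather than once per request, and the allowlist keeps legitimate lookups from triggering an isolation policy on the wrong system.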
