1. Patching is key.

2. Monitor for key Indicators of Compromise:

   a. https://bitbucket.org/jadacyrus/ransomwareremovalkit/overview

   b. Look for ipinfo.io/ip in your web logs.

3. There are some great discussions within the attached thread.

4. Block "Dynamic Content" on your proxy or newly registered domains.


From: [email protected] [mailto:[email protected]] On 
Behalf Of Susan Bradley
Sent: Friday, July 03, 2015 1:57 PM
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software

It changes so fast that as soon as they do, the bad guys code up something new.

There's no silver bullet here.

Silverlight/Flash/Java. Use it, patch it, or lose it.

Web filtering at the firewall. If your firewall doesn't provide web 
filtering/UTM options, it's time to upgrade. Home users: look at OpenDNS (yes, 
even now that Cisco is buying them).

Filter attachments/zips.

Least priv/non-admin.

Block the app location (yes, this impacts Firefox and Office installs). Google 
Foolish IT for non-domain, or the CryptoLocker group policy toolkit.

Educate your users that that email they got isn't a legit email.
On 7/3/2015 10:09 AM, David McSpadden wrote:
Quick, anyone know of a VirusScanning software that is catching CryptoWall 3.0 
yet?


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106


This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.

IMPORTANT NOTICE: Without the use of secure encryption, the Internet is not a 
secure medium and privacy cannot be ensured. Internet e-mail is vulnerable to 
interception, misuse and forging. Equitable cannot ensure the privacy and 
authenticity of any information sent by way of the public Internet. Equitable 
will not be responsible for any damages you may incur if you communicate 
confidential and personal information to us over the Internet or if we 
communicate such information to you at your request. This e-mail and any 
attachments are confidential, may be covered by legal professional privilege or 
exempt from disclosure under applicable law, and are intended for the addressee 
only. If you are not the intended recipient, you are not authorized to and must 
not disclose, copy, distribute or retain any or part of this e-mail and any 
attachments without written permission of The Equitable Life Insurance Company 
of Canada.

--- Begin Message ---
Ensure you have the latest patches installed for Java and Flash. Exploit kits 
like Angler, Nuclear and Magnitude are starting to distribute ransomware more 
frequently via drive-by download attacks and malicious advertisements on common 
websites.

We've had several ransomware incidents in the last few months, all due to 
unpatched systems. Host-based detection is limited at best, but one thing I 
have noticed in all incidents seen is that the malware typically uses 
hxxp://ipinfo.io/ip to determine its public-facing IP address.

We have created correlation rules that detect users going to this domain via 
our McAfee ESM SIEM; we then have an alarm that fires when that correlation 
rule is seen, and we can automatically apply an ePO tag to enforce a policy that 
severely 'disables' the system (no R/W to network shares, restricted HTTP/HTTPS 
going out). Our alarm also e-mails out some key characteristics about the 
infected machine for easy identification by our IT Service Desk team.

Ransomware isn't going away and it's going to get worse. We've been able to 
detect these IoCs and have the issue remediated in under 7 minutes.

Cheers,

Rob Strong
Information Security Specialist
Equitable Life of Canada


From: [email protected] [mailto:[email protected]] On 
Behalf Of David McSpadden
Sent: Thursday, May 28, 2015 7:17 PM
To: <[email protected]>
Subject: Re: [NTSysADM] Cryptlocker



That's mine today.

What variant was yours?

Sent from my iPhone


On May 28, 2015, at 7:14 PM, Heaton, Joseph@Wildlife 
<[email protected]> wrote:

We had that the other day. The files are getting encrypted, but the 
extensions are not getting changed.



From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
Sent: Thursday, May 28, 2015 8:37 AM
To: [email protected]
Subject: Re: [NTSysADM] Cryptlocker



The text files created should indicate the affected user with the Owner 
attribute, no?





On Thu, May 28, 2015 at 11:30 AM, David McSpadden 
<[email protected]> wrote:

I am pretty sure I have a PC with this on it in my network.

I have run scans on workstations.

I still do not see it, but I have the telltale signs:

The HELP_DECRYPT files in network folders.

The Word and Excel files not being able to be opened, etc.

How do I remove something that Trend is not seeing?

Nor Windows Endpoint Protection?





David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106





--- End Message ---
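The detection Rob Strong describes in the attached message, and the "look for ipinfo.io/ip in your web logs" item at the top of this post, reduced to one stand-alone script. This is an added example, not code from the thread and not McAfee ESM or ePO configuration: it reads constructed proxy and file-server audit lines (both column layouts are assumptions), flags hosts that request ipinfo.io/ip (including the CONNECT form a proxy sees for HTTPS), correlates that with HELP_DECRYPT notes being created on a share, skips an allowlisted admin host, and returns the "key characteristics" alert plus the list of hosts that would receive the containment policy. The function names, the 10.20.30.x addresses and the user names are all constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Tuple

# Public-IP lookup the thread reports in every incident. Over HTTPS a proxy only
# sees "CONNECT ipinfo.io:443", so the host is matched in that form as well.
IP_CHECK_URL = re.compile(r"^(https?://ipinfo\.io(/ip)?/?|ipinfo\.io:443)$", re.IGNORECASE)
# Ransom note file names the thread mentions turning up in network folders.
RANSOM_NOTE = re.compile(r"(^|[\\/])HELP_DECRYPT\.(TXT|HTML|PNG|URL)$", re.IGNORECASE)

# Assumed (constructed) proxy log layout:  epoch client_ip user method url status
PROXY_LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+"
                        r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
# Assumed (constructed) file-server audit layout:  epoch client_ip user action path
FILE_LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+"
                       r"(?P<action>CREATE|WRITE|DELETE)\s+(?P<path>.+)$")

Hit = Tuple[str, str, int]  # (client_ip, user, epoch)


@dataclass
class Alert:
    """The 'key characteristics' a service desk needs to locate the machine."""
    client: str
    user: str
    first_seen: int
    indicators: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A lone ipinfo.io lookup is worth a look (admins and legitimate tools use the
        # service too); two independent indicators on one host justify automatic containment.
        return "high" if len(self.indicators) >= 2 else "medium"


def ip_check_hits(lines: Iterable[str], allowlist: frozenset = frozenset()) -> Iterator[Hit]:
    """Yield proxy requests to ipinfo.io/ip, skipping hosts on the allowlist."""
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if m and m["client"] not in allowlist and IP_CHECK_URL.match(m["url"]):
            yield m["client"], m["user"], int(m["ts"])


def ransom_note_hits(lines: Iterable[str]) -> Iterator[Hit]:
    """Yield CREATE events for HELP_DECRYPT.* files on the file server."""
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if m and m["action"] == "CREATE" and RANSOM_NOTE.search(m["path"]):
            yield m["client"], m["user"], int(m["ts"])


def correlate(proxy_lines: Iterable[str], file_lines: Iterable[str],
              allowlist: frozenset = frozenset()) -> Dict[str, Alert]:
    """Fold both indicator streams into one alert per client IP."""
    alerts: Dict[str, Alert] = {}

    def record(hit: Hit, indicator: str) -> None:
        client, user, ts = hit
        alert = alerts.setdefault(client, Alert(client, user, ts))
        alert.first_seen = min(alert.first_seen, ts)
        if indicator not in alert.indicators:
            alert.indicators.append(indicator)

    for hit in ip_check_hits(proxy_lines, allowlist):
        record(hit, "ipinfo.io/ip lookup")
    for hit in ransom_note_hits(file_lines):
        record(hit, "HELP_DECRYPT note created on share")
    return alerts


def containment_candidates(alerts: Dict[str, Alert]) -> List[str]:
    """Clients that would get the restrictive policy (the thread's ePO-tag step)."""
    return sorted(c for c, a in alerts.items() if a.severity == "high")


# Constructed sample data: one infected host, one allowlisted admin host, one host
# with only the lookup, and ordinary file-share activity as noise.
SAMPLE_PROXY_LOG = """\
1435939201 10.20.30.41 jsmith GET http://ipinfo.io/ip 200
1435939202 10.20.30.41 jsmith GET http://example.com/ 200
1435939300 10.20.30.5 netops GET http://ipinfo.io/ip 200
1435939400 10.20.30.77 rlee CONNECT ipinfo.io:443 200
"""
SAMPLE_FILE_AUDIT = r"""
1435939250 10.20.30.41 jsmith CREATE \\fileserver\finance\HELP_DECRYPT.TXT
1435939251 10.20.30.41 jsmith WRITE \\fileserver\finance\budget.xlsx
1435939500 10.20.30.88 kdoe CREATE \\fileserver\hr\notes.txt
"""
ALLOWLIST = frozenset({"10.20.30.5"})  # assumed: a network-ops box that checks its public IP on purpose


def run_sample() -> Dict[str, Alert]:
    return correlate(SAMPLE_PROXY_LOG.splitlines(), SAMPLE_FILE_AUDIT.splitlines(), ALLOWLIST)


if __name__ == "__main__":
    alerts = run_sample()
    for a in alerts.values():
        print(f"{a.severity.upper():6} {a.client} user={a.user} first_seen={a.first_seen} {a.indicators}")
    print("contain:", containment_candidates(alerts))
```

Run it as a plain script to print one line per flagged host. The split between "medium" and "high" is the design point: ipinfo.io is a legitimate service, so a single lookup should page an analyst rather than isolate a machine, while a lookup plus a ransom note on a share is specific enough to apply the "no R/W to network shares" policy automatically. The allowlist is where known legitimate users of the lookup go so the rule does not train people to ignore it.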
