Could be another CDN compromise, and those malvertisements through known-good sites are the issue.
Ed

On Jul 8, 2015 12:11 PM, "Jonathan Link" <[email protected]> wrote:
> Well, he wasn't in the office for much of the past two days, so firewall
> logs are ineffective in this instance. It appears that the infection
> started as soon as his computer attached to the network. Browser history
> is a good place to look, but I can't access the machine without it being
> turned on and on the network (I'm on vacation), and that would be
> counterproductive at this point. I am hoping I can recover some of his
> data that was on the computer, but made him no promises.
>
> On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <[email protected]> wrote:
>> IE history
>> Firewall logs
>>
>> Should help narrow it down.
>>
>> And we have a zero-day Flash being patched today. Expect a Microsoft
>> patch for Windows 8 and above.
>>
>> On 7/8/2015 8:32 AM, Jonathan Link wrote:
>>> No, not yet. It's one of our directors, and he swears that the only
>>> site he visited within the last 24 hours was msn.com. So it could be
>>> the Flash 0-day from an infected ad that wasn't caught? Of course, he
>>> might not be remembering something...
>>>
>>> It started working at around 8am this morning, which is when he fired
>>> up his computer in the office.
>>>
>>> On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <[email protected]> wrote:
>>>
>>> I know you are on vacation, but do you know the attack vector?
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
>>> Sent: Wednesday, July 08, 2015 10:43 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] OT: VirusScanning software
>>>
>>> So, we just got hit with a Cryptowall variant with SRP in place.
>>> I didn't disbelieve you Susan, I was just hoping that we could
>>> avoid infection until I got a true whitelisting solution in place.
>>>
>>> Oh, and I'm on vacation, so this is extra fun to restore backups
>>> via the VPN. Luckily we have other systems in place that
>>> mitigated the extent of damage, such as really good backups and
>>> tested restore procedures.
>>>
>>> On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
>>>
>>> I have many consultant stories of ransomware nailing clients with
>>> software restriction policies in place - especially the web
>>> cocktail variants.
>>>
>>> AppLocker/whitelisting = Enterprise SKUs, which I hardly ever see
>>> in my space, nor does the customer base afford the time and effort.
>>>
>>> Great if you have the budget to do it, sucks if you don't have the
>>> licenses and infrastructure.
>>>
>>> On 7/3/2015 11:54 AM, Jonathan Link wrote:
>>>
>>> I was posting from my phone in a hurry, DYAC. Software
>>> Restriction, not proper pixies.
>>>
>>> Susan, I haven't seen an executable run in any location that
>>> has been blocked by SRP. IF you have a very narrow whitelist,
>>> it helps a lot.
>>>
>>> On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
>>>
>>> You can also use proper pixies to restrict where software
>>> can run. I've blocked the user profile folder and added an
>>> exception for the desktop and a couple of other places
>>> that I can't recall. Users have to move downloaded apps to
>>> their desktop to install. I haven't had a Cryptowall
>>> infection in 2 years.
>>>
>>> On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
>>>
>>> It changes so fast that as soon as they do, the bad
>>> guys code up something new.
>>>
>>> There's no silver bullet here.
>>>
>>> Silverlight/Flash/Java: use it, patch it, or lose it.
>>>
>>> Web filtering at the firewall. If your firewall
>>> doesn't provide web filtering/UTM options, it's time to
>>> upgrade. Home users, look at OpenDNS (yes, even now
>>> that Cisco is buying them).
>>>
>>> Filter attachments/zips.
>>>
>>> Least priv/non-admin.
>>>
>>> Block the app location (yes, this impacts Firefox and
>>> Office installs). Google foolishIT for non-domain, or the
>>> CryptoLocker group policy toolkit.
>>>
>>> Education to your users that that email you got isn't
>>> a legit email.
>>>
>>> On 7/3/2015 10:09 AM, David McSpadden wrote:
>>>
>>> Quick, anyone know of a VirusScanning software
>>> that is catching CryptoWall 3.0 yet?
>>>
>>> David McSpadden
>>> Systems Administrator
>>> Indiana Members Credit Union
>>> P: 317.554.8190 | F: 317.554.8106
>>>
>>> This e-mail and any files transmitted with it are
>>> property of Indiana Members Credit Union, are
>>> confidential, and are intended solely for the use
>>> of the individual or entity to whom this e-mail is
>>> addressed. If you are not one of the named
>>> recipient(s) or otherwise have reason to believe
>>> that you have received this message in error,
>>> please notify the sender and delete this message
>>> immediately from your computer. Any other use,
>>> retention, dissemination, forwarding, printing, or
>>> copying of this email is strictly prohibited.
>>>
>>> Please consider the environment before printing
>>> this email.
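Jonathan's SRP setup in the thread (block the whole user profile, carve out the Desktop as an exception) works because of how SRP orders path rules: among the path rules that match an executable, the most specific path wins, and a Disallowed rule beats an Unrestricted one when both are equally specific. The script below is an added illustration for this thread, not Microsoft's code and not anything posted by the participants; it models that documented ordering in plain Python against a constructed rule set and a constructed set of environment-variable values, so it runs on any OS and never touches a registry. The rule paths, the environment values and the sample executable paths are all assumptions made for the demo. Beyond the Desktop exception Jonathan describes, it also shows why Susan's warning holds: a per-user install under %LOCALAPPDATA% sits inside the profile rule and gets blocked unless it gets its own exception.

```python
"""Model of Software Restriction Policy path-rule precedence (added example).

Not Microsoft's implementation: it only reproduces the documented ordering
(most specific matching path wins; Disallowed beats Unrestricted on a tie)
so the effect of a profile-wide block plus a Desktop exception can be tested
without a Windows box.
"""
import ntpath

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed environment so the model runs on any OS (assumed values).
ENV = {
    "USERPROFILE": r"C:\Users\director",
    "APPDATA": r"C:\Users\director\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\director\AppData\Local",
    "TEMP": r"C:\Users\director\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}

# Constructed rule set mirroring the approach in the thread: default-allow,
# everything under the profile blocked, Desktop carved out as an exception.
RULES = [
    (r"%USERPROFILE%", DISALLOWED),
    (r"%USERPROFILE%\Desktop", UNRESTRICTED),
    (r"%PROGRAMFILES%", UNRESTRICTED),
    (r"%SYSTEMROOT%", UNRESTRICTED),
]
DEFAULT_LEVEL = UNRESTRICTED


def expand(path):
    """Expand %VAR% references the way SRP path rules are written, then
    normalise case and separators so comparisons are case-insensitive."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normcase(ntpath.normpath(path))


def rule_matches(rule_path, exe_path):
    """A folder rule covers the folder itself and everything beneath it."""
    base = expand(rule_path)
    target = expand(exe_path)
    return target == base or target.startswith(base + "\\")


def matching_rules(exe_path, rules=RULES):
    """All rules that apply to exe_path, most specific first; on equal
    specificity the Disallowed rule is listed (and therefore wins) first."""
    matches = [(expand(p), level) for p, level in rules if rule_matches(p, exe_path)]
    matches.sort(key=lambda m: (len(m[0]), m[1] == DISALLOWED), reverse=True)
    return matches


def evaluate(exe_path, rules=RULES, default=DEFAULT_LEVEL):
    """Security level SRP would apply to exe_path under this rule set."""
    matches = matching_rules(exe_path, rules)
    return matches[0][1] if matches else default


if __name__ == "__main__":
    # Constructed sample paths typical of a user-profile drop versus a
    # sanctioned install location.
    for sample in (
        r"%APPDATA%\svchost.exe",
        r"%TEMP%\invoice.pdf.scr",
        r"%USERPROFILE%\Desktop\setup.exe",
        r"%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe",
        r"%PROGRAMFILES%\Mozilla Firefox\firefox.exe",
    ):
        print(f"{evaluate(sample):<12} {sample}")
```

Because the evaluation is a pure function over the rule list, the same model can be pointed at a proposed GPO change to see which user-profile paths it would leave open before the policy is deployed.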
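Susan's "filter attachments/zips" item is the one control in the list that a mail gateway, rather than the endpoint, enforces. The following script is an added example for this thread, not code from any of the participants or from a real gateway product: it inspects a zip attachment in memory and reports members that should stop the message, covering the cases that matter in practice: executable and script extensions, decoy double extensions such as invoice.pdf.scr, zips nested inside zips, archives nested too deep to inspect, and encrypted members whose contents cannot be examined at all. The extension list is an assumed subset of the SRP "designated file types", the depth limit is an arbitrary choice, and the sample attachments are constructed inline.

```python
"""Zip attachment inspection for a mail gateway (added example).

Returns findings rather than a bare verdict so the gateway can log why a
message was held. Assumed extension list and depth limit; sample archives
are constructed in memory so the script runs offline.
"""
import io
import zipfile

# Assumed subset of the SRP designated file types (not the full Windows list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".wsh", ".hta", ".msi", ".lnk", ".ps1", ".jar",
}
# Document-looking extensions used as the visible half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
MAX_DEPTH = 3  # arbitrary nesting limit for this demo


def classify_name(name):
    """Label a member name, or return None if nothing about it is suspicious."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "executable with decoy double extension"
    return "executable"


def inspect_zip(data, depth=0):
    """Walk a zip (recursing into nested zips) and collect (member, reason)."""
    if depth > MAX_DEPTH:
        return [("<nested>", "archive nested too deep to inspect")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: the gateway cannot see inside, so it is a
                # finding in its own right rather than a pass.
                findings.append((info.filename, "encrypted member, cannot inspect"))
                continue
            kind = classify_name(info.filename)
            if kind:
                findings.append((info.filename, kind))
            elif info.filename.lower().endswith(".zip"):
                for inner_name, inner_kind in inspect_zip(zf.read(info.filename), depth + 1):
                    findings.append((f"{info.filename}/{inner_name}", inner_kind))
    return findings


def should_quarantine(data):
    """Gateway decision: hold the message if any finding was raised."""
    return bool(inspect_zip(data))


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _nest(data, levels):
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data


# Constructed sample attachments (not real captures).
SAMPLE_BENIGN = make_zip({"report.pdf": b"%PDF-1.4 sample", "notes.txt": b"hello"})
SAMPLE_LURE = make_zip({"invoice_2015-07.pdf.scr": b"MZ sample bytes"})
SAMPLE_NESTED = make_zip({"docs.zip": make_zip({"scan.js": b"var x = 1;"})})
SAMPLE_TOO_DEEP = _nest(make_zip({"readme.txt": b"ok"}), 5)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("lure", SAMPLE_LURE),
                          ("nested", SAMPLE_NESTED), ("too deep", SAMPLE_TOO_DEEP)):
        print(label, should_quarantine(sample), inspect_zip(sample))
```

Treating an encrypted or over-nested archive as a finding is deliberate: a filter that can only say "nothing found" about content it never opened gives a false sense of coverage, and the thread's point is that layered controls should fail closed rather than silently pass.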
