If the infection occurred as soon as he attached to the network, I'm
guessing he was already nailed and he just brought it in when he came in.
On 7/8/2015 9:10 AM, Jonathan Link wrote:
Well, he wasn't in the office for much of the past two days, so
firewall logs are ineffective in this instance. It appears that the
infection started as soon as his computer attached to the network.
Browser history is a good place to look, but I can't access the
machine without it being turned on and on the network (I'm on
vacation) and that would be counterproductive at this point. I am
hoping I can recover some of his data that was on the computer, but
made him no promises.
On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <[email protected]> wrote:
IE history
Firewall logs
Should help narrow it down.
And we have a zero day flash being patched today. Expect a
Microsoft patch for Windows 8 and above.
On 7/8/2015 8:32 AM, Jonathan Link wrote:
No, not yet. It's one of our directors, and he swears that the only site he
visited within the last 24 hours was msn.com. So it could be the flash 0 day
from an infected ad that wasn't caught? Of course, he might not be
remembering something...
It started working at around 8am this morning, which is when he fired up his
computer in the office.
On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <[email protected]> wrote:
I know you are on vacation but do you know the attack vector?
*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jonathan Link
*Sent:* Wednesday, July 08, 2015 10:43 AM
*To:* [email protected]
*Subject:* Re: [NTSysADM] OT: VirusScanning software
So, we just got hit with a Cryptowall variant with SRP in place. I didn't
disbelieve you Susan, I was just hoping that we could avoid infection until
I got a true whitelisting solution in place.
Oh and I'm on vacation, so this is extra fun to restore backups via the VPN.
Luckily we have other systems in place that mitigated the extent of damage,
such as really good backups, and tested restore procedures.
On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
I have many consultant stories of ransomware nailing clients with software
restriction policies in place - especially the web cocktail variants.
Applocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my
space, nor does the customer base afford the time and effort. Great if you
have the budget to do it, sucks if you don't have the licenses and
infrastructure.
On 7/3/2015 11:54 AM, Jonathan Link wrote:
I was posting from my phone in a hurry, DYAC. Software Restriction, not
proper pixies.
Susan, I haven't seen an executable run in any location that has been
blocked by SRP. If you have a very narrow whitelist, it helps a lot.
On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
You can also use proper pixies to restrict where software can run. I've
blocked the user profile folder and added an exception for the desktop and
a couple of other places that I can't recall. Users have to move downloaded
apps to their desktop to install. I haven't had a Cryptowall infection in 2
years.
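The profile-folder deny with a Desktop exception described in that post only works because of how Software Restriction Policies resolve overlapping path rules: when several rules match a file, the most specific path wins. The Python script below is an added example, not code from the thread or from Microsoft; it models that resolution over a constructed rule set so the effect of such a policy can be checked against candidate paths offline. The rule list, the profile path in the environment table and the default level are assumptions chosen to mirror the policy the post describes.

```python
import fnmatch
import ntpath
import re

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed environment standing in for the variable expansion Windows performs
# when it applies a path rule; the profile path is a made-up example.
ENV = {
    "USERPROFILE": r"C:\Users\jlink",
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
}

# Constructed rule set modelled on the policy described in the thread: deny the
# whole profile, then exempt Desktop; system and program locations stay allowed.
RULES = [
    (r"%USERPROFILE%\*", DISALLOWED),
    (r"%USERPROFILE%\Desktop\*", UNRESTRICTED),
    (r"%ProgramFiles%\*", UNRESTRICTED),
    (r"%SystemRoot%\*", UNRESTRICTED),
]
DEFAULT_LEVEL = UNRESTRICTED  # assumed default level for paths no rule covers


def expand(pattern, env=ENV):
    """Replace %VAR% tokens with their values; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), pattern)


def normalize(path):
    """Collapse '..' segments and case so a rule cannot be dodged by path spelling."""
    return ntpath.normcase(ntpath.normpath(path))


def evaluate(exe_path, rules=RULES, default=DEFAULT_LEVEL):
    """Return (level, rule) for the file at exe_path.

    Of all matching path rules the most specific one wins (longest literal
    prefix); if two are equally specific, the more restrictive level wins.
    """
    target = normalize(exe_path)
    best = None
    for pattern, level in rules:
        pat = normalize(expand(pattern))
        if fnmatch.fnmatchcase(target, pat):
            key = (len(pat.rstrip("*")), level == DISALLOWED)
            if best is None or key > best[0]:
                best = (key, level, pattern)
    if best is None:
        return default, None
    return best[1], best[2]


def audit(paths, rules=RULES):
    """Evaluate several candidate launch paths; returns {path: level}."""
    return {p: evaluate(p, rules)[0] for p in paths}


if __name__ == "__main__":
    # Constructed candidate launch paths.
    for p, level in audit([
        r"C:\Users\jlink\AppData\Local\Temp\invoice.exe",  # profile deny applies
        r"C:\Users\jlink\Desktop\setup.exe",               # Desktop exception wins
        r"C:\Users\jlink\Downloads\..\Desktop\tool.exe",   # normalizes into Desktop
        r"C:\Program Files\Vendor\app.exe",
        r"D:\tools\x.exe",                                 # no rule: default level
    ]).items():
        print(f"{level:12} {p}")
```

Two things the model makes visible: on Vista and later the user's temp directory sits under the profile, so a profile-wide deny covers the usual drop location without a separate rule, and the decision is made purely on the path of the file being launched, which is why the thread's discussion moves from path rules toward true whitelisting.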
On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
It changes so fast that as soon as they do the bad guys code up something
new. There's no silver bullet here.
Silverlight/flash/java. Use it, patch it or lose it.
Web filtering at the firewall. If your firewall doesn't provide web
filtering/UTM options it's time to upgrade. Home users look at OpenDNS (yes
even now that Cisco is buying them).
Filter attachments/zips.
Least priv/non admin.
Block the app location (yes this impacts Firefox and Office installs).
Google foolishit for non domain or cryptolocker group policy toolkit.
Education to your users that that email you got isn't a legit email.
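The "filter attachments/zips" item above, and the opening question about scanners not yet catching CryptoWall 3.0, both point at the same control: a mail gateway that blocks the delivery pattern rather than waiting for a signature. The Python below is an added example, not code from the thread or from any product, showing the checks such a filter applies to a zip attachment: executable or script members, double extensions, archives nested inside archives, encrypted members it cannot open, and a PE header hiding under a harmless-looking extension. The blocked-extension list and the sample attachment are constructed for the example.

```python
import io
import posixpath
import zipfile

# Constructed list of member extensions the filter treats as executable or
# script content; the thread names executables in zips, the script types are
# added here as an assumption about what an attachment filter should cover.
BLOCKED_EXT = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".jar",
}
MAX_DEPTH = 3  # archive layers to open before giving up and blocking


def suspicious_members(data, depth=0):
    """Return [(member_path, reason)] for everything in a zip the filter would block."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = posixpath.basename(name).lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if info.flag_bits & 0x1:
                # Password-protected content cannot be inspected, so it is not trusted.
                findings.append((name, "encrypted member, cannot inspect"))
            elif ext in BLOCKED_EXT:
                reason = "executable/script member"
                if len(parts) > 2:  # e.g. invoice.pdf.exe
                    reason = "double extension " + base
                findings.append((name, reason))
            elif ext == ".zip":
                if depth + 1 >= MAX_DEPTH:
                    findings.append((name, "nested archive too deep"))
                else:
                    inner = suspicious_members(zf.read(info), depth + 1)
                    findings.extend((name + "/" + p, r) for p, r in inner)
            else:
                # Extension looks harmless: check for a PE ("MZ") header anyway.
                with zf.open(info) as f:
                    if f.read(2) == b"MZ":
                        findings.append((name, "PE header with non-executable extension"))
    return findings


def verdict(data):
    """'block' if any member is suspicious, otherwise 'allow'."""
    return "block" if suspicious_members(data) else "allow"


def build_sample(clean=False):
    """Construct an in-memory zip attachment for testing; not a real sample."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"plain text")
        if not clean:
            z.writestr("invoice_2015-07.pdf.exe", b"MZ" + b"\x00" * 62)  # double extension
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as zi:
                zi.writestr("scan.js", b"// script body")
            z.writestr("nested.zip", inner.getvalue())             # archive in archive
            z.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)   # renamed executable
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample()):
        print(f"{reason:45} {member}")
    print("verdict:", verdict(build_sample()), "/ clean:", verdict(build_sample(clean=True)))
```

The filter never executes or fully parses the payload; it reasons about container structure and file type, which is exactly what a signature-based scanner does not do in the window before a new variant is recognised. The encrypted-member branch is deliberate: a zip the gateway cannot open should be treated as unverified, not as clean.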
On 7/3/2015 10:09 AM, David McSpadden wrote:
Quick, anyone know of a VirusScanning software
that is catching CryptoWall 3.0 yet?
*David McSpadden*
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106
<http://imcu.com/>
This e-mail and any files transmitted with it are property of Indiana
Members Credit Union, are confidential, and are intended solely for the use
of the individual or entity to whom this e-mail is addressed. If you are not
one of the named recipient(s) or otherwise have reason to believe that you
have received this message in error, please notify the sender and delete
this message immediately from your computer. Any other use, retention,
dissemination, forwarding, printing, or copying of this email is strictly
prohibited.
Please consider the environment before printing this email.