That's my assessment as well.

On Wed, Jul 8, 2015 at 12:17 PM, Susan Bradley <[email protected]> wrote:
> If the infection occurred as soon as he attached to the network, I'm guessing he was already nailed and he just brought it in when he came in.
>
> On 7/8/2015 9:10 AM, Jonathan Link wrote:
>> Well, he wasn't in the office for much of the past two days, so firewall logs are ineffective in this instance. It appears that the infection started as soon as his computer attached to the network. Browser history is a good place to look, but I can't access the machine without it being turned on and on the network (I'm on vacation) and that would be counterproductive at this point. I am hoping I can recover some of his data that was on the computer, but made him no promises.
>>
>> On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <[email protected]> wrote:
>>> IE history
>>> Firewall logs
>>>
>>> Should help narrow it down.
>>>
>>> And we have a zero day flash being patched today. Expect a Microsoft patch for Windows 8 and above.
>>>
>>> On 7/8/2015 8:32 AM, Jonathan Link wrote:
>>>> No, not yet. It's one of our directors, and he swears that the only site he visited within the last 24 hours was msn.com <http://msn.com>. So it could be the flash 0 day from an infected ad that wasn't caught? Of course, he might not be remembering something...
>>>>
>>>> It started working at around 8am this morning which is when he fired up his computer in the office.
>>>>
>>>> On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <[email protected]> wrote:
>>>>> I know you are on vacation but do you know the attack vector?
>>>>>
>>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jonathan Link
>>>>> *Sent:* Wednesday, July 08, 2015 10:43 AM
>>>>> *To:* [email protected]
>>>>> *Subject:* Re: [NTSysADM] OT: VirusScanning software
>>>>>
>>>>> So, we just got hit with a Cryptowall variant with SRP in place. I didn't disbelieve you Susan, I was just hoping that we could avoid infection until I got a true whitelisting solution in place.
>>>>>
>>>>> Oh and I'm on vacation, so this is extra fun to restore backups via the VPN. Luckily we have other systems in place that mitigated the extent of damage, such as really good backups, and tested restore procedures.
>>>>>
>>>>> On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
>>>>>> I have many consultant stories of ransomware nailing clients with software restriction policies in place - especially the web cocktail variants.
>>>>>>
>>>>>> Applocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my space, nor does the customer base afford the time and effort.
>>>>>>
>>>>>> Great if you have the budget to do it, sucks if you don't have the licenses and infrastructure.
>>>>>>
>>>>>> On 7/3/2015 11:54 AM, Jonathan Link wrote:
>>>>>>> I was posting from my phone in a hurry, DYAC. Software Restriction, not proper pixies.
>>>>>>>
>>>>>>> Susan, I haven't seen an executable run in any location that has been blocked by SRP. IF you have a very narrow whitelist, it helps a lot.
>>>>>>>
>>>>>>> On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
>>>>>>>> You can also use proper pixies to restrict where software can run. I've blocked the user profile folder and added an exception for the desktop and a couple of other places that I can't recall. Users have to move downloaded apps to their desktop to install. I haven't had a Cryptowall infection in 2 years.
>>>>>>>>
>>>>>>>> On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
>>>>>>>>> It changes so fast that as soon as they do the bad guys code up something new.
>>>>>>>>>
>>>>>>>>> there's no silver bullet here.
>>>>>>>>>
>>>>>>>>> Silverlight/flash/java. Use it, patch it or lose it.
>>>>>>>>>
>>>>>>>>> Web filtering at the firewall. If your firewall doesn't provide web filtering/UTM options it's time to upgrade. Home users look at OpenDNS (yes even now that Cisco is buying them)
>>>>>>>>>
>>>>>>>>> Filter attachments/zips.
>>>>>>>>>
>>>>>>>>> Least priv/non admin.
>>>>>>>>>
>>>>>>>>> Block the app location (yes this impacts firefox and office installs) Google foolishit for non domain or cryptolocker group policy toolkit
>>>>>>>>>
>>>>>>>>> Education to your users that that email you got isn't a legit email.
>>>>>>>>>
>>>>>>>>> On 7/3/2015 10:09 AM, David McSpadden wrote:
>>>>>>>>>> Quick, anyone know of a VirusScanning software that is catching CryptoWall 3.0 yet?
>>>>>>>>>>
>>>>>>>>>> *David McSpadden*
>>>>>>>>>> Systems Administrator
>>>>>>>>>> Indiana Members Credit Union
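An added illustration of the Software Restriction Policy design Jonathan describes (block the user profile folder, exempt the Desktop) and of the side effect Susan notes (blocking the app location also catches per-user application installs). This is not code from the thread or from any of its participants; it is a constructed Python model of SRP path-rule precedence, with an assumed sample policy, an assumed per-user environment for a user "bob" and constructed sample paths. It does not read a real policy from the registry; it reproduces the SRP selection behaviour (the most specific matching path rule wins; the tie-break toward the more restrictive level is an assumption) so that a candidate policy can be sanity-checked against realistic paths before it is deployed.

```python
"""
Simulation of Software Restriction Policy (SRP) path-rule evaluation.

Constructed model, not a reader of the real policy in the registry. It applies
the SRP selection rule (deepest matching path rule wins; on an exact tie the
more restrictive level is assumed to win) so the "block the profile folder,
exempt the Desktop" design can be checked offline against sample paths.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    path: str         # SRP-style path; may contain %ENV% variables and * / ? wildcards
    level: str        # DISALLOWED or UNRESTRICTED
    description: str


# Constructed policy modelled on the thread: the whole profile is Disallowed,
# then the Desktop is punched back open so users can install from there.
POLICY = [
    PathRule(r"%USERPROFILE%", DISALLOWED, "No execution from the user profile"),
    PathRule(r"%USERPROFILE%\Desktop", UNRESTRICTED, "Exception: Desktop"),
]
DEFAULT_LEVEL = UNRESTRICTED  # assumed default security level of the policy

# Constructed per-user environment; SRP expands variables for the logged-on user.
BOB_ENV = {
    "USERPROFILE": r"C:\Users\bob",
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
}


def expand(pattern: str, env: dict) -> str:
    """Expand %VAR% references using the supplied per-user environment."""
    for name, value in env.items():
        pattern = pattern.replace(f"%{name}%", value)
    return pattern


def _segments(path: str) -> list:
    """Split a Windows path into case-folded components (SRP matching is case-insensitive)."""
    return [part.lower() for part in PureWindowsPath(path).parts]


def rule_matches(rule_path: str, target: str) -> bool:
    """A folder rule matches the folder itself and everything beneath it;
    wildcards apply within a single path component, never across separators."""
    rule, tgt = _segments(rule_path), _segments(target)
    if len(rule) > len(tgt):
        return False
    return all(fnmatchcase(t, r) for r, t in zip(rule, tgt))


def effective_level(target: str, env: dict, policy=POLICY, default=DEFAULT_LEVEL):
    """Return (level, reason) for target: the deepest matching rule wins;
    on an exact tie the Disallowed rule is preferred (assumed tie-break)."""
    best = None  # ((depth, restrictive_rank), rule)
    for rule in policy:
        path = expand(rule.path, env)
        if not rule_matches(path, target):
            continue
        key = (len(_segments(path)), 1 if rule.level == DISALLOWED else 0)
        if best is None or key > best[0]:
            best = (key, rule)
    if best is None:
        return default, "default security level"
    return best[1].level, best[1].description


def audit(samples, env=BOB_ENV):
    """Evaluate candidate executable paths; returns [(path, level, reason), ...]."""
    return [(p, *effective_level(p, env)) for p in samples]


# Constructed sample paths covering the cases discussed in the thread.
SAMPLES = [
    r"C:\Users\bob\AppData\Local\Temp\update.exe",      # typical staging location: blocked
    r"C:\Users\bob\Desktop\setup.exe",                  # the deliberate exception
    r"C:\Users\bob\Desktop\staging\tool.exe",           # the exception is recursive
    r"C:\Users\bob\AppData\Local\SomeVendor\app.exe",   # per-user app install: collateral block
    r"C:\Program Files\SomeVendor\app.exe",             # machine-wide install: default level
]

if __name__ == "__main__":
    for path, level, reason in audit(SAMPLES):
        print(f"{level:<12} {path:<50} ({reason})")
```

Running it shows the trade-off the thread is arguing about in one table: the Temp and AppData drops are refused, the Desktop exception (and anything nested under it) is honoured, and a legitimate per-user install under AppData is refused too, which is the Firefox/Office breakage Susan warns about. Swap in your own rules and paths to check an exception list before it reaches a GPO.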
