The exploit kits are dropping CryptoWall 3.0 and others due to a 0-day in Flash which just got patched. I would spend time dealing with how many Flash installations are not up to spec and get those patched first, then deal with additional SRP controls.
Ed

On Jul 8, 2015 12:29 PM, "Kennedy, Jim" <[email protected]> wrote:
> Chase down where the exe is as you dig through this. You will find it in
> the user's profile in AppData, most likely. AppLock the user profile, all
> of it.

From: [email protected] On Behalf Of Jonathan Link
Sent: Wednesday, July 8, 2015 12:24 PM
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software

> That's my assessment as well.

On Wed, Jul 8, 2015 at 12:17 PM, Susan Bradley <[email protected]> wrote:
> If the infection occurred as soon as he attached to the network, I'm
> guessing he was already nailed and he just brought it in when he came in.

On 7/8/2015 9:10 AM, Jonathan Link wrote:
> Well, he wasn't in the office for much of the past two days, so firewall
> logs are ineffective in this instance. It appears that the infection
> started as soon as his computer attached to the network. Browser history
> is a good place to look, but I can't access the machine without it being
> turned on and on the network (I'm on vacation), and that would be
> counterproductive at this point. I am hoping I can recover some of his
> data that was on the computer, but made him no promises.

On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <[email protected]> wrote:
> IE history
> Firewall logs
>
> Should help narrow it down.
>
> And we have a zero-day Flash being patched today. Expect a Microsoft
> patch for Windows 8 and above.

On 7/8/2015 8:32 AM, Jonathan Link wrote:
> No, not yet. It's one of our directors, and he swears that the only site
> he visited within the last 24 hours was msn.com. So it could be the Flash
> 0-day from an infected ad that wasn't caught? Of course, he might not be
> remembering something...
>
> It started working at around 8am this morning, which is when he fired up
> his computer in the office.

On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <[email protected]> wrote:
> I know you are on vacation, but do you know the attack vector?

From: [email protected] On Behalf Of Jonathan Link
Sent: Wednesday, July 08, 2015 10:43 AM
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software

> So, we just got hit with a CryptoWall variant with SRP in place. I didn't
> disbelieve you Susan, I was just hoping that we could avoid infection
> until I got a true whitelisting solution in place.
>
> Oh, and I'm on vacation, so this is extra fun to restore backups via the
> VPN. Luckily we have other systems in place that mitigated the extent of
> damage, such as really good backups and tested restore procedures.

On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
> I have many consultant stories of ransomware nailing clients with
> software restriction policies in place - especially the web cocktail
> variants.
>
> AppLocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my
> space, nor does the customer base afford the time and effort.
>
> Great if you have the budget to do it, sucks if you don't have the
> licenses and infrastructure.

On 7/3/2015 11:54 AM, Jonathan Link wrote:
> I was posting from my phone in a hurry, DYAC. Software Restriction, not
> proper pixies.
>
> Susan, I haven't seen an executable run in any location that has been
> blocked by SRP. IF you have a very narrow whitelist, it helps a lot.

On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
> You can also use proper pixies to restrict where software can run. I've
> blocked the user profile folder and added an exception for the desktop
> and a couple of other places that I can't recall. Users have to move
> downloaded apps to their desktop to install. I haven't had a CryptoWall
> infection in 2 years.

On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
> It changes so fast that as soon as they do, the bad guys code up
> something new.
>
> There's no silver bullet here.
>
> Silverlight/Flash/Java. Use it, patch it, or lose it.
>
> Web filtering at the firewall. If your firewall doesn't provide web
> filtering/UTM options, it's time to upgrade. Home users, look at OpenDNS
> (yes, even now that Cisco is buying them).
>
> Filter attachments/zips.
>
> Least priv/non-admin.
>
> Block the app location (yes, this impacts Firefox and Office installs).
> Google FoolishIT for non-domain, or cryptolocker group policy toolkit.
>
> Education to your users that that email you got isn't a legit email.

On 7/3/2015 10:09 AM, David McSpadden wrote:
> Quick, anyone know of a VirusScanning software that is catching
> CryptoWall 3.0 yet?
> David McSpadden
> Systems Administrator
> Indiana Members Credit Union
> P: 317.554.8190 | F: 317.554.8106
> http://imcu.com/ | https://www.facebook.com/IndianaMembersCU | https://twitter.com/IndMembersCU
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the
> use of the individual or entity to whom this e-mail is addressed. If you
> are not one of the named recipient(s) or otherwise have reason to believe
> that you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email
> is strictly prohibited.
>
> Please consider the environment before printing this email.
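Ed's first recommendation, finding the Flash installations that are still below the patched build, can be scripted. The following PowerShell is an added example written for this page, not code from anyone in the thread. It assumes PowerShell remoting (WinRM) is enabled on the target hosts and that the operator sets $MinimumVersion to the fixed build number from the Adobe bulletin for the 0-day in question; the default value below is a placeholder, and the ActiveX/NPAPI file locations are the standard Flash install paths, not anything the thread states.

```powershell
# Added example, not from the thread. Reports which hosts still run a Flash Player
# (IE ActiveX or Firefox NPAPI) older than the fixed build. Assumes WinRM remoting is
# enabled on the targets; $MinimumVersion must come from the Adobe bulletin for the
# fix being chased (the default here is a placeholder to replace).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [version]$MinimumVersion = '18.0.0.203'
)

$probe = {
    param([version]$Min)
    # Flash for IE ships as Flash*.ocx, Flash for Firefox as NPSWF*.dll. Both live under
    # Macromed\Flash in System32 and, on 64-bit Windows, the 32-bit copy in SysWOW64.
    $dirs = "$env:SystemRoot\System32\Macromed\Flash",
            "$env:SystemRoot\SysWOW64\Macromed\Flash"
    $files = foreach ($d in $dirs) {
        if (Test-Path -LiteralPath $d) {
            Get-ChildItem -Path "$d\*" -Include 'Flash*.ocx', 'NPSWF*.dll' -ErrorAction SilentlyContinue
        }
    }
    if (-not $files) {
        [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Plugin = '-'; Path = '-'
                           Version = $null; Status = 'NOT INSTALLED' }
        return
    }
    foreach ($f in $files) {
        $vi = $f.VersionInfo
        # Flash's FileVersion string uses commas ("18,0,0,203"), so build the
        # [version] from the numeric parts rather than parsing the string.
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Plugin       = if ($f.Extension -eq '.ocx') { 'ActiveX (IE)' } else { 'NPAPI (Firefox)' }
            Path         = $f.FullName
            Version      = $ver
            Status       = if ($ver -ge $Min) { 'OK' } else { 'PATCH NEEDED' }
        }
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        if ($c -eq $env:COMPUTERNAME) {
            & $probe $MinimumVersion
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe `
                           -ArgumentList $MinimumVersion -ErrorAction Stop
        }
    } catch {
        # A host that cannot be reached is unknown, not patched; keep it on the list.
        [pscustomobject]@{ ComputerName = $c; Plugin = '-'; Path = '-'; Version = $null
                           Status = "UNREACHABLE: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status, ComputerName |
    Format-Table ComputerName, Plugin, Version, Status -AutoSize

# Hosts to patch first, one name per line (feed to your deployment tool).
$results | Where-Object Status -eq 'PATCH NEEDED' |
    Select-Object -ExpandProperty ComputerName -Unique
```

Run it as `.\Audit-Flash.ps1 -ComputerName (Get-Content hosts.txt) -MinimumVersion <fixed build>`. It only checks the Adobe-installed plugins; Chrome carries its own Pepper Flash inside the browser install and is updated with Chrome, so it is not covered here.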

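The path rules Jonathan and Jim describe (block the user profile, with an exception for the Desktop) can be written as a local Software Restriction Policy. The following PowerShell is an added example for this page, not code from the thread or from any of the toolkits Susan mentions. It assumes it is run elevated on the machine being configured; the registry keys used are the ones the Group Policy editor itself writes under Safer\CodeIdentifiers, and the function and variable names are this example's own.

```powershell
# Added example, not from the thread. Writes local Software Restriction Policy path
# rules: Disallowed for the whole user profile, Unrestricted for the Desktop. SRP gives
# the more specific path rule precedence, so the Desktop exception wins inside the
# profile. These are the registry keys the Group Policy editor writes; for a domain,
# put the same rules in a GPO instead of scripting each host. Run elevated.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"
$Unrestricted = 0x40000   # SRP security level "Unrestricted"

function Initialize-Srp {
    # Policy root with the defaults the GPO editor uses for a new policy: everything
    # allowed unless a rule says otherwise, applied to all users (PolicyScope 0),
    # enforced for all executable file types except DLLs (TransparentEnabled 1).
    New-Item -Path $Base -Force | Out-Null
    New-ItemProperty -Path $Base -Name DefaultLevel        -PropertyType DWord -Value $Unrestricted -Force | Out-Null
    New-ItemProperty -Path $Base -Name TransparentEnabled  -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Base -Name PolicyScope         -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $Base -Name authenticodeenabled -PropertyType DWord -Value 0 -Force | Out-Null
    # Default list of designated file types SRP treats as executable.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
             'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
             'SCR','SHS','URL','VB','WSC'
    New-ItemProperty -Path $Base -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][int]$Level,
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths; ItemData holds the path
    # (environment variables are expanded per user at evaluation time).
    $key = '{0}\{1}\Paths\{2}' -f $Base, $Level, [guid]::NewGuid().ToString('B').ToUpper()
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

function Get-SrpPathRules {
    # List every path rule and its level, to confirm what is actually in force.
    foreach ($levelKey in Get-ChildItem -Path $Base -ErrorAction SilentlyContinue) {
        $paths = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level = switch ([int]$levelKey.PSChildName) {
                            $Disallowed   { 'Disallowed' }
                            $Unrestricted { 'Unrestricted' }
                            default       { $levelKey.PSChildName }
                        }
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

Initialize-Srp
Add-SrpPathRule -Level $Disallowed   -Path '%USERPROFILE%' `
    -Description 'Block execution anywhere in the user profile, including AppData'
Add-SrpPathRule -Level $Unrestricted -Path '%USERPROFILE%\Desktop' `
    -Description 'Exception: users move downloaded installers to the Desktop'
Get-SrpPathRules | Format-Table -AutoSize
```

Run `gpupdate /force` (or reboot) afterwards so every new process is evaluated against the rules. Blocked launches are logged to the Application event log under the source "Software Restriction Policies" (event ID 866 for a path rule), which is the quickest way to see what the rule is catching before rolling it out widely. This carries the cost Susan notes: anything that installs per user under AppData, such as Firefox or Chrome per-user installs and some Office click-to-run components, stops launching unless it gets its own Unrestricted rule, and as Susan and Jonathan both found, path rules alone did not stop the web-cocktail variants.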