Crypto ransomware can still run if the user does not have administrative 
rights. It will stop the ransomware from messing with volume shadow copies and 
some other things but it will still be able to encrypt any file the user can 
write to.

Keeping all software (particularly the internet-touching software like web 
browsers, Flash, and email clients) fully up to date really helps. Application 
whitelisting is the best solution that I know of for stopping all kinds of 
malware. Just make sure you haven't left software out of date by blocking 
updaters.

- Stephen
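Stephen's point that a non-admin user still lets ransomware encrypt "any file the user can write to" is easiest to act on if you can see that surface. The following PowerShell audit is an added example, not code from the thread or from any of the products mentioned in it: it walks a share root and lists every directory where a broad principal (Everyone, Authenticated Users, Domain Users, and the like) holds write or delete rights. The root path, the group names and the domain name are assumptions chosen for the example; adjust them to your environment.

```powershell
# Added example (not from the thread): list directories under a share root where
# a broad principal is allowed to write. A standard user running ransomware can
# encrypt every file in these directories without admin rights, so this list is
# the blast radius to shrink with tighter ACLs.
# $Root and the group names below are assumptions for the example.
param(
    [string]$Root = 'D:\Shares',
    [string[]]$BroadGroups = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        'CONTOSO\Domain Users'   # placeholder domain; replace with your own
    )
)

# Rights that let a caller create, modify or destroy file content.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, Modify, FullControl'
# Some inherited ACEs carry the GENERIC_WRITE bit instead of specific rights.
$writeMask = $writeMask -bor 0x40000000

function Get-BroadWriteAccess {
    param(
        [string]$Path,
        [string[]]$Groups
    )
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # skip directories we cannot read the ACL of

            # Allow ACEs granted to one of the broad groups that include a write-class right.
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -in $Groups -and
                (([int]$_.FileSystemRights) -band $writeMask) -ne 0
            }
            if ($hits) {
                [pscustomobject]@{
                    Path    = $dir
                    Grantee = ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', '
                    Rights  = ($hits.FileSystemRights | Sort-Object -Unique) -join ', '
                }
            }
        }
}

# Run the audit and print the findings; pipe to Export-Csv to keep a record.
Get-BroadWriteAccess -Path $Root -Groups $BroadGroups | Format-Table -AutoSize
```

Run it as an account that can read ACLs on the share (the audit only reads, never changes, permissions). Directories that show up with Everyone or Authenticated Users write access are the ones where a single infected workstation can reach the most data; pairing this list with restored-from-backup tests gives a realistic picture of what one Crypz-style incident would cost.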

From: [email protected] [mailto:[email protected]] On 
Behalf Of David McSpadden
Sent: Wednesday, June 15, 2016 10:11 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

So is Flash updated/uninstalled, Java up to date, macros disabled, virus scan 
up to date, local admin rights disabled?
How are the three clients all installing and executing the Crypz after it has 
been allowed admin access to the PC?


From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Wednesday, June 15, 2016 10:00 AM
To: '[email protected]' 
<[email protected]<mailto:[email protected]>>
Subject: [NTSysADM] RE: Owned by Crypz

One was a URL in an email that was obvious spam, but the user thought she 
really did sign up for the Women's Justice League of America.

One appears to have come from a website, and the other is unknown; the user 
hasn't fessed up to any specific activity.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Wolf, Daniel
Sent: Tuesday, June 14, 2016 1:39 PM
To: [email protected]<mailto:[email protected]>
Subject: [NTSysADM] RE: Owned by Crypz

What's the infection vector? What are people doing to get it?

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Tuesday, June 14, 2016 12:30 PM
To: '[email protected]' 
<[email protected]<mailto:[email protected]>>
Subject: [NTSysADM] Owned by Crypz

Anybody else getting crushed by the Crypz virus/ransomware?  We've been hit 3 
times in the last 3 days.  Our Sophos email appliance isn't catching it, nor is 
the Sophos endpoint software... or our Cisco FireSight... or any other products we 
have on the perimeter.  :/

***************************************
John C. Kelsey
Penn Highlands Healthcare
814.375.3073
814.375.4005
[email protected]<mailto:[email protected]>
***************************************


This email and any attached files are sensitive in nature and intended solely 
for the intended recipient(s). If you are not the named recipient you should 
not read, distribute, copy or alter this email. Any views or opinions expressed 
in this email are those of the author and do not represent those of Penn 
Highlands Healthcare or its affiliates. Warning: Although precautions have 
been taken to make sure no viruses are present in this email, the company 
cannot accept responsibility for any loss or damage that arises from the use of 
this email or attachments.

This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.
