Well, in this case I am a responder to the thread, not the originator, thank God.
Just wanting to have the best understanding of it.

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Wednesday, June 15, 2016 11:41 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

So if you have restrictive SRPs (i.e. stuff that's not on the allowed list is 
disallowed from running), how did ransomware.exe run in the first place? The 
key is not stopping the exploit, it's stopping the initial execution that leads 
to the exploit. Of course, there are many other ways that execution can be done 
silently, and that's where you need to be on the ball with the patching.

Security needs to be done in multiple layers, but to fight ransomware 
whitelisting application execution and having good offline backups are the main 
ones, IMHO.
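
Added audit example (not code from the thread): it reads the machine-level Software Restriction Policy from the Safer registry keys that Group Policy writes and reports whether the policy is the default-deny setup described above, listing the path exceptions so they can be reviewed. The level codes are the documented ones (0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted); the list of user-writable environment variables is an assumption chosen for this example.

```powershell
# Audit a machine-level SRP: is it default-deny, and what paths are excepted?
# Level codes: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
# $userWritable is an assumed list of locations a standard user can write to;
# an Unrestricted rule there lets a downloaded file bypass the allow list.
$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelName    = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$userWritable = '%USERPROFILE%', '%APPDATA%', '%LOCALAPPDATA%', '%TEMP%', '%TMP%'

if (-not (Test-Path $base)) {
    Write-Warning 'No machine-level SRP policy found: nothing restricts what runs.'
    return
}

$cfg = Get-ItemProperty -Path $base
# Windows treats a missing DefaultLevel as Unrestricted, so report it that way.
$default = if ($null -ne $cfg.DefaultLevel) { [int]$cfg.DefaultLevel } else { 0x40000 }
"Default level      : $($levelName[$default])"
"TransparentEnabled : $($cfg.TransparentEnabled)  (1 = skip DLLs, 2 = check all files)"
"PolicyScope        : $($cfg.PolicyScope)  (0 = all users, 1 = local admins exempt)"

if ($default -ne 0) {
    Write-Warning 'Default level is not Disallowed: unknown executables still run.'
}

# Collect every path rule under each level; these are the exceptions to the default.
$rules = foreach ($level in 0, 0x20000, 0x40000) {
    $paths = Join-Path $base "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    foreach ($key in Get-ChildItem -Path $paths) {
        $rule  = Get-ItemProperty -Path $key.PSPath
        $risky = ($level -eq 0x40000) -and
                 ($userWritable | Where-Object { $rule.ItemData -like "*$_*" })
        [pscustomobject]@{
            Level = $levelName[$level]
            Path  = $rule.ItemData
            Flag  = $(if ($risky) { 'Unrestricted rule in a user-writable location' } else { '' })
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize
```

SRP evaluation does not depend on the user holding admin rights, which is the point made earlier in the thread; a Disallowed default with no flagged exceptions is what stops the initial execution of an unknown executable.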

From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: 15 June 2016 16:27
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

I have the SRPs running.
And I was under the impression (apparently wrong) that ransomware used the 
unpatched Flash, Java, IE, etc. to elevate itself to create the badness on local 
drives, mapped drives, and have I heard shortcuts to shares as well?
We have the SA for Enterprise; getting it out to all the machines and then 
beginning whitelisting is a project that is underway.


From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Wednesday, June 15, 2016 11:07 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

Don't understand...all the ransomware needs to do is execute. Elevated or not, 
it will encrypt files it can access. Privilege elevation is not necessary for 
badness to ensue.

If you can't get AppLocker, what about old-fashioned SRPs (Software Restriction 
Policies) in Group Policy? Do you need Enterprise for those too?

If you do, you may have to pony up for a bit of software that can do 
application management...

From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: 15 June 2016 15:55
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

I mentioned admin rights, yes.
But isn't the issue that the ransomware gets an elevated privilege from 
something that is not patched or securely set up?
AppLocker will be great when I get to put Enterprise versions of the OS on 
all our PCs, but until then this patching and secure setup is all I have to go by.

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Wednesday, June 15, 2016 10:31 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

Precisely....just access to files

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: 15 June 2016 15:21
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

The ransomware doesn't need admin rights to ruin your day.

From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Wednesday, June 15, 2016 10:17 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

So is Flash updated/uninstalled, Java up to date, macros disabled, virus scan 
up to date, local admin rights disabled?
How are the three clients all installing and executing Crypz after it has 
been allowed admin access to the PC?


From: [email protected] [mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Wednesday, June 15, 2016 10:00 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

One was a URL in an email that was obvious spam, but the user thought she 
really did sign up for the Women's Justice League of America.

One appears to have come from a website, and the other is unknown; the user 
hasn't fessed up to any specific activity.

From: [email protected] [mailto:[email protected]] On Behalf Of Wolf, Daniel
Sent: Tuesday, June 14, 2016 1:39 PM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz

What's the infection vector? What are people doing to get it?

From: [email protected] [mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Tuesday, June 14, 2016 12:30 PM
To: [email protected]
Subject: [NTSysADM] Owned by Crypz

Anybody else getting crushed by the Crypz virus/ransomware? We've been hit 3 
times in the last 3 days. Our Sophos email appliance isn't catching it, nor is 
the Sophos endpoint software, or our Cisco FireSight, or any other products we 
have on the perimeter. :/

***************************************
John C. Kelsey
Penn Highlands Healthcare
814.375.3073
814.375.4005
[email protected]
***************************************


This email and any attached files are sensitive in nature and intended solely 
for the intended recipient(s). If you are not the named recipient you should 
not read, distribute, copy or alter this email. Any views or opinions expressed 
in this email are those of the author and do not represent those of Penn 
Highlands Healthcare or its affiliates. Warning: Although precautions have 
been taken to make sure no viruses are present in this email, the company 
cannot accept responsibility for any loss or damage that arise from the use of 
this email or attachments.


This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.