Getting elevated permissions allows malware to set itself up in the registry to
catch all users, to delete volume shadow copies, and to attempt to access
even more resources than normal users can.
But, without all that, it is perfectly capable of kidnapping all the files that
the current user's privileges allow.
Regards,
ASB
http://XeeMe.com/AndrewBaker

Providing Expert Technology Consulting Services for the SMB market…

GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
On Wed, Jun 15, 2016 11:27 AM, David McSpadden [email protected] wrote:
I have the SRPs running.

And I was under the impression (apparently wrong) that ransomware used
unpatched Flash, Java, IE, etc. to elevate itself to create the badness on local
drives, mapped drives, and, have I heard, shortcuts to shares as well?

We have the SA for Enterprise; getting it out to all the machines and then
beginning whitelisting is a project that is underway.
From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Wednesday, June 15, 2016 11:07 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz
Don't understand... all the ransomware needs to do is execute. Elevated or
not, it will encrypt files it can access. Privilege elevation is not necessary
for badness to ensue.

If you can't get AppLocker, what about old-fashioned SRPs (Software
Restriction Policies) in Group Policy? Do you need Enterprise for those too?

If you do, you may have to pony up for a bit of software that can do application
management...
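The whitelisting approach suggested in this reply can be piloted without blocking anything first. The following PowerShell is an added example for this thread, not code from any of the posters: it inventories software already installed on a reference machine, builds AppLocker publisher and hash rules from it, switches every rule collection to AuditOnly so that would-be blocks are only logged, and shows how to dry-run a path against the policy and read the audit events before anyone flips it to Enabled. It assumes an elevated session on an edition that ships the AppLocker module (Enterprise/Server); the output directory and the sample test path are placeholders. SRPs have no PowerShell cmdlets and are configured in Group Policy only, which is why the example targets AppLocker.

```powershell
# Added example (not from the mailing-list thread): AppLocker audit-mode pilot.
# Run elevated on a clean reference machine. "Assumed" paths are placeholders.

$reportDir  = "$env:ProgramData\AppLockerAudit"              # assumed output location
$policyFile = Join-Path $reportDir 'applocker-audit.xml'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Inventory executables, scripts and installers the machine already trusts.
$dirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$fileInfo = foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
    }
}

# 2. Publisher rules where files are signed, hash rules otherwise.
#    -Optimize collapses many files from one publisher into a single rule.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
                              -RuleType Publisher, Hash `
                              -User Everyone -Optimize -IgnoreMissingFileInformation

# 3. Set every rule collection to AuditOnly: launches that the rules would
#    deny are only written to the AppLocker event log, nothing is blocked yet.
[xml]$xml = $policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyFile)

# 4. Dry-run: what would the policy decide for a binary in a user-writable folder?
$sample = "$env:USERPROFILE\Downloads\sample.exe"            # assumed test path; may not exist
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply locally (merged with any existing local policy) and make sure the
#    Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Review what audit mode would have blocked before switching to Enabled.
#    Event 8003 = "allowed to run, but would have been prevented if enforced".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

The point of auditing first is that the 8003 events tell you which legitimate line-of-business tools the generated rules missed; add rules for those, then change `AuditOnly` to `Enabled` in the XML and re-apply. Because the rules allow only what was inventoried, anything a user downloads into a profile folder falls outside them regardless of whether it runs elevated.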
From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: 15 June 2016 15:55
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz
I mentioned admin rights, yes.

But isn't the issue that the ransomware gets an elevated privilege from
something that is not patched or securely set up?

AppLocker will be great when I get to put Enterprise versions of the OS on
all our PCs, but until then patching and secure setup is all I have to go by.
From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Wednesday, June 15, 2016 10:31 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz
Precisely... just access to files.
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: 15 June 2016 15:21
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz
The ransomware doesn't need admin rights to ruin your day.
From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Wednesday, June 15, 2016 10:17 AM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz
So is Flash updated/uninstalled, Java up to date, macros disabled, virus scan up
to date, local admin rights disabled?

How are the three clients all installing and executing the Crypz after it has
been allowed admin access to the PC?
From: [email protected] [mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Wednesday, June 15, 2016 10:00 AM
To: '[email protected]' <[email protected]>
Subject: [NTSysADM] RE: Owned by Crypz
One was a URL in an email that was obvious spam, but the user thought she really
did sign up for the Women's Justice League of America.

One appears to have come from a website, and the other is unknown; the user
hasn't fessed up to any specific activity.
From: [email protected] [mailto:[email protected]] On Behalf Of Wolf, Daniel
Sent: Tuesday, June 14, 2016 1:39 PM
To: [email protected]
Subject: [NTSysADM] RE: Owned by Crypz
What’s the infection vector? What are people doing to get it?
From: [email protected] [mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Tuesday, June 14, 2016 12:30 PM
To: '[email protected]' <[email protected]>
Subject: [NTSysADM] Owned by Crypz
Anybody else getting crushed by the Crypz virus/ransomware? We've been hit 3
times in the last 3 days. Our Sophos email appliance isn't catching it, nor is
the Sophos endpoint software, or our Cisco FireSight, or any other products we
have on the perimeter. :/
***************************************
John C. Kelsey

Penn Highlands Healthcare
814.375.3073
814.375.4005
[email protected]
***************************************
This email and any attached files are sensitive in nature and intended solely
for the intended recipient(s). If you are not the named recipient you should
not read, distribute, copy or alter this email. Any views or opinions expressed
in this email are those of the author and do not represent those of Penn
Highlands Healthcare or its affiliates. Warning: Although precautions have
been taken to make sure no viruses are present in this email, the company
cannot accept responsibility for any loss or damage that arise from the use of
this email or attachments.

This e-mail and any files transmitted with it are property of Indiana Members
Credit Union, are confidential, and are intended solely for the use of the
individual or entity to whom this e-mail is addressed. If you are not one of the
named recipient(s) or otherwise have reason to believe that you have received
this message in error, please notify the sender and delete this message
immediately from your computer. Any other use, retention, dissemination,
forwarding, printing, or copying of this email is strictly prohibited.



Please consider the environment before printing this email.
