That’s not necessarily true. If your position requires that you have write access to lots of CIFS shares, then you can encrypt lots of data, often including stuff that belongs to an entire department, not just to you.
*From:* listsadmin@lists.myitforum.com [mailto: listsadmin@lists.myitforum.com] *On Behalf Of *Jonathan Link *Sent:* Thursday, May 28, 2015 12:52 PM *To:* ntsys...@lists.myitforum.com *Subject:* Re: [NTSysADM] Cryptlocker Sure, if you run with everyone has admin rights. If you run without admin rights, the extent of infection is really low. And then there's the fact that you can check which user account is encrypting the files... On Thu, May 28, 2015 at 12:43 PM, HANK ARNOLD <arnol...@optonline.net> wrote: I'm dubious that the problem is retracted to a single computer. These "crypto" packages are fast and furious about infecting any hard drive it can access. Hank Arnold Microsoft MVP - Consumer Securiy On Thu, May 28, 2015 at 12:11 PM, David McSpadden wrote: > As soon as I find it. Off the network and down to me. Re-image or dispose depending on the age. -----Original Message----- From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael Leone Sent: Thursday, May 28, 2015 12:07 PM To: ntsys...@lists.myitforum.com Subject: Re: [NTSysADM] Cryptlocker Oh, and we re-imaged the PC that was infected. Completely overwrote the HD. The only way to be sure. On Thu, May 28, 2015 at 12:05 PM, Michael Leone wrote: We just had that happen last week. My boss ran scans with our Kaspersky Enterprise AV to clean the PC in question; scanned everything else, and I restored files from last week's backups. On Thu, May 28, 2015 at 11:44 AM, Susan Bradley wrote: First off be aware that the only way to really make sure something is gone from an impacted machine is to rebuilt it. Cryptolocker (and it's variants) want to encrypt data, so how's your backups as you'll need to restore that data and shadowcopies may be gone. http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-i nformation *_What should you do when you discover your computer is infected with CryptoWall_* If you discover that your computer is infected with CryptoWall you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CryptoWall is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove any other malware that may have been installed along with CryptoWall. Some of the files where associated malware have been found are: *%Temp% C:\\.exe %AppData% %LocalAppData% %ProgramData% * * * If trend is coming back with nothing, use malwarelbytes or even a boot under the OS a/v tool to scan that system. MS wants feedback on patching: http://tinyurl.com/patchingsurvey On 5/28/2015 8:30 AM, David McSpadden wrote: I am pretty sure I have pc with this on it in my network. I have ran scans on workstations. I still do not see it but I have the tell tale signs. The HELP_DECRYPT files in network folders. The word and excel files not being able to be opened etc. How do I remove something that Trend is not seeing? Nor Windows Endpoint protection? *David McSpadden* Systems Administrator Indiana Members Credit Union P: 317.554.8190 |F: 317.554.8106 Description: imcu email icon Description: facebook email icon Description: twitter email icon Description: email logo mcp2 This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
