Not sure what you're refuting here, since I didn't claim this. My comment was specifically to Hank about infecting a lot of machines and how this software propagates itself. Not running with admin rights will severely limit its ability to access other computers and install itself on any network, even though it can run and do its damage under the current user context.
Infecting many machines with Cryptowall is different than infecting a single machine and it having access to a lot of shares. One computer can do a lot of damage, and Cryptowall works fast, because it doesn't actually encrypt the entire file, just the first few thousand bytes of it and it moves on. On Thu, May 28, 2015 at 3:57 PM, Charles F Sullivan < [email protected]> wrote: > That’s not necessarily true. If your position requires that you have write > access to lots of CIFS shares, then you can encrypt lots of data, often > including stuff that belongs to an entire department, not just to you. > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Jonathan Link > *Sent:* Thursday, May 28, 2015 12:52 PM > *To:* [email protected] > *Subject:* Re: [NTSysADM] Cryptlocker > > > > Sure, if you run with everyone has admin rights. > > If you run without admin rights, the extent of infection is really low. > And then there's the fact that you can check which user account is > encrypting the files... > > > > On Thu, May 28, 2015 at 12:43 PM, HANK ARNOLD <[email protected]> > wrote: > > I'm dubious that the problem is retracted to a single computer. These > "crypto" packages are fast and furious about infecting any hard drive it > can access. > > Hank Arnold > Microsoft MVP - Consumer Securiy > > > On Thu, May 28, 2015 at 12:11 PM, David McSpadden wrote: > > > As soon as I find it. > > Off the network and down to me. > Re-image or dispose depending on the age. > > > -----Original Message----- > From: [email protected] [mailto: > [email protected]] On Behalf Of Michael Leone > Sent: Thursday, May 28, 2015 12:07 PM > To: [email protected] > Subject: Re: [NTSysADM] Cryptlocker > > Oh, and we re-imaged the PC that was infected. Completely overwrote the > HD. The only way to be sure. > > On Thu, May 28, 2015 at 12:05 PM, Michael Leone wrote: > > We just had that happen last week. My boss ran scans with our Kaspersky > Enterprise AV to clean the PC in question; scanned everything else, and I > restored files from last week's backups. > > On Thu, May 28, 2015 at 11:44 AM, Susan Bradley wrote: > > First off be aware that the only way to really make sure something is gone > from an impacted machine is to rebuilt it. > > Cryptolocker (and it's variants) want to encrypt data, so how's your > backups as you'll need to restore that data and shadowcopies may be gone. > > > http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-i > nformation > > *_What should you do when you discover your computer is infected with > CryptoWall_* > > If you discover that your computer is infected with CryptoWall you should > immediately scan your computer with an anti-virus or anti-malware program. > Unfortunately, most people do not realize CryptoWall is on their computer > until it displays the ransom note and your files have already been > encrypted. The scans, though, will at least detect and remove any other > malware that may have been installed along with CryptoWall. > > Some of the files where associated malware have been found are: > > *%Temp% > C:\\.exe > %AppData% > %LocalAppData% > %ProgramData% > * > > * > * > > If trend is coming back with nothing, use malwarelbytes or even a > boot under the OS a/v tool to scan that system. > > > > MS wants feedback on patching: http://tinyurl.com/patchingsurvey On > 5/28/2015 8:30 AM, David McSpadden wrote: > > > > I am pretty sure I have pc with this on it in my network. > > I have ran scans on workstations. > > I still do not see it but I have the tell tale signs. > > The HELP_DECRYPT files in network folders. > > The word and excel files not being able to be opened etc. > > How do I remove something that Trend is not seeing? > > Nor Windows Endpoint protection? > > *David McSpadden* > > Systems Administrator > > Indiana Members Credit Union > > P: 317.554.8190 |F: 317.554.8106 > > Description: imcu email icon Description: facebook email icon > Description: twitter email icon > Description: email logo > > mcp2 > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > > Please consider the environment before printing this email. > > > > > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > Please consider the environment before printing this email. > > > > >
