Nice.strategy Ed On May 29, 2015 9:31 AM, "Robert Strong" <[email protected]> wrote:
> Ensure you have the latest patches installed for Java and Flash. Exploit > kits like Angler, Nuclear and Magnitude are starting to distribute > Ransomware more frequently via drive-by download attacks and malicious > advertisements on common websites. > > > > We’ve had several ransomware incidents in the last few months all due to > unpatched systems. Host based detection is limited at best, but one thing I > have noticed in all incidents seen is that the malware typically uses > hxxp://ipinfo.io/ip to determine its public facing IP address. > > > > We have created correlation rules that detect users going to this domain > via our McAfee ESM SIEM, we then have an alarm that fires when that > correlation rule is seen and we can automatically apply an ePO tag to > enforce a policy that severely ‘disables’ the system (no R/W to network > shares, restricted HTTP/HTTPS going out). Our alarm also e-mails out some > key characteristics about the infected machine for easy identification by > our IT Service Desk team. > > > > Ransomware isn’t going away and it’s going to get worse. We’ve been able > to detect these IoC’s and have the issue remediated in under 7 minutes. > > > > Cheers, > > > > *Rob Strong* > > *Information Security Specialist* > > Equitable Life of Canada > > > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *David McSpadden > *Sent:* Thursday, May 28, 2015 7:17 PM > *To:* <[email protected]> > *Subject:* Re: [NTSysADM] Cryptlocker > > > > That's mine today. > > What variant was yours > > Sent from my iPhone > > > On May 28, 2015, at 7:14 PM, Heaton, Joseph@Wildlife < > [email protected]> wrote: > > We had that the other day. The files are getting encrypted, but the > extensions are not getting changed. > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Jonathan Link > *Sent:* Thursday, May 28, 2015 8:37 AM > *To:* [email protected] > *Subject:* Re: [NTSysADM] Cryptlocker > > > > The text files created should indicate the affected user with the Owner > attribute, no? > > > > > > On Thu, May 28, 2015 at 11:30 AM, David McSpadden <[email protected]> wrote: > > I am pretty sure I have pc with this on it in my network. > > I have ran scans on workstations. > > I still do not see it but I have the tell tale signs. > > The HELP_DECRYPT files in network folders. > > The word and excel files not being able to be opened etc. > > How do I remove something that Trend is not seeing? > > Nor Windows Endpoint protection? > > > > > > *David McSpadden* > > Systems Administrator > > Indiana Members Credit Union > > P: 317.554.8190 | F: 317.554.8106 > > [image: Description: imcu email icon] <http://imcu.com/> <image002.jpg> > <https://www.facebook.com/IndianaMembersCU> [image: Description: twitter > email icon] <https://twitter.com/IndMembersCU> > > > > [image: Description: email logo] > > [image: mcp2] > > > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > > > Please consider the environment before printing this email. > > > > IMPORTANT NOTICE: Without the use of secure encryption, the Internet is > not a secure medium and privacy cannot be ensured. Internet e-mail is > vulnerable to interception, misuse and forging. Equitable cannot ensure the > privacy and authenticity of any information sent by way of the public > Internet. Equitable will not be responsible for any damages you may incur > if you communicate confidential and personal information to us over the > Internet or if we communicate such information to you at your request. This > e-mail and any attachments are confidential, may be covered by legal > professional privilege or exempt from disclosure under applicable law, and > are intended for the addressee only. If you are not the intended recipient, > you are not authorized to and must not disclose, copy, distribute or retain > any or part of this e-mail and any attachments without written permission > of The Equitable Life Insurance Company of Canada. >
