Re: [NTSysADM] Cryptlocker

[Andrew S. Baker]

Perhaps, if Microsoft acted like they believed this, it might have
happened.   Alas...






*ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
*Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…*



On Thu, Jun 4, 2015 at 5:58 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Silverlight? :)
>
> On Thu, Jun 4, 2015 at 1:25 PM, Andrew S. Baker <asbz...@gmail.com> wrote:
>
>> ​FTFY​
>>
>>
>>
>>
>>
>>
>> *ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
>> *Providing Virtual CIO Services (IT Operations & Information Security)
>> for the SMB market…*
>>
>>
>>
>> On Thu, Jun 4, 2015 at 4:19 PM, Rankin, James R <
>> james.ran...@talosys.co.uk> wrote:
>>
>>> Sounds like my assertion that half the world's sysadmins are crying out
>>> for a decent Java
>>> ​replacement
>>> solution is correct...
>>>
>>>
>>> -------
>>>
>>> James Rankin | Director | TaloSys | 07809668579
>>> Sent from my Blackberry
>>>
>>> -----Original Message-----
>>> From: "Maglinger, Paul" <pmaglin...@scvl.com>
>>> Sender: <listsadmin@lists.myitforum.com>
>>> Date: Thu, 4 Jun 2015 19:54:57
>>> To: 'ntsys...@lists.myitforum.com'<ntsys...@lists.myitforum.com>
>>> Reply-To: <ntsys...@lists.myitforum.com>
>>> Subject: RE: [NTSysADM] Cryptlocker
>>>
>>> Updates would be fine... if they didn't break things.
>>> Reminds me of when we put in our latest Cisco IP Telephony solution.
>>> The phone system wanted me to upgrade my Java but then Cisco's web site
>>> wouldn't work with that version.
>>> *thunk* *thunk* *thunk*
>>> I LOATHE Java...
>>>
>>> -----Original Message-----
>>> From: listsadmin@lists.myitforum.com [mailto:
>>> listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Thursday, June 04, 2015 2:34 PM
>>> To: ntsysadm
>>> Subject: Re: [NTSysADM] Cryptlocker
>>>
>>> Updates of Java? Hell no.
>>>
>>> Some of our users somehow get Java fubared, and when ADP can't find
>>> Java, they tell the user to install 6u29, so I've put in an exception in
>>> our AV to block the download,
>>>
>>> Kurt
>>>
>>> On Thu, Jun 4, 2015 at 10:30 AM, Kennedy, Jim <
>>> kennedy...@elyriaschools.org> wrote:
>>> > Nope, if they did I would be pushing hard to replace it.   Have they
>>> gotten
>>> > any better at keeping up with updates?
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Kurt Buff
>>> > Sent: Thursday, June 4, 2015 1:28 PM
>>> >
>>> >
>>> > To: ntsysadm
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Your users don't file their timecards with ADP, then...
>>> >
>>> > Kurt
>>> >
>>> >
>>> >
>>> > On Thu, Jun 4, 2015 at 9:52 AM, Kennedy, Jim
>>> > <kennedy...@elyriaschools.org>
>>> > wrote:
>>> >
>>> > 2 depends on Oracle, Chrome has been begging them for it for some time.
>>> > From Chrome’s perspective 1 and 2 are the same. That said, I honestly
>>> > do not think Firefox has any plans to discontinue NPAPI support. Their
>>> > approach is disabled by default….user beware if you enable it.
>>> >
>>> >
>>> >
>>> > Anecdotal but I can say that most of my users use Chrome, and they
>>> > have not missed Java.
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Damien Solodow
>>> > Sent: Thursday, June 4, 2015 12:49 PM
>>> >
>>> >
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Doubtful; I see one of two things happening:
>>> >
>>> > 1)      Oracle blinks and releases an updated JRE that doesn’t use
>>> NPAPI
>>> >
>>> > 2)      Chrome includes its own JRE like they did with Flash
>>> >
>>> >
>>> >
>>> > DAMIEN SOLODOW
>>> >
>>> > Senior Systems Engineer
>>> >
>>> > 317.447.6033 (office)
>>> >
>>> > 317.447.6014 (fax)
>>> >
>>> > HARRISON COLLEGE
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Melvin Backus
>>> > Sent: Thursday, June 4, 2015 12:44 PM
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > So if I’m reading this correctly that would seem to mean that all the
>>> > thousands (millions?) of pages with Java embedded are going to be
>>> > relegated to IE only?  (And JAVA will finally DIE? Albeit a slow and
>>> > lingering death.)
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > There are 10 kinds of people in the world...
>>> >          those who understand binary and those who don't.
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Kurt Buff
>>> > Sent: Thursday, June 4, 2015 10:41 AM
>>> > To: ntsysadm
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Not Java specifically - the NPAPI interface.
>>> >
>>> > So is Firefox, and so will Edge...
>>> >
>>> > Kurt
>>> >
>>> >
>>> >
>>> > On Thu, Jun 4, 2015 at 6:42 AM, Heaton, Joseph@Wildlife
>>> > <joseph.hea...@wildlife.ca.gov> wrote:
>>> >
>>> > Interesting.  I didn’t realize that Chrome was doing away with Java
>>> > functionality.  Thanks for the update.
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Kennedy, Jim
>>> > Sent: Thursday, June 04, 2015 5:12 AM
>>> >
>>> >
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Demand for this in Chrome will dwindle to zero in September when there
>>> > isn’t any way to run Java in Chrome.  It’s already dwindling….we did
>>> > not bypass the block in the last patch for Chrome that disabled it.
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of James Rankin
>>> > Sent: Thursday, June 4, 2015 7:08 AM
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > OK, FSLogix confirm that currently the Java remediation only works
>>> with IE.
>>> > You can restrict other browsers on a process basis only currently, so
>>> > you could force Chrome or Firefox to a specific Java version by
>>> > process, but not by URL.
>>> >
>>> >
>>> >
>>> > However, support for other browsers is on the roadmap. Any customer
>>> > demand (probably someone coming along with 5000 users and wanting it
>>> > to work in
>>> > Chrome) will “drive the roadmap forward”, i.e. they’ll do it ASAP if
>>> > there’s a big enough sale at the end of it J
>>> >
>>> >
>>> >
>>> > Hope this helps,
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > JR
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of James Rankin
>>> > Sent: 03 June 2015 18:56
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > OK, I tried to test with Chrome and found out that Chrome has disabled
>>> > just about all the plugins from the websites I was using for testing L
>>> >
>>> >
>>> >
>>> > Waiting for an answer from FSLogix support as I now have to put the
>>> > kids in the bath!
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Jonathan Link
>>> > Sent: 03 June 2015 18:44
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Probably not pants.
>>> >
>>> >
>>> >
>>> > On Wed, Jun 3, 2015 at 12:26 PM, James Rankin
>>> > <james.ran...@talosys.co.uk>
>>> > wrote:
>>> >
>>> > Let me get you an answer on that…maybe something I should have tested
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Heaton, Joseph@Wildlife
>>> > Sent: 03 June 2015 17:22
>>> > To: 'ntsys...@lists.myitforum.com'
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > So, it looks like FSLogix only works with IE?  Is that true?
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of James Rankin
>>> > Sent: Tuesday, June 02, 2015 11:16 AM
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > OK, quick and dirty run-down, but I’m sure you can all get the gist of
>>> > it
>>> > (hopefully!)
>>> >
>>> >
>>> >
>>> > http://appsensebigot.blogspot.co.uk/2015/06/fslogix-first-look-1-manag
>>> > ing-legacy-or.html
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Kurt Buff
>>> > Sent: 02 June 2015 17:38
>>> > To: ntsysadm
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Yes, please put up the link here when done.
>>> >
>>> > Kurt
>>> >
>>> >
>>> >
>>> > On Tue, Jun 2, 2015 at 8:43 AM, James Rankin
>>> > <james.ran...@talosys.co.uk>
>>> > wrote:
>>> >
>>> > I shall endeavour to finish this as soon as possible then!
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Maglinger, Paul
>>> > Sent: 02 June 2015 16:12
>>> > To: 'ntsys...@lists.myitforum.com'
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Me too!
>>> >
>>> >
>>> >
>>> > -Paul
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Sean Martin
>>> > Sent: Tuesday, June 02, 2015 10:07 AM
>>> >
>>> >
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Definitely interested.
>>> >
>>> > - Sean
>>> >
>>> >
>>> > On Jun 2, 2015, at 6:08 AM, James Rankin <james.ran...@talosys.co.uk>
>>> wrote:
>>> >
>>> > What you need is FSLogix Java Rules Manager, only allow the vulnerable
>>> > Java version to be seen when a specific URL is visited, otherwise –
>>> > it’s invisible to the user and OS, and the latest version is used.
>>> >
>>> >
>>> >
>>> > I’m writing an article up on this today, if anyone’s interested in
>>> > Java version management (on a sysadmin list, who isn’t?)
>>> >
>>> >
>>> >
>>> > J
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Heaton, Joseph@Wildlife
>>> > Sent: 02 June 2015 14:51
>>> > To: 'ntsys...@lists.myitforum.com'
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Update Java?  That’s just crazy talk.  We’re still at 7u51, with no
>>> > roadmap in place to go any higher.  Not my choice, btw, it is
>>> > development issues with Oracle.
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Ed Ziots
>>> > Sent: Saturday, May 30, 2015 10:48 AM
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: RE: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > Nice.strategy
>>> >
>>> > Ed
>>> >
>>> > On May 29, 2015 9:31 AM, "Robert Strong" <rstr...@equitable.ca> wrote:
>>> >
>>> > Ensure you have the latest patches installed for Java and Flash.
>>> > Exploit kits like Angler, Nuclear and Magnitude are starting to
>>> > distribute Ransomware more frequently via drive-by download attacks
>>> > and malicious advertisements on common websites.
>>> >
>>> >
>>> >
>>> > We’ve had several ransomware incidents in the last few months all due
>>> > to unpatched systems. Host based detection is limited at best, but one
>>> > thing I have noticed in all incidents seen is that the malware
>>> > typically uses hxxp://ipinfo.io/ip to determine its public facing IP
>>> address.
>>> >
>>> >
>>> >
>>> > We have created correlation rules that detect users going to this
>>> > domain via our McAfee ESM SIEM, we then have an alarm that fires when
>>> > that correlation rule is seen and we can automatically apply an ePO
>>> > tag to enforce a policy that severely ‘disables’ the system (no R/W to
>>> > network shares, restricted HTTP/HTTPS going out). Our alarm also
>>> > e-mails out some key characteristics about the infected machine for
>>> > easy identification by our IT Service Desk team.
>>> >
>>> >
>>> >
>>> > Ransomware isn’t going away and it’s going to get worse. We’ve been
>>> > able to detect these IoC’s and have the issue remediated in under 7
>>> minutes.
>>> >
>>> >
>>> >
>>> > Cheers,
>>> >
>>> >
>>> >
>>> > Rob Strong
>>> >
>>> > Information Security Specialist
>>> >
>>> > Equitable Life of Canada
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of David McSpadden
>>> > Sent: Thursday, May 28, 2015 7:17 PM
>>> > To: <ntsys...@lists.myitforum.com>
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > That's mine today.
>>> >
>>> > What variant was yours
>>> >
>>> > Sent from my iPhone
>>> >
>>> >
>>> > On May 28, 2015, at 7:14 PM, Heaton, Joseph@Wildlife
>>> > <joseph.hea...@wildlife.ca.gov> wrote:
>>> >
>>> > We had that the other day.  The files are getting encrypted, but the
>>> > extensions are not getting changed.
>>> >
>>> >
>>> >
>>> > From: listsadmin@lists.myitforum.com
>>> > [mailto:listsadmin@lists.myitforum.com]
>>> > On Behalf Of Jonathan Link
>>> > Sent: Thursday, May 28, 2015 8:37 AM
>>> > To: ntsys...@lists.myitforum.com
>>> > Subject: Re: [NTSysADM] Cryptlocker
>>> >
>>> >
>>> >
>>> > The text files created should indicate the affected user with the
>>> > Owner attribute, no?
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Thu, May 28, 2015 at 11:30 AM, David McSpadden <dav...@imcu.com>
>>> wrote:
>>> >
>>> > I am pretty sure I have pc with this on it in my network.
>>> >
>>> > I have ran scans on workstations.
>>> >
>>> > I still do not see it but I have the tell tale signs.
>>> >
>>> > The HELP_DECRYPT files in network folders.
>>> >
>>> > The word and excel files not being able to be opened etc.
>>> >
>>> > How do I remove something that Trend is not seeing?
>>> >
>>> > Nor Windows Endpoint protection?
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > David McSpadden
>>> >
>>> > Systems Administrator
>>> >
>>> > Indiana Members Credit Union
>>> >
>>> > P: 317.554.8190 | F: 317.554.8106
>>> >
>>> >   <image002.jpg>
>>> >
>>> >
>>> >
>>> > <image003.jpg>
>>> >
>>> > <image004.png>
>>> >
>>> >
>>> >
>>> > This e-mail and any files transmitted with it are property of Indiana
>>> > Members Credit Union, are confidential, and are intended solely for
>>> > the use of the individual or entity to whom this e-mail is addressed.
>>> > If you are not one of the named recipient(s) or otherwise have reason
>>> > to believe that you have received this message in error, please notify
>>> > the sender and delete this message immediately from your computer. Any
>>> > other use, retention, dissemination, forwarding, printing, or copying
>>> > of this email is strictly prohibited.
>>> >
>>> >
>>> >
>>> > Please consider the environment before printing this email.
>>> >
>>> >
>>> >
>>> > IMPORTANT NOTICE: Without the use of secure encryption, the Internet
>>> > is not a secure medium and privacy cannot be ensured. Internet e-mail
>>> > is vulnerable to interception, misuse and forging. Equitable cannot
>>> > ensure the privacy and authenticity of any information sent by way of
>>> the public Internet.
>>> > Equitable will not be responsible for any damages you may incur if you
>>> > communicate confidential and personal information to us over the
>>> > Internet or if we communicate such information to you at your request.
>>> > This e-mail and any attachments are confidential, may be covered by
>>> > legal professional privilege or exempt from disclosure under
>>> > applicable law, and are intended for the addressee only. If you are
>>> > not the intended recipient, you are not authorized to and must not
>>> > disclose, copy, distribute or retain any or part of this e-mail and
>>> > any attachments without written permission of The Equitable Life
>>> Insurance Company of Canada.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>
>