[AusNOG] CryptoLocker Virus

Kelso kelsoge at gmail.com
Thu Oct 24 11:46:43 EST 2013


We had 2 clients get it. Managed to segregate one from the network after we
picked up a lot of disk I/O. Damn thing navigates network drives.
Interestingly enough, once you kill the exes you can use previous versions
to recover everything. Appears to be multiple variants of CryptoLocker now
though. Still a pain to deal with. My 2c

On 24/10/2013 11:28 AM, "Pinkerton, Eric (AU Sydney)" <
Eric.Pinkerton at baesystemsdetica.com> wrote:

> I can't believe anyone is still sending/or allowing for that matter, exe's
> in email in 2013! - That's like sooo 1998.
>
> I would have said malware is more likely to arrive by PDF these days for
> exactly that reason, but more to the point, clicking on a link is all it
> really takes to compromise a machine.
>
> If I want to infect you with an exe, and you block it, then I will just
> put the file in a drop box (or whatever), and send you an invite - your
> users are well attuned to clicking on such links.
>
> IMHO, The 'best' policy is a combination of many things starting with
> training your end users to spot dodgy looking links, filtering egress
> traffic, patching patching and more patching, not using XP with IE6,
> monitoring your logs, changing your default password from 'password' and
> giving people permissions in line with their requirements (ie not making
> everyone a domain admin) etc etc.
>
> My 2c
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Thomas
> Jackson
> Sent: Thursday, 24 October 2013 10:29 AM
> To: 'AusNOG at lists.ausnog.net'
> Subject: Re: [AusNOG] CryptoLocker Virus
>
> The best policy is to just block all executables coming via email - we
> have all of ours go into a quarantine so someone from IT can get at them if
> needed (like updates to our payroll system that only are distributed via
> email for reasons that remain unclear to me). That stops the average user
> from randomly clicking on attachments and I often see viruses sitting in
> there that have managed to get through all of the other filters.
>
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Damian
> Guppy
> Sent: Thursday, 24 October 2013 12:00 AM
> To: Sean Slater
> Cc: AusNOG at lists.ausnog.net
> Subject: Re: [AusNOG] CryptoLocker Virus
>
> Very annoying, and from what I have seen around on forums, it has picked
> up a lot more this week. We decided to move ahead with blocking all
> executables in emails on the clients that didn't already have the policy.
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
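
The executable-attachment quarantine policy discussed in this thread, sketched as a mail-filter check. This is an added example, not code from any poster; it goes beyond the thread by also checking the PE "MZ" magic and looking one level inside zip archives, and the extension list and function names are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list of extensions to hold for review.
BLOCKED_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def is_executable(name, head):
    """True if the name has a blocked extension or the data starts with the PE 'MZ' magic."""
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT) or head[:2] == b"MZ"

def quarantine_reasons(raw):
    """Return one reason string per attachment that should go to quarantine."""
    reasons = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            reasons.append(f"{name}: executable attachment")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            try:  # look one level inside archives
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        with zf.open(info) as member:
                            if is_executable(info.filename, member.read(2)):
                                reasons.append(f"{name}: contains executable {info.filename}")
            except (zipfile.BadZipFile, RuntimeError):
                # Encrypted or damaged archives cannot be inspected, so hold them.
                reasons.append(f"{name}: archive could not be inspected")
    return reasons

def build_sample():
    """Constructed test message: a disguised PE stub, a zip with an .exe name, a text file."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("statement.pdf.exe", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for fname, data in (("invoice.pdf", b"MZ\x90\x00constructed"),
                        ("scan.zip", archive.getvalue()),
                        ("notes.txt", b"plain text")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for reason in quarantine_reasons(build_sample()):
        print(reason)
```
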