Posted by Wreckage on 2016-03-15 21:03:08
I think you are the first person to mention a case like this.
To avoid this, it would be best to figure out what caused it. According to Christer this isn't really a thing. But of course you never know. If you are correct that would be a huge problem for everyone here.
There are of course plenty of other possible causes; how did you conclude this was the path of infection?
One thing that can often cause infections is when your system is already compromised. One piece of malware creates a loophole for more to push through. And the only real way to get rid of an infection is to bring back the whole system to default settings.
To me the obvious conclusion would rather be that somehow your Dropbox folder got infected and malware spread from there onto your computer. Since any type of file can be hosted there and interchange save, store and delete files from your hard drive, it certainly is a vulnerability. But of course you will know that better.
Other than that any of the usual ways malware spreads is possible. You know the usual, wrong websites, e-mail and whatnot.
If you are certain this was caused by the client, I recommend not to use it anymore until it has been uncovered how this could be done.
Posted by mrt1212 on 2016-03-15 21:04:37
Sorry to hear that man - I just dealt with this at work. The problem with crypto virus stuff is that the vectors of infection can be anything - website, maliciously jacked advertising, email, thumb drive, doesn't matter. Similarly a lot of Anti-virus software is helpless to do anything about it because of the way the program is written and run.
If you are familiar with group policy (I will assume you're not) you can restrict applications from running in space that crypto viruses use to propagate - appdata.
Good luck with the restore!
Posted by mrt1212 on 2016-03-15 21:08:19
Wreckage, Dropbox was likely not the vector - the reason it got hit simultaneously is that the user permissions on the Dropbox folder allow the authenticated user the cryptolock is running under unfettered access to Dropbox. If he had any network shares where he wasn't authenticated, or even user folders on the local machine, the cryptolocker would skip over them.
This exact behavior played out at my org a few weeks ago.
Posted by icesmooth on 2016-03-15 21:42:28
To clarify, I am not blaming the client.
I think the issue came in the form of an outdated version of java that allowed for a "push" through. I squarely believe it is 100% my fault.
@mrt1212 you assume correctly, but if you can bring it down to an idiot's cookbook I'd love to try, as this shut down my entire office for the day.
Posted by mrt1212 on 2016-03-15 22:11:57
1. On your Active Directory server open up the Group Policy Manager snap-in.
2. Open up the base GPO you are applying to all workstations.
3. Under Computer Configuration, navigate down to Security Settings>Software Restriction Policies>Additional Policies.
4. Right Click on Additional Policies and select "New Path Rule".
5. For the path enter %appdata%\*.exe and set the flag to disallowed.
6. Repeat 4 with path %appdata%\*\*.exe and set the flag to disallowed.
7. Repeat 4 with path %LocalAppData%\Temp\wz*\*.exe and set the flag to disallowed.
8. Repeat 4 with path %LocalAppData%\Temp\*.zip\*.exe and set the flag to disallowed.
9. On the server open a command prompt and enter gpupdate /force.
10. On client computers open a command prompt and enter gpupdate /force.
11. On computers where you can't run that for whatever reason, upon reboot they'll get the policy enforced.
Hope that helps.
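The steps above give the server side; an added check for the workstation side (example code, not from anyone in this thread) is a PowerShell script that reads the Software Restriction Policy rules the GPO actually delivered and reports which of the four disallowed paths are present. It assumes the standard SRP registry layout under CodeIdentifiers, where each security level (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) has a Paths subkey holding one GUID-named key per rule with its ItemData path.

```powershell
# Added verification script for a client after gpupdate /force has run.
# Assumption: computer-configuration SRP rules land under this HKLM key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# The four path rules the thread recommends, exactly as typed into the GPO.
$expected = @(
    '%appdata%\*.exe',
    '%appdata%\*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe'
)

# Security level subkey name -> human-readable level.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    $rules = @()
    foreach ($levelKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
            # ItemData is REG_EXPAND_SZ; read it unexpanded so '%appdata%' stays
            # literal and can be compared against the text entered in the GPO.
            $path = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            $rules += [pscustomobject]@{
                Path  = $path
                Level = $levelNames[[int]$levelKey.PSChildName]
            }
        }
    }
    return $rules
}

$applied = Get-SrpPathRules
foreach ($p in $expected) {
    # -eq is case-insensitive in PowerShell, matching how SRP treats paths.
    $hit = $applied | Where-Object { $_.Path -eq $p -and $_.Level -eq 'Disallowed' }
    if ($hit) { "OK       $p" } else { "MISSING  $p" }
}

# Anything else the GPO delivered, so unexpected Unrestricted rules stand out.
$applied | Where-Object { $expected -notcontains $_.Path } |
    Format-Table Level, Path -AutoSize
```

A line reading MISSING after a reboot usually means the GPO is linked to the wrong OU or the rule was created under User Configuration instead of Computer Configuration.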
Posted by pythrr on 2016-03-16 02:01:18
blergh, horribles