Bitlocker protection from ransomware

[andrewi84]

Hi. First post here. If a bitlocker protected external drive is in a locked state when ransomware infects a computer, would it still be able to compromise the drive/data?

Any advice is helpful. I have scoured the internet before posting. Thank you.

 

[Someone Somewhere]

I'm pretty sure 99% of ransomware would completely ignore it.

However, it would be possible for the drive to be wiped, and I guess if the keys for the drive were stored in the PC, it might be able to mount the drive then encrypt it.

 

[andrewi84]

I'm pretty sure 99% of ransomware would completely ignore it.

However, it would be possible for the drive to be wiped, and I guess if the keys for the drive were stored in the PC, it might be able to mount the drive then encrypt it.

Thx for the quick response! I've been pondering this for a couple days now. To be crystal clear, the drive has a letter assignment, but locked at the time of infection.

Printed the keys and kept off the computer to avoid unlocking.

 

[thor220]

Hi. First post here. If a bitlocker protected external drive is in a locked state when ransomware infects a computer, would it still be able to compromise the drive/data?

Any advice is helpful. I have scoured the internet before posting. Thank you.

Bitlocker is junk as far as encryption goes and modern ransom wear can completely bypasses the encryption in provides. Multiple methods of attack have already been found.

https/en.wikipedia.org/wiki/BitLocker

I'd suggest that if you have sensitive data, purchase a drive with native encryption. It'll cost more money but only a security expert will be able to get into.

You should also note that anyone who steals a drive or has unmitigated access to a Bitlocker drive will eventually crack it. It's very easy to brute force attack and even 256-bit, the highest encryption offered by bitlocker, can be cracked by simply renting a botnet or borrowing some resources.

 

[andrewi84]

Bitlocker is junk as far as encryption goes and modern ransom wear can completely bypasses the encryption in provides. Multiple methods of attack have already been found.

I'd suggest that if you have sensitive data, purchase a drive with native encryption. It'll cost more money but only a security expert will be able to get into.

Thx. I have family members with WD Passport Ultra which has the option to enable a password. Do you know of a way to unlock and lock drives like that via CMD? I wasn't able to find anything online.

 

[Someone Somewhere]

There's serious security flaws in many of the native encryption drives, and the remainder are probably only okay through obscurity.

They're probably OK as long as you're only trying to protect them from being read/modified from a compromised computer, but the moment someone can take them out of the caddy, the data is theirs. Not sure if they protect against a complete overwrite, but ransomware isn't going to do that, with the possible exception of you not paying the ransom.

 

[andrewi84]

There's serious security flaws in many of the native encryption drives, and the remainder are probably only okay through obscurity.

They're probably OK as long as you're only trying to protect them from being read/modified from a compromised computer, but the moment someone can take them out of the caddy, the data is theirs. Not sure if they protect against a complete overwrite, but ransomware isn't going to do that, with the possible exception of you not paying the ransom.

Fair enough. Theft excluded, I'm trying to make things as automated as possible for them in terms of backup while still keeping the backups somewhat protected from ransomware.

You are 99% sure ransomware would ignore the locked bitlocker external drive but thor220 disagrees. *sigh* haha. I'll wait for more responses from others. thx again!

 

[Someone Somewhere]

It appears there's a piece of ransomware actually called "Bit Locker", so the normally Almighty Google isn't quite so useful.

Most of the attacks I see in the Wikipedia page linked are focused on evil-maid style attacks.

The real question with encryption, IMHO, is always 'who handles the keys'? If you're storing the keys on the PC (even if you're only mounting it during the backup), then it would be pretty easy for ransomware to auto-mount any drives found. If a person is typing them in at 5PM every day, why not have them plug the drive in? What happens if the ransomware hits while the backup drive is mounted?

That said, from my understanding, it's very rarely the actual file server that's hit. A user gets hit, then it encrypts files on any shares it has write access to. If you lock down the users' permissions and ensure no-one can write to the backups except the daemon, this prevents damage unless your server somehow executes a file it's meant to be storing.

 

[andrewi84]

The real question with encryption, IMHO, is always 'who handles the keys'? If you're storing the keys on the PC (even if you're only mounting it during the backup), then it would be pretty easy for ransomware to auto-mount any drives found. If a person is typing them in at 5PM every day, why not have them plug the drive in? What happens if the ransomware hits while the backup drive is mounted?

That said, from my understanding, it's very rarely the actual file server that's hit. A user gets hit, then it encrypts files on any shares it has write access to. If you lock down the users' permissions and ensure no-one can write to the backups except the daemon, this prevents damage unless your server somehow executes a file it's meant to be storing.

Thanks again for having this discussion with me. I need someone to bounce ideas off of.

The key is not kept on the computer. I don't believe that they would be able to plug in the drive on specific dates at specified times, and then remember to unplug it hours later. Unfortunate, I know. haha

In terms of removing their write access to the external drive, can you provide me with a guide on how to do that? If I do that, does that mean that I don't need to apply bitlocker or a password on the external drive because it's now protected from ransomware?

 

[Someone Somewhere]

The key is not kept on the computer.

Then where is it?

By removing their write access, I mean having a file server with username/password authentication. Users do not have write access to unnecessary areas of this server, including any places where backups are stored - you'd probably just have a separate internal drive, though really you want offsite.

I'm assuming small/medium business here... just realised that might not be the case.

 

[andrewi84]

The key is not kept on the computer.

Then where is it?

By removing their write access, I mean having a file server with username/password authentication. Users do not have write access to unnecessary areas of this server, including any places where backups are stored - you'd probably just have a separate internal drive, though really you want offsite.

I'm assuming small/medium business here... just realised that might not be the case.

The key has been printed and kept in a secure location. You're right, there is no server, just an external hard drive responsible for one thing, storing a system image.

 

[Someone Somewhere]

Does anyone touch the machine for anything other than maintainence? If no, it's generally safe from ransomware I'd say.

If the only copy of the key is in a secure location, you won't ever be able to unlock the drive without getting the key out of that location (someone typing it in). There's another copy somewhere.

 

[andrewi84]

Does anyone touch the machine for anything other than maintenance? If no, it's generally safe from ransomware I'd say.

If the only copy of the key is in a secure location, you won't ever be able to unlock the drive without getting the key out of that location (someone typing it in). There's another copy somewhere.

The machine is used on a Monday-Friday basis and has just as good a chance as any to get infected in my opinion.

The key is only on paper. When it asked me how I wanted to save the key, I chose to print it.

All in all, it seems that the best solution is to have them plug the drive in on a specified day and unplug it hours later. I guess if they don't want to do that or can't, not sure what else I can do. Apparently nothing is safe. haha My automated solution of have the drive bitlocker encrypted and keeping the drive locked was going to be good too!

 

[Someone Somewhere]

If you keep the drive locked, you realize you can't read/write to it? How do you unlock it? With the key. The key may be stored in Windows' memory, in which case I expect ransomware could unlock it.

 

[eatmypie]

Bitdefender is now offering protection from ransomware in some of the AV products 'Paid only'. The simple solution is to download https/www.foolishit.com/cryptoprevent-malware-prevention/ which will protect your computer and it's external drives from becoming encrypted in the first place. It won't stop the malware from running, just the encryption part. The free version of this doesn't do automatic updates, so you would need to check for updates very month or so. This really does work well. I do analysis work for a majority of my living and I test different pieces of malware all the time and D7 that I linked is the only thing that really has provided outstanding protection from it as far as not allowing the encryption to take place. Works on all ransomware.

 

[andrewi84]

Bitdefender is now offering protection from ransomware in some of the AV products 'Paid only'. The simple solution is to download https/www.foolishit.com/cryptoprevent-malware-prevention/ which will protect your computer and it's external drives from becoming encrypted in the first place. It won't stop the malware from running, just the encryption part. The free version of this doesn't do automatic updates, so you would need to check for updates very month or so. This really does work well. I do analysis work for a majority of my living and I test different pieces of malware all the time and D7 that I linked is the only thing that really has provided outstanding protection from it as far as not allowing the encryption to take place. Works on all ransomware.

thanks! Which option did you choose in that software? Set it and forget it?

 

[eatmypie]

Yes I would recommend just using the default option.

 

[Ru1Sous4]

Bitlocker is junk as far as encryption goes and modern ransom wear can completely bypasses the encryption in provides. Multiple methods of attack have already been found..

Do you wanna give me some links?

 

[Someone Somewhere]

Encryption doesn't protect (and isn't designed to protect) against ransomware, because the ransomware has the same rights as the user, and unlocked encryption won't stop you deleting or modifying your own files.

The only defense against ransomware running as your user is backups that it can't access - offline, or ones on a different PC that your PC can't directly access.

 

[thr2013]

Hi. First post here. If a bitlocker protected external drive is in a locked state when ransomware infects a computer, would it still be able to compromise the drive/data?

Any advice is helpful. I have scoured the internet before posting. Thank you.

Bitlocker is junk as far as encryption goes and modern ransom wear can completely bypasses the encryption in provides. Multiple methods of attack have already been found.

https/en.wikipedia.org/wiki/BitLocker

I'd suggest that if you have sensitive data, purchase a drive with native encryption. It'll cost more money but only a security expert will be able to get into.

You should also note that anyone who steals a drive or has unmitigated access to a Bitlocker drive will eventually crack it. It's very easy to brute force attack and even 256-bit, the highest encryption offered by bitlocker, can be cracked by simply renting a botnet or borrowing some resources.

Saying it's junk and easy to crack is very arrogant as well as incredibly ignorant if you think a botnet will crack a proper alphanumeric + special sign password of at least 15 length in any near future. I'd challenge you to crack mine in the next 100 years. The weakness is in how its used (weak password) in any case, NOT with bitlocker.