Bitlocker protection from ransomware

Status
Not open for further replies.

andrewi84

Hi. First post here. If a bitlocker protected external drive is in a locked state when ransomware infects a computer, would it still be able to compromise the drive/data?

Any advice is helpful. I have scoured the internet before posting. Thank you.
 

andrewi84



Thx for the quick response! I've been pondering this for a couple days now. To be crystal clear, the drive has a letter assignment, but locked at the time of infection.

Printed the keys and kept off the computer to avoid unlocking.
 

thor220



Bitlocker is junk as far as encryption goes and modern ransomware can completely bypass the encryption it provides. Multiple methods of attack have already been found.

https://en.wikipedia.org/wiki/BitLocker

I'd suggest that if you have sensitive data, purchase a drive with native encryption. It'll cost more money but only a security expert will be able to get into it.

You should also note that anyone who steals a drive or has unmitigated access to a Bitlocker drive will eventually crack it. It's very easy to brute force attack and even 256-bit, the highest encryption offered by bitlocker, can be cracked by simply renting a botnet or borrowing some resources.
 

andrewi84



Thx. I have family members with WD Passport Ultra which has the option to enable a password. Do you know of a way to unlock and lock drives like that via CMD? I wasn't able to find anything online.
 
There are serious security flaws in many of the native encryption drives, and the remainder are probably only okay through obscurity.

They're probably OK as long as you're only trying to protect them from being read/modified from a compromised computer, but the moment someone can take them out of the caddy, the data is theirs. Not sure if they protect against a complete overwrite, but ransomware isn't going to do that, with the possible exception of you not paying the ransom.
 

andrewi84



Fair enough. Theft excluded, I'm trying to make things as automated as possible for them in terms of backup while still keeping the backups somewhat protected from ransomware.

You are 99% sure ransomware would ignore the locked bitlocker external drive but thor220 disagrees. *sigh* haha. I'll wait for more responses from others. :) thx again!
 
It appears there's a piece of ransomware actually called "Bit Locker", so the normally Almighty Google isn't quite so useful.

Most of the attacks I see in the Wikipedia page linked are focused on evil-maid style attacks.

The real question with encryption, IMHO, is always 'who handles the keys'? If you're storing the keys on the PC (even if you're only mounting it during the backup), then it would be pretty easy for ransomware to auto-mount any drives found. If a person is typing them in at 5PM every day, why not have them plug the drive in? What happens if the ransomware hits while the backup drive is mounted?

That said, from my understanding, it's very rarely the actual file server that's hit. A user gets hit, then it encrypts files on any shares it has write access to. If you lock down the users' permissions and ensure no-one can write to the backups except the daemon, this prevents damage unless your server somehow executes a file it's meant to be storing.
 
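The post above raises the practical question of what happens when the drive is mounted while the ransomware is running, and who types the key. The following script is an added example, not code from the thread or from any poster. It assumes the backup drive is BitLocker-protected with a password, mounts as E:, and receives a system image via wbadmin; these names are assumptions. The idea is to keep the volume unlocked only for the duration of the backup, relock it unconditionally afterward, and never write the password to disk.

```powershell
# Added example (not from the thread): keep a BitLocker-protected backup
# drive unlocked only while the image is being written. Assumptions: the
# drive mounts as E:, is protected by a password the operator types in, and
# the system image is written with wbadmin. Run from an elevated PowerShell.
$MountPoint = "E:"

function Get-LockState {
    param([string]$MountPoint)
    # LockStatus is "Locked" or "Unlocked"; works on locked volumes too.
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
}

# 1. Confirm the drive is locked before starting. A drive that was already
#    unlocked has been exposed to everything running on this PC meanwhile.
if ((Get-LockState $MountPoint) -ne 'Locked') {
    Write-Warning "$MountPoint was already unlocked; locking it first."
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
}

# 2. The password is typed at run time and exists only in this process's
#    memory; nothing is stored on disk that malware could reuse later.
$Password = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString

try {
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null

    # 3. Write the system image. wbadmin returns non-zero on failure.
    & wbadmin start backup -backupTarget:$MountPoint -include:C: -allCritical -quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Error "wbadmin failed with exit code $LASTEXITCODE"
    }
}
finally {
    # 4. Always relock, even when the backup failed. -ForceDismount drops
    #    open handles so the volume cannot stay mounted by accident.
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    $Password = $null
    Write-Host "$MountPoint is now $(Get-LockState $MountPoint)"
}
```

Two caveats a practitioner should keep in mind. While the volume is unlocked, any process running as the same user, ransomware included, can read and write it; the script shortens that window but does not remove it. And a locked BitLocker volume is still a block device the operating system can see, so malware with enough privilege can format it or delete its partition even though it cannot read or selectively encrypt the contents, which is why the thread keeps coming back to a copy the compromised machine cannot reach at all.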

andrewi84



Thanks again for having this discussion with me. I need someone to bounce ideas off of.

The key is not kept on the computer. I don't believe that they would be able to plug in the drive on specific dates at specified times, and then remember to unplug it hours later. Unfortunate, I know. haha

In terms of removing their write access to the external drive, can you provide me with a guide on how to do that? If I do that, does that mean that I don't need to apply bitlocker or a password on the external drive because it's now protected from ransomware?
 
The key is not kept on the computer.
Then where is it?

By removing their write access, I mean having a file server with username/password authentication. Users do not have write access to unnecessary areas of this server, including any places where backups are stored - you'd probably just have a separate internal drive, though really you want offsite.

I'm assuming small/medium business here... just realised that might not be the case.
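The two replies above describe the same control: a backup location that ordinary users can read but only the backup process can write to. The script below is an added example, not code from the thread. It assumes a local backup folder D:\Backups, a dedicated local account named BackupSvc under which the scheduled backup runs, and that everyday users are members of the built-in Users group; all three are assumptions. It sets the ACL with icacls and includes a small probe to confirm from a standard user's session that writes are refused.

```powershell
# Added example (not from the thread): let a dedicated backup account write
# to the backup folder while interactive users get read-only access.
# Assumptions: backup target D:\Backups, local account "BackupSvc" runs the
# backup task, everyday users are in the built-in Users group.

function Set-BackupFolderAcl {
    # Run this part from an elevated PowerShell.
    param(
        [string]$BackupDir = "D:\Backups",
        [string]$BackupAccount = "$env:COMPUTERNAME\BackupSvc"
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # /inheritance:r  drop inherited ACEs, which is where Users normally get
    #                 Modify on a data drive
    # /grant:r        replace (rather than add to) each principal's rights
    # (OI)(CI)        apply to files and subfolders created later
    # F = full control, RX = read and execute
    icacls $BackupDir /inheritance:r `
        /grant:r "SYSTEM:(OI)(CI)F" `
        /grant:r "Administrators:(OI)(CI)F" `
        /grant:r "${BackupAccount}:(OI)(CI)F" `
        /grant:r "Users:(OI)(CI)RX"

    # Show the resulting ACL for review.
    icacls $BackupDir
}

function Test-CanWrite {
    # Run this part from the everyday user's own (non-elevated) session.
    # Expected result after Set-BackupFolderAcl: $false.
    param([string]$Path = "D:\Backups")
    $probe = Join-Path $Path ([guid]::NewGuid().ToString())
    try {
        [IO.File]::WriteAllText($probe, "probe")
        Remove-Item $probe
        return $true
    }
    catch [System.UnauthorizedAccessException] {
        return $false
    }
}

# Usage:
#   (elevated)   Set-BackupFolderAcl
#   (as a user)  "$env:USERNAME can write: $(Test-CanWrite)"
```

The control only holds if the accounts that get hit are not local administrators; a process running as an administrator can take ownership and rewrite the ACL, which is exactly what ransomware running under an admin user would do. It also only covers the "encrypt everything I can write to" behaviour the post describes; the backup account itself, and whatever runs as it, still has to be trusted.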
 

andrewi84



The key has been printed and kept in a secure location. You're right, there is no server, just an external hard drive responsible for one thing, storing a system image.
 
Does anyone touch the machine for anything other than maintenance? If no, it's generally safe from ransomware I'd say.

If the only copy of the key is in a secure location, you won't ever be able to unlock the drive without getting the key out of that location (someone typing it in). There's another copy somewhere.
 

andrewi84



The machine is used on a Monday-Friday basis and has just as good a chance as any to get infected in my opinion.

The key is only on paper. When it asked me how I wanted to save the key, I chose to print it.

All in all, it seems that the best solution is to have them plug the drive in on a specified day and unplug it hours later. I guess if they don't want to do that or can't, not sure what else I can do. Apparently nothing is safe. haha My automated solution of having the drive bitlocker encrypted and keeping the drive locked was going to be good too!
 

eatmypie

Bitdefender is now offering protection from ransomware in some of the AV products 'Paid only'. The simple solution is to download https://www.foolishit.com/cryptoprevent-malware-prevention/ which will protect your computer and its external drives from becoming encrypted in the first place. It won't stop the malware from running, just the encryption part. The free version of this doesn't do automatic updates, so you would need to check for updates every month or so. This really does work well. I do analysis work for a majority of my living and I test different pieces of malware all the time and D7 that I linked is the only thing that really has provided outstanding protection from it as far as not allowing the encryption to take place. Works on all ransomware.
 

andrewi84



thanks! Which option did you choose in that software? Set it and forget it?
 

Ru1Sous4



Do you wanna give me some links? o_O

 
Encryption doesn't protect (and isn't designed to protect) against ransomware, because the ransomware has the same rights as the user, and unlocked encryption won't stop you deleting or modifying your own files.

The only defense against ransomware running as your user is backups that it can't access - offline, or ones on a different PC that your PC can't directly access.
 

thr2013



Saying it's junk and easy to crack is very arrogant as well as incredibly ignorant if you think a botnet will crack a proper alphanumeric + special sign password of at least 15 length in any near future. I'd challenge you to crack mine in the next 100 years. The weakness is in how its used (weak password) in any case, NOT with bitlocker.
 