Macrium 6 and Cryptolocker


theo
New Member
Group: Forum Members
Posts: 7, Visits: 98
you can use MR with a couple of batch files inserted into a MR generated vbscript job to unlock and lock a bitlocker encrypted drive.  it may require you to be running as
an administrator and have a tpm module, idk.  but it's relatively simple to do.
Seekforever
Master
Group: Forum Members
Posts: 1.1K, Visits: 24K
I agree to a point except that the thinking part of the brain is notorious for falling asleep when we are doing something - how many times over the years have we gone click, click, click and then said something like, "darn, shouldn't have done that last click"? Also, the original poster is dealing with a number of clients whose computer knowledge may vary considerably and who see the PC as nothing more than a tool to accomplish something else, and there is no way he can rely on their following good security practices. The clients have hired him to ensure their data is safe and if it gets lost, telling the boss-man that Charlie shouldn't have clicked on that message isn't going to cut it.



Richard V.
Most Valuable Professional
Group: Forum Members
Posts: 2K, Visits: 8.1K
Not knowing how this particular client service is currently organized, I'd still be strongly inclined to look for some kind of centralized or otherwise coordinated solution that allows for destination drive swapping and off-site protection.  But I suppose that's just my own "belt and suspenders" personality speaking.

Regards, Richard V. ("Arvy")
https://forum.macrium.com/uploads/images/afc5d4fe-5d25-4e25-be94-185e.png

Seekforever
Master
Group: Forum Members
Posts: 1.1K, Visits: 24K
theo (2/27/2015)
you can use MR with a couple of batch files inserted into a MR generated vbscript job to unlock and lock a bitlocker encrypted drive.  it may require you to be running as
an administrator and have a tpm module, idk.  but it's relatively simple to do.


I'm not certain this is a solution. Bitlocker is intended to make data inaccessible when a computer is stolen or lost. While the machine is running the files are essentially decrypted, or at least decrypted on the fly. If the person clicks on the Cryptolocker delivery mechanism and can access the files then they are essentially plaintext, but even if they weren't, there is nothing that says an encrypted file can't be encrypted again.

From MS info on Bitlocker:
BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password are not kept secret.


Edited 27 February 2015 4:02 PM by Seekforever
Seekforever
Master
Group: Forum Members
Posts: 1.1K, Visits: 24K
Arvy (2/27/2015)
Not knowing how this particular client service is currently organized, I'd still be strongly inclined to look for some kind of centralized or otherwise coordinated solution that allows for destination drive swapping and off-site protection.  But I suppose that's just my own "belt and suspenders" personality speaking.


It's anything but your own "belt and suspenders" method especially if the data is important at least to you. As I've said before, your personally created data deserves the most protection since it cannot be purchased anywhere else at any price; OS and apps can.

Anybody who is dealing with business data is a fool who doesn't have a similar approach, and that sure means off-line and off-site protection. All it takes is a good lightning strike to wipe out a whole network and theft or fire to remove all your data from the premises. A theft can be even more catastrophic if the data pertains to other people's personal information (e.g., doctor's office, financial, etc.) or sensitive proprietary product information. Bitlocker is a solution for the theft situation.

Edited 27 February 2015 4:34 PM by Seekforever
theo
New Member
Group: Forum Members
Posts: 7, Visits: 98
Seekforever (2/27/2015)
theo (2/27/2015)
you can use MR with a couple of batch files inserted into a MR generated vbscript job to unlock and lock a bitlocker encrypted drive.  it may require you to be running as
an administrator and have a tpm module, idk.  but it's relatively simple to do.


I'm not certain this is a solution. Bitlocker is intended to make data inaccessible when a computer is stolen or lost. While the machine is running the files are essentially decrypted, or at least decrypted on the fly. If the person clicks on the Cryptolocker delivery mechanism and can access the files then they are essentially plaintext, but even if they weren't, there is nothing that says an encrypted file can't be encrypted again.

From MS info on Bitlocker:
BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password are not kept secret.



we can imagine all sorts of scenarios, but while the machine is running with a locked drive, not just encrypted, it still is inaccessible to even the administrator without the password.

I just booted running as an administrator, password needed.  crypto could, I suppose, run the batch file to unlock d:\  but I doubt it. 

the true unknown is: when does malware reveal itself? immediately? when you attach an external drive? Have you backed up your malware too?

http://forum.macrium.com/uploads/images/154778af-0791-4a2e-b062-9020.jpg





Seekforever
Master
Group: Forum Members
Posts: 1.1K, Visits: 24K
I can see that but how do you lock up the internal HD after you've unlocked it and written your image or other data to it? I don't see a command other than shutting the machine down or perhaps logging off the account.
If an external USB drive was used and it was removed that would indeed do it, but the original poster has a problem getting his clients to use externals.
----------- OK I found "-lock" in manage-bde in command mode. ----------------------------------
It appears that Bitlocker would do the job of protecting the backup files except for the time the drive is unlocked and that risk would be very small as long as the drive is kept locked until the backup is initiated. If a user has the password and unlocks it without locking it after use then the risk will increase.

I believe Cryptolocker reveals itself after the work is done. Backing up malware in images is always an issue which is why you should have a chronological history of several images available. IMO, it is also a reason not to use incremental image consolidation methods especially if you just keep re-working a chain based on one full image. I'm interested in opinions on this.

Edited 27 February 2015 7:13 PM by Seekforever
theo
New Member
Group: Forum Members
Posts: 7, Visits: 98
Seekforever (2/27/2015)
I can see that but how do you lock up the internal HD after you've unlocked it and written your image or other data to it? I don't see a command other than shutting the machine down or perhaps logging off the account.
If an external USB drive was used and it was removed that would indeed do it, but the original poster has a problem getting his clients to use externals.
----------- OK I found "-lock" in manage-bde in command mode. ----------------------------------
It appears that Bitlocker would do the job of protecting the backup files except for the time the drive is unlocked and that risk would be very small.

I believe Cryptolocker reveals itself after the work is done. Backing up malware in images is always an issue which is why you should have a chronological history of several images available. IMO, it is also a reason not to use incremental image consolidation methods especially if you just keep re-working a chain based on one full image. I'm interested in opinions on this.


Notepad-----
c:\windows\system32\manage-bde -unlock d: -recoverypassword   xxxxxx-out to 48 digits-xxxxxx   name it unlock.bat
c:\windows\system32\manage-bde -lock d:  name it lock.bat

add the batch files to run before / run after in macrium defaults for vbscripts
convert your mr backup definition to vbscript, schedule the vb

the difficulty is configuring the mr winpe to carry the bitlocker drivers. obviously you'd like to avoid unlocking the drive
if you have a known C:\ infection from within windows to restore. wish they would configure the rescue media with the -bde drivers.


Edited 27 February 2015 7:43 PM by theo
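The unlock.bat / lock.bat pair above does the job, but it leaves the 48-digit recovery password sitting in a plaintext batch file readable by anything running in that session, and it never checks whether the lock actually took. The following is an added example, not theo's batch files and not Macrium code: a single PowerShell script that serves as both the "run before" (-Action Unlock) and "run after" (-Action Lock) step of a Reflect job. It reads the recovery password from a DPAPI-protected file instead of embedding it, and it verifies the lock state reported by manage-bde -status after each step, exiting non-zero if the volume is not where it should be. The volume letter D:, the password file path, and the one-time command that creates that file are assumptions, not from the thread.

```powershell
<#
Added example (not from the forum thread or from Macrium): PowerShell
replacement for unlock.bat / lock.bat that keeps the recovery password out of
plaintext and verifies the resulting lock state.

Assumptions (not from the thread):
  - the backup destination is the BitLocker volume D:
  - the recovery password was saved once, while logged on as the SAME account
    the backup job runs under, with:
      Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PasswordFile
    ConvertFrom-SecureString without a key uses DPAPI, so the file decrypts
    only for that account on that machine.
#>
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][ValidateSet('Unlock', 'Lock')][string]$Action,
    [string]$Volume = 'D:',
    [string]$PasswordFile = "$env:ProgramData\BackupJob\recovery.dpapi"   # assumed path
)

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.exe'

function Get-LockStatus {
    # manage-bde -status prints a "Lock Status: Locked|Unlocked" line
    param([string]$MountPoint)
    $text = (& $ManageBde -status $MountPoint 2>&1) | Out-String
    $m = [regex]::Match($text, 'Lock Status:\s*(\w+)')
    if (-not $m.Success) { throw "Could not read lock status of $MountPoint" }
    return $m.Groups[1].Value
}

function Unlock-BackupVolume {
    param([string]$MountPoint, [string]$File)
    if ((Get-LockStatus $MountPoint) -eq 'Unlocked') { return }
    $secure = Get-Content $File | ConvertTo-SecureString      # DPAPI decrypt
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & $ManageBde -unlock $MountPoint -RecoveryPassword $plain | Out-Null
    } finally {
        # Scrub the decrypted copy as soon as manage-bde has returned
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    if ((Get-LockStatus $MountPoint) -ne 'Unlocked') { throw "Unlock of $MountPoint failed" }
}

function Lock-BackupVolume {
    param([string]$MountPoint)
    if ((Get-LockStatus $MountPoint) -eq 'Locked') { return }
    # -ForceDismount closes open handles; without it the lock fails whenever
    # any process still has a file open on the volume
    & $ManageBde -lock $MountPoint -ForceDismount | Out-Null
    if ((Get-LockStatus $MountPoint) -ne 'Locked') {
        throw "Lock of $MountPoint failed; the backup volume is still exposed"
    }
}

try {
    switch ($Action) {
        'Unlock' { Unlock-BackupVolume -MountPoint $Volume -File $PasswordFile }
        'Lock'   { Lock-BackupVolume   -MountPoint $Volume }
    }
    Write-Host "$Volume is now $(Get-LockStatus $Volume)"
    exit 0
} catch {
    Write-Error $_
    exit 1   # non-zero so the calling job can see the step did not complete
}
```

Configure the Reflect job to call the script with -Action Unlock before the backup and -Action Lock after it. Two points the script cannot fix: while the volume is unlocked it is as exposed as any other drive, so nothing else should run in that window, and the DPAPI file is readable by any process running as the backup account, which is the argument for giving the job its own dedicated account rather than the user's.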
Richard V.
Most Valuable Professional
Group: Forum Members
Posts: 2K, Visits: 8.1K
theo (2/27/2015)

 wish they would configure the rescue media with the -bde drivers.

Do the optional WinPE_OCs for Reflect's PE5 builds not cover what you're looking for?  They appear to include the manage-bde.exe executable along with related .DLL and .SYS files.

As an aside but closely related to this topic, I would suggest a glance or two at Microsoft's own Security TechCenter might be worthwhile for anyone seriously interested in Windows security issues.  There are some interesting tips in this month's newsletter regarding infrastructure management in particular.


Regards, Richard V. ("Arvy")
https://forum.macrium.com/uploads/images/afc5d4fe-5d25-4e25-be94-185e.png

GlennChambers
Junior Member
Group: Forum Members
Posts: 12, Visits: 101
Can you just not unmount the drive? That's what I do. I have a powershell script that runs in the background and when my USB external drive is mounted it kicks off the backup script, after the backup completes the drive is unmounted automatically.
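Glenn's background script is described rather than posted. The following is an added example, not Glenn's script and not Macrium code, showing the same idea in PowerShell: subscribe to the WMI volume-arrival event, start the backup when the expected drive letter appears, and dismount the volume as soon as the job ends so the destination is reachable only for the duration of the job. The drive letter E:, the placeholder $RunBackup script block (the reader substitutes their Reflect command), and the use of mountvol /p for the dismount are assumptions, not from the thread.

```powershell
<#
Added example (not from the forum thread or from Macrium): event-driven
"backup on attach, dismount when done" watcher.
Assumptions (not from the thread): the backup drive mounts as E:, $RunBackup
is a placeholder for the real Reflect command, and mountvol /p dismounts the
volume; reconnecting the USB drive mounts it again.
#>
#Requires -RunAsAdministrator
$BackupDrive = 'E:'

# Placeholder for the real backup step: return $true on success
$RunBackup = {
    param([string]$Target)
    Write-Host "Backing up to $Target ..."
    return $true
}

# Win32_VolumeChangeEvent EventType 2 = device arrival
$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'
Register-WmiEvent -Query $query -SourceIdentifier 'BackupVolumeArrived' `
    -MessageData @{ Drive = $BackupDrive; Backup = $RunBackup } `
    -Action {
        $drive = $Event.SourceEventArgs.NewEvent.DriveName
        $cfg   = $Event.MessageData
        if ($drive -ne $cfg.Drive) { return }      # some other removable volume
        try {
            $ok = & $cfg.Backup $drive
            if (-not $ok) { Write-Warning "Backup to $drive reported failure" }
        } finally {
            # Dismount whether or not the backup succeeded, so the drive is
            # never left attached and exposed after the job
            & mountvol.exe "$drive\" /p
            Write-Host "$drive dismounted at $(Get-Date -Format s)"
        }
    } | Out-Null

Write-Host "Waiting for $BackupDrive to be attached; press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 60 }   # the -Action block does the work
} finally {
    Unregister-Event -SourceIdentifier 'BackupVolumeArrived'
}
```

The dismount sits in a finally block on purpose: a failed backup is the case in which a drive is most likely to be forgotten and left attached, and the point of the approach is that the destination is offline whenever a backup is not actually running.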
