Macrium 6 and Cryptolocker


Merlin
Talented Member (192 reputation)
Group: Forum Members
Posts: 114, Visits: 3.1K
GlennChambers (2/28/2015)
Can you just not unmount the drive? That's what I do. I have a powershell script that runs in the background and when my USB external drive is mounted it kicks off the backup script, after the backup completes the drive is unmounted automatically.

Yes, but anything can happen while it's mounted and vulnerable.

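The mount-triggered approach Glenn describes, as an added illustration (this is not Glenn's script and not Macrium's code): a loop watches for a backup volume by label, runs the backup job, and dismounts the drive in a `finally` block so it is never left attached after a failed job. The volume label and the backup command are placeholders; the placeholder is where you would call your own Reflect job. As Merlin notes, this only shortens the window while the drive is mounted, it does not remove it.

```powershell
# Added example (not from the thread): keep the external backup drive attached
# only for the duration of the backup job, then dismount it.
# Assumptions: the backup volume is labelled 'REFLECT_BACKUP' (placeholder) and
# $BackupCommand is a placeholder for your own backup job invocation.
# Requires an elevated session (mountvol /p needs administrative rights).

$VolumeLabel   = 'REFLECT_BACKUP'              # placeholder label of the USB backup drive
$BackupCommand = 'C:\Scripts\run-backup.cmd'   # placeholder: replace with your backup job
$PollSeconds   = 30

function Get-BackupVolume {
    # Returns the volume object for the labelled backup drive if it is attached
    # with a drive letter, otherwise nothing.
    Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.FileSystemLabel -eq $VolumeLabel -and "$($_.DriveLetter)" -match '^[A-Z]$' }
}

function Invoke-ProtectedBackup {
    param([Parameter(Mandatory)] $Volume)
    $drive = "$($Volume.DriveLetter):"
    try {
        Write-Host "Backup drive attached as $drive; starting job."
        & cmd.exe /c $BackupCommand $drive
        if ($LASTEXITCODE -ne 0) { Write-Warning "Backup job returned exit code $LASTEXITCODE" }
    }
    finally {
        # Dismount even if the job failed so the drive is not left exposed.
        # mountvol <drive> /p dismounts the volume and removes its drive letter.
        & mountvol.exe $drive /p
        Write-Host "Dismounted $drive."
    }
}

while ($true) {
    $vol = Get-BackupVolume
    if ($vol) { Invoke-ProtectedBackup -Volume $vol }
    Start-Sleep -Seconds $PollSeconds
}
```

After `mountvol /p` the volume has no drive letter, so `Get-BackupVolume` returns nothing and the job does not re-run until the drive is physically unplugged and plugged in again. Polling is used here for simplicity; Glenn's background script is presumably event-driven, which achieves the same effect.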
Seekforever
Master (1.6K reputation)
Group: Forum Members
Posts: 1.1K, Visits: 24K
Probably the same level of vulnerability as using Bitlocker to unlock drive for backup then lock it again at end. I really think the risk would be very low.

The scenario would have to be something like:
The Cryptolocker malware is loaded on the machine and is searching for and encrypting files just as you start a backup and mount/unlock the drive. This is a fairly remote possibility and at present even less likely to be a problem because it doesn't look like the malware goes after anything other than "document" files.  I assume that once the Cryptolocker ransom message is displayed it stops searching but in any case, you wouldn't be running the machine anyway.

This scenario can't even be avoided by keeping the USB backup drive in a drawer until you need it because as soon as you plug it in it is vulnerable.

You could run Reflect from the USB rescue drive but that even entails the risk of backing up encrypted files and if you image the C drive you now have an image containing Cryptolocker. So, make sure you have more than one backup so you can roll-back!



Dreamer2004
Talented Member (175 reputation)
Group: Forum Members
Posts: 96, Visits: 382
My basic backup-device is an external HDD that is encrypted with BestCrypt. This software offers fast initial encryption!
If your CPU supports "AES-NI" you won't notice any speed differences at all!!


theo
New Member (21 reputation)
Group: Forum Members
Posts: 7, Visits: 98
http://forum.macrium.com/uploads/images/7aaaf9d3-f1d8-4621-8fcb-9b77.jpg
theo (2/27/2015)
Seekforever (2/27/2015)
I
the difficulty is configuring the MR WinPE to carry the BitLocker drivers.  obviously you'd like to avoid unlocking the drive
if you have a known C:\ infection from within Windows to restore.  wish they would configure the rescue media with the -bde drivers.

Found it.  :)




lovelyjubbly
Proficient Member (223 reputation)
Group: Forum Members
Posts: 131, Visits: 494
Hi everyone,

Thanks for all the comments and advice.

An update to my original post:

The trojan had encrypted a bunch of other files, including jpgs and avi files.

We think she noticed suspicious activity before all the files were encrypted, she ran her antivirus which nuked the trojan.

So I'm not sure whether the Macrium Files would have been safe.

I've also been thinking about network drives.

We use Synology Nas which are password protected. We do NOT map the drives.

However we do add these details in User Credentials so Macrium can access these network folders.

So I'm wondering whether this makes us vulnerable?

lovelyjubbly
Proficient Member (223 reputation)
Group: Forum Members
Posts: 131, Visits: 494
Bad news I'm afraid, it looks like even unmapped drives are at risk :(

http://www.bleepingcomputer.com/forums/t/569157/cryptofortress-a-torrentlocker-clone-that-also-encrypts-unmapped-network-shares/

I'm not sure how we can protect networked drives?

Perhaps remove Windows User Credentials to the NAS from users and only use these credentials in Macrium:

Other Tasks>Edit Defaults>Network   ?

BTW, Macrium have responded to my request for a formal response to this problem. They've been watching this thread and have said they will post a guide on their blog next week :)

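One way to check the exposure this post worries about, as an added example (not from the thread and not Macrium's code): a saved Windows credential for the NAS, or an already-open SMB session, lets any process running as the logged-on user reach the share without a prompt, which is exactly what malware that walks unmapped shares relies on. The script lists saved credential targets matching the NAS host name, lists open SMB connections to it, and can remove the saved credential so that only Reflect's own stored network credentials remain. The host name `nas01` is a placeholder.

```powershell
# Added example (not from the thread): audit saved credentials and open SMB sessions
# that give the logged-on user silent access to the NAS.
# Assumption: the NAS is reachable as 'nas01' (placeholder host name).

$NasHost = 'nas01'   # placeholder

function Get-StoredCredentialTargets {
    # cmdkey /list prints one "Target: <type>:target=<name>" line per saved credential.
    # Assumption: stripping the "<type>:target=" prefix yields the name cmdkey /delete expects.
    $lines = & cmdkey.exe /list
    foreach ($line in $lines) {
        if ($line -match '^\s*Target:\s*(?:\w+:target=)?(.+?)\s*$') {
            $Matches[1]
        }
    }
}

function Find-NasCredential {
    # Saved credentials whose target names refer to the NAS.
    param([string]$HostName)
    Get-StoredCredentialTargets | Where-Object { $_ -like "*$HostName*" }
}

function Get-NasConnections {
    # Open SMB client sessions to the NAS (SmbShare module, Windows 8 / 2012 and later).
    # An open session grants access for its lifetime even with no saved credential.
    param([string]$HostName)
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerName -like "*$HostName*" }
}

function Remove-NasCredential {
    # Deletes the saved credential(s) so the share is reachable only when credentials
    # are supplied explicitly (e.g. from Reflect's Edit Defaults > Network settings).
    # Review Find-NasCredential output before calling this.
    param([string]$HostName)
    foreach ($target in Find-NasCredential -HostName $HostName) {
        & cmdkey.exe "/delete:$target"
        Write-Host "Removed saved credential for $target"
    }
}

Find-NasCredential -HostName $NasHost
Get-NasConnections -HostName $NasHost
```

Run the two read-only calls at the bottom first; `Remove-NasCredential -HostName $NasHost` is the only step that changes anything. Note that removing the cached credential does not help against malware that runs while a backup is in progress and the session is open, which is the residual risk discussed earlier in the thread.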
Seekforever
Master (1.6K reputation)
Group: Forum Members
Posts: 1.1K, Visits: 24K
Bad news alright, I was feeling pretty smug about my unmapped NAS.

Looking forward to the Macrium blog on this topic. Glad you raised the issue with Macrium.

Scott
Macrium Representative (32 reputation)
Group: Forum Members
Posts: 5, Visits: 256
Hi all.

Just to let you all know we have published an article in our Knowledgebase with some information and advice on this issue:

Protection Strategies Against Ransomware

Hope you find it useful.


Scott
Macrium Support
Richard V.
Most Valuable Professional (4.1K reputation)
Group: Forum Members
Posts: 2K, Visits: 8.1K
So, basically, it's just endorsing what I said back at the beginning of this thread. The best protection strategy is to make your backups inaccessible to the threats. 

Regards, Richard V. ("Arvy")
https://forum.macrium.com/uploads/images/afc5d4fe-5d25-4e25-be94-185e.png

Seekforever
Master (1.6K reputation)
Group: Forum Members
Posts: 1.1K, Visits: 24K
That's about it for the best protection. There are other ways of reducing the risk such as making sure things are set up with ACLs etc. but you can never rely on them ultimately being compromised. That doesn't mean it isn't a good idea to use other mechanisms to reduce the possibility of malware access but you just can't say it will always give 100% protection.

I don't think anything protects you against the very remote possibility of making your backup with Cryptolocker running and you back up already encrypted files. This is where you need to ensure that you have available a history of backups or some other versioning mechanism.

I miss the days of being able to push the "write-lock" switch on a real disk drive - lot cooler than plugging and unplugging.



Edited 11 March 2015 3:46 PM by Seekforever
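The two risk reducers Seekforever mentions, ACLs on the backup location and a retained history of backups, as an added example (not from the thread and not Macrium's code). The first function gives a dedicated backup account and Administrators write access to the backup folder while ordinary users, the context ransomware usually runs in, get read-only; the second counts how many image generations are present so you notice before the "backup of already-encrypted files" case leaves you with a single bad copy. The folder path and account name are placeholders; `.mrimg` is Reflect's image file extension.

```powershell
# Added example (not from the thread): least-privilege ACL on the backup folder plus a
# check that several backup generations are retained.
# Assumptions: $BackupRoot and $BackupAccount are placeholders for your own values.
# Run elevated; Set-Acl on a folder you do not own requires administrative rights.

$BackupRoot     = 'D:\Backups'             # placeholder: folder Reflect writes to
$BackupAccount  = 'BACKUPSRV\reflect-svc'  # placeholder: account the backup job runs as
$ImagePattern   = '*.mrimg'                # Reflect image file extension
$MinGenerations = 3

function Set-BackupFolderAcl {
    # Replaces inherited permissions with an explicit set: Administrators full control
    # (for restores), the backup account Modify, everyone else read-only. An interactive
    # user's process therefore cannot overwrite or delete existing images.
    param([string]$Path, [string]$WriterAccount)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $WriterAccount, 'Modify', $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-BackupGenerations {
    # Reports how many image files exist and whether that meets the retention floor.
    param([string]$Path, [string]$Pattern, [int]$Minimum)
    $images = @(Get-ChildItem -Path $Path -Filter $Pattern -File -Recurse -ErrorAction SilentlyContinue |
                Sort-Object LastWriteTime -Descending)
    [pscustomobject]@{
        Generations = $images.Count
        Newest      = if ($images.Count) { $images[0].LastWriteTime }  else { $null }
        Oldest      = if ($images.Count) { $images[-1].LastWriteTime } else { $null }
        Sufficient  = ($images.Count -ge $Minimum)
    }
}

Set-BackupFolderAcl -Path $BackupRoot -WriterAccount $BackupAccount
$report = Test-BackupGenerations -Path $BackupRoot -Pattern $ImagePattern -Minimum $MinGenerations
if (-not $report.Sufficient) {
    Write-Warning "Only $($report.Generations) image(s) retained; expected at least $MinGenerations."
}
$report
```

As Seekforever says, this only narrows the exposure: malware that gains the backup account's rights or administrative rights can still reach the images, which is why the retained history and an offline copy remain the actual protection.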