Making A Backup Disk CryptoLocker-Proof


19 replies to this topic

#1 valkyriebiker

Posted 16 November 2013 - 03:29 PM

Hi All,

 

Many of my clients have external USB hard drives attached to their computers for backups.  Since CryptoLocker can encrypt these drives, how do we protect these devices?  I’ve put together a simple process to do this.

 

I would appreciate it if other experts examined my approach and found any flaws in it.

 

  1. Create an administrative user account “task” and assign a password “task$”.  Give this account “SeBatchLogonRight” using NTRights.exe so that it can log in as a service for unattended backups.
  2. On the backup device, create a folder on the root “x:\Backups\” and assign the following ACL.  Make sure the ACL propagates.  Also, give ownership to "task".
    HOSTNAME\task:(OI)(CI)F
    Everyone:(OI)(CI)R       (user can read backup files)
  3. Create a suitable script that runs periodically (hourly, nightly, whatever) that copies user data to the backup device.  The script runs from the “task” userid.  Also give the user a “backup now” icon that launches the backup script under the “task” account using PsExec.
  4. Demote the user’s account to a standard user (a best practice in any event) so that CryptoLocker (running under the user’s security context) cannot take ownership of or change the ACLs on the external device.
  5. If the user is responsible and trustworthy enough, then provide him/her the password to “task” so that s/he may log in as necessary to install or update software that requires admin-level access.

 

In this context, CryptoLocker should be unable to encrypt the attached storage, keeping it safe.

 

If the user becomes infected with CryptoLocker and the nightly backup runs, then of course the most recent backup will be fully encrypted.  But by using VBackup’s versioning restore, it’s a simple matter to restore to a date and time prior to CryptoLocker infection.  Since CryptoLocker cannot directly touch the external hard drive, then previous backups should remain safe.

 

Utilities that I’m using:

   vbackup.exe  --  robocopy-like command line copy tool with versioning

   ntrights.exe  --  tool to grant login-as-a-service to the task userid

   psexec.exe  --  Sysinternals utility to allow running a process from alternate creds

 

Plus a few minor utilities that I wrote to assist in the script.

 

What do you guys think of this?


Edited by valkyriebiker, 16 November 2013 - 03:32 PM.
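As an added example (not the original poster's script nor any of the utilities he lists), here is step 2 of the procedure done with the built-in icacls tool, with an NTFS check in front of it; the X: drive letter, the already-existing "task" account and the elevated prompt are assumptions:

```batch
@echo off
REM Added example, not the original poster's script or one of the listed
REM utilities: it applies the ACL from step 2 with the built-in icacls tool
REM and prints the result for checking. Assumptions not taken from the post:
REM the backup drive is X:, the "task" account already exists, and this runs
REM once from an elevated (administrator) command prompt.
setlocal
set "DRIVE=X:"
set "ROOT=%DRIVE%\Backups"
set "TASK_ACCT=%COMPUTERNAME%\task"

REM ACLs exist only on NTFS. On a FAT32 or exFAT external drive every icacls
REM call below fails or is meaningless, so refuse to continue.
fsutil fsinfo volumeinfo %DRIVE% | findstr /C:"NTFS" >nul || (
    echo %DRIVE% is not NTFS. Reformat it as NTFS before applying the ACL.
    exit /b 1
)

if not exist "%ROOT%" mkdir "%ROOT%"

REM Stop inheriting the drive root's default ACL (which normally lets any
REM authenticated user create files there) and discard the inherited entries.
icacls "%ROOT%" /inheritance:r || exit /b 1

REM The two entries from the post: task = Full control, Everyone = Read.
REM Everyone is given as its SID S-1-1-0 so the name works in any language.
REM (OI)(CI) makes both entries propagate to new files and subfolders;
REM /grant:r replaces an existing entry for the same account instead of
REM stacking a second one next to it.
icacls "%ROOT%" /grant:r "%TASK_ACCT%:(OI)(CI)F" "*S-1-1-0:(OI)(CI)R" || exit /b 1

REM Owner = task. An owner can always rewrite the DACL, so ownership must
REM not stay with the interactive user whose context CryptoLocker runs in.
icacls "%ROOT%" /setowner "%TASK_ACCT%" /T /C || exit /b 1

REM Files already under the folder keep their old explicit entries; /reset
REM drops those so they inherit the two entries above (harmless on an
REM empty folder; new files inherit automatically).
icacls "%ROOT%\*" /reset /T /C

REM Show the folder ACL. Expect only task:(OI)(CI)F and Everyone:(OI)(CI)R.
icacls "%ROOT%"
endlocal
```

Check it afterwards from the demoted user's own account: creating or renaming a file under X:\Backups should fail with "Access is denied", while opening an existing backup file should still work.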



 


#2 Chuck Devlin

Posted 16 November 2013 - 03:38 PM

Wouldn't it be easier to download "HitmanPro.alert with cryptolock" to protect your complete computer?  This is a question.  I have downloaded it, but obviously I'm not sure how well it will protect without an actual event occurring.  The video shows it working.



#3 valkyriebiker

Posted 16 November 2013 - 03:50 PM

I saw the CryptoGuard program and it does look promising.  I'm playing with it now, in fact.

 

These aren't mutually exclusive ideas.

 

My approach would protect a backup device in the event CryptoGuard failed or if running it was not possible or practical for whatever reason.  But it could also protect against other insults, such as a user accidentally deleting the backup directory or dragging a directory on top of another -- which I've seen happen a number of times.

 



#4 quietman7

Posted 19 November 2013 - 06:49 PM

They could also just disconnect their external drive until it's time to do a backup...then disconnect again once complete.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 valkyriebiker


Posted 19 November 2013 - 07:03 PM

True, they can unplug the drive except during actual backup.   But, ahem, some of my clients cannot be trusted to do even that much.  Sad, I know, but true.  I try to serve everyone, even those who still have to ask "left button or right" when I say "now click on the icon".

 

I've analyzed my approach and can't see any flaw that would give CryptoLocker access to the backup data, so long as my process is set up correctly.

 

I posted here hoping fresh eyes might see something I missed.

 

thanks all!



#6 quietman7

Posted 19 November 2013 - 07:11 PM

You're welcome on behalf of the Bleeping Computer community.

#7 Crazy Cat


Posted 19 November 2013 - 07:57 PM

Many of my clients have external USB hard drives attached to their computers for backups.

Your backup is good, and you can tell your clients about GiliSoft USB Lock (http://www.snapfiles.com/get/giliusb.html | http://www.snapfiles.com/screenshots/giliusb.htm); it does much more too.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#8 technonymous


Posted 24 November 2013 - 12:54 PM

Why not use bitlocker?



#9 quietman7


Posted 24 November 2013 - 02:03 PM

OP was looking for an easy way to protect external drives for his clients, not himself. If those clients are like many others I have seen, BitLocker may be too complicated for them to use. Remember years ago when folks couldn't even unzip a file?

#10 valkyriebiker


Posted 24 November 2013 - 02:12 PM

My previous reply apparently didn't take, I saw a BleepingComputer database error.

 

Bitlocker does nothing to prevent CryptoLocker from encrypting user data on the PC or a backup drive.  Bitlocker is designed to prevent data theft on a stolen computer or if the hard drive is yanked.

 

And quietman7 is right.  I wrote up this little procedure for securing external backup drives for my clients.  They don't have to understand a thing -- and believe me, they don't.  No complaint, mind you.  If they understood I.T., then I'd be out of a job.  They just click an icon that says "Backup Now".  Or in the case of a tower computer that stays put, it runs automatically.



#11 quietman7


Posted 24 November 2013 - 02:31 PM

@valkyriebiker

FYI: I received the database error too, so it's nothing on your end.

#12 technonymous


Posted 24 November 2013 - 02:38 PM

I don't see how cryptolocker can gain access to files on a full disk bitlocked drive. You have to enter a password/pin to unlock the drive so it mounts the files.



#13 erha


Posted 26 November 2013 - 06:52 PM

technonymous wrote: I don't see how cryptolocker can gain access to files on a full disk bitlocked drive. You have to enter a password/pin to unlock the drive so it mounts the files.

What if you mount it while cryptolocker is working encrypting your data? Yes, your data in the usb drive will be encrypted also.

#14 valkyriebiker


Posted 26 November 2013 - 06:58 PM

BitLocker is designed to present minimal interaction to the user.  Indeed, BitLocker is authenticated at boot time, so everything is generally available once the desktop loads.

 

Again, BitLocker isn't intended to prevent data corruption by a rogue program.  It's intended to protect against data compromise in the event of equipment theft or unauthorized access.

 



#15 technonymous


Posted 29 November 2013 - 02:51 AM

Yes, if you BitLocker your entire HD and OS then you're screwed. I am talking about having one HD partitioned 50/50, C: and D:.  C: is the OS; then full-disk BitLocker D: and opt out of the auto authentication. So your files will be protected and not mount till you punch in the password. Maybe cryptolocker will destroy C:, but it will not have access to your D: that has your vital backup or any other files on there.


Edited by technonymous, 29 November 2013 - 03:19 AM.




