Protect external hardware from Ransomware


20 replies to this topic

#1 corigins

corigins

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 26 May 2017 - 09:27 PM

Hello

 

Despite this being more of a security question, I thought I'd start here as external hardware is related anyway.

 

I have a service for home and small business customers where I monitor and react to backup issues on their home computers and workstations. I currently deploy various versions of Acronis drive image products to service this need.

 

Currently however, finding a way to protect customers from both hardware failure and now ransomware is becoming a bit of a challenge. Coupled with that is the reality that I rely on my customers to have everything in order remotely so backups can occur; having offsite backups as well would be too difficult to accomplish at this point in time.

 

I have witnessed ransomware encrypt *.tib files (Acronis drive image files) in the past so I know that backups are not immune from encryption. As a majority of the customers are on simple USB connected drives it is easy to see how susceptible to encryption they really might be.

 

I have been (unsuccessfully) looking into ways that I can further protect customers. One way I thought was for a script to enable a USB device for the backup, then disable it soon after as Acronis supports pre and post backup scripts.

 

Another theory was to lock down a drive letter using some sort of user authentication, so Acronis logs on with different credentials than the current user and further protects the drive from write access. Unfortunately I have not been too successful with either.

 

I would certainly appreciate any advice about any software/techniques anybody has come across to meet this challenge?

 

Richard


Edited by hamluis, 27 May 2017 - 09:15 AM.
Moved from External Hardware to Gen Security - Hamluis.



#2 JaffaCakes

JaffaCakes

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:13 AM

Posted 31 May 2017 - 02:53 PM

Basically don't keep your external HD connected all the time. In this day and age you'd like to think people have a bit of knowledge on dodgy links. But anyway, most of the ransomware I've dealt with encrypts any hard drive or USB device connected to the system. I've known them to spread over LAN also.

 

I'm not sure if it would work, but locking down a partition/drive that needs auth could be a good route to go down.



#3 corigins

corigins
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 31 May 2017 - 07:01 PM

@JaffaCakes, I'm sure you meant well but please read my whole post before commenting.



#4 TheQuestion

TheQuestion

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 AM

Posted 01 June 2017 - 09:35 AM

Was there a particular issue you were having when attempting to use the alternate user configuration you mentioned?

 

Edit:

Do the users of the systems being backed up require the ability to use USB storage for their daily tasks?


Edited by TheQuestion, 01 June 2017 - 09:47 AM.


#5 GoofProg

GoofProg

  • Banned
  • 224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:13 PM

Posted 12 June 2017 - 01:57 PM

Quote (JaffaCakes, post #2): "Basically don't keep your external HD connected all the time. [...] I'm not sure if it would work, but locking down a partition/drive that needs auth could be a good route to go down."

LOL yes I say keep it connected just like an internal hard drive.  The trick is not to use a drive letter for storage devices.  You may encounter a problem too because people get cranky that you know that trick.  I personally got file system permission errors.  That is because I also name the device $dwibe_320GB.  I had issues with that drive too.
I believe that ransomware can just be a hack to render your device useless by planting a password in the security module.

Personally I hate encrypted drives and BitLocker.  It is because they require another password to function.



#6 dantose

dantose

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 12 June 2017 - 07:26 PM

What size are we talking about for backups? How's your system for backing up? It sounds like you are remotely triggering a local backup on the same machine? 



#7 corigins

corigins
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 12 June 2017 - 09:03 PM

Hi and thanks everybody for your input.

 

Allow me to summarise a very long first post. How do we fool ransomware so that it cannot access a USB drive when that USB drive is offsite and out of my control? Some of my thoughts were:

 

1. Emulate network authentication on local drive (if it even exists)

2. Yes unplug the drive when not in use, but that is a consistently difficult task for simple remote end users who pay me to monitor their backups in the first place.

3. Turn off USB port by script, turn back on for backup then turn off afterwards. Messy and couldn't get it to work.

 

I like @goofprog's idea of not having drive mount letters. Would that be enough to fool ransomware into ignoring a USB drive? Just wondering how imaging software would access it?

 

Richard



#8 dantose

dantose

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 12 June 2017 - 09:45 PM

Quote (corigins, post #7): "Allow me to summarise a very long first post. How do we fool ransomware so that it cannot access a USB drive when that USB drive is offsite and out of my control? [...] I like @goofprog's idea of not having drive mount letters. Would that be enough to fool ransomware into ignoring a USB drive? Just wondering how imaging software would access it?"

Rather than a USB drive, could you deploy a local networked device to receive the backups? I'm not seeing how mounting without a drive letter would actually protect anything, seems to be just trying to obscure the setup rather than implementing proper security. 

 

Group policy to manage permissions to access the drives would be a good start. Not 100%, but it would at least require the ransomware to find some privilege escalation attack. 

 

Also, have you considered at least periodic off site backups? Even once a month or once a quarter would provide some fallback.



#9 corigins

corigins
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 12 June 2017 - 10:16 PM

Despite all the insightful feedback, I believe everybody might be missing the point I make about my customers being simple. I am not trying to be derogatory, but these people are home and/or small business users who simply don't have the discipline, know-how or time to implement offsite or group policies (wrong versions of Windows).

 

I created a service for people who were not backing up at all. I am also trying to avoid headaches for them and me by implementing simple workarounds for the ransomware threat. While I type this however, I've noticed that Acronis have released a new version of their drive image software called "New Generation" which is stating to be able to protect against Ransomware.


Edited by corigins, 12 June 2017 - 10:18 PM.


#10 dantose

dantose

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 13 June 2017 - 01:48 AM

Quote (corigins, post #9): "Despite all the insightful feedback, I believe everybody might be missing the point I make about my customers being simple. [...] While I type this however, I've noticed that Acronis have released a new version of their drive image software called 'New Generation' which is stating to be able to protect against Ransomware."

I do feel like we are stumbling around a bit as we don't fully know the setup, so I understand your frustration. You should always expect a bit of back and forth in these situations as we figure out exactly how you are set up and what you have the capability to do.

 

I would consider deploying some small device on their network. $35 and an ethernet cable can get you a Raspberry Pi on the network to provide you with a separate device on which to keep the backups. That would effectively remove the risk of ransomware getting at those backups. You could even leave everything else the same and just use PuTTY to transfer the backups over.

 

pscp backup.tib user@192.168.x.x:/backup/[date].tib

 

Even manually doing it once a week would be a real value added I think. The device can be kept tucked away in some corner. 


Edited by dantose, 13 June 2017 - 01:58 AM.
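The push to the Pi that dantose sketches above, written out as a scheduled-task-friendly PowerShell script. This is an added example, not code from the thread, from PuTTY or from Acronis. It assumes (all hypothetical) a dedicated unprivileged account named backup on the Pi at 192.168.1.50, key-based authentication with a PuTTY key at C:\backup\pi-backup.ppk, a remote directory /backup with sha256sum available there, and pscp/plink on the Windows PATH. Each run writes a new date-stamped object rather than overwriting the previous one, and the copy is verified by comparing a SHA-256 computed on each side.

```powershell
# Added example (hypothetical hosts, account and paths): push the newest .tib to the
# Raspberry Pi with pscp, then verify it with an independent remote hash via plink.
param(
    [string]$LocalDir  = 'D:\AcronisBackups',
    [string]$PiHost    = 'backup@192.168.1.50',   # hypothetical address and account
    [string]$KeyFile   = 'C:\backup\pi-backup.ppk',
    [string]$RemoteDir = '/backup'
)

function Get-NewestBackup {
    param([string]$Dir)
    $f = Get-ChildItem -Path $Dir -Filter *.tib -File |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $f) { throw "No .tib files found in $Dir" }
    return $f
}

function Push-BackupToPi {
    param([IO.FileInfo]$File, [string]$Target, [string]$Key, [string]$Dir)
    # Date-stamped remote name: every run creates a new object instead of replacing
    # yesterday's copy, so a corrupt or encrypted local .tib cannot clobber the last good one.
    $remoteName = '{0}-{1}' -f (Get-Date -Format 'yyyyMMdd-HHmm'), $File.Name
    $remotePath = "$Dir/$remoteName"

    # -batch: never prompt, so a scheduled run fails fast instead of hanging on a prompt.
    & pscp -batch -i $Key -q $File.FullName "${Target}:$remotePath"
    if ($LASTEXITCODE -ne 0) { throw "pscp failed with exit code $LASTEXITCODE" }

    # Integrity check: the hash is recomputed on the Pi, not reported by the sender.
    $localHash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash.ToLower()
    $remoteOut = & plink -batch -i $Key $Target "sha256sum '$remotePath'"
    if ($LASTEXITCODE -ne 0) { throw "plink failed with exit code $LASTEXITCODE" }
    $remoteHash = ([string]$remoteOut -split '\s+')[0].ToLower()
    if ($remoteHash -ne $localHash) {
        throw "Hash mismatch for $remotePath (local $localHash, remote $remoteHash)"
    }
    return $remotePath
}

try {
    $newest = Get-NewestBackup -Dir $LocalDir
    $dest   = Push-BackupToPi -File $newest -Target $PiHost -Key $KeyFile -Dir $RemoteDir
    "Copied and verified $($newest.Name) -> ${PiHost}:$dest"
    exit 0
} catch {
    Write-Error $_
    exit 1   # non-zero exit so whatever schedules this can alert on failure
}
```

Run pscp once interactively before scheduling so the Pi's host key is cached; with -batch an unknown host key aborts the transfer. The caveat that matters for the ransomware case: the key file sits on the Windows box, so anything running as that user can authenticate to the Pi too. The account on the Pi therefore has to be one that can only add files, not delete or overwrite the older ones (a dedicated account with server-side retention, or an SSH forced command that only accepts uploads); that Pi-side configuration is not shown here.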


#11 ccfallout

ccfallout

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 03 July 2017 - 08:29 AM

I'm curious to know if anyone has figured this out. I recently had a customer hit with Cryakl ransomware. We were doing a script-based backup to an external HDD, however the backups were encrypted too. I understand the OP's point about wanting to find a system that is easy to implement, and doesn't rely on the end user to do anything. Most small business and home customers are not tech-savvy, and they've got enough going on with their own affairs that they will forget to do things, like unplug external devices, and plug them back in etc.

 

I've tried in the past to change file permissions on the backup drive. I created a Windows group called DISK-PROTECT, and restricted all read/write access to the external drive for any member of this group. (I discovered that by only restricting Write access, I was still able to delete the files on the device, so I had to restrict Read access as well). I then made the main PC user a member of this group. The idea was that any malware installed under that user account would be unable to access the disk, however the backup software would run as a different user which had access to the disk. It kind of worked, in restricting access to the main user account, while allowing the backup software to perform its backup. However, I introduced a whole slate of other problems with file permissions, and Windows convinced that this user account is now the built-in administrator. Very strange. I'm also not sure that the malware or hacker couldn't figure out a way to bypass this.

 

Any possible solutions  out there that don't require expensive software, or relying on often forgetful end-users? 
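The deny-ACL approach ccfallout describes, written out with the rights chosen so that deletion is blocked as well as writing. This is an added example, not code from the thread. The reason a write-only deny still allowed files to be removed is that NTFS treats Delete and Delete Subfolders and Files as rights separate from the write rights; denying those two closes the hole, and read access does not need to be denied. Assumptions (all hypothetical): the backup volume is E:\, the local group is DISK-PROTECT (the name ccfallout used), the everyday user is alice, and the backup agent runs under a different account that is kept out of the group.

```powershell
# Added example (hypothetical volume, group and user names): deny modification and
# deletion on the backup volume to members of a local group, and a probe to confirm it.
#Requires -RunAsAdministrator
param(
    [string]$BackupRoot   = 'E:\',
    [string]$ProtectGroup = 'DISK-PROTECT',
    [string]$DailyUser    = 'alice'
)

function Initialize-ProtectGroup {
    param([string]$Group, [string]$Member)
    net localgroup $Group > $null 2>&1
    if ($LASTEXITCODE -ne 0) { net localgroup $Group /add | Out-Null }
    net localgroup $Group $Member /add 2>&1 | Out-Null   # harmless if already a member
    # Membership is part of the logon token, so it applies from the user's next logon.
}

function Set-BackupRootDeny {
    param([string]$Root, [string]$Group)
    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Write = CreateFiles | AppendData | WriteAttributes | WriteExtendedAttributes.
    # Delete and DeleteSubdirectoriesAndFiles are separate rights and must be denied too.
    # ChangePermissions and TakeOwnership stop the user from editing the ACL back.
    $rights = $FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
              $FSR::ChangePermissions -bor $FSR::TakeOwnership
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $Root
    $acl.AddAccessRule($rule)          # deny ACEs are ordered ahead of allow ACEs
    Set-Acl -Path $Root -AclObject $acl
}

function Test-BackupRootAccess {
    # Run this as the protected user, from their own session, after they log on again.
    param([string]$Root)
    $probe = Join-Path $Root ('probe-{0}.tmp' -f [guid]::NewGuid())
    $canCreate = $false; $canDelete = $false
    try { [IO.File]::WriteAllText($probe, 'x'); $canCreate = $true } catch { }
    if ($canCreate) {
        try { [IO.File]::Delete($probe); $canDelete = $true } catch { }
    }
    [pscustomobject]@{
        Root      = $Root
        CanCreate = $canCreate   # expected: False
        CanDelete = $canDelete   # expected: False (a leftover probe file means create worked)
        CanRead   = Test-Path $Root
    }
}

Initialize-ProtectGroup -Group $ProtectGroup -Member $DailyUser
Set-BackupRootDeny -Root $BackupRoot -Group $ProtectGroup
"Deny ACE for $ProtectGroup applied to $BackupRoot; re-check as $DailyUser with Test-BackupRootAccess"
```

Two caveats a practitioner should keep in mind. The deny only binds the token it is evaluated against: if the daily user is also a local administrator, an elevated process holds the take-ownership privilege and can take the volume and strip the ACE, so the scheme only holds up for a standard-user account. And the backup agent must run under an account that is not in the group; a service running as LocalSystem is unaffected by an ACE that names only DISK-PROTECT.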



#12 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 PM

Posted 03 July 2017 - 04:32 PM

Quote (corigins, post #1): "I have been (unsuccessfully) looking into ways that I can further protect customers. One way I thought was for a script to enable a USB device for the backup, then disable it soon after as Acronis supports pre and post backup scripts."

 

You might take a look at USBDeview from Nirsoft...

 

http://www.nirsoft.net/utils/usb_devices_view.html

 

It has the ability in the UI to disconnect and connect USB drives.

 

It has command line options as well.

 

However, JaffaCakes has the best recommendation in post #2.

 

What if a script fails?

 

It's not difficult to teach users to do a Safe Removal of an external USB drive.

 

If you can turn your stove off after cooking dinner, you can do a Safe Removal.



#13 corigins

corigins
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 July 2017 - 03:39 AM

Quote: "You might take a look at USBDeview from Nirsoft..."

 

@jwoods this is proving very promising; more testing will expose potential issues, however.

 

Quote: "What if a script fails?"

 

I use Acronis on all of my customers' PCs, and in the advanced settings are options to run scripts and to set the conditions of execution failure.

 

Quote: "However, JaffaCakes has the best recommendation in post #2."

 

Ideally yes I agree, but circumstances prevent this from happening consistently if at all.

 

Quote: "It's not difficult to teach users to do a Safe Removal of an external USB drive. If you can turn your stove off after cooking dinner, you can do a Safe Removal."

 

You were doing so well! Have you ever had to babysit 30+ inexperienced and (sorry to say) undisciplined customers from afar? In 5 years of providing a backup monitoring service in my hefty experience it is automation or nothing.


Edited by corigins, 04 July 2017 - 03:42 AM.


#14 corigins

corigins
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 July 2017 - 03:51 AM

Update:

I took @jwoods advice and the first test was very encouraging.

 

Using Nirsoft's USBDeview I was able to create 2 x command script files - one that enabled the USB drive before the backup and one that disabled it afterwards.

 

Acronis successfully enabled the drive by script prior to backup and disabled it afterwards. Now to infect the test computer and see if a disabled drive is accessible; more importantly, that I can restore said backup so the system is encryption-free.

 

Note: I totally agree and support offsite backups as being the "real" solution to my problem. However this is as close as I can achieve with my limited resources.
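The pre/post script pair corigins describes, as a single PowerShell script that does the same job with the PnpDevice and Storage cmdlets built into Windows 8.1/10 and Server 2012 R2+ rather than USBDeview. This is an added example, not code from the thread, from Acronis or from NirSoft. It assumes (hypothetical) that the backup disk is the only USB mass-storage disk whose friendly name matches '*Passport*', that the backup volume on it carries the label BACKUP, and that the backup job runs its pre/post commands with administrator rights, which Disable-PnpDevice requires. Beyond what the post shows, it refuses to act if the disk match is ambiguous, waits for the volume to mount before the backup starts, flushes the volume before disabling, and verifies that the volume is really gone afterwards.

```powershell
# Added example (hypothetical disk name pattern and volume label): keep the USB backup
# disk disabled at the Plug and Play level except during the backup window.
# Usage from the backup job:  pre-backup  -> script.ps1 -Phase pre
#                             post-backup -> script.ps1 -Phase post
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][ValidateSet('pre', 'post', 'status')][string]$Phase,
    [string]$DiskNamePattern = '*Passport*',
    [string]$VolumeLabel     = 'BACKUP'
)

function Select-BackupDisk {
    param([string]$Pattern)
    # Only USB mass-storage disks are candidates; refuse to guess if the match is ambiguous.
    $hits = @(Get-PnpDevice -Class DiskDrive |
              Where-Object { $_.InstanceId -like 'USBSTOR\*' -and $_.FriendlyName -like $Pattern })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one USB disk matching '$Pattern', found $($hits.Count)"
    }
    return $hits[0]
}

function Enable-BackupDisk {
    param($Disk, [string]$Label, [int]$TimeoutSec = 30)
    Enable-PnpDevice -InstanceId $Disk.InstanceId -Confirm:$false -ErrorAction Stop
    # Do not hand control to the backup job until the volume has actually mounted.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $vol = Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue
        if ($vol -and $vol.DriveLetter) { return $vol }
        Start-Sleep -Seconds 1
    } while ((Get-Date) -lt $deadline)
    throw "Disk enabled but volume '$Label' did not mount within ${TimeoutSec}s"
}

function Disable-BackupDisk {
    param($Disk, [string]$Label)
    # Flush the write cache first so the .tib just written is complete on disk.
    $vol = Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue
    if ($vol -and $vol.DriveLetter) { Write-VolumeCache -DriveLetter $vol.DriveLetter }
    Disable-PnpDevice -InstanceId $Disk.InstanceId -Confirm:$false -ErrorAction Stop
    # The check that matters: the volume must no longer be visible to anything on the box.
    if (Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue) {
        throw "Volume '$Label' is still mounted after Disable-PnpDevice"
    }
}

try {
    $disk = Select-BackupDisk -Pattern $DiskNamePattern
    switch ($Phase) {
        'pre'    { $v = Enable-BackupDisk -Disk $disk -Label $VolumeLabel
                   "Backup volume online at $($v.DriveLetter):\" }
        'post'   { Disable-BackupDisk -Disk $disk -Label $VolumeLabel
                   "Backup disk '$($disk.FriendlyName)' disabled" }
        'status' { $disk | Select-Object FriendlyName, InstanceId, Status }
    }
    exit 0
} catch {
    Write-Error $_
    exit 1   # non-zero so the backup job can be set to abort when 'pre' fails
}
```

Configure the backup job to abort when the pre command exits non-zero and to run the post command even when the backup itself fails; otherwise a failed backup leaves the disk enabled until the next run. The limits are the same as for any software gate: the disk is fully exposed during the backup window, and a disabled PnP device can be re-enabled by anything that already runs with administrator rights on the machine, so this raises the bar for ransomware running in the user's context and does not replace an offline or offsite copy.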



#15 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 PM

Posted 04 July 2017 - 03:08 PM

Quote: "You were doing so well! Have you ever had to babysit 30+ inexperienced and (sorry to say) undisciplined customers from afar? In 5 years of providing a backup monitoring service in my hefty experience it is automation or nothing."

 

Hundreds...

 

And the bottom line is, you can make things fool-proof, but you can't make them damn fool-proof.

 

 

Read the licensing agreement for USBDeview -

 

This utility is released as freeware. You are allowed to freely distribute this utility via floppy disk, CD-ROM, Internet, or in any other way, as long as you don't charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification !


Edited by jwoods301, 04 July 2017 - 03:13 PM.




