Can BitLocker be an effective protective measure against cryptolockers and the ransomware class of attacks?

Was there any evidence of (un)successful intrusion/encryption attempts on volumes with BitLocker enabled? If there was not, all experts are welcome to discuss the theoretical effectiveness of such a measure.

schroeder
Suncatcher
  • I think you need to review what BitLocker is – schroeder May 22 '17 at 11:00
  • Of course, I reviewed this beforehand, that's why I asked this. In my attitude, fully-encrypted volumes can be a significant obstacle for the cryptolockers, but my knowledge is insufficient to (dis)prove my assumption. – Suncatcher May 22 '17 at 11:17
  • Why would BitLocker be an obstacle for cryptolockers? From what you know, how would it protect against ransomware? – schroeder May 22 '17 at 11:19
  • From what I've read, cryptolockers (e.g. Cryakl) use the most primitive schemes of enumerating filetypes to be encrypted. While BitLocker doesn't expose directory listings, and also checks disk integrity, it can be an obstacle against this type of attack. – Suncatcher May 22 '17 at 11:32
  • How is encrypting a file a danger to disk integrity? – schroeder May 22 '17 at 11:34
  • Once you boot and run the computer with BitLocker, the drive is *decrypted*. That's how the OS and all the other programs are able to function. That means that ransomware is also able to function. BitLocker does nothing. – schroeder May 22 '17 at 11:37
  • A more general way of looking at it is that ransomware would work even on encrypted files. If someone took your offline bitlocker'd drive and made an encrypted copy of the information, then they can still block access to your data by not giving you their encryption key. But if a drive is offline then it's offline, it doesn't matter if it has BitLocker or not, as someone would need physical access. – daniel May 22 '17 at 12:01

1 Answer

BitLocker is very unlikely to provide protection against Cryptolocker or similar ransomware.

If the BitLocker volume is mounted on the machine which is infected, the malware can just encrypt the files inside the volume, bypassing its protection. In the same way as a user being able to access files on a BitLocker-encrypted drive, the malware can do so.

Also there's nothing, in principle, to stop ransomware encrypting files which have already been encrypted.

Rory McCune
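The answer's point can be checked on a Windows machine: a volume can report BitLocker protection as on and still accept ordinary file writes once it is unlocked. The audit script below is an added example, not part of the original answer; `Test-VolumeWritable` is a hypothetical helper name, and the script assumes an elevated session with the BitLocker PowerShell module available.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker
# Added example: list every volume known to BitLocker and show whether this
# session can write to it right now, regardless of its encryption state.

function Test-VolumeWritable {
    # Hypothetical helper: creates and deletes a small probe file in the volume root.
    param([Parameter(Mandatory)][string]$MountPoint)

    $root  = $MountPoint.TrimEnd('\') + '\'
    # Random file name constructed for this check; removed immediately afterwards.
    $probe = Join-Path -Path $root -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

Get-BitLockerVolume | ForEach-Object {
    $unlocked = $_.LockStatus -eq 'Unlocked'
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeStatus     = $_.VolumeStatus
        ProtectionStatus = $_.ProtectionStatus
        LockStatus       = $_.LockStatus
        # A locked volume exposes no file system, so the probe is skipped there.
        WritableNow      = if ($unlocked) { Test-VolumeWritable -MountPoint $_.MountPoint } else { $false }
    }
} | Format-Table -AutoSize
```

A row showing `ProtectionStatus` On, `LockStatus` Unlocked and `WritableNow` True is the situation the answer describes: the encryption protects the data at rest, while any process with write access to the mounted volume can still modify the files.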