Serious Discussion Can / How can ransomware encrypt Macrium backups on a network share?

S

Studynxx

Level 8
Thread author
Verified
Well-known
Jan 20, 2023
429
368
667
I remember Support telling me a couple years back that if the backups are placed on a network share, MIG won't work to protect the backups from unauthorized access or modification.

How can ransomware do this if the backups are password-encrypted by a AES256 encryption and a strong, long password? I have been looking for an answer online to no avail, the password doesn't seem to be stored in any XML files unless I'm mistaken
 
  • Like
Reactions: Sorrento, simmerskool and Jack
Ransomware typically encrypts files it can access on a system, regardless of their original encryption. If the ransomware has infected a system with access to the network share, it can encrypt the backup files as well. The password encryption on the backups prevents unauthorized access, but it doesn't prevent the files from being further encrypted by ransomware. The password isn't stored in XML files, but the ransomware doesn't need it to encrypt the files, it just adds another layer of encryption.
 
  • Like
Reactions: Sorrento and simmerskool
I think Macrium RSW protection works only with physical drives plugged in the system:

1731261509361.png


It's fairles to think that Macrium can't protect a file located in a network shared device in a different system.

How can ransomware do this if the backups are password-encrypted by a AES256 encryption and a strong, long password? I have been looking for an answer online to no avail, the password doesn't seem to be stored in any XML files unless I'm mistaken
Click to expand...

For the same reason that you can compress an already compressed file, which in turn contains another compressed file 🤷‍♂️

That AES256 encrypted password only protects of that system image can be mounted / accessed for somebody that does not now the password :)

The Bot gave good reply this time ;)

My 2 image system backups are of course offline.
 
Last edited:
  • Like
  • Hundred Points
  • +Reputation
Reactions: roger_m, Berny, Sorrento and 2 others
Victor M said:
The key thing is to keep your backups offline until you perform backup and disconnect it afterwards. An online NAS is useless for backup purposes, ransomware will find it.
Click to expand...
Not sure what you mean by online, but for example my NAS has been online ever since I set it up, but it's never been exposed to the Internet (WAN). You need to auth into my VPN server thru the VPN client to access it if you're not on my LAN. I've never had ransomware to this day.
 
  • Like
Reactions: Sorrento
Studynxx said:
I remember Support telling me a couple years back that if the backups are placed on a network share, MIG won't work to protect the backups from unauthorized access or modification.

How can ransomware do this if the backups are password-encrypted by a AES256 encryption and a strong, long password? I have been looking for an answer online to no avail, the password doesn't seem to be stored in any XML files unless I'm mistaken
Click to expand...
Data that is already encrypted can be re-encrypted. If you do not have the decryption key, then you cannot decrypt the second round of encryption (ciphertext) to be able to then de-crypt the first round of encryption - which uses a different key (crypto variable).

Encryption is not a protection against additional encryption. The only protection there is against unwanted encryption is as follows:

1. Don't have the data in the first place.
2. Permit only trusted persons, processes, or technologies to access the data.
3. Use strict access control, permissions and privileges.
4. Use logical or physical separation (meaning that access through any means is not possible; no packet transfer between systems).

This is why storing your most valuable data on a 15 Euro USB Flash Drive is one of the most secure methods possible. But since people are lazy enough that they don't want to connect, transfer data, disconnect the USB flash drive, there are products like Macrium.
 
  • Like
Reactions: Sorrento and harlan4096
TuxTalk said:
I really dont see any use of backup programs, just make sure all your data is in the cloud ( Google or Onedrive ) and if infected just freshly reinstall your pc or laptop.
Click to expand...
It depends how much date you have & how valuable your data is though - I have several TB of Video, Photographs, Music (both MP3 & FLAC) most irreplaceable - It would be an impossible task to upload this or download it to the cloud, so I use external drives (4) that are not connected unless changing, + a few USB sticks I keep most of my programs, bookmarks etc on for quick access.

As for images it takes quite some time to set this PC up, & some programs require time to configure so imaging frequently makes sense & gives me the ability to try new things as I wish - I understand others requirements may be very different.
 
  • Like
Reactions: simmerskool and TuxTalk
Sorrento said:
It depends how much date you have & how valuable your data is though - I have several TB of Video, Photographs, Music (both MP3 & FLAC) most irreplaceable - It would be an impossible task to upload this or download it to the cloud, so I use external drives (4) that are not connected unless changing, + a few USB sticks I keep most of my programs, bookmarks etc on for quick access.

As for images it takes quite some time to set this PC up, & some programs require time to configure so imaging frequently makes sense & gives me the ability to try new things as I wish - I understand others requirements may be very different.
Click to expand...
My wife and me have more that 15.000 photos and video's all backed up in Google drive and Onedrive.
Same with our Documents.
No Music or Videos, since we dont watch TV, Music we stream through Youtube Music.

Bookmarks are synced in Edge. So no worries for us.
 
  • Like
Reactions: simmerskool and Sorrento
Sorrento said:
Out of interest how long does it take to upload, & don't you feel external drives are quicker (as backups) as well as keeping most of the data on the PC itself. It's not a competition though. :)
Click to expand...
No idea to be honest, it automatically uploads. I dont keep track of time. I never used any external drives or what, we only have 2 laptops here in the house.
3 smart phones and thats it, we need to be mobile since we travel between 2 countries.
 
  • Like
  • Applause
Reactions: simmerskool and Sorrento
TuxTalk said:
I really dont see any use of backup programs, just make sure all your data is in the cloud ( Google or Onedrive ) and if infected just freshly reinstall your pc or laptop.
Click to expand...
Ransomware will encrypt all of your cloud data if you use syncing - which virtually 100% of people do. Syncing grants access permissions to the shared directories.

The only effective way to truly protect cloud data is to keep it disconnected from the local system and manually perform uploads. Also, cloud storage cannot always revert to a prior version even if it has the ability to do so. You have to research the topic for all the reasons why this could happen.

Prior version roll-back has been tested many times and proven to be unreliable. When you need it the most it can and will fail you.

If you happen to notice that ransomware is running on the system, the best thing you can do is disconnect it from the network and then shut down the system. Then you can inspect how much damage was done to your cloud archive(s) from a different system. Next you will have to perform a clean install of the OS on the infected system.

For irreplaceable data, Cloud storage is not the safest, most reliable, most robust option.
 
  • Like
Reactions: simmerskool, Studynxx, harlan4096 and 2 others
bazang said:
Ransomware will encrypt all of your cloud data if you use syncing - which virtually 100% of people do. Syncing grants access permissions to the shared directories.

The only effective way to truly protect cloud data is to keep it disconnected from the local system and manually perform uploads. Also, cloud storage cannot always revert to a prior version even if it has the ability to do so. You have to research the topic for all the reasons why this could happen.

Prior version roll-back has been tested many times and proven to be unreliable. When you need it the most it can and will fail you.

If you happen to notice that ransomware is running on the system, the best thing you can do is disconnect it from the network and then shut down the system. Then you can inspect how much damage was done to your cloud archive(s) from a different system. Next you will have to perform a clean install of the OS on the infected system.

For irreplaceable data, Cloud storage is not the safest, most reliable, most robust option.
Click to expand...
Not with us, cloud data is 2FA protected.
 
  • Like
Reactions: simmerskool and Sorrento
bazang said:
Ransomware will encrypt all of your cloud data if you use syncing - which virtually 100% of people do. Syncing grants access permissions to the shared directories.

The only effective way to truly protect cloud data is to keep it disconnected from the local system and manually perform uploads. Also, cloud storage cannot always revert to a prior version even if it has the ability to do so. You have to research the topic for all the reasons why this could happen.

Prior version roll-back has been tested many times and proven to be unreliable. When you need it the most it can and will fail you.

If you happen to notice that ransomware is running on the system, the best thing you can do is disconnect it from the network and then shut down the system. Then you can inspect how much damage was done to your cloud archive(s) from a different system. Next you will have to perform a clean install of the OS on the infected system.

For irreplaceable data, Cloud storage is not the safest, most reliable, most robust option.
Click to expand...
I like to look at Cloud Storage as High Availability, not a backup. It's not a backup. It's especially useful, for example, if the user is on a new, migrated PC, and needs access to all their documents that were uploaded to OneDrive. In this instance, OneDrive is incredibly useful. But for backups against ransomware, no.
 
  • Wow
Reactions: Sorrento
Studynxx said:
I like to look at Cloud Storage as High Availability, not a backup. It's not a backup. It's especially useful, for example, if the user is on a new, migrated PC, and needs access to all their documents that were uploaded to OneDrive. In this instance, OneDrive is incredibly useful. But for backups against ransomware, no.
Click to expand...
Not true, never seen any onedrive being encrypted and most AV ( Trend Micro ) now also protect Onedrive and Google Drive against any encryption.

And if so :

Additional OneDrive security features​

As a cloud storage service, OneDrive has many other security features. Those include:

  • Virus scanning on download for known threats - The Windows Defender anti-malware engine scans documents at download time for content matching an AV signature (updated hourly).
  • Suspicious activity monitoring - To prevent unauthorized access to your account, OneDrive monitors for and blocks suspicious sign-in attempts. Additionally, we’ll send you an email notification if we detect unusual activity, such as an attempt to sign in from a new device or location.
  • Ransomware detection and recovery - As an Microsoft 365 subscriber, you will get alerted if OneDrive detects a ransomware or malicious attack. You’ll be able to easily recover your files to a point in time before they were affected, up to 30 days after the attack. You can also your restore your entire OneDrive up to 30 days after a malicious attack or other types of data loss, such as file corruption, or accidental deletes and edits.
  • Version history for all file types - In the case of unwanted edits or accidental deletes, you can restore deleted files from the OneDrive recycle bin or restore a previous version of a file in OneDrive.
  • Password protected & expiring sharing links - As an Microsoft 365 subscriber, you can keep your shared files more secure by requiring a password to access them or setting an expiration date on the sharing link.
  • Mass file deletion notification and recovery - If you accidentally or intentionally delete a large number of files in your OneDrive cloud backup, we will alert you and provide you with steps to recover those files.
Click to expand...
 
Last edited by a moderator:
  • Like
  • Applause
Reactions: simmerskool and Sorrento
TuxTalk said:
Not true, never seen any onedrive being encrypted and most AV ( Trend Micro ) now also protect Onedrive and Google Drive against any encryption.

And if so :
Click to expand...
You might have never seen it, but it has been proven many times through testing that antivirus and internet security suites do a terrible job against New Day Ransomware.

It is trivial to encrypt cloud storage, whether you have 2FA in front of it or not. That is why cloud storage is not recommended as a backup solution. Enterprises use cloud storage as a backup solution because it is much more carefully and security configured. Plus there is redundancy such as completely separated backups that are essentially in the cloud, but not accessible without making a phone call and jumping through various hoops.

You can believe whatever you want, but you're wrong on a number of details. OneDrive or Google or DropBox or whatever cloud will work until they don't.
 
  • Like
  • +Reputation
Reactions: simmerskool, Sorrento and roger_m
bazang said:
You might have never seen it, but it has been proven many times through testing that antivirus and internet security suites do a terrible job against New Day Ransomware.

It is trivial to encrypt cloud storage, whether you have 2FA in front of it or not. That is why cloud storage is not recommended as a backup solution. Enterprises use cloud storage as a backup solution because it is much more carefully and security configured. Plus there is redundancy such as completely separated backups that are essentially in the cloud, but not accessible without making a phone call and jumping through various hoops.

You can believe whatever you want, but you're wrong on a number of details. OneDrive or Google or DropBox or whatever cloud will work until they don't.
Click to expand...
Sure whatever.
 
  • Like
Reactions: Sorrento

You may also like...