How secure are the Macrium Reflect encrypted backups?


CSharpDev

Member
Member
Local time
6:25 AM
Posts
180
OS
Win11
The essence of my enquiry is as follows: Macrium Reflect allows for encrypted backups, you add a complex long password to the backup and you hope that no 3rd party will be able to access them, including malware (ransomware)

I remember emailing Support about this a year or 2 ago back when Macrium Reflect Home Edition still came with email tech support. They said that the Image Guardian (iirc) module "works" only if the backup is stored on a physical (so NOT Cloud/NAS) drive (so NOT a network share).

I asked back, "Does that mean that if I were to store the backup on a network share, if I got a ransomware attack, they could decrypt the encrypted image / file / folder backup?" They replied "Yes, that's correct".

So I hope this has changed, but I beg the question: How secure are the Macrium Reflect encrypted backups really, then? This is an interesting thread I have found from 4 years ago, I hope it's changed ever since: Retreive password from configuration XML file

Specifically, these excerpts:

Ah, never mind. I found a naughty way to get the password: dump the process memory and extract all the strings with the given length.
Tongue
Recognised it instantly after going through all the possibilities! Haha!

Glad that worked for you, although I'm not thrilled to hear that it was apparently that relatively easy. I realize that Macrium recommends that XML be stored in a locked down location and that sensitive information has to live in memory at least for a while, but I'd still hope that there might be something that could be done so that discovering a cleartext password from the ciphertext version in an XML file would take someone more than an hour from asking the question to having the answer.

Hello @john.p, thanks for weighing in. And just to clarify, I don't deserve credit for these findings. That belongs to Spatial here.

But speaking here as an observer and an IT consultant who has implemented Reflect for some of his clients, my concern is your last sentence that "If a the xml file can be accessed, so can the data to be protected." Before you wrote that, I would not have suspected that was so clearly the case. I certainly acknowledge the importance of storing definition files in a secure location to prevent unauthorized tampering, e.g. changing the source data selection, redirecting backups to a different location, configuring a malicious retention policy, etc. In fact I even delved into those types of threat scenarios in another thread where someone else brought to light that at the time, Reflect made it possible for regular users to launch Reflect interactively with SYSTEM-level privileges and also to leverage its pre-and post-VSS commands capability to do things such as starting an interactive PowerShell session. In short, Reflect back then could be used as a vector for a low-effort but high-impact privilege escalation attack.

However, even then I would not have guessed that an attacker who somehow gained access to an XML file containing an encrypted version of a backup password would be able to gain access to the cleartext so easily. I knew that Macrium would be able to do that trivially by virtue of having the key that Reflect uses to encrypt and decrypt that password -- although due to the risk of social engineering, I would hope that Macrium would have a blanket policy against providing that "service" to customers who might request -- but I would not have guessed that the plaintext password would be stored in memory in such a way that a user could get to it within an hour.

In terms of mitigations, I haven't attempted to reproduce Spatial's work myself and therefore don't know all of the technical details, but if this isn't already being done, would it be possible to purge the plaintext password from memory after it has been used to derive the actual AES key that will be used to encrypt the backup? That would at least limit the time during which the plaintext password is there to be retrieved in memory. Or would an attacker still be able to use software tools to capture data that was in memory even only briefly? (Note: I do realize that the AES key is a valuable bit of data in its own right, but since that must be available for the duration of the operation, I don't see as much opportunity to protect that. And I also realize that this risk isn't unique to Reflect, since whole disk encryption solutions for example must keep in memory the key for the unlocked disk.)
 

My Computer

System One

  • OS
    Win11
When you ask "how secure", I would think that no one could put any kind of percentage number on "how" secure such backups would be. Encrypting backups is just one thing a user can do but other things in one's backup plan are more important than whether a backup is encrypted or not. (None of mine are, by the way, nor or any of my drives but that's just me.) Keeping multiple backups using multiple drives, testing that recovery media works and that the backups one makes are restorable, keeping at least one image stored in an off site safe place such as a safety deposit box or the cloud, and NEVER keeping the drive where your images are stored connected to the computer.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
There are a lot of things that can be done to protect your data. I'm particularly paranoid about protecting my data so I have several strategies I use. I am describing this simply as an example.

First, I use a dedicated backup server (just a small, cheap Mini PC) for my Macrium backups. That Mini PC automatically turns on at 6:55 AM and my desktop performs a backup to it at 7:00 AM. After the backup is done, the Mini PC shuts down. This way nothing can get to that backup server since it's not even on.

In addition to doing a Macrium backup, I also use FreeFileSync to replicate the same data to yet another machine. To ensure that I'm not just replicating bad data, you can set FreeFileSync to archive any files that are deleted or changed on the destination. I keep the archived copies of files for 90 days.

My point is simply that you can perform backups in multiple ways to ensure that the data is protected, and you can backup to multiple locations such as different machines, the cloud, etc.
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
When you ask "how secure", I would think that no one could put any kind of percentage number on "how" secure such backups would be. Encrypting backups is just one thing a user can do but other things in one's backup plan are more important than whether a backup is encrypted or not. (None of mine are, by the way, nor or any of my drives but that's just me.) Keeping multiple backups using multiple drives, testing that recovery media works and that the backups one makes are restorable, keeping at least one image stored in an off site safe place such as a safety deposit box or the cloud, and NEVER keeping the drive where your images are stored connected to the computer.
I'm more interested in how malware can actually decrypt the password-encrypted backup?
 

My Computer

System One

  • OS
    Win11
I'm more interested in how malware can actually decrypt the password-encrypted backup?
It depends on how sophisticated a piece of malware is and exactly what the thieves are after.

Some of these criminals may not be interested in what's inside the files, but their goal is to extort money from the user. This type malware doesn't decrypt anything that is encrypted but adds it's own layer of encryption on top of yours, thereby holding backup files hostage along with everything else the ransomware code has access to. Once the attacker is paid, he may or may not provide the code to unlock his layer of encryption.

Other attackers want what's inside a users files. If a hacker manages to obtain the users encryption key or crack the encryption algorithm, then they can gain access to the data itself. He will then either use the data for nefarious purposes himself and/or sell that data to other criminals.

If a hacker is sophisticated enough he can do both, add his own layer of encryption to prevent the user from accessing his files AND crack whatever encryption protects the files to gain its contents.

Encryption isn’t foolproof. It’s possible for hackers to break an encryption code. They can also use malware and other attack vectors to gain access to our devices and networks. So, while encryption is a good tool to protect users, it’s not the end all be all silver bullet that will protect us from every threat.
Thus my last rule above, NEVER keep the drive where your images are stored connected to the computer. If it's not connected, attackers cannot get to the images.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
It depends on how sophisticated a piece of malware is and exactly what the thieves are after.

Some of these criminals may not be interested in what's inside the files, but their goal is to extort money from the user. This type malware doesn't decrypt anything that is encrypted but adds it's own layer of encryption on top of yours, thereby holding backup files hostage along with everything else the ransomware code has access to. Once the attacker is paid, he may or may not provide the code to unlock his layer of encryption.

Other attackers want what's inside a users files. If a hacker manages to obtain the users encryption key or crack the encryption algorithm, then they can gain access to the data itself. He will then either use the data for nefarious purposes himself and/or sell that data to other criminals.

If a hacker is sophisticated enough he can do both, add his own layer of encryption to prevent the user from accessing his files AND crack whatever encryption protects the files to gain its contents.

Encryption isn’t foolproof. It’s possible for hackers to break an encryption code. They can also use malware and other attack vectors to gain access to our devices and networks. So, while encryption is a good tool to protect users, it’s not the end all be all silver bullet that will protect us from every threat.
Thus my last rule above, NEVER keep the drive where your images are stored connected to the computer. If it's not connected, attackers cannot get to the images.
Why do companies store images online then? They do have offsite backups too but they store them online too
 

My Computer

System One

  • OS
    Win11
Why do companies store images online then? They do have offsite backups too but they store them online too
I can not answer why or how companies handle their backup data on their servers or even how these companies design their networks.. I'm sure it's a little more involved and complicated than just making an image as you or I do.
But hackers are complicated too. I do know hackers can directly attack the servers themselves or attack from a backend user on the server. How they do it is way beyond the level of expertise of normal people.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
The companies that store backups in an online, readily-accessible state are generally the ones that end up on the news.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 [rev. 3447]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear

Latest Support Threads

Back
Top Bottom