encrypted_backup

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

The suffix encrypted_backup appearing after a file’s original name (e.g., Invoice_12.pdf.encrypted_backup) is NOT a static, trademarked extension unique to a single ransomware family.
It is generated by off-the-shelf “builder” kits such as:

  • Hidden Tear / Hidden Tear-Spinoffs
  • Apocalypse / Al-Namrof / Esmeralda variants
  • some PowerShell-based “for-education” lockers
  • competition-CTF or hobbyist kits (“Ransom0”, “Ransom-1h”, etc.)

Because the same string can be produced by several disparate malware binaries, attribution must be confirmed with ransom-note name / hash / network IoCs (see § 2).

Renaming Convention:
[original basename] [optional counter] .encrypted_backup
Letters are always lower-case; no e-mail address or random ID is embedded in the filename itself.

2. Detection & Outbreak Timeline

First recorded mass sightings:

  • 2016-Q2 – Hidden Tear “github clones” used in e-mail spam campaigns targeting Italian SMEs.
  • 2017-Q1 – Apocalypse branch spreads via RDP brute-force; files appended with “encrypted_backup”.
  • 2018-Q4 – PowerShell-based “BadTear” uses the same extension against exposed SMB (EternalBlue patched but re-enabled via GPO).
  • 2021-Q3 – Hobbyist kit returned in small-volume “pentester wannabe” incidents; correlates with CVE-2021-34527 (PrintNightmare) exploitation.

The extension therefore spans multiple code-bases across five years; always triage the ransom note (usually README_TO_RESTORE.txt, HOW_TO_DECRYPT.hta, or __$$RECOVER__$$.html) to establish the exact family.
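As an added example (not code from the page or from any of the kits it names), the Python helper below applies the renaming convention from section 1 and the ransom-note file names from section 2 to a file listing taken from a mounted volume, so that an incident responder can inventory what was touched and spot files whose suffix only looks similar. Two details are assumptions the page does not state: the optional counter is written as "(N)" directly before ".encrypted_backup", and ransom-note names are matched case-insensitively. The sample listing at the bottom is constructed.

```python
"""Triage helper for the encrypted_backup renaming convention (section 1) and
the ransom-note names listed in section 2. Added example; not code from the
page or from any ransomware kit it names.

Assumptions not stated on the page: the optional counter is written as "(N)"
directly before ".encrypted_backup", and ransom-note names are compared
case-insensitively. The sample listing at the bottom is constructed.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Suffix exactly as the page gives it: always lower-case, nothing embedded.
ENCRYPTED_SUFFIX = ".encrypted_backup"

# Ransom-note file names from section 2, lower-cased for comparison (assumption).
RANSOM_NOTE_NAMES = {"readme_to_restore.txt", "how_to_decrypt.hta", "__$$recover__$$.html"}

# "(N)" counter format is an assumption; the page only says "optional counter".
_NAME_RE = re.compile(r"^(?P<base>.+?)(?:\((?P<counter>\d+)\))?\.encrypted_backup$")


@dataclass(frozen=True)
class EncryptedName:
    original: str           # file name before the locker renamed it
    counter: Optional[int]  # duplicate counter, if one was present
    original_ext: str       # extension of the original file, lower-cased


def split_path(path: str):
    """Split on either separator so Windows-style listings parse on any host."""
    head, _, tail = path.replace("\\", "/").rpartition("/")
    return head, tail


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed name if it follows the convention, else None.

    Upper- or mixed-case suffixes are rejected on purpose: the page says the
    letters are always lower-case, so a mixed-case hit suggests a different family.
    """
    m = _NAME_RE.match(name)
    if not m:
        return None
    base = m.group("base")
    counter = int(m.group("counter")) if m.group("counter") else None
    return EncryptedName(original=base, counter=counter,
                         original_ext=os.path.splitext(base)[1].lower())


def is_ransom_note(name: str) -> bool:
    return name.lower() in RANSOM_NOTE_NAMES


def triage_names(paths: Iterable[str]) -> dict:
    """Summarise a file listing: encrypted files by original extension and by
    directory, suffix look-alikes that break the convention, and ransom notes."""
    summary = {"encrypted": [], "by_ext": Counter(), "by_dir": Counter(),
               "suffix_lookalikes": [], "ransom_notes": []}
    for path in paths:
        directory, name = split_path(path)
        parsed = parse_encrypted_name(name)
        if parsed:
            summary["encrypted"].append((path, parsed))
            summary["by_ext"][parsed.original_ext] += 1
            summary["by_dir"][directory] += 1
        elif name.lower().endswith(ENCRYPTED_SUFFIX):
            summary["suffix_lookalikes"].append(path)
        elif is_ransom_note(name):
            summary["ransom_notes"].append(path)
    return summary


def triage_tree(root: str) -> dict:
    """Walk a volume (mount it read-only first, as the removal steps advise)
    and triage every file name under it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage_names(paths)


# Constructed sample listing standing in for a mounted victim volume.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Invoice_12.pdf.encrypted_backup",
    r"C:\Users\alice\Documents\Invoice_12.pdf(1).encrypted_backup",
    r"C:\Users\alice\Documents\README_TO_RESTORE.txt",
    r"C:\Shares\Finance\Q3 Budget.xlsx.encrypted_backup",
    r"C:\Shares\Finance\HOW_TO_DECRYPT.hta",
    r"C:\Users\alice\Desktop\notes.txt.ENCRYPTED_BACKUP",  # wrong case: not this convention
    r"C:\Users\alice\Desktop\holiday.jpg",                  # untouched
]

if __name__ == "__main__":
    s = triage_names(SAMPLE_PATHS)
    print(f"{len(s['encrypted'])} encrypted, {len(s['ransom_notes'])} ransom notes, "
          f"{len(s['suffix_lookalikes'])} look-alikes")
    for ext, n in s["by_ext"].most_common():
        print(f"  {ext or '(none)'}: {n}")
```

Run `triage_tree("/mnt/victim")` against a read-only mount to get the same summary for a real volume; the per-directory counts are a quick way to cross-check against any processing log the locker left behind, and the look-alike list separates this convention from families whose suffix merely resembles it.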

3. Primary Attack Vectors

  • E-mail phishing → weaponised Office docs with malicious macros (Invoice_12-05.docm).
  • RDP / VNC brute forcing → manual drop of payload once inside.
  • Exploitation of unpatched Windows:
    – EternalBlue (MS17-010)
    – BlueKeep (CVE-2019-0708)
    – PrintNightmare (CVE-2021-34527 & 34533)
  • Legitimate pentest frameworks gone rogue (Invoke-ReflectivePEInjection, Cobalt-Strike beacons) that then side-load the encryptor DLL.
  • Insecure file-shares: attacker uploads the executable and schedules it with schtasks or WMI.
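The RDP / VNC brute-force vector above is one that a SOC can catch before the payload is ever dropped. As an added example (not from the page), the Python below runs a sliding-window count of failed logons per source address over a constructed, simplified CSV of Windows Security events. The CSV column layout is an assumption for the demo (real EVTX records are richer); event ID 4625 (failed logon) and logon type 10 (RemoteInteractive) are standard Windows values, and logon type 3 is also counted because with NLA enabled a failed RDP pre-authentication is typically recorded as a network logon. The threshold and window are tuning assumptions.

```python
"""Brute-force logon detection over a constructed event feed. Added example;
not code from the page. The CSV layout, threshold and window are assumptions.
Event 4625 = failed logon; logon type 10 = RemoteInteractive (RDP); logon
type 3 is included because NLA-protected RDP failures usually log as type 3.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

FAILED_LOGON = "4625"
RDP_LOGON_TYPES = {"10", "3"}

# Tuning assumptions: alert on >= 5 failures from one source within 2 minutes.
THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed sample feed, not a real export. 10.0.0.9 cycles through several
# accounts in seconds; 10.0.0.25 is a user mistyping a password twice.
SAMPLE_LOG = """\
time,event_id,logon_type,user,src_ip
2024-03-01T08:00:01,4625,10,administrator,10.0.0.9
2024-03-01T08:00:03,4625,10,admin,10.0.0.9
2024-03-01T08:00:04,4625,3,backup,10.0.0.9
2024-03-01T08:00:06,4625,10,administrator,10.0.0.9
2024-03-01T08:00:10,4625,3,svc_sql,10.0.0.9
2024-03-01T08:00:12,4625,10,administrator,10.0.0.9
2024-03-01T08:01:00,4625,10,alice,10.0.0.25
2024-03-01T08:01:20,4625,10,alice,10.0.0.25
2024-03-01T08:01:40,4624,10,alice,10.0.0.25
2024-03-01T08:30:00,4625,2,bob,-
"""


def parse_events(text: str) -> List[dict]:
    """Read the simplified CSV into a list of dicts (one per event)."""
    return list(csv.DictReader(StringIO(text)))


def detect_bruteforce(events: List[dict], threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> List[dict]:
    """Sliding-window count of failed RDP logons per source IP.

    Emits one alert per source the first time it crosses the threshold, with
    the distinct account names tried so far: many accounts from one address in
    a short window is password spraying, not one forgotten password.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # src_ip -> timestamps in window
    users: Dict[str, set] = defaultdict(set)         # src_ip -> accounts tried
    alerts: List[dict] = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src_ip"]
        ts = datetime.fromisoformat(ev["time"])
        q = recent[src]
        q.append(ts)
        users[src].add(ev["user"])
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src_ip": src,
                "failures_in_window": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
                "accounts_tried": sorted(users[src]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['src_ip']}: {alert['failures_in_window']} failed RDP logons "
              f"between {alert['first_seen']} and {alert['last_seen']}, "
              f"accounts {alert['accounts_tried']}")
```

In production the same logic sits on a SIEM query rather than a CSV, but the shape is the one that matters: key on source address, bound the window, and surface the account list so the analyst can tell a locked-out user from a spray against the exposed RDP endpoint that the prevention section below tells you to put behind NLA and MFA.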

Remediation & Recovery Strategies:

1. Prevention

☑ Apply 2023-08 cumulative Windows patches (includes fixes for PrintNightmare, SMB, and RCEs).
☑ Disable SMBv1 at the organisational level (via Group Policy or PowerShell Disable-WindowsOptionalFeature).
☑ Enforce Network Level Authentication (NLA) on all RDP endpoints; use 2-factor (Azure MFA, Duo, etc.).
☑ Segment VLANs: high-value backups isolated with ACL “deny all inbound” except from dedicated backup service account.
☑ Macro controls: block internet macros automatically (Office 365 “Block Office applications from creating executable content”).
☑ E-mail hygiene: attachment sandboxing (MS Defender for Office 365, Proofpoint, Mimecast).
☑ Principle of Least Privilege + LAPS for local admin passwords.
☑ Immutable / offline backups (Veeam Hardened Repository, AWS S3 Object-Lock, Azure Immutable Blob).
☑ Application whitelisting (WDAC / AppLocker) preventing unsigned binaries in user-writeable paths (%APPDATA%, %TEMP%).

2. Removal

a. Disconnect from network immediately (pull cable / disable Wi-Fi).
b. Power-off unrelated machines to avoid lateral SMB or PSExec spread.
c. Collect volatile memory dump for forensics if possible (winpmem, Magnet RAM).
d. Boot a clean Windows PE / Linux live-disk; mount the OS volume read-only:
   1) Identify the main payload (*.exe or *.dll), often in %TEMP%, %APPDATA%\Roaming\[random4], or C:\PerfLogs.
   2) Remove persistence entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce, and Task Scheduler.
   3) Delete dropped copies; empty Prefetch, C:\Windows\Temp, and the user Temp folders.
e. Run up-to-date AV/AM (Defender, ESET, Kaspersky, Sophos) with cloud heuristic ON; most vendors detect Hidden-Tear and Apocalypse generically as Ransom.HiddenTear.* or Ransom.APH.*.
f. Re-image if feasible (fastest & cleanest) or run DISM/SFC to verify system file integrity.

3. File Decryption & Recovery

Hidden Tear–lineage uses AES-128 in CBC mode with a randomly generated 16-byte key per file; the key list is RSA-encrypted with a 2048-bit attacker public key and stored in %ProgramData%\key.dat. No private key = offline decryption impossible.

However, the early Apocalypse / Esmeralda fork reused a static or hard-coded RSA private key.
Check your ransom note:

  • Note says “Email me at [email protected] / [email protected]”
    – You are in luck; a free decrypter exists.
    – Download ESET’s “ApocalypseDecryptor” or use “Al-Namrof Decrypter” (Trend Micro) – runs on Windows 7–11.
    – Supply an unencrypted copy of one file (>2 KB) plus its encrypted twin; tool brute-forces the key within minutes.

  • Note uses an “anon” Proton Mail address or no e-mail at all, and directs you to a Tor site with a user-ID string
    – Likely a modern variant with unique RSA key pair → pay or restore from backup only.

  • Encrypted by a “proof-of-concept” Hidden Tear sample compiled without modification
    – Because the author’s RSA public key was embedded, free decrypters (G-data, Nomoreransom) can unlock them.
    – Upload one encrypted file + ransom note to https://www.nomoreransom.org to receive an online checker; if green, it auto-builds the decryptor.

If no public decryptor exists, the last hope is cloud or shadow copies, or 3rd-party file recovery (Recuva, PhotoRec) if the malware failed to delete them properly.

4. Other Critical Information

Distinguishing characteristics:

  • Extension alone is ambiguous; always correlate with IoCs in the ransom note and with dropped mutexes (HIDDEN_TEAR, APOCALYPSE_MUTEX, local\hsdfjklhvkjhejrl).
  • Older Hidden Tear binaries use a self-deletion routine but forget to clear Windows Error Reporting logs; inspect WER\ReportQueue for leftover crash dumps containing the executable.
  • Many versions leave a verbose log in %TEMP%\mylog.txt.tmp that lists which folders were processed—useful to verify completeness of encryption.

Broader impact / lessons learned:

  • Served as “entry-level” ransomware—source code still referenced in undergrad security courses; hence perpetual re-appearance.
  • Demonstrates that even weak, poorly-coded lockers can disable a small business if backups are on-line and RDP is exposed.
  • Reinforces need for layered defences: patch, segment, 2FA, immutable backups, and tested restore drills.

Quick Reference (TL;DR)

  • Extension does NOT unambiguously identify a single family; use the ransom note or hash to be sure.
  • Free decryption tools are available only for the Apocalypse / early Hidden Tear versions linked above.
  • Patch EternalBlue & PrintNightmare, disable SMBv1, protect RDP, keep offline backups.
  • If hit, isolate, triage, delete persistence, try nomoreransom checker, rebuild.

Stay safe, patch promptly, and—most importantly—maintain verified, offline backups.