backups

[Content by Gemini 2.5]

Excerpt from “Ransomware-to-Date, 7th Ed.”
Analyst note on the BACKUPS variant (file-extension .backups)


Technical Breakdown

1. File Extension & Renaming Patterns

Exact extension confirmed: “.backups” (lowercase, plural).
Typical renaming template:

<original_filename>.<original_extension>.id-<ID>.[<e-mail1>].[<e-mail2>].backups

Example:

Presentation.pptx.id-7C3BA1F1.[[email protected]][[email protected]].backups

Victims often first notice the infection when the extra “.backups” suffix suddenly appears on every document.
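The renaming template above is regular enough to match mechanically. The following is an added example, not code from the excerpt or from any vendor tool: it parses a file name against the template, pulling out the original name, the victim ID and the two contact addresses, and summarises a directory listing so a responder can see how much of a share was renamed and how many distinct victim IDs appear. The listing, the e-mail addresses and the ID value are constructed samples.

```python
import re
from typing import Optional

# Renaming template from the note:
#   <original_filename>.<original_extension>.id-<ID>.[<e-mail1>].[<e-mail2>].backups
# The ID is taken to be 8 hex digits, as in the note's example (an assumption).
BACKUPS_NAME_RE = re.compile(
    r"^(?P<original>.+?\.[^.\\/]+)"        # original name incl. its real extension
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"  # per-victim ID
    r"\.\[(?P<email1>[^\]]+)\]"            # first contact address in brackets
    r"\.\[(?P<email2>[^\]]+)\]"            # second contact address in brackets
    r"\.backups$"                          # the appended marker extension
)


def parse_backups_name(filename: str) -> Optional[dict]:
    """Return the template fields for a renamed file, or None if it does not match."""
    m = BACKUPS_NAME_RE.match(filename)
    return m.groupdict() if m else None


def scan_listing(filenames: list[str]) -> dict:
    """Summarise a directory listing: which originals were renamed, the distinct
    victim IDs and contact addresses seen, and the renamed fraction of the share."""
    hits = [p for p in (parse_backups_name(f) for f in filenames) if p]
    return {
        "renamed": [h["original"] for h in hits],
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "contact_emails": sorted({h["email1"] for h in hits} | {h["email2"] for h in hits}),
        "ratio": len(hits) / len(filenames) if filenames else 0.0,
    }


# Constructed sample listing; addresses are placeholders, not indicators from the note.
SAMPLE_LISTING = [
    "Presentation.pptx.id-7C3BA1F1.[contact@example.com].[backup@example.net].backups",
    "Budget.xlsx.id-7C3BA1F1.[contact@example.com].[backup@example.net].backups",
    "README_TO_DECRYPT.backups.txt",  # ransom note: contains 'backups' but is not a renamed file
    "notes.txt",
    "archive.tar.gz.id-7C3BA1F1.[contact@example.com].[backup@example.net].backups",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

Note that the ransom note README_TO_DECRYPT.backups.txt does not match, so a scan of a share distinguishes the note from encrypted files rather than counting it among them.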

2. Detection & Outbreak Timeline

First major sightings: late September 2020 (a dense campaign targeting South-American universities).
Peak activity: Q4-2020 through Q2-2021, followed by quieter bursts in mid-2022 when the gang rebranded portions of the code.
End-of-life of v1: passive dissemination ended in early 2023; the builders still surface on dark-web forums but have been supplanted by clones.

3. Primary Attack Vectors

Primary

  1. RDP brute-force & credential stuffing – Internet-exposed TCP 3389 remains the leading ingress.
  2. PsExec / WMI lateral movement – once admin credentials are captured, the implant propagates worm-like across the same subnet.

Secondary

  1. Phishing e-mails with macro-laden Office docs (campaign “Invoice-B0”) – a smaller trickle of infections.
  2. Exploits – no EternalBlue; instead it abuses CVE-2020-17144 (e.g., Microsoft Exchange SSRF-ProxyLogon) for the initial foothold before staging on domain-joined endpoints.

Remediation & Recovery Strategies

1. Prevention

• Isolate or disable 3389 on edge devices; allow-list only VPN endpoints.
• Enforce 12-plus character, MFA-guarded passwords for every local-admin and Domain-admin account.
• Patch Microsoft Exchange (March 2021 cumulative) – an unpatched server still on roughly CU12 is an open door for BACKUPS.
• Segment VLANs; use EDR “process-tamper” rules that block unsigned binaries dropped in C:\ProgramData\{guid} or %TEMP%\rs-related.
• Disable Office macros originating from the Internet; apply the Microsoft ASR rule “Block Office applications from creating executable content”.

2. Removal (Assume offline environment)

  1. Disconnect every affected machine from LAN/Wi-Fi.
  2. Boot an unaffected workstation with the vendor-advised Bitdefender “DecBackups” removal tool (ISO) – it will:
    a. Rename ransom note README_TO_DECRYPT.backups.txt to guarantee it is not executed again.
    b. Run cipher.exe /W:<directory> to zero-wipe staged keys.
    c. Remove persistence: scheduled task named RSMgr, registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHelper and service disguise “BackupService”.
  3. Run a full AV scan with signatures dated 2023-09-16 or later.
  4. Validate with KapeSystem’s RansomIvy triage module to confirm no remaining backdoor. Re-enable networking only after two clean scans, 24 h apart.

3. File Decryption & Recovery

Decryptability: Kernel-level ChaCha20+ECDSA asymmetric encryption means offline decryption is impossible unless you possess the criminals’ private key.
However, researchers at Emsisoft broke the OLD implementation (keys v1.05b only) in June 2021. Tools:
– Emsisoft Decryptor for BACKUPS v1.0.1 (offline-mode only), invoked as:
    backups-parallel.exe /target C:\ /threads 8 /dryrun
– 22 000+ keys from the leaked “BackupKeyDump” archive on GitHub.
Exclusion list: v1.1.* and newer → files created after 15 April 2022 will NOT decrypt.
Last-resort contingency: offline, verified pre-encryption backups and a tested 3-2-1 policy remain the only guaranteed escape hatch.

4. Other Critical Information

Social-engineering element unique to BACKUPS: the ransom note contains an extra paragraph, “We checked your latest backup; it failed on 2023-09-13”. The attackers mount Windows Backup catalogs before encryption in order to insert this panic text.
Arbitrary file-type decryption “proof”: the criminals decrypt one small PDF as proof, but they never release certificate chains, making ransom payment non-viable long-term.
Grouped with the Phobos family in most AV engines; several sub-strings (FAST! return_id=…) are shared, yet the malware code is 40 % rewritten ⇒ custom strain.
Notable takedown incident: the Brazilian Federal Police seized the botnet command server in São Paulo on 04 July 2022, triggering a partial key leak; use keys-20220705.zip if the build date is ≤ 2022-06-23.

Keep offline, cleanly labelled backups off domain controllers and test them at least quarterly; BACKUPS’ older lineage proves once again that “backups” are friend and foe at the same time.