
BackMyData Ransomware

BackMyData is a ransomware threat that has attracted the attention of cybersecurity researchers. According to their analysis, it encrypts a wide range of file types with strong encryption algorithms, rendering them inaccessible. It also renames every affected file, appending a victim ID, an email address ('backmydata@skiff.com') and the '.backmydata' extension to the original filename. For example, '1.jpg' becomes '1.jpg.id[9ECFA74E-3511].[backmydata@skiff.com].backmydata' and '2.pdf' becomes '2.pdf.id[9ECFA74E-3511].[backmydata@skiff.com].backmydata'.

Victims of BackMyData are presented with two ransom notes, delivered as 'info.hta' and 'info.txt' files. These notes are the attackers' communication channel with the victim, outlining the ransom demands and the instructions for payment. Notably, the threat is identified as a variant of the Phobos Ransomware family, tying it to a broader, well-documented category of threatening software.
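The renaming scheme and the two note filenames described above are the most reliable on-disk indicators an analyst has when triaging a suspected BackMyData infection. The following Python script is an added example, not code from the original page or from any vendor tool: it parses the `<name>.id[<victim id>].[<email>].backmydata` pattern into its components, walks a directory tree to collect encrypted files and ransom notes, and groups hits by victim ID and contact address. The temporary demo tree it builds is constructed sample data; the 8-hex-plus-4-digit shape assumed for the victim ID is taken from the example IDs on this page, not from a specification.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming scheme described on this page:
#   <original name>.id[<victim id>].[<email>].backmydata
# The victim ID shape (8 hex chars, '-', 4 digits) is assumed from the
# page's examples ('9ECFA74E-3511'); loosen it if you see other forms.
BACKMYDATA_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]]+)\]\.backmydata$"
)

# Ransom note filenames named on this page.
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}


def parse_encrypted_name(name):
    """Return {'original', 'victim_id', 'email'} for a BackMyData-style filename, else None."""
    match = BACKMYDATA_RE.match(name)
    return match.groupdict() if match else None


def scan_tree(root):
    """Walk `root`; return (list of encrypted-file records, list of ransom note paths)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname.lower() in RANSOM_NOTE_NAMES:
                notes.append(full)
                continue
            rec = parse_encrypted_name(fname)
            if rec:
                rec["path"] = full
                encrypted.append(rec)
    return encrypted, notes


def summarize(encrypted):
    """Count encrypted files per (victim_id, email): one key usually means one campaign."""
    summary = {}
    for rec in encrypted:
        key = (rec["victim_id"], rec["email"])
        summary[key] = summary.get(key, 0) + 1
    return summary


def build_demo_tree():
    """Create a throwaway directory of constructed sample files (not a real infection)."""
    root = tempfile.mkdtemp(prefix="backmydata_demo_")
    samples = [
        "1.jpg.id[9ECFA74E-3511].[backmydata@skiff.com].backmydata",
        "2.pdf.id[9ECFA74E-3511].[backmydata@skiff.com].backmydata",
        "notes.txt",   # untouched file, must not be reported
        "info.txt",    # ransom note
        "info.hta",    # ransom note
    ]
    for name in samples:
        Path(root, name).write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    enc, note_paths = scan_tree(demo_root)
    print(f"encrypted files: {len(enc)}, ransom notes: {len(note_paths)}")
    for (victim, email), count in summarize(enc).items():
        print(f"  victim id {victim}, contact {email}: {count} file(s)")
```

Run it against a mounted forensic image or a file share to get a quick count of affected files and the victim ID the attackers expect in the negotiation; the original filename recovered by `parse_encrypted_name` is what you restore from backup.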

The Victims of BackMyData Have Their Files Taken Hostage by Cybercriminals

The ransom note issued by BackMyData informs victims that their network has been compromised and their files encrypted. It also reveals the attackers' double-extortion tactics: they claim to have collected confidential data, including information on employees, customers and partners as well as accounting and other internal company documentation, and state that all of the stolen data will be retained until the demanded ransom is paid.

Furthermore, the note delivers an ultimatum, threatening to sell the stolen data if negotiations fail. It lists the repercussions the victim may face once the data is released, including legal action, financial losses and irreparable damage to their reputation.

In an attempt to coerce compliance, the attackers offer a discounted ransom if the victim contacts them within a specified timeframe. The note provides communication instructions, directing the victim to a specific messaging platform (Session) and an email address (backmydata@skiff.com).

Additionally, the ransom note imposes strict rules the victim must follow to avoid damaging the encrypted files. It explicitly warns against involving third parties or using unauthorized decryption software, pressing the victim to comply.

Beyond file encryption, BackMyData disables the firewall on the targeted system, leaving it more exposed to further malicious activity, and deletes the Shadow Volume Copies, eliminating potential restore points. It can also extract location data and employs persistence mechanisms. The threat can additionally be configured to exclude predetermined locations from encryption.
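The shadow-copy deletion and firewall tampering described above happen before encryption finishes, so they are worth alerting on from process-creation telemetry (Sysmon Event ID 1 or Windows Security Event ID 4688). The script below is an added example written for this page, not BackMyData code or a vendor detection rule. The page does not name the commands the malware runs; the `vssadmin`, `wmic shadowcopy` and `netsh` command lines matched here are the commonly logged ways of performing those two actions on Windows and are an assumption of this example. The log lines are constructed and use a simplified one-line-per-event layout.

```python
import re

# Constructed sample of process-creation events, one per line. The layout is
# simplified for the example; real Sysmon/4688 records carry the same fields.
SAMPLE_LOG = r"""
2024-01-10T08:01:12Z host=WS01 user=alice image=C:\Windows\explorer.exe cmd="C:\Windows\explorer.exe"
2024-01-10T08:02:40Z host=WS01 user=alice image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c vssadmin delete shadows /all /quiet"
2024-01-10T08:02:41Z host=WS01 user=alice image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c wmic shadowcopy delete"
2024-01-10T08:02:42Z host=WS01 user=alice image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c netsh advfirewall set allprofiles state off"
2024-01-10T08:03:05Z host=WS01 user=alice image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\alice\todo.txt"
2024-01-10T09:15:00Z host=SRV02 user=backupsvc image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Detection rules: command-line patterns for the two behaviours named on the page.
# These command forms are assumed for the example, not quoted from BackMyData itself.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    ],
    "firewall_disabled": [
        re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.IGNORECASE),
        re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable", re.IGNORECASE),
    ],
}


def detect(log_text):
    """Return one hit per (event, rule) pair whose command line matches a rule."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank or malformed line
        cmd = match["cmd"]
        for rule, patterns in RULES.items():
            if any(p.search(cmd) for p in patterns):
                hits.append({"ts": match["ts"], "host": match["host"],
                             "user": match["user"], "rule": rule, "cmd": cmd})
    return hits


def hosts_with_both_behaviours(hits):
    """Hosts where shadow-copy deletion AND firewall tampering were both seen: the strongest signal."""
    rules_by_host = {}
    for hit in hits:
        rules_by_host.setdefault(hit["host"], set()).add(hit["rule"])
    return sorted(host for host, rules in rules_by_host.items()
                  if {"shadow_copy_deletion", "firewall_disabled"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} [{hit["rule"]}] {hit["cmd"]}')
    print("hosts with both behaviours:", hosts_with_both_behaviours(SAMPLE_LOG and found))
```

Note that `vssadmin list shadows` from the backup service is deliberately not matched: legitimate backup software enumerates shadow copies constantly, so the rule keys on the `delete` verb. On real telemetry, a host that shows both behaviours within a few minutes should be isolated from the network immediately, since the firewall is already down and encryption is likely under way.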

It is crucial to underscore that ransomware variants within the Phobos family, including BackMyData, have a well-documented tendency to exploit weakly secured Remote Desktop Protocol (RDP) services for initial infection. They often capitalize on weak account credentials through brute-force and dictionary attacks, gaining unauthorized access to systems whose account security is inadequately managed. This underscores the need for stronger cybersecurity measures and vigilance to counter such threats.
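Because RDP password guessing is the documented entry route for this family, the failed-logon events it generates are the earliest place to catch an intrusion, often days before any encryption. The script below is an added example, not code from the page or from any product: it reads Windows Security events 4625 (failed logon) and 4624 (successful logon) in a constructed, simplified one-line format, raises an alert when one source address accumulates a threshold of failures for remote logon types within a sliding window, and then flags any success from that same source, which is the point at which guessing became access. The threshold and window are tunable assumptions; the IP addresses are from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security log events, simplified to one line each:
#   <timestamp> <event id> user=<target user> src=<source ip> logon_type=<n>
SAMPLE_EVENTS = """\
2024-01-10T02:00:01Z 4625 user=Administrator src=203.0.113.7 logon_type=10
2024-01-10T02:00:09Z 4625 user=admin src=203.0.113.7 logon_type=10
2024-01-10T02:00:17Z 4625 user=backup src=203.0.113.7 logon_type=10
2024-01-10T02:00:25Z 4625 user=scanner src=203.0.113.7 logon_type=10
2024-01-10T02:00:33Z 4625 user=test src=203.0.113.7 logon_type=10
2024-01-10T02:00:41Z 4625 user=sqladmin src=203.0.113.7 logon_type=10
2024-01-10T02:00:49Z 4625 user=helpdesk src=203.0.113.7 logon_type=10
2024-01-10T02:00:57Z 4625 user=guest src=203.0.113.7 logon_type=10
2024-01-10T02:01:05Z 4625 user=it src=203.0.113.7 logon_type=10
2024-01-10T02:01:13Z 4625 user=jsmith src=203.0.113.7 logon_type=10
2024-01-10T02:01:21Z 4625 user=jsmith src=203.0.113.7 logon_type=10
2024-01-10T02:01:29Z 4625 user=jsmith src=203.0.113.7 logon_type=10
2024-01-10T02:01:37Z 4624 user=jsmith src=203.0.113.7 logon_type=10
2024-01-10T02:10:00Z 4625 user=mwong src=198.51.100.4 logon_type=10
2024-01-10T02:10:20Z 4624 user=mwong src=198.51.100.4 logon_type=10
2024-01-10T03:00:00Z 4624 user=dlee src=192.0.2.10 logon_type=10
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d{4}) user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<lt>\d+)$"
)

# Logon type 10 = RemoteInteractive (RDP session); 3 = Network, which is what
# RDP with Network Level Authentication logs for the pre-auth failure.
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse the one-line format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line)
        if not match:
            continue
        events.append({
            "ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(match["event_id"]),
            "user": match["user"].lower(),
            "src": match["src"],
            "logon_type": int(match["lt"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Alert per source IP once `threshold` remote-logon failures fall inside `window`."""
    recent = defaultdict(deque)  # src -> failures still inside the window
    alerts = {}
    for ev in events:
        if ev["event_id"] != 4625 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        queue = recent[ev["src"]]
        queue.append(ev)
        while queue and ev["ts"] - queue[0]["ts"] > window:
            queue.popleft()
        if len(queue) >= threshold:
            alert = alerts.get(ev["src"])
            if alert is None:
                alert = {"src": ev["src"], "first": queue[0]["ts"],
                         "failures": len(queue), "users": set()}
                alerts[ev["src"]] = alert
            else:
                alert["failures"] += 1
            alert["last"] = ev["ts"]
            alert["users"].update(e["user"] for e in queue)
    return list(alerts.values())


def successes_after_bruteforce(events, alerts):
    """Map alerted source IP -> first account that logged on successfully after the burst began."""
    compromised = {}
    for alert in alerts:
        for ev in events:
            if (ev["event_id"] == 4624 and ev["src"] == alert["src"]
                    and ev["logon_type"] in REMOTE_LOGON_TYPES and ev["ts"] >= alert["first"]):
                compromised.setdefault(alert["src"], ev["user"])
                break
    return compromised


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = detect_bruteforce(evs)
    for a in found:
        print(f'{a["src"]}: {a["failures"]} failures, {len(a["users"])} distinct accounts tried')
    print("successful logons after burst:", successes_after_bruteforce(evs, found))
```

The single failure from 198.51.100.4 followed by a success is a typo, not an attack, and stays below the threshold; the run from 203.0.113.7 cycles through many account names and then succeeds, which is exactly the sequence that precedes a hands-on-keyboard Phobos deployment. Alerting on the `4624`-after-burst condition is what turns a noisy brute-force signal into a high-priority incident.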

A Robust Security Approach Could Prevent Ransomware Threats from Impacting Users' Devices

Protecting devices from ransomware attacks involves a combination of proactive measures, cybersecurity best practices, and vigilance. Here are some key recommendations for users to safeguard their devices:

  • Keep Software and Systems Updated: Regularly update operating systems, software applications, and security programs to patch vulnerabilities and protect against known exploits.
  • Use Reliable Security Software: Install reputable anti-malware software on devices to detect and prevent ransomware infections. Keep the security software updated for the latest threat definitions.
  • Enable Firewall Protection: Activate and maintain a robust firewall to monitor incoming and outgoing network traffic, adding an additional layer of defense against unauthorized access.
  • Backup Important Data: Regularly back up critical data to an external, offline storage device. Cloud-based backups are also an effective option, provided proper access controls and security procedures are in place.
  • Exercise Vigilance with Email Attachments and Links: Be extra vigilant when opening email attachments or links, especially from unknown or suspicious sources. Verify the legitimacy of emails, and avoid downloading files from untrusted senders.
  • Use Strong, Unique Passwords: Employ strong, unique passwords for your accounts, and consider using a password manager to generate and manage complex passwords. Avoid default or easily guessable passwords.
  • Implement Network Segmentation: Segmenting networks helps contain the spread of ransomware by restricting its ability to move laterally. This limits the impact if one segment becomes compromised.

By combining these measures, users can significantly enhance their defenses against ransomware attacks and minimize the potential impact on their devices and data.

The ransom note generated by the BackMyData Ransomware is:

'!!! ATTENTION !!!

Your network is hacked and files are encrypted.
Including the encrypted data we also downloaded other confidential information:
Data of your employees, customers, partners, as well as accounting and
other internal documentation of your company.

All data is stored until you will pay.
After payment we will provide you the programs for decryption and we will delete your data
We dont want did something bad to your company, it is just bussines (Our reputation is our money!)
If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:
1) The personal information of your employees and customers may be used to obtain a loan or
purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be
applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through
which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.
You can learn more about liability for data loss here:
hxxps://en.wikipedia.org/wiki/General_Data_Protection_Regulation
hxxps://gdpr-info.eu/
Courts, fines and the inability to use important files will lead you to huge losses.
The consequences of this will be irreversible for you.
Contacting the police will not save you from these consequences, and lost data,
will only make your situation worse.

IF YOU WILL CONTACT US IN FIRST 6 hours , and we close our deal in 24 hours , PRICE WILL BE ONLY 30%.
(time is money for both of us , if you will take care about our time , we will do same , we will care of price and decryption process will be done VERY FAST)
ALL DOWNLOADED DATA WILL BE DELETED after payment.

You can get out of this situation with minimal losses (Our reputation is our money!) !!!
To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files.
Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)
You need to contact us as soon as possible and start negotiations.

You can send us 1-2 small data not value files for test , we will decrypt it and send it to you back.
After payment we need no more that 2 hours to decrypt all of your data. We will be support you untill fully decryption going to be done! ! !
(Our reputation is our money!)

Instructions for contacting our team:
Download the (Session) messenger (hxxps://getsession.org) in messenger 05947063ab6603c0e3a12db53d93d23634081c56390ff2084d11977820f78ce877

MAIL:backmydata@skiff.com'
