Computer security researchers have discovered a new variant of the Cryptomix ransomware. It appends the .BACKUP extension to encrypted files. The ransomware reaches computers running Microsoft Windows through spam emails, or through attackers who break into poorly protected Terminal Services (also known as Remote Desktop Services) and then install the ransomware manually.
The .BACKUP virus is ransomware created to encrypt files found on an infected computer using a very strong encryption method, adding the .BACKUP extension to all encrypted personal files. It can encrypt almost all types of files, including the following:
.desc, .svg, .wpb, .kdc, .sidn, .jpe, .t13, .wp5, .tax, .ltx, .sql, .rofl, .hplg, .2bp, .zw, .der, .xar, .wbd, .m3u, .xmmap, .mp4, .xls, .dwg, .vfs0, .cdr, .xyp, .wsd, .db0, .itl, .mrwref, .layout, .xlsb, .wp6, .xld, .yml, .wmf, .mdf, .sidd, .pptm, .vtf, .vpk, .bc6, .nrw, .z, .wpe, .pdd, .sum, .wotreplay, .vdf, .wbc, .vpp_pc, .iwi, .wot, .xlsm, .xlsx, .jpg, .3fr, .zi, .x3f, .hkx, .mef, .ppt, .wpt, .odm, .odp, .txt, .ff, .t12, .wn, .ws, .avi, .xwp, .ptx, .r3d, .m2, .epk, .wmv, .lvl, .dng, .icxs, .zdb, .bc7, .1st, .x3f, .dbf, .ybk, .das, .upk, .wsc, .kdb, .iwd, .wb2, .pdf, .sie, .dmp, .vcf, .wpa, .rgss3a, .bkf, .wgz, wallet, .big, .mdb, .apk, .p7b, .wp7, .doc, .xlsx, .itm, .js, .rb, .map, .rw2, .sid, .p12, .ai, .mpqge, .dazip, .mov, .psk, .crt, .jpeg, .wbk, .fpk, .pst, .lrf, .csv, .xy3, .flv, .mddata, .wpw, .wbm, .wsh, .wbmp, .xx, .zdc, .gho, .srw, .esm, .itdb, .fsh, .wp, .wri, .wmd, .xmind, .7z, .mcmeta, .ods, .asset, .sav, .accdb, .wcf, .zabw, .syncdb, .pem, .fos, .tor, .rwl, .wdp, .xdb, .wp4, .indd, .raw, .odc, .z3d, .xbdoc, .docx, .1, .ibank, .hvpl, .x, .blob, .yal, .ztmp, .wps, .hkdb, .gdb, .kf, .webdoc, .css, .w3x, .bsa, .zip, .eps, .bay, .qdf, .docm, .pkpass, .pak, .bik, .3dm, .arch00, .py, .wps, .xxx, .sb, .xdl, .wma, .pef, .p7c, .mlx, .ncf, .arw, .sis, .sr2, .srf, .forge, .odt, .ysp, .xpm, .slm, .menu
When the ransomware encrypts a file, it appends the .BACKUP extension to it. For example, the file sample.doc will be encrypted and its name will be changed to 3A12761B9ABCD120F42A810C4D1F02A0.BACKUP.
Once the virus has finished encrypting all files, it drops a file named “_HELP_INSTRUCTION.TXT” with ransom instructions on how to decrypt all documents, photos and music. One variant of the ransom instructions is shown below:
Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
backuppc@tuta.io
backuppc@protonmail.com
backuppc1@protonmail.com
b4ckuppc1@yandex.com
b4ckuppc2@yandex.com
backuppc1@dr.com
Please send email to all email addresses! We will help You as soon as possible!
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!
DECRYPT-ID
Unfortunately, at this time, victims of the .BACKUP virus cannot decrypt encrypted files without the actual encryption key. However, you can use the steps below to detect and remove the .BACKUP virus from your computer, as well as to restore encrypted documents, photos and music for free.
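To see how far the encryption spread before cleaning up, the two indicators described above (renamed .BACKUP files and the _HELP_INSTRUCTION.TXT note) can be counted per folder. The Python script below is an added example, not part of the original article; the 32-hex-digit name pattern is an assumption generalised from the article's single example name, and the sample folder tree is constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators from the article. The 32-hex-digit pattern is an assumption
# generalised from its one example, 3A12761B9ABCD120F42A810C4D1F02A0.BACKUP.
ENCRYPTED_NAME = re.compile(r"^[0-9A-F]{32}\.BACKUP$", re.IGNORECASE)
NOTE_NAME = "_HELP_INSTRUCTION.TXT"

def triage(root):
    """Read-only walk of root; summarise ransomware artefacts per folder."""
    encrypted, intact, notes, earliest = Counter(), Counter(), [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
            elif ENCRYPTED_NAME.match(name):
                encrypted[dirpath] += 1
                mtime = os.path.getmtime(os.path.join(dirpath, name))
                earliest = mtime if earliest is None else min(earliest, mtime)
            else:
                intact[dirpath] += 1
    return {"encrypted": encrypted, "intact": intact,
            "notes": sorted(notes), "earliest_mtime": earliest}

def build_sample_tree(base):
    """Constructed sample data: one affected folder and one clean folder."""
    hit, clean = os.path.join(base, "Documents"), os.path.join(base, "Pictures")
    os.makedirs(hit)
    os.makedirs(clean)
    samples = {"3A12761B9ABCD120F42A810C4D1F02A0.BACKUP": 1_600_000_000,
               "0F1E2D3C4B5A69788796A5B4C3D2E1F0.BACKUP": 1_600_000_300,
               "_HELP_INSTRUCTION.TXT": 1_600_000_600,
               "budget.BACKUP": 1_500_000_000}  # ordinary name, not a match
    for name, mtime in samples.items():
        path = os.path.join(hit, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    open(os.path.join(clean, "holiday.jpg"), "w").close()
    return hit, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        for folder, count in result["encrypted"].most_common():
            print(f"{count} encrypted, {result['intact'][folder]} intact: {folder}")
        print("notes:", len(result["notes"]), "earliest:", result["earliest_mtime"])
```

The earliest modification time among matching files is only a rough estimate of when encryption began, since file timestamps can be altered.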
Quick links:
- What is .BACKUP ransomware virus
- How to decrypt .BACKUP files
- How to remove .BACKUP ransomware
- Restore .BACKUP files
- How to prevent your computer from becoming infected by .BACKUP virus?
- Finish words
How to decrypt .BACKUP files
The encryption method is so strong that it is practically impossible to decrypt .BACKUP files without the actual encryption key. The bad news is that the only way to get your files back is to pay the creators of the .BACKUP ransomware ($300-1000 in Bitcoins) for a copy of the private (encryption) key. To get information on how to pay the ransom, this ransomware virus suggests sending an email to the following addresses:
- backuppc@tuta.io
- backuppc@protonmail.com
- backuppc1@protonmail.com
- b4ckuppc1@yandex.com
- b4ckuppc2@yandex.com
- backuppc1@dr.com
But not everything is as bad as it might seem at first glance. With some variants of this ransomware, it is possible to use Windows Shadow Copies or file restore utilities to recover files that have been encrypted by the .BACKUP ransomware virus. You can use the free utilities listed later in this article.
How to remove .BACKUP ransomware
We can help you get rid of the .BACKUP ransomware virus without the need to take your computer to a professional. Simply follow the removal guide below if you currently have the ransomware on your machine and want to get rid of it. If you have any difficulty while trying to remove the ransomware virus, feel free to ask for our assistance in the comment section below. Read the guide through once, then print this page, as you may need to close your web browser or restart your PC.
Remove .BACKUP ransomware virus with Zemana Anti-malware
Zemana Anti-malware is highly recommended because it can find security threats such as the .BACKUP ransomware virus, adware and other malware which most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any .BACKUP removal problems which cannot be fixed by this utility automatically, Zemana Anti-malware provides 24X7 online assistance from highly experienced support staff.
Now you can install and run Zemana AntiMalware to get rid of the .BACKUP ransomware by following the steps below:
Please go to the link below to download the Zemana Free installer, called Zemana.AntiMalware.Setup, to your personal computer. Save it on your Windows desktop.
Launch the setup file after it has been downloaded successfully and then follow the prompts to set up this tool on your computer.
During installation you can change some settings, but we suggest you don’t make any changes to default settings.
When installation is finished, this malicious software removal utility will automatically start and update itself. You will see its main window as displayed below.
Now press the “Scan” button to perform a system scan for the .BACKUP virus related files, folders and registry keys.
Once the scan is complete, Zemana Free will display a scan report. To remove all threats, simply click the “Next” button.
Zemana will remove the files, folders and registry keys related to the .BACKUP ransomware. After the cleaning process is finished, you may be prompted to reboot your PC for the changes to take effect.
Automatically get rid of .BACKUP with Malwarebytes
Removing the .BACKUP ransomware manually is difficult, and often the ransomware is not completely removed. Therefore, we advise you to use Malwarebytes Free, which will completely clean your computer. Moreover, this free program will help you remove malicious software, PUPs, toolbars and ad-supported software that your personal computer may also be infected with.
- Click the following link to download the latest version of MalwareBytes Free for MS Windows. Save it on your Windows desktop or in any other place.
- Once the download is complete, close all programs and windows on your PC. Open the folder where you saved the file. Double-click the icon named mb3-setup.
- Then click the Next button and follow the prompts.
- Once the installation is complete, press the “Scan Now” button to perform a system scan with this utility for the .BACKUP ransomware and other kinds of potential threats, such as malicious software and potentially unwanted apps. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour.
- Once the scan is finished, the results are displayed in the scan report. All found threats will be marked. You can remove them all by simply pressing “Quarantine Selected”. When disinfection is finished, you may be prompted to reboot your machine.
Run KVRT to delete .BACKUP virus
KVRT is a free removal tool which can check your computer for a wide range of security threats such as the .BACKUP ransomware, ad-supported software, PUPs and other malware. It performs a deep scan of your personal computer, including hard drives and the MS Windows registry. After malicious software is detected, it will help you delete all detected threats from your computer with a simple click.
Download the Kaspersky virus removal tool (KVRT) to your Microsoft Windows Desktop from the link below.
Once the download is complete, double-click the Kaspersky virus removal tool icon. Once the initialization process is done, you’ll see the Kaspersky virus removal tool screen as displayed in the figure below.
Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to scan for the .BACKUP ransomware. This task may take quite a while, so please be patient. While the KVRT tool is scanning, you can see how many objects it has identified as being infected by malicious software.
When the Kaspersky virus removal tool has completed scanning, KVRT will display a scan report as displayed in the figure below.
Once you have selected what you want to remove from your machine, press Continue to start the cleaning procedure.
Restore .BACKUP files
In some cases, you can restore files encrypted by the .BACKUP virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Run ShadowExplorer to recover .BACKUP files
In some cases, you have a chance to recover your photos, documents and music which were encrypted by the .BACKUP ransomware. This is possible with a utility named ShadowExplorer. It is a free program that is designed to obtain ‘shadow copies’ of files.
Visit the page linked below to download ShadowExplorer. Save it to your Desktop.
After the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the image below.
Double-click ShadowExplorerPortable to start it. You will see a window as displayed below.
In the top left corner, select the drive where the encrypted documents, photos and music are stored, and the latest restore point, as shown below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export as displayed below.
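Before relying on this method it helps to confirm that shadow copies still exist and which of them predate the encryption, because a restore point created afterwards already holds the encrypted files. The Python script below is an added example, not part of the original article; it parses the output of the Windows command `vssadmin list shadows`, and the sample output, the en-US date format and the cutoff time are assumptions.

```python
import re
import subprocess
from datetime import datetime

# Field labels as printed by the English-language `vssadmin list shadows`.
CREATED = re.compile(r"shadow copies at creation time:\s*(.+)$")
VOLUME = re.compile(r"Original Volume:\s*\((\w:)\)")
DEVICE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: en-US regional settings

def list_shadows():  # Windows only, needs an elevated prompt
    return subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=True).stdout

def parse_shadows(text):
    """Return one dict (created, volume, device) per shadow copy listed."""
    shadows, created, volume = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := CREATED.search(line):
            created = datetime.strptime(m.group(1), TIME_FORMAT)
        elif m := VOLUME.search(line):
            volume = m.group(1)
        elif (m := DEVICE.search(line)) and created is not None:
            shadows.append({"created": created, "volume": volume, "device": m.group(1)})
    return shadows

def usable_before(shadows, volume, cutoff):
    """Shadow copies of `volume` created before `cutoff`, newest first."""
    hits = [s for s in shadows if s["volume"] == volume and s["created"] < cutoff]
    return sorted(hits, key=lambda s: s["created"], reverse=True)

# Constructed sample output; the IDs are placeholders, not real GUIDs.
SAMPLE = r"""
Contents of shadow copy set ID: {placeholder-set-1}
   Contained 1 shadow copies at creation time: 7/10/2019 3:00:12 AM
      Shadow Copy ID: {placeholder-copy-1}
         Original Volume: (C:)\\?\Volume{placeholder-volume}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {placeholder-set-2}
   Contained 1 shadow copies at creation time: 7/17/2019 11:45:30 PM
      Shadow Copy ID: {placeholder-copy-2}
         Original Volume: (C:)\\?\Volume{placeholder-volume}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""

if __name__ == "__main__":
    cutoff = datetime(2019, 7, 16, 9, 0)  # constructed: first encrypted file seen
    for s in usable_before(parse_shadows(SAMPLE), "C:", cutoff):
        print(s["created"], s["device"])
```

On an affected machine, pass `list_shadows()` instead of `SAMPLE`; an empty result means no restore point older than the cutoff is available on that drive.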
Recover .BACKUP files with PhotoRec
Before a file is encrypted, the .BACKUP ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore apps such as PhotoRec.
Download PhotoRec to your MS Windows Desktop from the link below.
After the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the image below.
Double-click qphotorec_win to run PhotoRec for Windows. It will display a screen as shown below.
Choose a drive to recover as displayed on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as displayed below.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, press the Browse button to select where recovered documents, photos and music should be written, then press Search.
The count of restored files is updated in real time. All restored documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is finished, click the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see contents like those shown below.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to prevent your computer from becoming infected by .BACKUP virus?
Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your machine does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.
Run CryptoPrevent to protect your system from .BACKUP ransomware
Download CryptoPrevent on your Windows Desktop by clicking on the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can choose a level of protection, as displayed in the figure below.
Now click the Apply button to activate the protection.
Finish words
Now your PC should be clean of the .BACKUP virus. Uninstall Kaspersky virus removal tool and MalwareBytes. We suggest that you keep Zemana AntiMalware (to periodically scan your computer for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove .BACKUP ransomware virus from your PC, then ask for help here.