What Is the “Backups” Malware?
Backups is a ransomware strain discovered in VirusTotal submissions. Once it infiltrates a system, it encrypts victim files and adds both an email address and the .backups extension to affected files—for example, renaming 1.jpg to 1.jpg.[[email protected]].backups or 2.png to 2.png.[[email protected]].backups.
It also changes the desktop background and drops a ransom instruction text file named #HowToRecover.txt, accompanied by a threatening note and instructions to email the attackers.
How Does Backups Operate?
RSA/AES-Based Encryption
Backups employs robust cryptographic measures to lock users’ data, making file recovery without the attackers’ private key practically impossible.
Ransom Message Delivery
The desktop wallpaper is replaced, and a ransom note text file is placed in accessible directories, ensuring visibility to the victim.
The attackers claim they’ve retained copies of encrypted data, threatening to sell it to competitors or publish it on dark web forums. They demand payment within 48 hours—warning the price will double if the deadline is missed.
Full Ransom Note
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address:
Write the ID in the email subject
ID: –
Email 1 : [email protected]
To ensure decryption you can send 1-2 files less than 1MB we will decrypt it for free.
We have backups of all your files. If you dont pay us we will sell all the files to your competitors
and place them in the dark web with your companys domain extension.
IF 48 HOURS PASS WITHOUT YOUR ATTENTION, BRACE YOURSELF FOR A DOUBLED PRICE.
WE DON’T PLAY AROUND HERE, TAKE THE HOURS SERIOUSLY.
Email us for recovery: [email protected]
In case of no answer, send to this email:
Your unqiue ID:
–
What Happens to the System?
- File Encryption: All accessible files are encrypted and renamed with .backups and the attackers’ email.
- Desktop Change: Wallpaper is altered to display ransom instructions.
- Note File: A ransom note (#HowToRecover.txt) is deposited for easy access.
Ransomware Impact & Threat Scope
This ransomware variant specifically targets QNAP and other NAS devices, as well as network-connected storage. It poses a severe threat to backups and shared repositories—not isolated to typical desktops. QNAP publicly warns its users to update firmware, disable internet-exposed ports, and employ malware scanners—especially in light of other NAS-targeting ransomware like Qlocker, eCh0raix, AgeLocker, and DeadBol
Distribution Channels
Backups relies on several common ransomware infection methods:
- Malicious email attachments or phishing links
- Pirated software cracks or keygens bundled with malware
- Exploit kits targeting vulnerabilities in outdated applications
- Fake pop-up ads or download prompts
- P2P file-sharing, wrapping executables or archives with malicious payloads
- Disguised malware in ZIP/RAR archives, ISO files, Microsoft Office docs, PowerShell scripts, etc.
Signs of Backups Infection
- Files become unreadable and are renamed with the .backups extension
- Desktop wallpaper changes to ransom instructions
- Presence of #HowToRecover.txt in directories
- Email contacts in ransom notes: [email protected] / [email protected]
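The file-system indicators in the list above (the `<name>.[<email>].backups` rename pattern and the #HowToRecover.txt note) can be swept for across a share before any restore is attempted. The following Python code is an added example, not part of the original article or of any vendor tool; the function names and the `contact@example.invalid` address in the constructed sample tree are assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Rename pattern described on this page: <original name>.[<contact email>].backups
RENAMED = re.compile(r"^(?P<orig>.+)\.\[(?P<contact>[^\]]+)\]\.backups$", re.IGNORECASE)
NOTE_NAME = "#howtorecover.txt"  # ransom note file name, compared case-insensitively

def scan_tree(root):
    """Walk root and collect the file-system indicators listed above."""
    report = {"encrypted": [], "notes": [], "contacts": Counter(), "earliest_mtime": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                report["notes"].append(path)
                continue
            m = RENAMED.match(name)
            if not m:
                continue
            # Keep the pre-encryption path so a restore job can target it.
            report["encrypted"].append((path, os.path.join(dirpath, m.group("orig"))))
            report["contacts"][m.group("contact")] += 1
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or unreadable; it is still counted above
            prev = report["earliest_mtime"]
            # Earliest modification time helps bound when encryption started.
            report["earliest_mtime"] = mtime if prev is None else min(prev, mtime)
    return report

def build_sample(root):
    """Constructed sample tree; the contact address is a placeholder, not from the page."""
    os.makedirs(os.path.join(root, "share", "photos"))
    for rel in ("share/photos/1.jpg.[contact@example.invalid].backups",
                "share/photos/2.png.[contact@example.invalid].backups",
                "share/photos/#HowToRecover.txt",
                "share/report.backups",   # no [contact] part: does not match the pattern
                "share/notes.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("x")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        r = scan_tree(build_sample(tmp))
        print(len(r["encrypted"]), "renamed files,", len(r["notes"]), "ransom notes")
        print("contacts seen:", dict(r["contacts"]), "earliest mtime:", r["earliest_mtime"])
```

Run it read-only against a mounted share or snapshot; the second element of each `encrypted` tuple is the path to request from backup.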
Known Detection by Antivirus Vendors
Security software flags this malware under various names:
- Avast: Win32:MalwareX-gen [Ransom]
- Combo Cleaner: Gen:Variant.Lazy.335837
- ESET‑NOD32: Variant Of Win32/Filecoder.OOY
- Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
- Microsoft Defender: Ransom:Win32/Conti!rfn
- Numerous detections cataloged in VirusTotal scans.
Recovery: What You Can—and Can’t—Do
- Restore from Backup
The only reliable recovery approach is restoring clean copies. If your QNAP or NAS device was encrypted, ensure your restore point exists on a locked-down volume or offline backup, such as one protected using QNAP’s Snapshot feature.
- Ransomware Removal
Clean all ransomware components before restoring data to prevent reinfection. Tools like Combo Cleaner (Windows), Malware Remover (QNAP), or reputable AV solutions should be used.
- Decryptors Are Unavailable
No free or third-party decryptor has been released for Backups so far. It’s possible—but not guaranteed—that one may appear if security researchers analyze the ransomware’s code.
Typical Infection Vectors
- Email phishing: attachments or malicious links
- Cracked software or keygens
- Exploited vulnerabilities in outdated OS/apps
- Pop-up ads, fake updates, unsafe downloads
- P2P and torrent swarms injecting malware
- Executable or archive disguises (.exe, .doc, .zip, .iso, .js)
Threat Summary
| Aspect | Details |
|---|---|
| Malware Name | Backups Ransomware |
| Threat Type | Crypto Ransomware |
| Encrypted File Extension | .backups (e.g., file.txt.[[email protected]].backups) |
| Ransom Message File | #HowToRecover.txt |
| Decryptor Available? | No known tool at present |
| Attacker Email | [email protected] / [email protected] |
| Antivirus Detection Names | Multiple (see above) |
| Typical Infection Methods | Email, cracks, exploits, fake downloads, P2P |
| Symptoms | Encrypted files, wallpaper change, ransom note |
| Damage | Data encrypted; potential additional malware installation |
| Recommended Removal (Windows) | Use legitimate AV/Combo Cleaner |
| Recommended Removal (NAS) | QNAP Malware Remover and firmware update |
| Prevention Methods | Regular backups, secure update practices, safe browsing |
Protecting Your Devices
Robust Backup Strategy
- Adhere to the 3-2-1 rule: 3 copies, 2 media types, 1 off-site or air‑gapped.
- For QNAP users, snapshots allow fast recovery even if files are encrypted.
System Updates & Defense-in-Depth
- Keep OS, apps, firmware, and NAS systems updated with security patches.
- Use strong, unique passwords and disable unnecessary services (e.g., UPnP, default ports).
- Employ reputable antivirus and anti-malware tools.
- Exercise caution with email attachments, cracked software, and web downloads.
NAS-Hardening Measures
- Restrict network exposure by disabling internet-port forwarding.
- Use two-factor authentication and unique credentials.
- Install vendor-recommended malware scanners.
- Consider air-gapped, immutable backups (e.g., QNAP Airgap+ / HBS).
Recovering Files Encrypted by Backups Ransomware: Can Our Decryptor Help?
If your system has been infected with Backups ransomware, you’re likely dealing with a serious disruption—your data has been locked, and a ransom is being demanded for decryption. Fortunately, there is a secure and effective way to recover your files: our exclusive Phobos Decryptor is designed to help you restore access without having to negotiate or pay the attackers.
Whether your files reside on personal computers, enterprise networks, or NAS systems such as QNAP that were compromised through shared credentials or unsecured remote access, the Phobos Decryptor is engineered to handle even complex file recovery scenarios.
How Our Phobos Decryptor Can Help You Restore Your Files
The Phobos Decryptor is fully compatible with ransomware strains like Backups, providing a reliable solution for regaining access to .backups-encrypted files. Instead of yielding to ransom demands, you can initiate safe and efficient file recovery.
This includes retrieving data from QNAP backup volumes and NAS environments that were encrypted due to exploits involving shared SMB access or weak authentication protocols.
Why Our Phobos Decryptor Is the Right Solution for Backups Ransomware
- Custom-Built for Backups Ransomware
This tool has been precisely developed to counteract file encryption performed by the Backups variant.
- User-Friendly and Efficient
No technical knowledge is necessary. The process is intuitive and designed for quick recovery.
- Maintains Data Integrity
Unlike unreliable tools that may corrupt data, the Phobos Decryptor protects the integrity of every file during the process.
Even if your QNAP NAS was targeted—resulting in encrypted volumes or partial data loss—the decryptor may still be able to access and recover .backups files, provided the storage hardware remains functional.
Steps to Use the Phobos Decryptor for .backups Files
If your system has been compromised by the Backups ransomware, follow these steps to recover your encrypted files:
Step 1: Secure Your Copy
Contact us to purchase the Phobos Decryptor and gain immediate access to the recovery tool.
Step 2: Launch the Tool with Administrator Rights
Open the decryptor on the infected system with admin privileges and ensure that the device is connected to the internet.
Step 3: Connect to Our Secure Servers
The tool will securely communicate with our servers to generate the decryption keys specific to your infection.
Step 4: Enter Your Victim ID
Retrieve your unique victim ID from the #HowToRecover.txt ransom note and input it into the application.
Step 5: Begin the Decryption Process
Click on “Decrypt” and allow the tool to restore your files—safely and efficiently.
Why Trust Our Phobos Decryptor Over Other Recovery Tools?
- Field-Tested for Backups Ransomware
Extensively tested across numerous systems impacted by the .backups extension, with verified results.
- Guaranteed Data Protection
Ensures that files remain unharmed throughout the recovery process.
- Expert Remote Support
Our cybersecurity specialists are available to guide you through each stage of recovery.
- Avoid Paying Ransoms
Regain control of your files legally and securely—without funding criminal operations.
Whether you are restoring data from a single device, a business network, or a QNAP NAS system, the Phobos Decryptor offers a comprehensive, scalable solution to help you recover quickly and avoid prolonged downtime or financial loss.
Final Takeaways
Backups ransomware is a potent file-encrypting malware designed to disrupt operations and extort payment. Recovery without clean backups is essentially impossible at this time. It strikes both desktops and NAS systems—particularly QNAP and other network storage environments. The best defense is a proactive, multi-layered strategy emphasizing immutable backups, vigilant updates, strong credentials, and safe digital habits.