{
	"id": "bf22372c-33e6-42ba-8fe9-49e5ef878937",
	"created_at": "2026-04-06T00:16:17.083296Z",
	"updated_at": "2026-04-10T13:13:07.875628Z",
	"deleted_at": null,
	"sha1_hash": "1aa9046910f5d677c6a5c92dd6accb2ba09cb17e",
	"title": "A technical analysis of the BackMyData ransomware used to attack hospitals in Romania – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5607795,
	"plain_text": "A technical analysis of the BackMyData ransomware used to attack hospitals in Romania – CYBER GEEKS\r\nPublished: 2024-02-19 · Archived: 2026-04-02 11:15:47 UTC\r\nSummary\r\nAccording to BleepingComputer, a ransomware attack that occurred starting on February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family. The malware embeds an AES key that is used to decrypt its configuration, which contains whitelisted extensions, files, and directories, a public RSA key that is used to encrypt the AES keys used for file encryption, and other information. Persistence is achieved by creating an entry under the Run registry key and copying the malware to the Startup folder. The ransomware encrypts the local drives as well as the network shares. It deletes all Volume Shadow Copies and runs commands to disable the firewall.\r\nThe files are encrypted using the AES256 algorithm, with the AES key being encrypted using the public RSA key decrypted from the configuration. The malware appends 6 custom bytes at the end of every encrypted file. In the end, the ransomware drops two ransom notes called “info.txt” and “info.hta” that contain information about how to contact the threat actor.\r\nTechnical analysis\r\nSHA256: 396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6\r\nThe ransomware comes with an encrypted configuration that is decrypted using a hard-coded AES key:\r\nFigure 1\r\nAs we can see below, the configuration is stored in an encrypted form:\r\nFigure 2\r\nThe malware implements the AES algorithm in its code and doesn’t rely on Windows APIs:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/\r\nPage 1 of 20\n\nFigure 3\r\nFigure 4\r\nThe malicious process retrieves the number of milliseconds elapsed since the system was started using GetTickCount:\r\nFigure 5\r\nThe GetLocaleInfoW function is used to obtain the default locale for the operating system (0x800 = LOCALE_SYSTEM_DEFAULT, 0x58 = LOCALE_FONTSIGNATURE). The binary verifies whether the 9th bit, which represents Cyrillic alphabets, is cleared. This technique of avoiding systems that have this setting as default was also documented by Malwarebytes in their article about Phobos ransomware.\r\nFigure 6\r\nAn example of decrypting values from the configuration is highlighted below:\r\nFigure 7\r\nFigure 8\r\nThe binary retrieves the path of the executable file of the current process via a function call to GetModuleFileNameW (see Figure 9).\r\nFigure 9\r\nInterestingly, the process is looking for a file called “backm” that wasn’t previously created by the ransomware (0x80000000 = GENERIC_READ, 0x3 = OPEN_EXISTING):\r\nFigure 10\r\nThe malware extracts the major and minor version numbers of the operating system using the GetVersion method:\r\nFigure 11\r\nIt opens the access token associated with the current process by calling the OpenProcessToken API (0x8 = TOKEN_QUERY):\r\nFigure 12\r\nThe malicious process verifies if the token is elevated using GetTokenInformation (0x14 = TokenElevation):\r\nFigure 13\r\nThe environment variable “%systemdrive%” is expanded, which reveals the drive that contains the Windows directory:\r\nFigure 14\r\nGetVolumeInformationW is used to obtain the volume serial number:\r\nFigure 15\r\nThe ransomware tries to open two mutexes called “Global\\\\\u003c\u003cBID\u003e\u003e\u003cVolume serial number\u003e00000001” and “Global\\\\\u003c\u003cBID\u003e\u003e\u003cVolume serial number\u003e00000000”, and then creates them:\r\nFigure 16\r\nFigure 17\r\nThe DLLs and functions necessary to perform some activities are also decrypted from the configuration. The binary obtains the module handle for a DLL using GetModuleHandleA:\r\nFigure 18\r\nThe address of the exported functions is retrieved by calling the GetProcAddress API:\r\nFigure 19\r\nThe malware disables file system redirection for the calling thread:\r\nFigure 20\r\nIt obtains a handle to the Shell’s desktop window via a function call to GetShellWindow (Figure 21).\r\nFigure 21\r\nUsing the above handle, the process calls the GetWindowThreadProcessId function to retrieve the identifier of the process that created the window (explorer.exe):\r\nFigure 22\r\nThe binary opens the “explorer.exe” process using the OpenProcess method (0x400 = PROCESS_QUERY_INFORMATION):\r\nFigure 23\r\nOpenProcessToken is used to open the access token associated with the above process (0x02000000 = MAXIMUM_ALLOWED):\r\nFigure 24\r\nThe DuplicateTokenEx API is utilized to create a new access token that duplicates the token mentioned above (0x2 = SecurityImpersonation, 0x1 = TokenPrimary):\r\nFigure 25\r\nThe ransomware spawns itself running in the security context of the newly created token (Figure 26).\r\nFigure 26\r\nIt creates a new thread that will run the following commands in the sub_EB4B85 function:\r\nvssadmin delete shadows /all /quiet – delete all Volume Shadow Copies\r\nwmic shadowcopy delete – delete all Volume Shadow Copies\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures – ignore errors if there is a failed boot, shutdown, or checkpoint\r\nbcdedit /set {default} recoveryenabled no – disable automatic repair\r\nwbadmin delete catalog -quiet – delete the backup catalog on the machine\r\nnetsh advfirewall set currentprofile state off – disable the firewall for the current network profile\r\nnetsh firewall set opmode mode=disable – disable the firewall\r\nFigure 27\r\nThe process copies its executable to the “%AppData%\\Local” directory, as highlighted in Figure 28.\r\nFigure 28\r\nRegOpenKeyExW is used to open the Run registry key (0x80000002 = HKEY_LOCAL_MACHINE, 0x20106 = KEY_WRITE | KEY_WOW64_64KEY):\r\nFigure 29\r\nThe ransomware establishes persistence by creating an entry named after the executable, which points to the newly created executable:\r\nFigure 30\r\nThe malicious binary tries to copy the non-existent file called “backm” to the same directory:\r\nFigure 31\r\nThe second persistence mechanism consists of copying the executable to the Startup folder.\r\nThe following extensions are targeted, but the ransomware will encrypt other extensions as well:\r\nfdb sql 4dd 4dl abs abx accdb accdc accde adb adf ckp db db-journal db-shm db-wal db2 db3 dbc dbf dbs dbt dbv dcb dp1 eco edb epim fcd gdb mdb mdf ldf myd ndf nwdb nyf sqlitedb sqlite3 sqlite\r\nAlso, the ransomware doesn’t encrypt files that were previously encrypted by other ransomware families:\r\nbackmydata actin DIKE Acton actor Acuff FILE Acuna fullz MMXXII GrafGrafel monero n3on jopanaxye 2700 DEVOS kmrox s0m1n qos cg ext rdptest S0va 6y8dghklp SHTORM NURRI GHOST FF6OM6 blue NX BACKJOHN OWN FS23 2QZ3 top blackrock CHCRBO G-STARS faust unknown STEEL worry WIN duck fopra unique acute adage make Adair MLF magic Adame banhu banjo Banks Banta Barak Caleb Cales Caley calix Calle Calum Calvo deuce Dever devil Devoe Devon Devos dewar eight eject eking Elbie elbow elder phobos help blend bqux com mamba KARLOS DDoS phoenix PLUT karma bbc CAPITAL WALLET LKS tech s1g2n3a4l MURK makop ebaka jook LOGAN FIASKO GUCCI decrypt OOH Non grt LIZARD FLSCRYPT SDK 2023 vhdv\r\nThe following files and directories will also be skipped during the encryption process:\r\ninfo.hta info.txt boot.ini bootfont.bin ntldr ntdetect.com io.sys backm\r\nC:\\WINDOWS C:\\ProgramData\\microsoft\\windows\\caches\r\nThe process splits further malicious activity into multiple threads that will be described in the following paragraphs. The following functions will be executed: sub_EB22EE, sub_EB239A, sub_EB2161, sub_EB1A76, and sub_EB1CC5.\r\nFigure 32\r\nThread activity – sub_EB22EE function\r\nThe malware opens the access token associated with the current process (0x20 = TOKEN_ADJUST_PRIVILEGES):\r\nFigure 33\r\nThe LookupPrivilegeValueW method is used to extract the locally unique identifier (LUID) that represents the “SeDebugPrivilege” privilege:\r\nFigure 34\r\nThe malicious process enables the above privilege via a call to AdjustTokenPrivileges:\r\nFigure 35\r\nThe following processes will be killed because they could lock files to be encrypted:\r\nmsftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe agntsvc.exe mydesktopqos.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe steam.exe thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe\r\nThe malware takes a snapshot of all processes in the system, as displayed in the figure below.\r\nFigure 36\r\nThe processes are enumerated using the Process32FirstW and Process32NextW APIs:\r\nFigure 37\r\nFigure 38\r\nAny target process is stopped using the TerminateProcess method:\r\nFigure 39\r\nThread activity – sub_EB239A function\r\nOpenProcessToken is utilized to open the access token associated with the process (0x8 = TOKEN_QUERY):\r\nFigure 40\r\nThe binary verifies again if the token is elevated by calling the GetTokenInformation API (0x14 = TokenElevation):\r\nFigure 41\r\nIt calls again the OpenMutexW and CreateMutexW methods with the “Global\\\\\u003c\u003cBID\u003e\u003e\u003cVolume serial number\u003e00000000” mutex name:\r\nFigure 42\r\nThread activity – sub_EB2161 function\r\nThe ransomware uses events to synchronize threads. It creates two unnamed event objects using CreateEventW:\r\nFigure 43\r\nThe NetBIOS name of the local machine is extracted (Figure 44).\r\nFigure 44\r\nWNetOpenEnumW is used to start an enumeration of all currently connected resources (0x1 = RESOURCE_CONNECTED):\r\nFigure 45\r\nThe enumeration continues by calling the WNetEnumResourceW function:\r\nFigure 46\r\nThe process obtains the interface–to–IPv4 address mapping table via a function call to GetIpAddrTable, as shown below:\r\nFigure 47\r\nEvery IP address extracted above is converted from network order to host byte order using ntohl:\r\nFigure 48\r\nThe malware creates a TCP socket (0x2 = AF_INET, 0x1 = SOCK_STREAM, 0x6 = IPPROTO_TCP):\r\nFigure 49\r\nIt tries to connect to every host on the network on port 445 in order to encrypt every available network share:\r\nFigure 50\r\nThread activity – sub_EB4B85 function\r\nThe process creates two anonymous pipes by calling the CreatePipe method (see Figure 51).\r\nFigure 51\r\nThe read handles are made inheritable using SetHandleInformation (0x1 = HANDLE_FLAG_INHERIT):\r\nFigure 52\r\nThe ransomware creates a “cmd.exe” process that will execute multiple commands:\r\nFigure 53\r\nThe commands responsible for disabling the firewall, deleting all Volume Shadow Copies, and so on, are transmitted to the newly created process via pipes:\r\nFigure 54\r\nThread activity – sub_EB1CC5 function\r\nThis thread keeps extracting a bitmask representing the currently available disk drives using the GetLogicalDrives API:\r\nFigure 55\r\nThread activity – sub_EB1A76 function\r\nThe malware decrypts the public RSA key that will be used to encrypt the AES256 key used for file encryption. The same key has been used by Phobos ransomware since 2019, according to Talos.\r\nFigure 56\r\nIt extracts the current local date and time, the current process and thread IDs, and other information using multiple functions:\r\nFigure 57\r\nThe binary creates a new thread that will traverse the network shares and drives in order to extract files to be encrypted:\r\nFigure 58\r\nThread activity – sub_EB56B3 function\r\nTwo new threads, which will be responsible for file encryption, are created:\r\nFigure 59\r\nThe files are enumerated using the FindFirstFileW and FindNextFileW methods:\r\nFigure 60\r\nFigure 61\r\nThe malware sets the event objects to the signaled state via a function call to SetEvent:\r\nFigure 62\r\nThe process waits until the new threads finish their execution using the WaitForMultipleObjects function.\r\nThread activity – sub_EB54BF function\r\nThe ransomware opens a file to be encrypted in reading mode (0x80000000 = GENERIC_READ, 0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE | FILE_SHARE_READ, 0x3 = OPEN_EXISTING):\r\nFigure 63\r\nIt retrieves the size of the file using the GetFileSizeEx API:\r\nFigure 64\r\nThe size is compared with 0x180000 bytes (1.5MB): files larger than that are partially encrypted, and the rest of the files are encrypted in full:\r\nFigure 65\r\nAs we can see below, not only the “.backmydata” extension will be added to an encrypted file, but also the volume serial number and the threat actor’s email address:\r\nFigure 66\r\nThe file’s content is read using the ReadFile method (see Figure 67).\r\nFigure 67\r\nThere is a custom implementation of the AES256 algorithm, as highlighted in the figure below.\r\nFigure 68\r\nThe content is encrypted using the AES256 algorithm and written to the newly created file:\r\nFigure 69\r\nThe file’s name is encrypted as well and will appear in the encrypted file:\r\nFigure 70\r\nThe following information is also written to the encrypted file: the unencrypted 16-byte IV, the RSA-encrypted AES256 key, and 6 bytes decrypted from the config that identify the ransomware, “DD F9 CC F5 B3 44”:\r\nFigure 71\r\nThe unencrypted file is overwritten with zeros and deleted afterwards:\r\nFigure 72\r\nThe structure of an encrypted file is displayed below. We’ve already described the meaning of the buffers.\r\nFigure 73\r\nThe ransomware drops two ransom notes: “info.txt” and “info.hta”. The communication with the threat actor can be done via email or Session messenger.\r\nFigure 74\r\nINDICATORS OF COMPROMISE\r\nSHA256\r\n396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6\r\nBackMyData ransom notes\r\ninfo.txt, info.hta\r\nFiles created\r\n%AppData%\\Local\\\u003cExecutable name\u003e\r\nC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u003cExecutable name\u003e\r\nRegistry values\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cExecutable name\u003e\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cExecutable name\u003e\r\nProcesses spawned\r\nvssadmin delete shadows /all /quiet\r\nwmic shadowcopy delete\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nwbadmin delete catalog -quiet\r\nnetsh advfirewall set currentprofile state off\r\nnetsh firewall set opmode mode=disable\r\nMutexes\r\nGlobal\\\\\u003c\u003cBID\u003e\u003e\u003cVolume serial number\u003e00000000\r\nGlobal\\\\\u003c\u003cBID\u003e\u003e\u003cVolume serial number\u003e00000001\r\nReferences\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attack-forces-100-romanian-hospitals-to-go-offline/\r\nhttps://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware\r\nhttps://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/\r\nSource: https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/"
	],
	"report_names": [
		"a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa9046910f5d677c6a5c92dd6accb2ba09cb17e.pdf",
		"text": "https://archive.orkl.eu/1aa9046910f5d677c6a5c92dd6accb2ba09cb17e.txt",
		"img": "https://archive.orkl.eu/1aa9046910f5d677c6a5c92dd6accb2ba09cb17e.jpg"
	}
}