Backups Ransomware Is a Silent Thief

What Is Backups Ransomware?

Backups Ransomware is a recently identified form of malicious software designed to lock users out of their files. This strain of ransomware encrypts a victim's data and alters file names by appending the extension ".backups" and inserting a contact email. For example, a file named "document.pdf" becomes "document.pdf.[backups@airmail.cc].backups" after infection.

Once active, Backups Ransomware doesn't stop at encrypting files. It also changes the victim's desktop wallpaper and creates a text file called "#HowToRecover.txt." This file serves as a ransom note, outlining the attacker's demands and providing instructions for the victim to contact the cybercriminals using the email addresses backups@airmail.cc or backups@airmail.com.
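The rename pattern and the note file name described above are enough to scope how far an infection has reached on a disk or file share. The following Python script is an added example, not part of the original article: it walks a directory tree, flags files matching the ".[email].backups" suffix and the "#HowToRecover.txt" note, and recovers each file's original name. The function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators taken from the article: the appended suffix and the ransom note name.
RENAMED = re.compile(
    r"^(?P<original>.+)\.\[(?P<contact>[^\[\]@\s]+@[^\[\]\s]+)\]\.backups$",
    re.IGNORECASE)
NOTE_NAME = "#howtorecover.txt"

def classify(filename):
    """Return ('note', None, None), ('encrypted', original, contact) or None."""
    if filename.lower() == NOTE_NAME:
        return ("note", None, None)
    m = RENAMED.match(filename)
    if m:
        return ("encrypted", m.group("original"), m.group("contact").lower())
    return None

def scan(root):
    """Walk root and summarise how far the renaming has spread."""
    report = {"encrypted": [], "notes": [], "contacts": set(), "clean": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            path = os.path.join(dirpath, name)
            if hit is None:
                report["clean"] += 1
            elif hit[0] == "note":
                report["notes"].append(path)
            else:
                report["encrypted"].append((path, hit[1]))
                report["contacts"].add(hit[2])
    return report

def build_sample_tree():
    """Constructed sample data: empty files named the way the article describes."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("document.pdf.[backups@airmail.cc].backups",
                "#HowToRecover.txt",
                "finance/q1.xlsx.[backups@airmail.cc].backups",
                "finance/notes.backups",   # plain ".backups" name, no contact tag
                "readme.txt"):
        open(os.path.join(root, rel), "w").close()
    return root

if __name__ == "__main__":
    r = scan(build_sample_tree())
    print(len(r["encrypted"]), "renamed,", len(r["notes"]), "note(s),", sorted(r["contacts"]))
```

Requiring the bracketed contact tag keeps ordinary files that merely end in ".backups" out of the results.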

Here's what the ransom note says:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address:
Write the ID in the email subject

ID: -

Email 1 : backups@airmail.cc

To ensure decryption you can send 1-2 files less than 1MB we will decrypt it for free.

We have backups of all your files. If you dont pay us we will sell all the files to your competitors
and place them in the dark web with your companys domain extension.

IF 48 HOURS PASS WITHOUT YOUR ATTENTION, BRACE YOURSELF FOR A DOUBLED PRICE.
WE DON'T PLAY AROUND HERE, TAKE THE HOURS SERIOUSLY.

The Goal of Ransomware: Money and Power

Like most ransomware, Backups Ransomware's primary goal is extortion. The attackers claim to have made backups of the encrypted files and threaten to release them to competitors or post them on the dark web if their demands are not met. Victims are warned that the ransom amount will double if they fail to respond within 48 hours.

This pressure tactic is common in ransomware schemes. By instilling fear and urgency, attackers increase the chances that a victim will pay quickly. The implication is clear: either pay up or face serious consequences, including data exposure and financial loss.

How Ransomware Operates

Ransomware encrypts the files on a user's system, making them inaccessible without a unique decryption key. In most cases, that key is only available from the attacker after a ransom has been paid—usually in cryptocurrency, which is hard to trace. For Backups Ransomware, there is currently no known third-party decryption tool available, which makes recovery without backups nearly impossible.

Once a system is compromised, the malware may remain active, encrypting new files or infecting other devices on the same network. That's why removing the ransomware immediately is a crucial part of responding to an attack.

How Ransomware Spreads

Cybercriminals use various tactics to distribute ransomware like Backups. One of the most common is phishing emails—messages that contain infected attachments or links that download malware when clicked. Other methods include the use of pirated software, fake software activation tools, and malicious websites posing as legitimate download sources.

Ransomware can also spread through deceptive online ads, technical support scams, and peer-to-peer file-sharing platforms. Often, the malicious payload is hidden in common file types like ZIP archives, PDFs, Word documents, or even ISO disk images. These files may appear harmless at first glance but carry dangerous scripts that activate once opened.

Defense: Backup, Awareness, and Security Tools

The best defense against ransomware is preparation. Regularly backing up your data to an external drive or secure cloud storage is essential. If you get attacked, backups allow you to restore your files without paying the ransom. It's just as important to keep your systems and applications updated to patch known security flaws that ransomware exploits.

Users should also avoid downloading software from unofficial sources and steer clear of pirated programs or cracked software. A reliable antivirus solution that is kept up to date can detect and block many ransomware variants before they cause harm.

What to Do If You’re Infected

If you suspect your device is infected with Backups Ransomware, disconnect it from the internet immediately to prevent further spread. Do not pay the ransom—doing so only fuels the ransomware ecosystem and does not guarantee that you'll regain access to your files.

Instead, consult a cybersecurity professional, remove the ransomware using reputable tools, and restore any available backups. If no backups exist, recovery may be difficult or impossible without the decryption key. In some cases, law enforcement or specialized security firms may be able to help.

Final Thoughts

Backups Ransomware is a dangerous example of how cybercriminals are evolving their tactics. It's a wake-up call for anyone who stores important data on a computer or networked device. Being proactive with cybersecurity hygiene—through backups, cautious online behavior, and updated protection tools—can make the difference between a minor issue and a catastrophic data loss.

June 13, 2025