Backmydata

Malware Profile (updated 3 months ago)
Backmydata is a variant of the Phobos ransomware family, which is itself an offshoot of the Dharma/Crysis lineage. It belongs to a growing list of Phobos variants that also includes Devos, Eight, Elking, and Faust, all of which share similar tactics, techniques, and procedures (TTPs). Backmydata has been used in attacks on healthcare entities, notably hospitals, a sector that other ransomware groups such as RansomHouse and Rhysida also target with increasingly capable tradecraft.

In one significant incident, a threat actor affiliated with Phobos infected systems at approximately 100 hospitals in Romania. The attacker first compromised a central health information system to which those hospitals connect and then spread Backmydata across the connected network; the initial breach is suspected to have originated from a compromised website within the RSC infrastructure. The servers of the Hippocrates Information System were encrypted, and the unidentified attackers demanded a ransom of 3.5 BTC (about 157,000 euros at the time). No group has claimed responsibility for the attack.

In response to these threats, US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory (CSA) on Phobos ransomware and its variants, including Backmydata, together with indicators of compromise (IOCs). Health entities were urged to scan their IT&C infrastructure against these IOCs regardless of whether they had been affected by the Backmydata attack. Given the shared central system that enabled the Romanian intrusion, proactive scanning and vigilance are critical to maintaining the integrity and security of healthcare systems.
Possible Aliases / Cluster overlaps
Because cluster overlaps and naming conventions differ between vendors, the following overlapping names / profiles may also be relevant (votes in parentheses).

Phobos (5): Phobos is a type of malware, specifically a ransomware, that has been a significant cause for concern in the cyber security world. This malicious software infiltrates systems through dubious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting opera

Faust (1): Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from For

Devos (1): Devos is a variant of Phobos ransomware, a type of malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op

Elking (1): Elking is a type of malware, specifically a variant of the Phobos ransomware. Malware is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio
Miscellaneous Associations
Other contextual elements that may help in assessing relevance:
Ransomware
Healthcare
Malware
Associated Malware
No associations to display.
Associated Threat Actors
Type and votes in parentheses.

Alphv (Unspecified, 1): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car

Rhysida (Unspecified, 1): Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Backmydata malware was read from the documents below (display limited to 20 results). Each entry gives source, relative date, and title.

CERT-EU, 5 months ago: Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack
Checkpoint, 5 months ago: 19th February – Threat Intelligence Report - Check Point Research
BankInfoSecurity, 5 months ago: Breach Roundup: Zeus Banking Trojan Leader Pleads Guilty
DARKReading, 5 months ago: Ransomware Wave at Romanian Hospitals Tied to Healthcare App
CERT-EU, 5 months ago: Investigating the Shadows: Is Russia-Linked Phobos Ransomware Group Responsible for Romanian Healthcare Disruption?
Securityaffairs, 5 months ago: US cyber and law enforcement agencies warn of Phobos ransomware attacks
DARKReading, 5 months ago: FBI, CISA Release IoCs for Phobos Ransomware
CERT-EU, 5 months ago: FBI, CISA Release IoCs for Phobos Ransomware | #ransomware | #cybercrime | National Cyber Security Consulting