Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

Backmydata

BackMyData is a ransomware strain identified as a variant of the Phobos ransomware family. It was used in the February 2024 attacks on Romanian hospitals via the Hipocrate/Hippocrates healthcare management system after attackers breached Bucharest-based software provider RSC. The campaign disrupted more than 100 hospitals across Romania, with at least 25 hospitals confirmed to have encrypted data and many others taking systems offline as a precaution. Impacted healthcare organizations reverted to paper-based workflows for admissions, prescriptions, medical records, lab requests, radiology, medicines, supplies, payroll, pharmacy logistics, and test results. Romanian authorities stated there was no evidence of patient data theft at the time of reporting, and most affected hospitals reportedly had recent backups. The attackers demanded ransom in bitcoin; one report cited a demand of 3.5 BTC, and the ransom note reportedly did not identify the ransomware operation by name.

Observed technical behavior includes encrypted configuration data protected with a hard-coded AES key, use of an embedded RSA public key to wrap per-file AES-256 keys, and file encryption that fully encrypts smaller files and partially encrypts files larger than 1.5 MB. Encrypted files receive the .backmydata extension together with the volume serial number and attacker email address, and contain an unencrypted 16-byte IV, an RSA-encrypted AES key, and a 6-byte marker value DD F9 CC F5 B3 44. The malware drops ransom notes named info.txt and info.hta and instructs victims to contact the attacker via email or Session messenger.

BackMyData establishes persistence by copying itself to %AppData%\Local, creating Run registry entries under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and copying itself to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup<Executable name>. It deletes Volume Shadow Copies, disables automatic repair, deletes the backup catalog, and disables the Windows firewall. It enables SeDebugPrivilege, kills processes including sqlservr.exe, oracle.exe, mysqld.exe, outlook.exe, winword.exe, excel.exe, thunderbird.exe, and steam.exe to unlock files, enumerates logical drives and network resources, probes hosts over TCP/445, and encrypts local drives and network shares using multiple worker threads. It avoids systems with Cyrillic locale indicators and skips selected files and directories including info.hta, info.txt, boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, backm, C:\WINDOWS, and C:\ProgramData\microsoft\windows\caches. One analyzed sample was identified by SHA-256 396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

19 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195Supply Chain CompromiseEvidence2

attackers had breached Bucharest-based software firm RSC, burrowing into a widely used medical system called Hippocrates.

Execution

1 technique
T1059.003Windows Command ShellEvidence1

The ransomware creates a “cmd.exe” process that will execute multiple commands.

Persistence

1 technique
T1547.001Registry Run Keys / Startup FolderEvidence1

Persistence is achieved by creating an entry under the Run registry key and copying the malware to the Startup folder.

Privilege Escalation

4 techniques
T1134Access Token ManipulationEvidence1

The DuplicateTokenEx API is utilized to create a new access token... The ransomware spawns itself running in the security context of the newly created token.

T1134.001Token Impersonation/TheftEvidence1

The DuplicateTokenEx API is utilized to create a new access token that duplicates the token mentioned above... The ransomware spawns itself running in the security context of the newly created token.

T1547.001Registry Run Keys / Startup FolderEvidence1

Persistence is achieved by creating an entry under the Run registry key and copying the malware to the Startup folder.

T1548Abuse Elevation Control MechanismEvidence1

The malicious process enables the above privilege via a call to AdjustTokenPrivileges... 'SeDebugPrivilege' privilege

Stealth

4 techniques
T1070.004File DeletionEvidence1

The unencrypted file is overwritten with zeros and deleted afterwards.

T1134Access Token ManipulationEvidence1

The DuplicateTokenEx API is utilized to create a new access token... The ransomware spawns itself running in the security context of the newly created token.

T1134.001Token Impersonation/TheftEvidence1

The DuplicateTokenEx API is utilized to create a new access token that duplicates the token mentioned above... The ransomware spawns itself running in the security context of the newly created token.

T1480.002Mutual ExclusionEvidence1

The ransomware tries to open two mutexes called “Global\\<<BID>><Volume serial number>00000001” and “Global\\<<BID>><Volume serial number>00000000”, and then creates them.

Discovery

5 techniques
T1057Process DiscoveryEvidence1

The malware takes a snapshot of all processes in the system... The processes are enumerated using the Process32FirstW and Process32NextW APIs.

T1082System Information DiscoveryEvidence1

The malware extracts the major and minor version numbers of the operating system using the GetVersion method.

T1083File and Directory DiscoveryEvidence1

The files are enumerated using the FindFirstFileW and FindNextFileW methods.

T1135Network Share DiscoveryEvidence1

WNetOpenEnumW is used to start an enumeration of all currently connected resources... The enumeration continues by calling the WNetEnumResourceW function.

T1614.001System Language DiscoveryEvidence1

The GetLocaleInfoW function is used to obtain the default locale... The binary verifies whether the 9th bit, which represents Cyrillic alphabets, is cleared.

Lateral Movement

2 techniques
T1021Remote ServicesEvidence1

It tries to connect to every host on the network on port 445 in order to encrypt every available network share.

T1021.002SMB/Windows Admin SharesEvidence1

It tries to connect to every host on the network on port 445 in order to encrypt every available network share.

Impact

3 techniques
T1486Data Encrypted for ImpactEvidence4

Quietly, the cyber-attackers had begun infecting hospitals across the country that used the system with a ransomware strain called BackMyData. Files were being scrambled into gibberish and the demand was a ransom in bitcoin.

T1489Service StopEvidence1

Any target process is stopped using the TerminateProcess method.

T1490Inhibit System RecoveryEvidence1

vssadmin delete shadows /all /quiet – delete all Volume Shadow Copies; wmic shadowcopy delete – delete all Volume Shadow Copies | bcdedit /set {default} bootstatuspolicy ignoreallfailures; bcdedit /set {default} recoveryenabled no; wbadmin delete catalog -quiet

Other

1 technique
T1562Impair DefensesEvidence1

It deletes all Volume Shadow Copies and runs commands to disable the firewall.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app2 years ago
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
bbcNews
Jun 22, 2026
How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack

Ransomware used to infect hospitals, encrypt files, and demand payment in bitcoin.

Read more
bbcNews
Jun 22, 2026
How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack

Ransomware that encrypts files and demands payment in bitcoin.

Read more
bleeping computerNews
Dec 29, 2025
Romanian energy provider hit by Gentlemen ransomware attack

Ransomware group that targets healthcare organizations, encrypting systems and disrupting operations.

Read more
bleeping computerNews
Dec 22, 2025
Romanian water authority hit by ransomware attack over weekend

Backmydata is a ransomware strain that disrupted healthcare management systems in Romania, forcing hospitals to take systems offline.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping19

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.

Backmydata | Mallory