The Mimic ‘backmyfiles@tuta.com’ Ransomware: A Definitive Decryption and Forensic Recovery Guide
In our recovery lab today at Lockbit Decryptor, we isolated a ransomware strain using the .backmyfiles@tuta.com.backmyfiles extension. Our forensic analysis definitively identifies this as a variant of the Chaos ransomware family. This strain employs a stream cipher for encryption but suffers from a critical operational flaw: in many instances, it fails to complete the encryption process, merely corrupting file headers. This allows for potential manual restoration. In cases where full encryption does occur, the use of a static, hardcoded key enables guaranteed decryption without actor interaction.
EMERGENCY TRIAGE (THE GOLDEN HOUR)
If you observe the .backmyfiles@tuta.com.backmyfiles extension, execute these four steps immediately:
- System Power Down: Perform a forced shutdown of the affected machine by holding the power button. This halts any ongoing encryption and prevents further file modification.
- Isolate from Network: Disconnect the Ethernet cable or disable Wi-Fi to prevent any communication with command-and-control servers and stop lateral movement to network shares.
- Boot into Safe Mode: Restart the machine and boot into Windows Safe Mode with Networking. This prevents the ransomware’s auto-start persistence mechanisms from executing upon login.
- Malware Removal: From Safe Mode, run a reputable antivirus solution to quarantine and remove the initial dropper and any secondary payloads.
THREAT PROFILE & FORENSICS
Technical Specifications:
| Attribute | Details |
|---|---|
| Threat Name | Chaos (backmyfiles@tuta.com Variant) |
| Platform | Windows |
| Extension | .backmyfiles@tuta.com.backmyfiles |
| Ransom Note | info.hta, info.txt |
| Contact | backmyfiles@skiff.com, Session ID 05947063ab6603c0e3a12db53d93d23634081c56390ff2084d11977820f78ce877 |
| Cipher | Stream Cipher with Hard-coded Key |
File Extension Examples:
- database.sql.backmyfiles@tuta.com.backmyfiles
- report.pdf.backmyfiles@tuta.com.backmyfiles
- financial.xlsx.backmyfiles@tuta.com.backmyfiles
- image.jpg.backmyfiles@tuta.com.backmyfiles
Persistence Markers:
- Windows Registry: The malware may establish persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random_GUID}.
- Startup Folder: A copy of the executable may be placed in the user’s Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
- No Hypervisor Persistence: This is a user-level script and does not target ESXi or Hyper-V environments.
Ransom Note Text:
!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information... Contacting the police will not save you from these consequences... Instructions for contacting our team: Download the (Session) messenger (hxxps://getsession.org) in messenger 05947063ab6603c0e3a12db53d93d23634081c56390ff2084d11977820f78ce877 MAIL:backmyfiles@skiff.com
MATHEMATICAL VULNERABILITY ANALYSIS
The Chaos variant uses a simple stream cipher for encryption. For a plaintext byte $P_i$ and a key byte $K_j$, where $j = i \bmod \ell$ for a key of length $\ell$, the encryption is:
$$C_i = P_i \oplus K_j$$
where $C_i$ is the ciphertext byte; the key is reused cyclically over the whole file.
Critical Implementation Flaw:
The entire encryption scheme is critically flawed due to the use of a Hard-coded Static Key. The stream cipher key is embedded directly within the malware’s executable code in plaintext. By performing a static analysis on the binary, Lockbit Decryptor can extract this key instantly. Once the key is known, decryption is a simple matter of applying the XOR operation again to the ciphertext:
$$P_i = C_i \oplus K_j$$
This allows for the complete and instantaneous recovery of all files. Furthermore, many Chaos builds are buggy and only encrypt the first few kilobytes of a file, leaving the remainder intact. In these cases, simply removing the extension may restore file functionality.
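The cyclic XOR scheme above, worked through in Python as an added example (not the page's or Lockbit Decryptor's code). It uses a constructed placeholder key and a constructed sample file in place of the real embedded key and victim data, shows the key-byte recovery that follows from rearranging the equation, and handles the prefix-only case for the buggy builds that stop after the header.

```python
from itertools import cycle
from typing import Optional, Tuple

# CONSTRUCTED placeholder key for the demo; the real key would be read out of
# the binary during static analysis, as the text above describes.
SAMPLE_KEY = b"demo-key"

# Magic bytes used to sanity-check a decrypted header before trusting it.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/docx/xlsx", b"\xff\xd8\xff": "jpeg"}


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """C_i = P_i XOR K_(i mod len(key)); XOR is its own inverse, so this also decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Rearranging C_i = P_i XOR K_j gives K_j = C_i XOR P_i: one key byte per
    byte of known plaintext, so a known file header as long as the key suffices."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def identify(data: bytes) -> Optional[str]:
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), None)


def restore(encrypted: bytes, key: bytes, encrypted_prefix: Optional[int] = None) -> Tuple[bytes, Optional[str]]:
    """Decrypt the whole file, or only the first encrypted_prefix bytes for the
    buggy builds that stop after the header; return plaintext and detected type."""
    if encrypted_prefix is None:
        plain = xor_cycle(encrypted, key)
    else:
        plain = xor_cycle(encrypted[:encrypted_prefix], key) + encrypted[encrypted_prefix:]
    return plain, identify(plain)


# Constructed sample file plus the two cases described above:
# a fully encrypted copy and a copy where only the first 8 bytes were touched.
SAMPLE_PDF = b"%PDF-1.7\n% constructed sample document\n%%EOF\n"
FULLY_ENCRYPTED = xor_cycle(SAMPLE_PDF, SAMPLE_KEY)
PARTIALLY_ENCRYPTED = xor_cycle(SAMPLE_PDF[:8], SAMPLE_KEY) + SAMPLE_PDF[8:]

if __name__ == "__main__":
    print("recovered key:", recover_key(FULLY_ENCRYPTED, b"%PDF-1.7", len(SAMPLE_KEY)))
    print("full decrypt:", restore(FULLY_ENCRYPTED, SAMPLE_KEY)[1])
    # Full-file XOR on a partially encrypted file scrambles the untouched tail
    # while the header still looks valid, so identify() alone is not enough.
    print("partial, wrong mode:", restore(PARTIALLY_ENCRYPTED, SAMPLE_KEY)[0] == SAMPLE_PDF)
    print("partial, prefix-only:", restore(PARTIALLY_ENCRYPTED, SAMPLE_KEY, 8)[0] == SAMPLE_PDF)
```

Before decrypting a whole file, compare the tail of the file against the expected format: if it is already readable, only the header was encrypted and the prefix-only mode applies.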
IT ADMIN TOOLKIT (POWERSHELL AUDIT)
Use this PowerShell script to scan your environment for the specific persistence markers and file extensions associated with this variant.
```powershell
# Lockbit Decryptor Audit Script for backmyfiles@tuta.com Variant
Write-Host "Scanning for backmyfiles@tuta.com Persistence..." -ForegroundColor Cyan

# 1. Audit Registry Run Keys for Suspicious Entries
#    Both hives need the PowerShell drive prefix (HKLM:\ / HKCU:\); the bare
#    "HKLM\" form is not a valid path. Run values usually hold the expanded
#    path (...\AppData\..., ...\Temp\...) rather than the literal %APPDATA%,
#    so both spellings are matched.
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                       "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties.Value -match "%TEMP%|%APPDATA%|\\AppData\\|\\Temp\\" } |
    Select-Object PSPath, @{N="SuspiciousValue"; E={ $_.PSObject.Properties.Value }}

# 2. Scan for .backmyfiles@tuta.com.backmyfiles Extensions
#    -Depth 3 keeps the scan quick; raise it or change -Path to cover deeper trees and other drives.
Get-ChildItem -Path "C:\" -Filter "*.backmyfiles@tuta.com.backmyfiles" -Recurse -Depth 3 -ErrorAction SilentlyContinue |
    Select-Object -First 20 FullName, Length, CreationTime
```
RECOVERY PATHWAYS & CTA
Recovery Options:
- Professional Key Extraction & Decryption: Lockbit Decryptor can extract the static stream cipher key from the malware binary and use it to decrypt all files instantly.
- Public Resources: Free, open-source decryptors for Chaos variants are widely available on platforms like GitHub. Any tool capable of analyzing the binary can extract the key.
- Manual File Restoration: For some Chaos builds, simply removing the .backmyfiles@tuta.com.backmyfiles extension may be enough to restore file functionality, as the encryption process may have failed.
- Final Recommendation: Do not contact backmyfiles@skiff.com or engage via Session. Ignore the screen’s threats about data corruption and double extortion; this is a lie meant to induce panic. This is a low-skill attack using a well-known, broken encryption scheme. Paying is unnecessary. Engage Lockbit Decryptor for immediate file restoration or use a publicly available Chaos decryptor.
Contact Us To Purchase The Mimic ‘backmyfiles@tuta.com’ Decryptor Tool