.back Files Virus (Dharma) – How to Remove It

.back Files Virus (Dharma) – How to Remove It

remove .back files virus dharma ransomware restore files sensorstechforum

This article explains what issues occur in case of infection with .back files virus and provides a complete guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.

An infection with the so-called .back files virus results in corruption of sensitive data for which hackers demand a ransom fee. It belongs to the infamous Dharma ransomware family. For the extortion cyber criminals use the ransom message file FILES ENCRYPTED.txt. At the end of the attack the same file is started on your infected device to inform you about the presence of this nasty ransomware and present you further instructions.

Threat Summary

Name.back Files Virus
TypeRansomware, Cryptovirus
Short DescriptionA data locker ransomware that encrypts valuable data and demands ransom payment for a decryption solution.
SymptomsImportant files are locked and renamed with .back extension. They remain unusable for unspecified period of time.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .back Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .back Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.back Files Virus – Distribution

The distribution of this .back files virus is likely to happen with the help of shady methods such as malspam, malvertising, third-party instellers and compromised web pages. All mentioned methods aim to deliver the malicious payload on your device and trick you to execute it.

As a primary infection channel is believed to be used malspam (emails that deliver malicious software). There are several common components that are typical of these emails:

  • A link that lands on compromised web page. Once loaded in the browser such page could trigger download process of the malicious software and execute it directly on the PC. The link may be presented as in-text link, banner, image, button or direct URL address.
  • A file attachment that according to email text message is a legitimate document but in reality is an infected file that runs the ransomware code the moment you open it on the device. The format of this file may be of common type such as .rar, .zip, .7z, .docx, etc. Such a file could be set to evade active security measures and complete the attack without any notification.

In addition, infected software installers, fake update notifications, malicious files shared on forums, social media and P2P networks may be spreading the payload of .back ransomware.

Variants of the so-called

Skype virus may be utilized for the distribution of .back files virus.

.back Files Virus – Overview

An infection with .black files virus begins when its payload is started on the system. The code of the payload is designed to access various system settings and plague some that will support its attack to its very end.

In the beginning of the infection process it could drop or create additional malicious files that may be located in the following system folders:

  • %Roaming%
  • %Windows%
  • %AppData%
  • %Local%
  • %Temp%

The analyses of .back files virus samples reveal that it implements modifications that affect registry keys. They enable it to load its malicious files on each system start. The keys that could be affected are Run and RunOnce. To check whether they contain malicious values or not, you should open the Registry Editor and open the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

At the end of the attack, .back files virus drops the file FILES ENCRYPTED.txt and loads it on the screen. The purpose of this file is to present you ransom message left by hackers. With this message they attempt to blackmail you into paying for file decrypter. However, we recommend you to avoid their demands as they could trick you once again and steal your money without sending you back a working solution.

.back Files Virus – Encryption Process

Like some previous Dharma ransomware variants (

.combo, .arrow, .bkp, etc.) Dharma .back utilizes a built-in encryption module when it completes all initial infection stages.

This variant of the threat is believed to utilize a strong cipher algorithm called AES to corrupt target files. When the encryption process is completed, valuable files remain inaccessible for unspecified period of time. This is due to the fact that their code is transformed by the ransomware. Unfortunately, it could be set to affect all your valuable files including all your:

  • Audio files.
  • Videos.
  • Image files.
  • Databases.
  • Archives.

You could recognize your corrupted files by the distinctive extension .back appended to their original names. You cannot access the information stored by .black files for which hackers blackmail you into paying them a ransom for a decrypter. However, there is no guarantee that they could provide you a working solution as the code of their threat could be broken.

Remove .back Files Virus and Restore Data

The so-called .back files virus is a threat with highly complex code that plagues not only your files but your whole system. So infected system should be cleaned and secured properly before you could use it regularly again. Below you could find a step-by-step removal guide that may be helpful in attempting to remove .back ransomware. Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps select the automatic section from the guide. Steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should install and maintain a reliable anti-malware program. Additional security layer that could prevent the occurrence of ransomware attacks is

anti-ransomware tool.

Make sure to read carefully all the details mentioned in the step “Restore files” if you want to understand how to fix encrypted files without paying the ransom. Beware that before data recovery process you should back up all encrypted files to an external drive as this will prevent their irreversible loss.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share