Encrypted .BAK files by ransomware

1️⃣ Presentation of the issue

.BAK files are backup files created by applications or databases (e.g., SQL Server, MySQL, ERP software). They exist so that data can be restored after a failure or corruption. When ransomware reaches them, it encrypts them like any other document on the host, and the data can no longer be read without the attacker's key.

2️⃣ Symptoms of an infected .BAK file

  1. Modified extension 
    • The ransomware usually appends its own extension: e.g., db_backup.bak → db_backup.bak.lockbit or db_backup.bak.anubis.
  2. Size roughly unchanged but content unreadable 
    • The file is about the same size as before (some families append a small footer that holds the wrapped file key), but its content is now ciphertext.
  3. Unable to open the file 
    • The tool that normally reads the backup (e.g., SQL Server's RESTORE) reports a format error or refuses to open it.
  4. Presence of a ransom note 
    • An HTML or TXT file dropped in the same folder announces the attack and gives payment instructions. Keep it: together with one encrypted file it identifies the strain.
  5. Partial corruption when the ransomware combines encryption with deliberate destruction 
    • Some families overwrite the header or other critical blocks, so conventional recovery is nearly impossible. Conversely, many families encrypt only parts of very large files (intermittent encryption) to save time, which leaves some blocks intact.
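The symptoms above can be checked without touching the originals. The following Python script is an added example, not part of the original page and not Recoveo's tooling: it opens each file read-only, flags an extra extension after .bak, checks for the "TAPE" signature that SQL Server native backups carry at offset 0 (Microsoft Tape Format), computes per-4 KiB Shannon entropy to tell fully encrypted files from intermittently encrypted ones, and lists ransom notes in the same folder. The name patterns, thresholds and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Triage of possibly ransomware-encrypted .BAK files (added example, not Recoveo's tooling).

Flags the symptoms described above: an extension appended to .bak, a missing
SQL Server backup header, high per-chunk entropy and ransom notes in the folder.
All sample files are constructed synthetically in a temp dir; no real malware output.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical patterns: any extra extension after .bak, and common ransom-note names.
RANSOM_SUFFIX = re.compile(r"\.bak\.[A-Za-z0-9_-]{2,16}$")
RANSOM_NOTE = re.compile(r"(readme|restore|recover|decrypt|how.?to)", re.IGNORECASE)
# SQL Server native backups use Microsoft Tape Format; the first descriptor block starts with "TAPE".
MTF_MAGIC = b"TAPE"
CHUNK = 4096
HIGH_ENTROPY = 7.5          # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant block, 8.0 for uniform random)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(path: Path, max_chunks: int = 256) -> list[float]:
    """Entropy of each CHUNK-sized block from the start of the file.
    A run of near-8.0 blocks followed by ordinary blocks indicates intermittent
    encryption: the ransomware only touched part of a large file."""
    profile = []
    with open(path, "rb") as f:
        while len(profile) < max_chunks and (block := f.read(CHUNK)):
            profile.append(shannon_entropy(block))
    return profile


def triage_bak(path: Path) -> dict:
    """Classify one backup file using read-only access, never modifying it."""
    with open(path, "rb") as f:
        header_ok = f.read(len(MTF_MAGIC)) == MTF_MAGIC
    profile = entropy_profile(path)
    high = sum(e >= HIGH_ENTROPY for e in profile)
    fraction = high / len(profile) if profile else 0.0
    if header_ok and high == 0:
        verdict = "intact"
    elif header_ok:
        # Compressed backups are high-entropy too; a valid header points to
        # compression rather than ransomware. Confirm with RESTORE VERIFYONLY.
        verdict = "header intact, high entropy: probably compressed, verify"
    elif fraction >= 0.9:
        verdict = "fully encrypted"
    elif high > 0:
        verdict = "partially encrypted (intermittent encryption)"
    else:
        verdict = "header damaged, low entropy: corrupted, not encrypted"
    return {
        "file": path.name,
        "renamed": bool(RANSOM_SUFFIX.search(path.name)),
        "mtf_header_ok": header_ok,
        "encrypted_fraction": round(fraction, 2),
        "verdict": verdict,
    }


def scan_backup_dir(folder: Path) -> dict:
    """Triage every .bak-derived file in a folder and list ransom notes found beside them."""
    results, notes = {}, []
    for p in sorted(folder.iterdir()):
        name = p.name.lower()
        if ".bak" in name:
            results[p.name] = triage_bak(p)
        elif name.endswith((".txt", ".html", ".htm")) and RANSOM_NOTE.search(name):
            notes.append(p.name)
    return {"files": results, "ransom_notes": notes}


def build_sample_dir() -> Path:
    """Construct sample data: one clean backup, one fully and one partially
    'encrypted' backup (seeded random bytes stand in for ciphertext), and a ransom note."""
    rng = random.Random(42)
    plain_block = (b"DATA" + b"\x00" * 12) * (CHUNK // 16)   # low-entropy page data
    folder = Path(tempfile.mkdtemp(prefix="bak_triage_"))
    (folder / "db_backup.bak").write_bytes(MTF_MAGIC + plain_block[4:] + plain_block * 7)
    (folder / "db_backup.bak.lockbit").write_bytes(rng.randbytes(CHUNK * 8))
    (folder / "archive.bak.anubis").write_bytes(rng.randbytes(CHUNK * 4) + plain_block * 4)
    (folder / "RESTORE-MY-FILES.txt").write_text("Your files are encrypted.\n")
    return folder


if __name__ == "__main__":
    report = scan_backup_dir(build_sample_dir())
    for name, r in report["files"].items():
        print(f"{name}: {r['verdict']} (renamed={r['renamed']}, encrypted={r['encrypted_fraction']})")
    print("ransom notes:", report["ransom_notes"])
```

Run it against a copy of the backup share, never the originals. The entropy test alone is not a verdict: SQL Server backups taken WITH COMPRESSION are also near 8 bits/byte, which is why the script only calls a file encrypted when the backup header is gone as well.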

3️⃣ Impact on data recovery

3.1 Technical complexity

  • .BAK files are often large (several GB to several hundred GB).
  • If they were encrypted by modern ransomware (typically AES-256 with a unique key per file, that key being wrapped with an attacker-held public key via a scheme such as ECIES or RSA), standard recovery tools cannot decrypt them: the file key exists on the victim's machine only in wrapped form.
  • Because the ransomware overwrites the file in place, the internal structure (e.g., SQL Server's media header and page layout) is destroyed along with the data, so even a partially encrypted file cannot be restored by the database engine without manual repair of those structures.

3.2 Dependency on backups

If no clean copy exists (offline, immutable or off-site), advanced data recovery techniques are the only remaining option, and success is not guaranteed.

4️⃣ Time required to recover the data

The recovery time depends on several factors:

  Factor                          Impact on time
  ------                          --------------
  .BAK file size                  The larger the file, the longer the recovery (hours to days for files > 100 GB).
  Type of encryption              Correctly implemented AES-256/ECIES: no decryption without the attacker's key. Flawed implementation or leaked/published keys: a public decryptor may exist, which is far faster.
  Number of files and redundancy  Several encrypted or corrupted .BAK files = more time needed for reconstruction.
  Technical expertise             Specialised team = shorter time and less data loss; DIY attempts = failure or very long delays.

5️⃣ Best practices after infection

  1. Do not work on the original .BAK file 
    • Do not open it, try to "repair" it, or run decryptors against it in place: each failed attempt can further damage the content. Make a bit-for-bit, read-only copy first (and record its hash), then work only on the copy.
  2. Keep the ransom note and one encrypted sample 
    • They identify the strain, which determines whether a public decryptor exists and what recovery approach is realistic.
  3. Contact RECOVEO
    • Recoveo can recover .BAK files even when partially corrupted, thanks to advanced recovery tools and manual repair of file structures.

6️⃣ Summary

  • Symptoms: appended extension, unreadable content, ransom note, possible header or block corruption.
  • Impact on recovery: depends on the encryption, the file size and the backup status. Without a clean copy, an encrypted .BAK file may be unrecoverable.
  • Immediate actions: make a read-only copy before any manipulation, preserve the ransom note, and work only on the copy.