The way the ransom stuff works is like this. Maybe you are not following me.
The Site was hacked several months earlier and the inactive Cryptolocker software was installed while they were actively sabotaging multiple server systems for weeks. Nothing noticeable happened for months until a final command was sent.
All of the backups they made over those months were already compromised.
Keep in mind their main source of Revenue is matching contacts between Operators across the globe and adding them up towards various Career based Awards.
I don't think you understand the Kind of Money that is spent in the Ham Radio Hobby.
Here is a link to just one of the planned 2026 DXpeditions, with a bigger one from that same team in 2027:
https://3y0k.com/
The ARRL cannot use a 6-month-old backup that does not contain contacts made by a recent $1 million Expedition or even a small one that was needed by several thousand operators to complete their HR Award.
It is not a Forum where some posts can just go missing and no one really gets hurt.
They did try reinstalling a backup, but as soon as it went online it was locked again. They called in the FBI, who sent a team to investigate, and they hired security specialists to go through the backups.
From what we were told, after a few weeks they realized that isolating what was added or changed was not feasible, so they negotiated the 5 million down to 1 million and paid them. Even when they got it back online they realized that parts of the system were corrupted and other parts were still security compromised.
They have hired programmers to rewrite the Awards part of the system.
The ARRL has over 1.5 Billion contacts recorded and matched and 156 thousand active Radio Operators paying for the service.
An archiver reads the files and then writes them out with the same file name, or it adds its own extension and password-protects the archive.
No different than you using rar or zip to make a password-protected archive. When you pay the ransom it just unarchives the files using the password the ransom people give you, or they give you a program with the password embedded in it that does the unarchiving.
The backups, even if the ransomware was in place, are just backups of the files that are there. The files are not "infected". The archiver program, if it has access to the backup files when it goes nuclear, will encrypt the backups too if it can get to them. But on a true offsite setup it can't do that, so that makes me think they left access to the drives by the server running the website 24/7. That's actually the norm. Dumb setup, but the norm.