Raccine ransomware vaccine now prevents Volume shadow copy from deletion
Florian Roth released “Raccine” ransomware vaccine that will prevent ransomware to delete Volume Shadow Copies.
Shadow Copy snapshots for system and data files are created and stored as backups by Windows on daily basis. Users can use these snapshots to recover files they mistakenly changed or deleted.
In cases with ransomware attack, what the first thing that these viruses do is delete the shadow copies so that victims cannot use this feature to recover the files for free. They execute certain commands to delete the said backups from Windows. One of such is to use following vssadmi.exe command:
vssadmin delete shadows /all /quiet
The vaccine released this week will monitor for the deletion of Shadow volume using the vssadmin.exe command. As Raccine’s GitHub page explains,
“We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let’s try to create a simple vaccine.”
Raccine works by registering a raccine.exe executable as a debugger for vassadmin.exe file with the help of the Image File Execution Options Windows registry key.
Once this process is completed, Racine can check if vssadmin try to delete shadow copies. In case, it detects process is using vssadmin delete, it will automatically terminate the process.
Some modern ransomware families use other commands listed below for shadow copies deletion:
et-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
WMIC.exe shadowcopy delete /nointeractive
Raccine will not be working for such malware because these do not use vssadmin.exe commands. However, it may be added the following commands in future.
Here, it is thing to be pointed out that the Raccine program may terminate legitimate process that uses vssadmin.exe as a part of their backup routines. Roth highlighting this point, said, soon the Raccine will be allow certain ability that allows certain programs bypass so that no any files are mistakenly terminated.
The steps to download Raccine:
- Download Raccine.exe and copy it to the C:\Windows folder by using elevated command prompt
- Then download the registry file raccine-reg-patch.reg and double click on it. When you see the prompt saying merge the contents into the Registry, allow it to do so.
Raccine is now set as a debugger for vssadmin.exe and will monitor the Volume Shadow Copies for attempts to deletion.