“Vaccine” Prevents Ransomware Families from Erasing the Shadow Copies Needed for Data Recovery


A newly released “vaccine” prevents ransomware families from erasing shadow copies, a step ransomware takes to block data recovery.

The vaccine, called ‘Raccine’ and released by security researchers Florian Roth and Ollie Whitehouse, targets ransomware families that abuse vssadmin.exe on a compromised computer to erase all shadow copies.

Vssadmin.exe is a legitimate Windows utility that lets users manage shadow copies, but it is also abused for malicious purposes. Raccine was designed to intercept requests to delete shadow copies and to kill the process that issued them.

The vaccine works by adding a registry patch that intercepts invocations of vssadmin.exe.

The patch registers the compiled raccine.exe as the debugger for vssadmin.exe (and wmic.exe), so Raccine runs whenever either utility is invoked. “Raccine is a binary that first collects all parent process PIDs and then tries to kill all parent processes,” Roth says on GitHub.

Compatible with all versions of Windows since Windows 2000, the tool uses a very generic method of blocking ransomware, and the changes it makes can be reversed. It is agentless because it does not need a resident executable or service to function.

Because it is designed to kill any process that invokes vssadmin.exe delete shadows (or other blacklisted command combinations), the tool can interfere with the operation of legitimate applications, Roth explains on the program’s GitHub page.

Until you apply the uninstall patch raccine-reg-patch-uninstall.reg, you will no longer be able to run commands that use the blacklisted parameter combinations on the vaccinated machine. This may break numerous backup solutions that run that particular command during their normal operation. It will not only block the command but kill every process in that process tree, including the backup solution and whatever invoked it, Roth says.

The researcher also advises administrators to review their logs to see how often vssadmin.exe is invoked to legitimately delete or resize shadow storage and, if the utility is used frequently, to refrain from deploying the vaccine.
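As an added illustration of that advice (not code from the Raccine project), the following Python sketch applies Raccine-style blacklist matching to constructed process-creation records and shows which invocations would keep working, which would be blocked, and which parent process trees would die with them. The blacklist entries, the process table and the image name invoice.exe are all assumptions made for the example.

```python
import re

# Parameter combinations assumed to be on Raccine's blacklist; wmic.exe is
# included because Raccine registers itself for that utility as well.
BLACKLIST = [
    ("vssadmin.exe", ("delete", "shadows")),
    ("vssadmin.exe", ("resize", "shadowstorage")),
    ("wmic.exe", ("shadowcopy", "delete")),
]

# Constructed process-creation records (pid, ppid, image, command line), the
# kind of data an admin would pull from Security event 4688 or Sysmon event 1.
EVENTS = [
    (1200, 1, "BackupAgent.exe", "BackupAgent.exe /nightly"),
    (1300, 1200, "cmd.exe", 'cmd.exe /c "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10GB"'),
    (1310, 1300, "vssadmin.exe", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10GB"),
    (1400, 1200, "vssadmin.exe", "vssadmin.exe list shadows"),
    (2100, 1, "invoice.exe", "invoice.exe"),
    (2110, 2100, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
]

def matches_blacklist(image, cmdline):
    """True if the image is one Raccine intercepts and the command line carries
    every keyword of a blacklisted combination (matching is case-insensitive)."""
    tokens = {t.lower() for t in re.split(r"\s+", cmdline.strip())}
    return any(image.lower() == img and all(k in tokens for k in keys)
               for img, keys in BLACKLIST)

def kill_tree(pid, events):
    """Image names Raccine would terminate for a blocked invocation: the process
    itself plus every parent found in the table, mirroring its parent-PID walk."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][2])
        pid = by_pid[pid][1]
    return chain

def assess(events):
    """Pre-deployment impact check: count legitimate vssadmin.exe runs that would
    keep working and map each blocked invocation to the tree that would be killed."""
    report = {"legitimate": 0, "blocked": {}}
    for pid, _ppid, image, cmdline in events:
        if matches_blacklist(image, cmdline):
            report["blocked"][pid] = kill_tree(pid, events)
        elif image.lower() == "vssadmin.exe":
            report["legitimate"] += 1
    return report

if __name__ == "__main__":
    print(assess(EVENTS))
```

In the constructed data the backup agent's shadow-storage resize is blocked along with cmd.exe and BackupAgent.exe, exactly the side effect the article warns about, while the plain `list shadows` call is left alone.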

Further information on how to install and use Raccine, and on which blacklist rules can be configured, is available on GitHub. According to its creators, the vaccine can also be used to control other mechanisms.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.