
Ransomware Vaccine Intercepts Requests to Erase Shadow Copies

A newly released “vaccine” can prevent certain ransomware families from erasing shadow copies to prevent data recovery.


Dubbed “Raccine” and released by security researchers Florian Roth and Ollie Whitehouse, the vaccine targets ransomware families that leverage vssadmin.exe to delete all shadow copies on a compromised machine.

A legitimate Windows utility, vssadmin.exe lets administrators manage Volume Shadow Copy snapshots, but ransomware routinely runs it to destroy those snapshots before encrypting files so that victims cannot roll back. Raccine was designed to intercept the request to erase shadow copies and to kill the process that made the request.

The vaccine works by applying a registry patch that registers raccine.exe as the "debugger" for vssadmin.exe under the Image File Execution Options (IFEO) key. Windows then launches Raccine, with the original command line appended, every time vssadmin.exe is started.

“We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes,” Roth explains on GitHub.
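To make the mechanism concrete, the following PowerShell script is an added illustration, not Raccine's own code. It writes the IFEO Debugger value for vssadmin.exe, and when Windows then starts it in place of vssadmin.exe it inspects the appended command line, walks its own parent chain the way the quote describes, and kills (or, with -Simulate, only lists) the ancestors. The blacklist, the system-process stop list and the paths are assumptions for the example; a real interceptor also has to run the original command when it is not blacklisted, which this script deliberately does not do (see the comment), so use it only with -Simulate and uninstall it afterwards.

```powershell
# Added example of IFEO "Debugger" interception, not Raccine's own code.
# Windows launches the registered Debugger instead of vssadmin.exe and appends
# vssadmin's full command line, so in the interceptor branch $args holds
# e.g. "vssadmin.exe delete shadows /all /quiet". Blacklist, stop list and
# paths are assumptions for this example.
param(
    [switch]$Install,    # write the IFEO Debugger value (elevated shell required)
    [switch]$Uninstall,  # remove it again (equivalent of the uninstall .reg patch)
    [switch]$Simulate    # report what would be killed instead of killing it
)

$Target    = 'vssadmin.exe'
$IfeoKey   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Target"
$Blacklist = @('delete shadows', 'resize shadowstorage')   # assumed rules for the example
# Never walk past or kill these: a service-hosted parent chain ends at services.exe.
$StopAt    = @('services.exe', 'wininit.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe', 'System')

# Command line Windows will run in place of vssadmin.exe (this script, same host exe).
$HostExe     = (Get-Process -Id $PID).Path
$DebuggerCmd = "`"$HostExe`" -ExecutionPolicy Bypass -File `"$PSCommandPath`""
if ($Simulate) { $DebuggerCmd += ' -Simulate' }

function Get-ParentChain {
    # Ancestors of $StartPid, nearest first, excluding $StartPid itself.
    param([int]$StartPid)
    $chain = @(); $seen = @{}
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $StartPid"
    while ($p -and -not $seen.ContainsKey([int]$p.ProcessId)) {
        $seen[[int]$p.ProcessId] = $true
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        # ParentProcessId is only a number: if the real parent exited and its PID was
        # reused, the "parent" is younger than the child. Stop rather than kill a stranger.
        if (-not $parent -or $parent.CreationDate -gt $p.CreationDate) { break }
        if ($StopAt -contains $parent.Name) { break }
        $chain += $parent
        $p = $parent
    }
    return $chain
}

if ($Install) {
    New-Item -Path $IfeoKey -Force | Out-Null
    New-ItemProperty -Path $IfeoKey -Name 'Debugger' -Value $DebuggerCmd -PropertyType String -Force | Out-Null
    Write-Output "Registered $DebuggerCmd as IFEO debugger for $Target"
    return
}
if ($Uninstall) {
    Remove-ItemProperty -Path $IfeoKey -Name 'Debugger' -ErrorAction SilentlyContinue
    Write-Output "Removed IFEO debugger for $Target"
    return
}

# ---- interceptor branch: we were started in place of vssadmin.exe ----
$cmdline = $args -join ' '
$hit = $Blacklist | Where-Object { $cmdline -match [regex]::Escape($_) } | Select-Object -First 1
if (-not $hit) {
    # Raccine runs the original command when it is not blacklisted. Launching
    # vssadmin.exe from here would re-enter this IFEO hook, so the example only
    # reports; an installed copy would therefore block every vssadmin call.
    Write-Output "Not blacklisted, would pass through: $cmdline"
    exit 0
}

Write-Output "Blacklisted ('$hit'): $cmdline"
foreach ($v in (Get-ParentChain -StartPid $PID)) {
    $desc = "PID $($v.ProcessId) $($v.Name) [$($v.CommandLine)]"
    if ($Simulate) { Write-Output "  would kill $desc" }
    else { Write-Output "  killing $desc"; Stop-Process -Id $v.ProcessId -Force -ErrorAction SilentlyContinue }
}
exit 1
```

Running it by hand as `.\interceptor.ps1 -Simulate vssadmin.exe delete shadows /all /quiet` shows the point of the article without installing anything: the "would kill" list is your interactive shell and everything above it, which is exactly what happens to a backup agent's process tree on a raccinated machine. The creation-time check in Get-ParentChain is the caveat a practitioner wants here, since a stale ParentProcessId can point at an unrelated process that reused the PID.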

Compatible with all Windows versions starting with Windows 2000, the tool applies a deliberately generic method to stop ransomware, and its changes can be reverted with an uninstall registry patch. It is agentless: no executable or service runs in the background, because Raccine is only launched, by Windows itself, when vssadmin.exe is invoked.

Because it kills every process in the tree that attempted to invoke vssadmin.exe delete shadows (or another blacklisted command line), the tool can also break legitimate applications that use the same commands, Roth warns on the tool's GitHub page.

“You won’t be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree including the backup solution and its invoking process,” Roth says.

The researcher therefore encourages admins to check their logs first, to see how frequently vssadmin.exe is invoked for legitimate deletion or modification of shadow storage, and to refrain from deploying the vaccine on machines where the utility is used that way.
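The log check itself, as an added example that is not from the article or the Raccine project: it pulls process-creation events for vssadmin.exe and wmic.exe from Sysmon (Event ID 1) and the Security log (4688, which only carries the command line when "Include command line in process creation events" is enabled), flags the ones that match the kind of command lines Raccine blocks, and groups them by parent process so you can see which software would be killed. Reading the Security log needs an elevated shell; the pattern list is an assumption, and the event fields are taken by name so the script does not depend on field positions.

```powershell
# Added example, not from the article or the Raccine project: how often did
# vssadmin.exe / wmic.exe run shadow-copy commands on this host, and from which
# parent process? Assumes Sysmon Event ID 1 and/or Security 4688 with command-line
# auditing; the pattern list below is an assumption.
$Since    = (Get-Date).AddDays(-30)
$Patterns = @('delete shadows', 'resize shadowstorage', 'shadowcopy delete')

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">...</Data> into a hashtable; field positions
    # differ between Sysmon and Windows versions, names do not.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[[string]$d.Name] = [string]$d.'#text' }
    return $h
}

function Test-Blacklisted {
    param([string]$CommandLine)
    foreach ($p in $Patterns) { if ($CommandLine -match [regex]::Escape($p)) { return $true } }
    return $false
}

function Get-ShadowAdminEvents {
    param([datetime]$StartTime)
    $out = @()
    $sources = @(
        @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Image = 'Image';          Parent = 'ParentImage' },
        @{ Log = 'Security';                             Id = 4688; Image = 'NewProcessName'; Parent = 'ParentProcessName' }
    )
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.Log; Id = $s.Id; StartTime = $StartTime }
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $d = ConvertFrom-EventData $e
            if ($d[$s.Image] -notmatch '\\(vssadmin|wmic)\.exe$') { continue }
            $out += [pscustomobject]@{
                Time          = $e.TimeCreated
                Source        = $s.Log
                Image         = $d[$s.Image]
                Parent        = $d[$s.Parent]
                CommandLine   = $d['CommandLine']
                WouldBeKilled = Test-Blacklisted $d['CommandLine']
            }
        }
    }
    return $out
}

$events = Get-ShadowAdminEvents -StartTime $Since
$killed = @($events | Where-Object WouldBeKilled)
"{0} shadow-copy admin invocations since {1}; {2} would trigger the kill" -f $events.Count, $Since.ToShortDateString(), $killed.Count

# Parents issuing blacklisted commands are what Raccine would kill: a backup agent
# in this list means "do not raccinate this host".
$killed | Group-Object Parent | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Parent'; e = { $_.Name } }, @{ n = 'Sample'; e = { $_.Group[0].CommandLine } } |
    Format-Table -AutoSize -Wrap
```

If the table is empty over a representative window, the host is a reasonable candidate; if it shows a backup product's service or scheduler as the parent, Raccine would kill that product mid-run, which is the breakage the author warns about.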

Further details on how to install and use Raccine, as well as on what blacklist rules can be set, are available on GitHub. According to its developers, the vaccine can be used to target other processes as well.

Related: University Project Tracks Ransomware Attacks on Critical Infrastructure

Related: Financially-Motivated Iranian Hackers Adopt Dharma Ransomware

Related: ICS-Targeting Snake Ransomware Isolates Infected Systems Before Encryption

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

