A newly released “vaccine” can stop certain ransomware families from erasing shadow copies, a step they take to prevent data recovery.
Dubbed “Raccine” and released by security researchers Florian Roth and Ollie Whitehouse, the vaccine targets ransomware families that leverage vssadmin.exe to delete all shadow copies on a compromised machine.
A legitimate utility in Windows, vssadmin.exe provides users with the ability to administer shadow copies, but is often abused for malicious purposes. Raccine was designed to intercept the request to erase shadow copies, and also to kill the process that made the request.
The vaccine works by applying a registry patch to intercept vssadmin.exe invocations.
“We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary that first collects all PIDs of the parent processes and then tries to kill all parent processes,” Roth explains on GitHub.
Compatible with all Windows versions starting with Windows 2000, the tool applies a rather generic method to stop ransomware, and the changes it makes can be undone. It is agentless, so it does not require a running executable or a service.
Because it was designed to kill every process that attempts to invoke “vssadmin.exe delete shadows” (or other blacklisted combinations), the tool can also disrupt legitimate applications, Roth explains on the tool’s GitHub page.
“You won’t be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kill all processes in that tree, including the backup solution and its invoking process,” Roth says.
The researcher also encourages admins to check logs to see how frequently vssadmin.exe is invoked for the legitimate deletion or modification of shadow storage and refrain from using the vaccine if the Windows utility is frequently used.
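The two behaviours the article describes, matching an invocation against blacklisted command combinations and walking up the parent chain that Raccine would terminate, together with the log check Roth recommends, can be modelled offline. The following is an added example, not Raccine’s own code: the log line format, the field names, the sample events and the wmic.exe blacklist entry are all constructed assumptions for this illustration, and nothing here kills any process; it only reports what a Raccine-style response would hit and how often each utility is invoked legitimately.

```python
"""Audit constructed process-creation log lines for vssadmin.exe / wmic.exe use.

Added example, not Raccine's code. It models (a) blacklist matching on the
command line, (b) collecting the ancestor PIDs a Raccine-style tool would
terminate, and (c) counting how often each utility is invoked so an admin can
judge whether the vaccine would disrupt legitimate backup activity.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed line format (an assumption, not a real Windows log format):
#   <timestamp> pid=<n> ppid=<n> image=<path> cmd=<command line>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+"
    r"image=(?P<image>.+?)\s+cmd=(?P<cmd>.*)$"
)

# Blacklisted combinations: (image basename, tokens that must all be present).
# "vssadmin delete shadows" is the case the article names; the wmic.exe entry
# is an assumed addition for illustration only.
BLACKLIST = [
    ("vssadmin.exe", ("delete", "shadows")),
    ("wmic.exe", ("shadowcopy", "delete")),
]

AUDITED = {"vssadmin.exe", "wmic.exe"}


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    cmd: str


def parse_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], int(m["pid"]), int(m["ppid"]), m["image"], m["cmd"])


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_blacklisted(event):
    """True when the image and all required argument tokens match a blacklist entry."""
    tokens = event.cmd.lower().split()
    return any(
        basename(event.image) == image and all(t in tokens for t in required)
        for image, required in BLACKLIST
    )


def ancestors(event, by_pid):
    """PIDs from the event's parent upward; stops at an unknown PID or a cycle."""
    chain, seen, pid = [], set(), event.ppid
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def audit(lines):
    """Return per-utility invocation counts and the process trees a blacklist hit would kill."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_pid = {e.pid: e for e in events}
    usage = Counter(basename(e.image) for e in events if basename(e.image) in AUDITED)
    hits = [
        {"pid": e.pid, "cmd": e.cmd, "would_kill": [e.pid] + ancestors(e, by_pid)}
        for e in events
        if is_blacklisted(e)
    ]
    return {"usage": dict(usage), "hits": hits}


# Constructed sample: a shell-launched "delete shadows", a backup tool's
# legitimate "resize shadowstorage", and a wmic shadowcopy deletion.
SAMPLE_LOG = [
    "2020-10-02T09:00:01 pid=1200 ppid=600 image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "2020-10-02T09:00:05 pid=2400 ppid=1200 image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c start",
    "2020-10-02T09:00:06 pid=2410 ppid=2400 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "2020-10-02T10:15:00 pid=3100 ppid=1200 image=C:\\Program Files\\BackupTool\\backup.exe cmd=backup.exe --nightly",
    "2020-10-02T10:15:02 pid=3105 ppid=3100 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10%",
    "2020-10-02T11:00:00 pid=4000 ppid=2400 image=C:\\Windows\\System32\\wbem\\wmic.exe cmd=wmic.exe shadowcopy delete",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("invocations per utility:", report["usage"])
    for h in report["hits"]:
        print(f"blacklist hit pid={h['pid']} cmd={h['cmd']!r} would kill {h['would_kill']}")
```

The `would_kill` lists show why Roth warns about collateral damage: the kill walks all the way up the parent chain, so a backup solution that legitimately ran a blacklisted command would be terminated along with whatever launched it. The `usage` counter is the frequency check the article recommends before deploying the vaccine; the legitimate `resize shadowstorage` call is counted there but does not produce a hit.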
Further details on how to install and use Raccine, as well as on what blacklist rules can be set, are available on GitHub. According to its developers, the vaccine can be used to target other processes as well.