Security researcher Florian Roth has released a new anti-ransomware “vaccine” called Raccine. Raccine terminates any process that tries to delete volume shadow copies using Microsoft’s vssadmin.exe program. Windows creates backups of your system and stores them in volume shadow copy snapshots, which can be used to recover lost or damaged files. Ransomware infections usually delete all shadow copies first so that files cannot be recovered from them. Raccine works by registering the raccine.exe executable as a debugger for vssadmin.exe using the Image File Execution Options Windows registry key. Once raccine.exe is registered as a debugger, every execution of vssadmin.exe also launches Raccine, which checks whether vssadmin is trying to delete shadow copies. If it is, Raccine automatically terminates the process.
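The check described above can be sketched as follows. This is an added illustration, not Raccine's own code: the function names, the "block"/"allow" verdicts and the sample command lines are constructed for the example, and the same matching logic can be run over process-creation logs to flag shadow copy deletion.

```python
import ntpath
import shlex

def tokenize(cmdline):
    """Split a Windows-style command line; fall back to whitespace on bad quoting."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def is_shadow_delete(tokens):
    """True when tokens are a vssadmin invocation asking to delete shadow copies."""
    if not tokens:
        return False
    image = ntpath.basename(tokens[0]).lower()
    if image.endswith(".exe"):
        image = image[:-4]
    if image != "vssadmin":
        return False
    args = {t.lower() for t in tokens[1:]}
    return {"delete", "shadows"} <= args

def debugger_verdict(argv):
    """argv as a registered IFEO debugger sees it (assumption of this sketch):
    argv[0] is the debugger itself, argv[1:] is the intercepted command line."""
    return "block" if is_shadow_delete(argv[1:]) else "allow"

# Constructed sample command lines, e.g. as they appear in process-creation logs.
SAMPLES = [
    r'vssadmin.exe delete shadows /all /quiet',
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /Quiet',
    r'vssadmin list shadows',
    r'notepad.exe delete shadows.txt',
]

def scan(cmdlines):
    """Return the command lines that request shadow copy deletion."""
    return [c for c in cmdlines if is_shadow_delete(tokenize(c))]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("ALERT:", hit)
```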