Threat Watch

New Ransomware Vaccine Kills Programs That Wipe Windows Shadow Volumes

Security researcher Florian Roth released a new anti-ransomware “vaccine” software called Raccine. Raccine terminates any processes that try to delete volume shadow copies using Microsoft’s vssadmin.exe program. Windows creates backups of your system and stores them in Shadow Volume snapshots—these snapshots can be used to recover lost or damaged files. Ransomware infections usually delete all Shadow Volume copies first, in order to prevent them from being recovered. Raccine works by registering the raccine.exe executable as a debugger for vssadmin.exe using the Image File Execution Options Windows registry key. Once raccine.exe is registered as a debugger, every time vssadmin.exe is executed, it will also launch Raccine, which will check to see if vssadmin is trying to delete shadow copies. If it detects vssadmin is trying to delete shadow copies it will automatically terminate the process.

ANALYST NOTES

While this method will prevent encryption by a large amount of ransomware, some modern ransomware families delete shadow volumes using other commands. Defenders should also create detections and alarms for the possibility that attackers could make a copy of vssadmin.exe with a different file name, or using WMI commands. Checking the running process file name against the “Original Filename” attribute of a file, especially for Microsoft system executables, is a great way to detect when system files have been renamed. That isn’t always malicious, but it should be unusual enough to determine when it is normal and when it requires investigation. If an attacker triggers Raccine, it is important to investigate right away. Just because the ransomware failed to run, it is most likely that an attacker still has remote control of the computer that tried to execute it, and that the attacker will soon find a way around the control if they are not quickly and decisively evicted from the environment.

Sources: https://www.bleepingcomputer.com/news/security/new-ransomware-vaccine-kills-programs-wiping-windows-shadow-volumes/