
Ransomware vaccine terminates programs that remove Windows shadow copies

A new ransomware vaccine program has been created that terminates malicious processes that attempt to delete Windows shadow copies using Microsoft's vssadmin.exe program.

Windows shadow copies ransomware vaccine

Windows creates backups of the system and of users' files and stores them in Shadow Volume Copy snapshots. These snapshots are very useful because they can be used to retrieve files in case they are deleted by mistake.

Ransomware gangs do not want their victims to use this feature, because it lets them recover the encrypted data for free. For this reason, one of the first things ransomware does is delete all Shadow Volume copies.

One method of deleting Shadow Volumes is to use the following vssadmin.exe command:

vssadmin delete shadows /all /quiet

Raccine ransomware vaccine

This weekend, security researcher Florian Roth released the Raccine ransomware vaccine, designed to monitor for suspicious activity that tries to delete shadow volume copies using the vssadmin.exe command.

"We often see ransomware deleting shadow copies using vssadmin. What if we can track this request and block this process? Let's try to create a simple vaccine," explains Raccine's page on GitHub.

How Raccine works

Initially, the executable raccine.exe is registered as a debugger for vssadmin.exe, using the Image File Execution Options Windows registry key.

Once raccine.exe is registered as the debugger, every time vssadmin.exe is run, Raccine will also run and check whether vssadmin is trying to delete the shadow copies.

If it detects a process that uses "vssadmin delete", it will terminate it automatically. This process usually takes place before the ransomware starts encrypting files on a computer.

This new ransomware vaccine program can be very useful, but some ransomware delete shadow volumes using other commands, such as:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

WMIC.exe shadowcopy delete /nointeractive

In these cases, Raccine will not block the ransomware removal process as vssadmin.exe is not in use. Support for these commands may be added in the future.
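
The coverage gap described above can be checked with a small command-line classifier run over process-creation records. This is an added example, not Raccine's code or anything from its repository; the pattern names, function names and sample command lines are constructed for illustration.

```python
import re

# One pattern per shadow-copy deletion command named in the article.
# Matching ignores case, extra whitespace, a leading path and an ".exe" suffix.
PATTERNS = {
    "vssadmin": re.compile(r'(?:^|[\\/\s"])vssadmin(?:\.exe)?"?\s+.*\bdelete\s+shadows\b', re.I),
    "wmic": re.compile(r'(?:^|[\\/\s"])wmic(?:\.exe)?"?\s+.*\bshadowcopy\s+.*\bdelete\b', re.I),
    "powershell-wmi": re.compile(r'\bwin32_shadowcopy\b.*\.\s*delete\s*\(', re.I),
}

# Constructed sample command lines: four deletions and two benign queries.
SAMPLE_COMMAND_LINES = [
    "vssadmin delete shadows /all /quiet",
    r"C:\Windows\System32\vssadmin.exe  Delete Shadows /All /Quiet",
    "WMIC.exe shadowcopy delete /nointeractive",
    'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    "vssadmin list shadows",
    "wmic shadowcopy list brief",
]


def classify(command_line):
    """Return the name of the deletion technique that matches, or None."""
    for name, pattern in PATTERNS.items():
        if pattern.search(command_line):
            return name
    return None


def report(command_lines):
    """Return (command line, technique, intercepted) for each input line.

    'intercepted' is True only for the vssadmin form, because per the article
    Raccine is attached to vssadmin.exe alone and the other forms bypass it.
    """
    rows = []
    for command_line in command_lines:
        technique = classify(command_line)
        rows.append((command_line, technique, technique == "vssadmin"))
    return rows


if __name__ == "__main__":
    for command_line, technique, intercepted in report(SAMPLE_COMMAND_LINES):
        status = "benign" if technique is None else technique
        gap = " (not intercepted via vssadmin.exe)" if technique and not intercepted else ""
        print(f"{status:15} {command_line}{gap}")
```

Rows that are classified as a deletion but not marked as intercepted are the ones that need a separate detection rule on process command lines.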

However, it should also be noted that Raccine can also terminate legitimate software that uses vssadmin.exe to make backups.

According to Bleeping Computer, Roth plans to add a feature that will allow this distinction to be made, so that necessary and legitimate processes are not terminated.

How to install Raccine?

  • Download Raccine.exe and use an "elevated command prompt" to copy it to the C:\Windows folder.
  • Download the raccine-reg-patch.reg Registry file and double-click it.

Raccine is now registered as a debugger.

If Raccine terminates legitimate programs, you can uninstall it by running the raccine-reg-patch-uninstall.reg registry file and deleting C:\windows\raccine.exe. Once uninstalled, the ransomware vaccine will not be able to stop malicious activity.

