Raccine utility protects from ransomware by banning deletion of shadow copies

by Emma Davis
October 6, 2020
Raccine utility protects from ransomware
Written by Emma Davis

Bleeping Computer journalists drew attention to an interesting utility recently created by information security expert Florian Roth. The utility is called Raccine (Ransomware vaccine) and it protects against the actions of ransomware, automatically eliminating any processes trying to delete shadow copies in Windows using vssadmin.exe.

The fact is that ransomware operators do not want their victims to use this OS feature to recover their files for free, so almost any ransomware malware first of all deletes all shadow copies from the infected machine.

So, one way to remove them is to use the vssadmin.exe command: vssadmin delete shadows /all /quiet. Another way is to use the resize command to set the amount of storage that Windows allocates for shadow copies. This command will also erase existing snapshots: vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB.

Ransomware often removes all shadow copies using vssadmin. But what if we could just intercept this request and stop the process call? Let’s try to create a simple vaccine.writes Roth on the project's GitHub page.

Raccine’s principle of work is simple: it registers raccine.exe as a debugger for vssadmin.exe through the Windows registry and the Windows Image File Execution Options key. After registering, each time vssadmin.exe is started, Raccine is also launched to check if vssadmin is trying to delete shadow copies.

If the utility detects that a process is using vssadmin delete or vssadmin resize shadowstorage, it automatically terminates it, thereby interfering with the operation of the ransomware.

Raccine utility protects from ransomware
Bleeping Computer reporters note that some modern ransomware removes shadow copies using other commands, including:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$ _.Delete();}
WMIC.exe shadowcopy delete /nointeractive

Alas, in such cases, Raccine cannot do anything, but Roth promises to expand the functionality of the utility over time so that it can recognize such methods.

Also in the future, Roth plans to add some programs to Raccine’s exceptions so that they would not be stopped with an error message.

Let me also remind you of some other useful utilities: EmoCheck utility detects Emotet infection, and, for example, a free utility from ESET finds BlueKeep vulnerabilities.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending