Ransomware Vaccine Intercepts Requests to Erase Shadow Copies
A newly released “vaccine” can prevent certain ransomware families from erasing shadow copies to prevent data recovery.
Dubbed “Raccine” and released by security researchers Florian Roth and Ollie Whitehouse, the vaccine targets ransomware families that leverage vssadmin.exe to delete all shadow copies on a compromised machine.
A legitimate utility in Windows, vssadmin.exe provides users with the ability to administer shadow copies, but is often abused for malicious purposes. Raccine was designed to intercept the request to erase shadow copies, and also to kill the process that made the request.
The vaccine works by applying a registry patch to intercept vssadmin.exe invocations.
“We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes,” Roth explains on GitHub.
Compatible with all Windows versions starting with Windows 2000, the tool applies a rather generic method to stop ransomware, and the changes it makes can be undone. It’s agentless so it does not require a running executable or a service.
Given that it was designed to kill all processes that attempt to invoke vssadmin.exe delete shadows (or other blacklisted combinations), the tool can impact the activity of legitimate applications, Roth explains on the tool’s GitHub page.
“You won’t be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree including the backup solution and its invoking process,” Roth says.
The researcher also encourages admins to check logs to see how frequently vssadmin.exe is invoked for the legitimate deletion or modification of shadow storage and refrain from using the vaccine if the Windows utility is frequently used.
Further details on how to install and use Raccine, as well as on what blacklist rules can be set, are available on GitHub. According to its developers, the vaccine can be used to target other processes as well.