A new ransomware vaccine program has been created that terminates processes that try to delete volume shadow copies using Microsoft’s vssadmin.exe program,
Every day, Windows will create backups of your system and data files and store them in Shadow Volume Copy snapshots.
These snapshots can then be used to recover files if they are mistakenly changed or deleted.
As ransomware infections do not want victims to use this feature to recover files for free, one of the first things they do when executed is to delete all Shadow Volume copies on the computer.
One method of deleting Shadow Volumes is to use the following vssadmin.exe command:
vssadmin delete shadows /all /quiet
The Raccine ransomware vaccine
This weekend, security researcher Florian Roth released the ‘Raccine’ ransomware vaccine that will monitor for the deletion of shadow volume copies using the vssadmin.exe command.
“We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let’s try to create a simple vaccine,” Raccine’s GitHub page explains.
Raccine works by registering the raccine.exe executable as a debugger for vssadmin.exe using the Image File Execution Options Windows registry key.
Once raccine.exe is registered as a debugger, every time vssadmin.exe is executed, it will also launch Raccine, which will check to see if vssadmin is trying to delete shadow copies.
If it detects a process is using ‘vssadmin delete,’ it will automatically terminate the process, which is usually done before ransomware begins encrypting files on a computer.
Raccine killing processes
While this method will prevent encryption by a large amount of ransomware, some modern ransomware families delete shadow volumes using other commands, as listed below.
For these ransomware variants, Raccine will not currently block the ransomware as they do not use vssadmin.exe. Support for these commands may be added in the future.
It should also be noted that Raccine may terminate legitimate software that uses vssadmin.exe as part of their backup routines.
Roth plans on adding the ability to allow certain programs to bypass Raccine in the future so that they are not mistakenly terminated.
Download the raccine-reg-patch.reg Registry file and double-click on it. When it prompts you to merge the contents into the Registry, allow it to do so.
Raccine is now registered as a debugger for the vssadmin.exe command monitors for attempts to delete shadow volume copies.
If you find that Raccine is terminating legitimate programs that you use, you can uninstall it by running the raccine-reg-patch-uninstall.reg registry file and deleting C:\windows\raccine.exe.
Once you uninstall Raccine, it will no longer terminate processes that attempt to delete shadow volume copies using vssadmin.exe.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
