```
vssadmin delete shadows /all /quiet
```
The Raccine ransomware vaccine
This weekend, security researcher Florian Roth released the ‘Raccine’ ransomware vaccine that monitors for the deletion of shadow volume copies using the vssadmin.exe command. “We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let’s try to create a simple vaccine,” Raccine’s GitHub page explains.
Raccine works by registering the raccine.exe executable as a debugger for vssadmin.exe using the Image File Execution Options Windows registry key.
Once raccine.exe is registered as a debugger, every time vssadmin.exe is executed, it will also launch Raccine, which will check to see if vssadmin is trying to delete shadow copies.
If it detects a process using ‘vssadmin delete,’ it will automatically terminate that process. Ransomware usually deletes shadow copies before it begins encrypting files on a computer, so stopping the deletion also stops the ransomware at that point.
Other ransomware families delete shadow copies without vssadmin.exe, using commands such as:

```
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
WMIC.exe shadowcopy delete /nointeractive
```

For these ransomware variants, Raccine will not currently block the ransomware as they do not use vssadmin.exe. Support for these commands may be added in the future.
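As an added example (not Raccine’s own code and not from the article), the following detection rule matches the three shadow-copy deletion command lines quoted above against constructed process-creation events and flags which of them Raccine’s vssadmin-only check would have caught; the event records and PIDs are made up for illustration.

```python
import re

# Shadow-copy deletion techniques quoted in the article. Raccine, as described,
# only intercepts the vssadmin.exe form; the WMIC and WMI forms are included so
# a detection rule can cover what the vaccine does not.
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_win32_shadowcopy_delete": re.compile(
        r"Win32_Shadowcopy\b.*\.Delete\s*\(", re.I),
}

# Only this technique is blocked by Raccine's vssadmin.exe debugger hook.
RACCINE_COVERED = {"vssadmin_delete_shadows"}


def classify_command_line(cmdline):
    """Return the name of the matching deletion technique, or None if benign."""
    for name, pattern in SHADOW_DELETE_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def triage_process_events(events):
    """Scan process-creation records (dicts with pid, image, cmdline) and return
    one alert per shadow-copy deletion, noting whether Raccine would catch it."""
    alerts = []
    for ev in events:
        technique = classify_command_line(ev["cmdline"])
        if technique is None:
            continue
        alerts.append({"pid": ev["pid"], "technique": technique,
                       "raccine_covered": technique in RACCINE_COVERED})
    return alerts


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe shadowcopy delete /nointeractive"},
    {"pid": 4140, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
    {"pid": 4151, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # legitimate enumeration: no alert
]

if __name__ == "__main__":
    for alert in triage_process_events(SAMPLE_EVENTS):
        print(alert)
```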
It should also be noted that Raccine may terminate legitimate software that uses vssadmin.exe as part of its backup routines. Roth plans on adding the ability to allow certain programs to bypass Raccine in the future so that they are not mistakenly terminated.

How to install Raccine

To install Raccine, you can follow these steps:

- Download Raccine.exe and use an elevated command prompt to copy it to the C:\Windows folder.
- Download the raccine-reg-patch.reg Registry file and double-click on it. When it prompts you to merge the contents into the Registry, allow it to do so.