New ransomware vaccine kills programs wiping Windows shadow volumes

mood · Oct 5, 2020

New ransomware vaccine kills programs wiping Windows shadow volumes
October 4, 2020
https://www.bleepingcomputer.com/ne...kills-programs-wiping-windows-shadow-volumes/

A new ransomware vaccine program has been created that terminates processes that try to delete volume shadow copies using Microsoft's vssadmin.exe program,
The Raccine ransomware vaccine
This weekend, security researcher Florian Roth released the 'Raccine' ransomware vaccine that will monitor for the deletion of shadow volume copies using the vssadmin.exe command.

"We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine," Raccine's GitHub page explains.
Click to expand...

Raccine works by registering the raccine.exe executable as a debugger for vssadmin.exe using the Image File Execution Options Windows registry key.
If it detects a process is using 'vssadmin delete' or 'vssadmin resize shadowstorage' it will automatically terminate the process, which is usually done before ransomware begins encrypting files on a computer.

While this method will prevent encryption by a large amount of ransomware, some modern ransomware families delete shadow volumes using other commands, as listed below.
For these ransomware variants, Raccine will not currently block the ransomware as they do not use vssadmin.exe. Support for these commands may be added in the future.
Click to expand...

Raccine

A Simple Ransomware Protection
Why
We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine.
How it works
We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes. [...]
Click to expand...

Malicious combinations:

delete and shadows (vssadmin)

resize and shadowstorage (vssadmin)

delete and shadowcopy (wmic)

delete and catalog and -quiet (wbadmin)

Click to expand...

Installation

Apply Registry Patch raccine-reg-patch-vssadmin.reg to intercept invocations of vssadmin.exe

Place Raccine.exe from the release section in the PATH, e.g. into C:\Windows

(For i386 architecture systems use Raccine_x86.exe and rename it to Raccine.exe)
Click to expand...

mood · Oct 5, 2020

ShadowGuard

ShadowGuard is designed to detect when malware or ransomware is attempting to delete File Shadow Copies and take action.
Click to expand...

Website + Download
Download (Majorgeeks)

Supported Systems:
Windows 10. Although we are not officially supporting this, it will work on older versions of Windows back to Windows XP.
Click to expand...

New App: ShadowGuard

ShadowGuard is a new app designed to detect when malware or ransomware is attempting to delete File Shadow Copies and take action. Typically ransomware will attempt to delete Shadow Copies of your files prior to encrypting, so you can’t restore them, but ShadowGuard can step in at this stage to stop it completely. Upon detection ShadowGuard will:

Prevent the command from execution (Preserving your Shadow Copies)

Terminate the application that initiated the command (This would be the potential ransomware.)

Click to expand...

ShadowGuard works by attaching itself as a debugger to certain processes, filtering out destructive commands before the process is even created. ShadowGuard can currently attach to:

vssadmin.exe

wmic.exe

powershell.exe

ShadowGuard also maintains an allowed programs list which will prevent those programs from being terminated by ShadowGuard. This is extremely useful for some backup applications which may use vssadmin.exe in order to manage volume shadow copies.
Click to expand...

EASTER · Oct 6, 2020

d7xtech

Now why hasn't someone done this before now?

D/L & Installed 8.1- Best part shouldn't interfere with my regular registry backup apps RegBak-Tweaking.com Registry Backup

mood · Oct 20, 2020

mood said: ↑

New ransomware vaccine kills programs wiping Windows shadow volumes October 4, 2020

Raccine
Click to expand...

Raccine got some additions/improvements in the meantime (simulation mode, batch installer, logging to a file, etc.)
Excerpt of recent changelogs:

• Better Emotet coverage
• Some Ryuk coverage
• Windows hardening script
• support for configuration via GPO
• Simulation Mode: let Raccine run for a week or two and see if it would interfere with legitimate software (text log on disk C:\ProgramData\Raccine_log.txt and Windows Application Eventlog)
• Creates a log file with all intercepted requests and actions performed C:\ProgramData\Raccine_log.txt
• Windows Batch Installer
Click to expand...

EASTER · Oct 20, 2020

mood said: ↑

Raccine got some additions/improvements in the meantime (simulation mode, batch installer, logging to a file, etc.)
Excerpt of recent changelogs:
Click to expand...

Interesting details-improvements etc.

Long well known badware's first cruddy adventure is getting to the O/S native Shadow Copy ensuring no easy peasy quick fix back to normal from inbuilt window system.

Moose World · Oct 22, 2020

Hey there,

Anybody know if ShadowGuard will still prevent you from Raccine? Umm!

ichito · Oct 23, 2020

Moose World said: ↑

Hey there,

Anybody know if ShadowGuard will still prevent you from Raccine? Umm!
Click to expand...

Both apps offers similar protection but ShadowGuard seams to cover more.
BTW - SG is developed by the same person who developed CryptoPrevent
https://www.d7xtech.com/cryptoprevent-shadowexplorer-and-vssadmin/

Two screenshots of ShadowGuard

Moose World · Nov 12, 2020

@ichito,

Thank you ,sharing, appreciated......

Moose

mood · Nov 14, 2020

Raccine v1.4 Released (November 14, 2020)
Website
Download

1.4

Full x86 support

Log of accepted executions (EventID 3)

Moved all static internal strings into YARA rules to avoid AV detection (without success)

.NET Framework setup in installer

Click to expand...

mood · Mar 23, 2021

Raccine 1.4.2 Released (March 23, 2020)
Website
Download

1.4.2

feat: add taskkill.exe interception to the coverage

fix: pass trough of exit codes of the intercepted processes

1.4.1

Fix: issues with some rule updates causing problems when rules contain different types of line breaks

Click to expand...

EASTER · Mar 24, 2021

All of which screams to users to already utilize daily backup images, then the intruders can fudge all they want in a wasted effort.

Still those apps (Raccine & Shadow Guard) have their place to some degree for unaware users.

mood · May 15, 2021

Raccine 1.4.3 Released (May 15, 2021)
Website
Download

1.4.3

Integrity checks in installer

Click to expand...

Log in or Sign up

New ransomware vaccine kills programs wiping Windows shadow volumes

mood Updates Team

mood Updates Team

EASTER Registered Member

mood Updates Team

EASTER Registered Member

Moose World Registered Member

ichito Registered Member

Moose World Registered Member

mood Updates Team

mood Updates Team

EASTER Registered Member

mood Updates Team

Log in or Sign up

New ransomware vaccine kills programs wiping Windows shadow volumes

mood Updates Team

mood Updates Team

EASTER Registered Member

mood Updates Team

EASTER Registered Member

Moose World Registered Member

ichito Registered Member

Moose World Registered Member

mood Updates Team

mood Updates Team

EASTER Registered Member

mood Updates Team

Useful Searches