Ransomware Vaccine Intercepts Requests to Erase Shadow Copies

A newly released “vaccine” can stop certain ransomware families from erasing Volume Shadow Copies, a step attackers take so that victims cannot recover their files without paying.


Dubbed “Raccine” and released by security researchers Florian Roth and Ollie Whitehouse, the vaccine targets ransomware families that leverage vssadmin.exe to delete all shadow copies on a compromised machine.


A legitimate Windows utility, vssadmin.exe lets administrators manage Volume Shadow Copies, but it is frequently abused by ransomware to wipe them. Raccine was designed to intercept a request to erase shadow copies and to kill the process tree that made the request.


The vaccine works by applying a registry patch that registers raccine.exe as the “debugger” for vssadmin.exe under Image File Execution Options (IFEO). Windows then launches raccine.exe in place of vssadmin.exe whenever the latter is invoked, handing it the original command line to inspect.


“We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary that first collects all PIDs of the parent processes and then tries to kill all parent processes,” Roth explains on GitHub.


Compatible with all Windows versions starting with Windows 2000, the tool applies a fairly generic method to stop ransomware, and the registry changes it makes can be reverted with the supplied uninstall patch. It is agentless: because the interception is done by the operating system’s IFEO mechanism, no resident executable or service has to be running.


Given that it was designed to kill all processes that attempt to invoke vssadmin.exe delete shadows (or other blacklisted combinations), the tool can impact the activity of legitimate applications, Roth explains on the tool’s GitHub page.


“You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree includin ..
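The following Python program is an added illustration of the mechanism described above, not Raccine’s own code. It models the two decisions the IFEO-registered “debugger” has to make once Windows has started it in place of vssadmin.exe or wmic.exe with the original command line: whether the arguments match a blacklisted combination, and, if they do, which parent PIDs to kill. It also shows the side effect Roth warns about, with a legitimate backup agent landing in the kill list. The blacklist entries (only “vssadmin delete shadows” is named on the page; the wmic entry is assumed), the set of protected process names, and the process table are assumptions constructed for the example.

```python
"""Added illustration of the Raccine approach described in the article.

This is not Raccine's code. It models the two decisions the IFEO-registered
"debugger" has to make once Windows has launched it in place of vssadmin.exe
(or wmic.exe) with the original command line:

  1. does the command line match a blacklisted combination?
  2. if so, which parent PIDs should be killed?

The blacklist, the protected-process names and the process table below are
assumptions constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Blacklisted (program, keyword, ...) combinations, matched case-insensitively
# and regardless of argument order. "vssadmin delete shadows" is the case the
# article names; the wmic entry is an assumed addition for the second program
# Raccine registers a debugger for.
BLACKLIST: Tuple[Tuple[str, ...], ...] = (
    ("vssadmin", "delete", "shadows"),
    ("wmic", "shadowcopy", "delete"),
)

# Assumption: never walk past these when collecting parents to kill, so a
# blocked command cannot take the shell or the service control manager with it.
PROTECTED = {"system", "wininit.exe", "services.exe", "explorer.exe"}

# Constructed process table: pid -> (parent pid, image name). Two call sites
# are modelled: a ransomware process spawning cmd.exe, and a legitimate backup
# agent pruning old shadows. In both, raccine.exe is what Windows actually
# started instead of vssadmin.exe.
SAMPLE_PROCESSES: Dict[int, Tuple[int, str]] = {
    4:    (0,    "System"),
    600:  (4,    "wininit.exe"),
    700:  (600,  "services.exe"),
    1100: (700,  "explorer.exe"),
    1200: (1100, "ransom.exe"),
    1300: (1200, "cmd.exe"),
    1400: (1300, "raccine.exe"),
    2000: (700,  "backupagent.exe"),
    2100: (2000, "raccine.exe"),
}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def program_name(path: str) -> str:
    """Reduce 'C:\\Windows\\System32\\VSSADMIN.EXE' to 'vssadmin'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_blacklisted(cmdline: str) -> bool:
    """True if the command line matches any blacklisted combination."""
    tokens = tokenize(cmdline)
    if not tokens:
        return False
    prog = program_name(tokens[0])
    args = {t.lower() for t in tokens[1:]}
    return any(prog == entry[0] and set(entry[1:]) <= args
               for entry in BLACKLIST)


def collect_parents(pid: int, table: Dict[int, Tuple[int, str]]) -> List[int]:
    """Walk up from pid and return the ancestor PIDs to kill, nearest parent
    first, stopping at a protected process, an unknown PID or a cycle."""
    chain: List[int] = []
    seen = {pid}
    while pid in table:
        ppid, _ = table[pid]
        if ppid in seen or ppid not in table:
            break
        if table[ppid][1].lower() in PROTECTED:
            break
        chain.append(ppid)
        seen.add(ppid)
        pid = ppid
    return chain


def decide(cmdline: str, pid: int,
           table: Dict[int, Tuple[int, str]] = SAMPLE_PROCESSES) -> Tuple[str, List[int]]:
    """Return ('blocked', [pids to kill]) or ('allowed', []) for one invocation.
    'allowed' is the case in which the real vssadmin.exe would be run instead."""
    if is_blacklisted(cmdline):
        return "blocked", collect_parents(pid, table)
    return "allowed", []


if __name__ == "__main__":
    cases = [
        ('vssadmin.exe Delete Shadows /All /Quiet', 1400),            # ransomware
        ('vssadmin delete shadows /for=C: /oldest', 2100),            # backup agent
        ('"C:\\Windows\\System32\\vssadmin.exe" list shadows', 1400),
        ('wmic shadowcopy delete', 1400),
    ]
    for cmd, pid in cases:
        verdict, victims = decide(cmd, pid)
        names = [SAMPLE_PROCESSES[p][1] for p in victims]
        print(f"{verdict:7} {cmd!r} -> kill {names}")
```

Running the script prints a verdict for each constructed case. The first blocks the ransomware chain (cmd.exe, then ransom.exe) and stops short of explorer.exe; the second shows the caveat from the quote above: the backup agent’s routine `delete shadows /for=C: /oldest` is indistinguishable from the attack by arguments alone, so the agent itself ends up in the kill list. The keyword match is deliberately order-insensitive and case-insensitive so that `Delete Shadows` and `shadows delete` are treated alike, while `list shadows` passes through.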
