A new type of vaccine called raccine.exe has been created to help defend against ransomware. The program will not stop ransomware from being installed on a PC, but it can help with the recovery process. The vaccine terminates any process that tries to delete the Shadow Volume Copies on a Windows machine. Windows creates daily backups of your system and data files (when activated) and stores them as snapshots in Shadow Volume Copy. These snapshots are useful for recovering files if they are accidentally changed or deleted.
Many ransomware programs do not want their victims to use this feature, as it can help victims recover their files for free. One of the first things most ransomware programs do is delete all Shadow Volume Copies on the computer. This is generally done with the command “vssadmin delete shadows /all /quiet”. The new vaccine is an executable that is a debugger for vssadmin.exe. Any time vssadmin is executed on the computer, raccine.exe launches as well, checks whether vssadmin is trying to delete shadow copies, and, if so, terminates the process.
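The check described above, sketched as an added example (this is not Raccine's own code): a Python predicate that decides whether a process command line is a vssadmin call that deletes shadow copies, run over constructed process-creation events. The function names, the (pid, command line) event layout and the sample lines are assumptions made for illustration.

```python
import ntpath
import shlex

def is_shadow_delete(command_line: str) -> bool:
    """True when the command line runs vssadmin with 'delete' and 'shadows'."""
    try:
        # posix=False keeps the backslashes of Windows paths intact.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        # Unbalanced quotes: fall back to a plain whitespace split.
        tokens = command_line.split()
    if not tokens:
        return False
    # Compare only the image name: ignore directory, case and surrounding quotes.
    image = ntpath.basename(tokens[0].strip('"')).lower()
    if image not in ("vssadmin", "vssadmin.exe"):
        return False
    # Match the two verbs as whole arguments, in any case and spacing.
    args = {t.strip('"').lower() for t in tokens[1:]}
    return {"delete", "shadows"} <= args

def flag_events(events):
    """Return the PIDs of events whose command line deletes shadow copies."""
    return [pid for pid, cmd in events if is_shadow_delete(cmd)]

# Constructed sample events (pid, command line); not taken from real logs.
SAMPLE_EVENTS = [
    (4120, 'vssadmin delete shadows /all /quiet'),
    (4188, '"C:\\Windows\\System32\\VSSADMIN.EXE"  Delete  Shadows /All /Quiet'),
    (4242, 'vssadmin list shadows'),                       # read-only query
    (4300, 'notepad.exe C:\\notes\\vssadmin delete shadows.txt'),  # other image
    (4355, 'vssadmin.exe delete shadows /for=C: /oldest'),
]

if __name__ == "__main__":
    for pid in flag_events(SAMPLE_EVENTS):
        print(f"pid {pid}: vssadmin shadow copy deletion")
```

The same predicate can be applied to the command-line field of process-creation logs to alert on the behaviour on machines where it is not being blocked.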
https://www.bleepingcomputer.com/news/security/new-ransomware-vaccine-kills-programs-wiping-windows-shadow-volumes/