Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[1][2] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[3]

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete "online" backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[4] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[5][6]

ID: T1490
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: Containers, IaaS, Linux, Network, Windows, macOS
Impact Type: Availability
Contributors: Austin Clark, @c2defense; Joey Lei; Pallavi Sivakumaran, WithSecure; Yonatan Gotlib, Deep Instinct
Version: 1.3
Created: 02 April 2019
Last Modified: 03 October 2023

Procedure Examples

ID Name Description
S0640 Avaddon

Avaddon deletes backups and shadow copies using native system tools.[7][8]

S0638 Babuk

Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet.[9][10]

S0570 BitPaymer

BitPaymer attempts to remove the backup shadow files from the host using vssadmin.exe Delete Shadows /All /Quiet.[11]

S1070 Black Basta

Black Basta can delete shadow copies using vssadmin.exe.[12][13][14][15][16][17][18][19][19][20]

S1068 BlackCat

BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.[21]

S0611 Clop

Clop can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.[22]

S0608 Conficker

Conficker resets system restore points and deletes backup files.[23]

S0575 Conti

Conti can delete Windows Volume Shadow Copies using vssadmin.[24]

S0673 DarkWatchman

DarkWatchman can delete shadow volumes using vssadmin.exe.[25]

S0616 DEATHRANSOM

DEATHRANSOM can delete volume shadow copies on compromised hosts.[26]

S0659 Diavol

Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.[27]

S0605 EKANS

EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[28][29]

S0618 FIVEHANDS

FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.[26][30]

S0132 H1N1

H1N1 disable recovery options and deletes shadow copies from the victim.[31]

S0617 HELLOKITTY

HELLOKITTY can delete volume shadow copies on compromised hosts.[26]

S0697 HermeticWiper

HermeticWiper can disable the VSS service on a compromised host using the service control manager.[32][33][34]

S0260 InvisiMole

InvisiMole can can remove all system restore points.[35]

S0389 JCry

JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[36]

S0449 Maze

Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[37][38]

S0576 MegaCortex

MegaCortex has deleted volume shadow copies using vssadmin.exe.[39]

S0688 Meteor

Meteor can use bcdedit to delete different boot identifiers on a compromised host; it can also use vssadmin.exe delete shadows /all /quiet and C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete.[40]

S0457 Netwalker

Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[41][42]

S0365 Olympic Destroyer

Olympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.[1]

S1058 Prestige

Prestige can delete the backup catalog from the target system using: c:\Windows\System32\wbadmin.exe delete catalog -quiet and can also delete volume shadow copies using: \Windows\System32\vssadmin.exe delete shadows /all /quiet.[43]

S0654 ProLock

ProLock can use vssadmin.exe to remove volume shadow copies.[44]

S0583 Pysa

Pysa has the functionality to delete shadow copies.[45]

S0481 Ragnar Locker

Ragnar Locker can delete volume shadow copies using vssadmin delete shadows /all /quiet.[46]

S0496 REvil

REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[47][48][49][50][51][52][53][54][55]

S0400 RobbinHood

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[56]

S1073 Royal

Royal can delete shadow copy backups with vssadmin.exe using the command delete shadows /all /quiet.[57][58][59]

S0446 Ryuk

Ryuk has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[60]

S0366 WannaCry

WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.[61][2][62]

S0612 WastedLocker

WastedLocker can delete shadow volumes.[63][64][65]

G0102 Wizard Spider

Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin.[66]

Mitigations

ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[67] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies.[68]

M1028 Operating System Configuration

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: reagentc /enable.[69]

M1018 User Account Management

Limit the user accounts that have access to backups to only those required.

Detection

ID Data Source Data Component Detects
DS0010 Cloud Storage Cloud Storage Deletion

Monitor for unexpected deletion of a cloud storage objects (ex: AWS delete-object), especially those associated with cloud backups.

DS0017 Command Command Execution

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit.

DS0022 File File Deletion

The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.

DS0009 Process Process Creation

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics.

Analytic 1 - Detecting Shadow Copy Deletion or Resize

deleted_copy = filter processes where ((event_id ="4688" OR event_id ="1") (CommandLine="vssadmin delete shadows" OR CommandLine="wmic shadowcopy delete" OR CommandLine="vssadmin resize shadowstorage")) OR (event_id ="5857" ProviderName="MSVSS__PROVIDER") OR (event_id ="5858" Operation="Win32_ShadowCopy")

Analytic 2 - BCDEdit Failure Recovery Modification

bcdedit_commands = filter processes where ( exe = "C:\Windows\System32\bcdedit.exe" AND command_line="recoveryenabled" )

DS0019 Service Service Metadata

Monitor the status of services involved in system recovery.

Note: For Windows, Event ID 7040 can be used to alert on changes to the start type of a service (e.g., going from enabled at startup to disabled) associated with system recovery.

DS0020 Snapshot Snapshot Deletion

Monitor for unexpected deletion of snapshots (ex: AWS delete-snapshot), especially those associated with cloud backups.

DS0024 Windows Registry Windows Registry Key Modification

Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).

References

  1. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  2. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  3. TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022.
  4. Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.
  5. Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.
  6. Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.
  7. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
  8. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  9. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  10. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  11. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  12. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  13. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  14. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  15. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  16. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  17. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  18. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  19. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
  20. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  21. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  22. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  23. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  24. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  25. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  26. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  27. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  28. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  29. Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
  30. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  31. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  32. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  33. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  34. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  35. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  1. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  2. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  3. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  4. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  5. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  6. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  7. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  8. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  9. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  10. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  11. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  12. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  13. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  14. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  15. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  16. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  17. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  18. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  19. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  20. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  21. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  22. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  23. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
  24. CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.
  25. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  26. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  27. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  28. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  29. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  30. Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
  31. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  32. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.
  33. Jay Chen. (2022, May 16). A Look Into Public Clouds From the Ransomware Actor's Perspective. Retrieved March 21, 2023.
  34. Microsoft, EliotSeattle, et al. (2022, August 18). REAgentC command-line options. Retrieved October 19, 2022.