- Home
- Techniques
- Enterprise
- Inhibit System Recovery
Inhibit System Recovery
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[1][2]
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
vssadmin.exe
can be used to delete all volume shadow copies on a system -vssadmin.exe delete shadows /all /quiet
- Windows Management Instrumentation can be used to delete volume shadow copies -
wmic shadowcopy delete
wbadmin.exe
can be used to delete the Windows Backup Catalog -wbadmin.exe delete catalog -quiet
bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data -bcdedit.exe /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no
Procedure Examples
Name | Description |
---|---|
H1N1 |
H1N1 disable recovery options and deletes shadow copies from the victim.[3] |
InvisiMole |
InvisiMole can can remove all system restore points.[4] |
JCry |
JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[5] |
Maze |
Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[6][7] |
Netwalker |
Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[8][9] |
Olympic Destroyer |
Olympic Destroyer uses the native Windows utilities |
Ragnar Locker |
Ragnar Locker can delete volume shadow copies using |
REvil |
REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[11][12][13][14][15][16][17][18] |
RobbinHood |
RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[19] |
Ryuk |
Ryuk has used |
WannaCry |
WannaCry uses |
Mitigations
Mitigation | Description |
---|---|
Data Backup |
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[23] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
Operating System Configuration |
Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. |
Detection
Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage
).
References
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
- Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.