Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[1][2]
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
vssadmin.exe
can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no
ID | Name | Description |
---|---|---|
S0640 | Avaddon |
Avaddon deletes backups and shadow copies using native system tools.[3][4] |
S0638 | Babuk |
Babuk has the ability to delete shadow volumes using |
S0570 | BitPaymer |
BitPaymer attempts to remove the backup shadow files from the host using |
S0611 | Clop |
Clop can delete the shadow volumes with |
S0608 | Conficker |
Conficker resets system restore points and deletes backup files.[9] |
S0575 | Conti |
Conti can delete Windows Volume Shadow Copies using |
S0673 | DarkWatchman |
DarkWatchman can delete shadow volumes using |
S0616 | DEATHRANSOM |
DEATHRANSOM can delete volume shadow copies on compromised hosts.[12] |
S0659 | Diavol |
Diavol can delete shadow copies using the |
S0605 | EKANS |
EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[14][15] |
S0618 | FIVEHANDS |
FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.[12][16] |
S0132 | H1N1 |
H1N1 disable recovery options and deletes shadow copies from the victim.[17] |
S0617 | HELLOKITTY |
HELLOKITTY can delete volume shadow copies on compromised hosts.[12] |
S0697 | HermeticWiper |
HermeticWiper can disable the VSS service on a compromised host using the service control manager.[18][19][20] |
S0260 | InvisiMole |
InvisiMole can can remove all system restore points.[21] |
S0389 | JCry |
JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[22] |
S0449 | Maze |
Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[23][24] |
S0576 | MegaCortex |
MegaCortex has deleted volume shadow copies using |
S0688 | Meteor |
Meteor can use |
S0457 | Netwalker |
Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[27][28] |
S0365 | Olympic Destroyer |
Olympic Destroyer uses the native Windows utilities |
S0654 | ProLock |
ProLock can use vssadmin.exe to remove volume shadow copies.[29] |
S0583 | Pysa | |
S0481 | Ragnar Locker |
Ragnar Locker can delete volume shadow copies using |
S0496 | REvil |
REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[32][33][34][35][36][37][38][39][40] |
S0400 | RobbinHood |
RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[41] |
S0446 | Ryuk |
Ryuk has used |
S0366 | WannaCry |
WannaCry uses |
S0612 | WastedLocker |
WastedLocker can delete shadow volumes.[45][46][47] |
ID | Mitigation | Description |
---|---|---|
M1053 | Data Backup |
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[48] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
M1028 | Operating System Configuration |
Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Deletion |
DS0009 | Process | Process Creation |
DS0019 | Service | Service Metadata |
DS0024 | Windows Registry | Windows Registry Key Modification |
Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage
).