A Simple Ransomware Protection
We see ransomware delete all shadow copies using
vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let’s try to create a simple vaccine.
How it works
We register a debugger for
wmic.exe), which is our compiled
raccine.exe. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes.
- The method is rather generic
- We don’t have to replace a system file (
wmic.exe), which could lead to integrity problems and could break our raccination on each patch day
- The changes are easy to undo
- Should work on all Windows versions from Windows 2000 onwards
- No running executable or additional service required (agent-less)
Disadvantages / Blind Spots:
- The legitimate use of
vssadmin.exe delete shadows (or any other blacklisted combination) isn’t possible anymore
- It even kills the processes that tried to invoke
vssadmin.exe delete shadows, which could be a backup process
- This won’t catch methods in which the malicious process isn’t one of the processes in the tree that has invoked
vssadmin.exe (e.g. via
- Invocation of
wmic.exe) gets intercepted and passed to
raccine.exe as debugger (
vssadmin.exe delete shadows becomes
raccine.xe vssadmin.exe delete shadows)
- We then process the command line arguments and look for malicious combinations.
- If no malicious combination could be found, we create a new process with the original command line parameters.
- If a malicious combination could be found, we collect all PIDs of parent processes and the start killing them (this should be the malware processes as shown in the screenshots above). Raccine shows a command line window with the killed PIDs for 5 seconds and then exits itself.
USE IT AT YOUR OWN RISK!
You won’t be able to run commands that use the blacklisted commands on a raccinated machine anymore until your apply the uninstall patch
raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree including the backup solution and its invoking process.
If you have a solid security monitoring that logs all process executions, you could check your logs to see if
vssadmin.exe delete shadows or
vssadmin.exe resize shadowstorage ... is frequently or sporadically used for legitimate purposes in which case you should refrain from using Raccine.
- 0.1.0 - Initial version that intercepted & blocked all vssadmin.exe executions
- 0.2.0 - Version that blocks only vssadmin.exe executions that contain
shadows in their command line and otherwise pass all parameters to a new process that invokes vssadmin with its original parameters
- 0.2.1 - Removed
explorer.exe from the whitelist
- 0.3.0 - Supports the
wmic method calling
delete shadowcopy, no outputs for whitelisted process starts (avoids problems with wmic output processing)
- 0.4.0 - Supports logging to the Windows Eventlog for each blocked attempt, looks for more malicious parameter combinations
- 0.4.1 - Statically linked binaries
- 0.4.2 - Bugfixes provided by John Lambert
- 0.5.0 - Removed Eventlog logging (basic info was unnecessary; cuased higher complexity; can be achieved by process creation logging as well), support for wbadmin filtering
- 0.5.1 - Improvements by @JohnLaTwC
- 0.5.2 - Additional check for
delete shadowstorage by @JohnLaTwC, code review by @_hillu, application icon
- Apply Registry Patch
raccine-reg-patch-vssadmin.reg to intercept invocations of
Raccine.exe from the release section in the
PATH, e.g. into
(For i386 architecture systems use
Raccine_x86.exe and rename it to
Wmic Addon (Optional)
About 10-30% of Ransomware samples use
wmic to delete the local shadowcopies. However,
wmic is used for administrative activity far more often than
vssadmin. The output of wmic often gets processed by automated scripts. It is unknown how a proxied execution through Raccine affects these scripts and programs. We’ve removed all outputs for cases in which no malicious parameter combination gets detected, but who knows?
- Apply the
raccine-reg-patch-wmic.reg patch to intercept invocations of
Wbadmin Addon (Optional)
Ransomware often uses the command
wbadmin delete catalog -quiet to delete the backup catalog of the local computer.
- Apply the
raccine-reg-patch-wbadmin.reg patch to intercept invocations of
raccine.exe and watch the parent process tree die (screenshot of v0.1)
In case that the Ransomware that your’re currently handling uses a certain process name, e.g.
taskdl.exe, you could just change the
.reg patch to intercept calls to that name and let Raccine kill all parent processes of the invoking process tree.
I’d like to extend Raccine but lack the C++ coding skills, especially o the Windows platform.
1. Allow Certain Vssadmin Executions
implemented by Ollie Whitehouse in v0.2.0
Since Raccine is registered as a debugger for
vssadmin.exe the actual command line that starts raccine.exe looks like
raccine.exe vssadmin.exe ... [params]
If we were able to process the command line options and apply filters to them, we could provide the following features:
- Only block the execution in cases in which the parameters contains
- Allow all other executions by passing the original parameters to a newly created process of
vssadmin.exe (transparent pass-through)
2. Whitelist Certain Parents
We could provide a config file that contains white-listed parents for
vssadmin.exe. If such a parent is detected, it would also pass the parameters to a new process and skip killing the process tree.
3. Create Shim Instead of Image File Execution Options Hack
The solution is outlined in this tweet and related talk.
Why did it even kill explorer.exe during its run?
Since malware tends to inject into
explorer.exe, we thought it would be a good idea to kill even
explorer.exe in order to avoid malicious code performing other operations on the system. What happens in real world examples is that a user that executed the Ransomware process would loose its windows task bar and desktop, while other programs like Microsoft Word or Outlook would still be running and the user would be able to save his work and close the respective programs before calling the helpdesk or simpy reboot the system. An expericend user could bring up task manager using
CTRL+ALT+Del and start a new
explorer.exe or just log off.
The right pronounciation is “Rax-Een”.