Threat Analysis Unit


THREAT REPORT: ILLUMINATING VOLUME SHADOW DELETION

Dana Behling September 20, 2022 45 min read

EXECUTIVE SUMMARY 

Ransomware is one of the greatest threats to all industries. Threat actors have
the ability to severely hinder, or destroy, the operations of organizations that
range from small non-profits to global corporations. While there are many
research studies on ransomware, this paper specifically describes its method of
destroying a form of Windows data backup called Volume Shadow Copies. In
particular, it describes a new method discovered in the wild that can bypass
many forms of detection and prevention.


INTRODUCTION 

The trillion-dollar ransomware market continues to grow, evolve, and affect
every industry around the world. The attackers’ goal is simple: prevent access
to data using numerous methods to ensure that data is inaccessible until a
desired ransom is paid. While most ransomware detection techniques focus heavily
on methods of data encryption, which normally follows a narrow set of
techniques, the techniques that ransomware uses to prevent restoration from
backups and thwart system recovery are equally important and often receive less
attention. Security practitioners continue to stress the importance of backups,
and at the same time malicious actors are inventing new ways to inhibit system
recovery. Some of the first tactics ever identified are still in use today.  

As part of a large-scale ransomware threat analysis, the VMware Threat Analysis
Unit (TAU) identifies and catalogs the various techniques that impact data
recovery on compromised endpoints. One of the most well-known methods is the
deletion of Windows Volume Shadow Copies. The Volume Shadow Copy Solution (VSS)
was introduced with Windows Server® 2003 and, on user systems, with Windows XP.
It solved two critical needs. One, it allowed the backup of data while it was in
use, and two, it allowed the backup of data that was otherwise too large to back
up all at once. This is possible because rather than make a one-time exact copy
of the data, VSS monitors and records changes to data, and by tracking these
changes, it can produce copies of files and system settings. Known to users as
the “Previous Versions” feature, this built-in VSS capability quickly became,
and continues to be, a part of individual and corporate backup strategies.

Commonly accepted as one of the first modern-day ransomware families,
CryptoLocker emerged in 2013, spreading through the Zeus banking trojan. It
encrypted files and requested amounts such as $100 and $300 from victims for
decryption. In its very first iteration this ransomware did not delete volume
shadow copies (VSCs), so a common recovery solution performed by victims was to
remove the ransomware from the system and then restore it from a known-good VSC.
The ransomware actors learned quickly and, as expected, this loophole was closed
in a matter of months with new variants that deleted all VSCs. Since then, almost
all ransomware deletes VSCs and uses other techniques to prohibit system
recovery.


THREE CATEGORIES OF VSC DELETION TECHNIQUES 

 1. Use of native Windows binaries (Living Off the Land binaries or LOLbins) 
 2. Scripting which uses objects available in the language (WQL, PowerShell,
    VBS) 
 3. COM object interactions  

Use of living-off-the-land binaries is by far both the simplest and the most
observed technique, closely followed by the use of objects in scripting
languages. These first two categories of techniques are easily observable
because in most cases, even if obfuscated, they must eventually be interpreted
as text that their respective interfaces or interpreters can understand.
Markedly different from the first two categories is the direct manipulation of
COM objects. Techniques that use COM to modify VSCs are far more sophisticated,
which makes them both more difficult to detect and more difficult to write. On
both fronts these techniques require a significantly deeper knowledge of Windows
internals, including a good understanding of COM.

This paper provides an overview of techniques in all three of these categories
that delete VSCs and reveals a new VSS COM object technique for deleting volume
shadow copies that was recently discovered in ransomware in the wild. To
understand the technique, it helps to have a high-level understanding of the VSS
and COM. 


BASICS OF VOLUME SHADOW COPIES 


FOUR COMPONENTS OF VOLUME SHADOW COPY SOLUTION 

 * Volume Shadow Copy Service (VSS) – coordinates the actions of the other
   components listed here 
 * VSS Requestor – applications that request actions on one or more shadow
   copies; most commonly this is a backup application 
 * VSS Writer – enumerates and tracks the state changes of data tagged for
   backup, including locations. Numerous VSS Writers are provided for
   enumerating data required by Windows features.1  
 * VSS System Provider – commonly referred to as “providers”, these know about
   both copies of the data, the original and the backup, and interact with
   storage hardware. This is the only component that can also be implemented
   in hardware.

 



Figure 1: Architectural Diagram of Volume Shadow Copy Service (Microsoft, 2021) 


OPERATIONAL FLOW OF VOLUME SHADOW COPY SERVICE 

An example volume shadow copy creation starts with a VSS Requestor asking the
VSS Coordinator for a list of all the VSS Writers available. Generally, each
writer returned represents data associated with a specific Windows feature. Some
examples of VSS Writers include the Registry Writer, Task Scheduler Writer, and
File Replication Service Writer. As requested by the VSS Coordinator, each of
the available VSS Writers provides details about its data, which the VSS
Coordinator then sends to the VSS Requestor, who selects which data to back up.
The VSS Coordinator then notifies the appropriate VSS Writers to prepare their
data for making a shadow copy. After all preparations have been completed by
the VSS Writers, the VSS Coordinator is notified, and it then requests that the
VSS Writers freeze changes to their data. Once the VSS Coordinator is notified
that the VSS Writers’ data is frozen, the VSS System Provider is notified to
make the Volume Shadow Copy. On completion, the VSS Provider notifies the VSS
Coordinator, which in turn notifies the VSS Writers that the freeze can be
lifted. If everything goes smoothly, the location of the volume shadow copy is
then provided to the VSS Requestor.


SYSTEM RESTORE POINTS VERSUS VOLUME SHADOW COPIES 

Restore Points are also an option of the Volume Shadow Copy Solution, and both
Restore Points and Volume Shadow Copies are native features built into Windows.
While both are handled by the in-box Volume Shadow Copy Service, there is an
important difference. System Restore Points do not back up user data (i.e.,
anything in the “Users” folders). As the word “System” in the name “System
Restore” implies, these backups record configuration changes to the operating
system and its applications. Volume Shadow Copies, on the other hand, back up
both system configuration and user data. The difference between Volume Shadow
Copies and System Restore Points illustrates how configurable the Volume Shadow
Copy Solution can be. It all comes down to which of the VSS Writers are selected
by the VSS Requestor.


VSC MANAGEMENT WITH WINDOWS UTILITIES 

The VSS is a native Windows service, so Microsoft provides convenience utilities
for interacting with and managing shadow copies. While they see regular use by
network administrators the world over, it is hardly surprising to find that
these same utilities are also abused by ransomware to delete or deny access to
VSCs. Many ransomware families use more than one of them to make certain that
VSCs are not available for data recovery. The table below lists some of the
more common utilities.

Table 1: Windows Utilities for VSCs

 * vssadmin.exe – Provides functionality to list, delete, and resize VSCs.
 * wmic shadowcopy – The shadowcopy command under the Windows Management
   Instrumentation Command line (WMIC), or wmic.exe, allows for the creation,
   deletion and listing of VSCs.
 * wbadmin.exe – Creates a one-time or scheduled Volume Shadow Copy where
   changes are not tracked or saved. Can create, list and delete VSCs. This
   command uses the keyword “catalog” to refer to VSCs.
 * bcdedit.exe – The BCD in bcdedit.exe is short for Boot Configuration Data.
   This utility has many options, but ransomware primarily uses it to prevent
   automatic recovery from VSCs.


NATIVE WINDOWS BINARIES FOR VSC DELETION 

In ransomware, the most common method of deleting VSCs is to use tools resident
on the system, otherwise known as Living Off the Land binaries (LOLbins), and
the most common of these by far is the LOLbin vssadmin.exe. The behavior and
available options of vssadmin.exe may vary depending on the version of Windows
or if running these commands on a server version, but in general it provides the
ability to show details about most VSS objects and resize or delete VSCs. 



Figure 2: Available vssadmin Commands 

Example usage that loops over each volume deleting the VSCs associated with
each. 

vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]  

Command 1: vssadmin delete shadows 

Another way to abuse the vssadmin command is to resize the volume shadow copy
storage to anything smaller than its currently used space.  This leaves malware
authors with the choice of guessing the VSC used space, simply picking a small
value and hoping it deletes the VSCs, or adding functionality to determine the
actual used space.  One way to get the amount of space currently used by the VSC
is to run the below command. 

vssadmin list shadowstorage 

Command 2: vssadmin list shadowstorage 

To achieve a resize deletion the malware authors need to set the maxsize
parameter to any value less than what is currently used. According to Microsoft,
the minimum value allowed for allocation by the maxsize parameter is 1MB2, so it
follows that setting maxsize to 1MB should have the best chance of deleting the
VSCs.  

vssadmin resize shadowstorage /for=<ForVolumeSpec> /on=<ForVolumeSpec> /maxsize=1MB

Command 3: vssadmin resize shadowstorage 

 


VSSADMIN USED IN DARKGATE RANSOMWARE 

The DarkGate ransomware, written in Delphi, takes full advantage of those
unfortunate enough to become infected: it not only encrypts files but adds
insult to injury by using the infected systems to mine cryptocurrency. If that’s
not enough, it also has the capability to download and execute additional
payloads that can steal crypto wallets or gain complete control of the system.
The image below is taken from DarkGate and shows the vssadmin command being
passed to the command prompt to delete the volume shadow copies.

 



Figure 3: Example of vssadmin in
10bfaeb0c00425c4749140d5c7d9f3d88537cf2f621ba7af5322b15cf205b896 

 


VSSADMIN RESIZE SHADOWSTORAGE USED BY CONTI 

In a 2020 version of the now notorious Conti ransomware, the vssadmin resize
technique is used. The choice of 401MB as the maxsize value is interesting.
Popular consensus at the time was that the number was picked by the author at
random.

vssadmin Delete Shadows /all /quiet 
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB 
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded 
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB 
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded 
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB 
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded 
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB 
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded 
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB 
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded 
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB 
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

Figure 4: Example of vssadmin in
eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe 


VSSADMIN & WMIC USED IN MSILZILLA (.NET RANSOMWARE) 

MSILZilla ransomware was originally written in one of the Microsoft .NET
languages (C#, F# or Visual Basic) and compiled into Microsoft Intermediate
Language (MSIL). MSIL is a CPU-independent set of instructions that can be
efficiently converted to native code, usually at runtime by the .NET
just-in-time (JIT) compiler. Although an exhaustive study was not made on the
topic, experience shows that numerous named MSIL ransomware families are
circulating. One recently in the news is Chaos, but the .NET ransomware legacy
can be traced back to at least 2016.

Figure 5: Example of vssadmin and wmic in
390f6c71817dcf576d2b59878684ff46a78e2292fdd60df090b77730206a537a 

The above screenshot not only shows hints of a Kaspersky masquerade, but the
death blow to this system’s VSCs. The ransomware sample is shown running the
command, “vssadmin delete shadows /all /quiet && wmic shadowcopy delete”.  The
first part of this two-part command that is separated by double-ampersands uses
the Windows vssadmin utility to delete all shadow copies and suppresses any user
feedback.  Then, the second part makes doubly sure the VSCs are deleted by
running “wmic shadowcopy delete”, which achieves the same outcome through
different means. If this doesn’t seem quite right, it’s because it contains an
error.  The double-ampersands should be replaced either with a single-ampersand
or double-vertical bar.  The single ampersand will run the wmic part of the
command regardless of the outcome of the vssadmin command, and the
double-vertical bar would run the wmic command only if the vssadmin part of the
command fails.  While looking at methods of VSC deletion, it was common to see
these two commands used together.  They were usually separated by a single
ampersand. 


WMIC SHADOWCOPY 

WMIC is short for Windows Management Instrumentation Command Line. As the name
suggests it is a command line utility that is part of the larger Windows
Management Instrumentation (WMI) infrastructure.  WMI, and on a smaller scale
WMIC, provides tools for the automation and remote administration of distributed
systems.  A relatively small part of this is the management of volume shadow
copies. As shown below, the wmic shadowcopy command provides a robust set of
options for interacting with volume shadow copies. 

Figure 6: WMIC Shadowcopy Commands 

The simple three-word command to delete all shadow copies with WMIC is shown
here.  The default is to delete all shadow copies; the easiest way to delete a
single VSC using WMIC is to type WMIC in an administrator privileged command
prompt, which will enable WMIC interactive mode. In this mode typing “shadowcopy
delete” will prompt the user about the deletion of individual VSCs.  Outside of
interactive mode, there is no prompt, and all shadow copies are deleted. 

wmic SHADOWCOPY DELETE 

Command 4: The wmic shadowcopy delete command 


WMIC SHADOWCOPY DELETE USED IN WANA DECRYPT0R 2.0  

The confusingly named Wana Decrypt0r 2.0 also uses a very conservative approach;
as shown, the command calls not only vssadmin to delete shadows, but also wmic
shadowcopy delete. Then, just to hamper recovery further, bcdedit is called to
prevent automatic recovery from the VSCs that were presumably already deleted.  

Wana Decrypt0r 2.0 is an ancestor of WannaCry, which wormed its way around the
world starting in 2017 using the EternalBlue SMB exploit.  The large number of
variants associated with this Wana Decrypt0r 2.0 can be attributed in part to a
ransomware generator.  This program, Aron WanaCryptor 2.0 Generator v1.0, allows
enterprising criminals to customize the WannaCry lock screen text, images, and
colors.  For this reason, there are many variants of this ransomware that are
functionally identical, but given new names based on the text from the ransom
window. 

Figure 7: Use of vssadmin and wmic shadowcopy in
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 


WMIC SHADOWCOPY USED IN SOMHOVERAN  

Known for being distributed on Discord’s content delivery network under the
guise of game-related hacks or cheats, the Somhoveran ransomware arrives as a
self-extracting archive, which runs a batch script to kick off a .NET (MSIL)
file that ultimately locks the user out of their own desktop. To add insult to
injury, a countdown timer is displayed to pressure those affected to pay the
ransom promptly.

Figure 8: Use of vssadmin and wmic shadowcopy in
31dfd40951e006b0a2f2fa439d4bbb37db01120478155d48b533453676e71073


SCRIPTING OBJECTS USED FOR VSC DELETION 

Interacting with VSCs using Windows utilities is without question the most
straightforward method to delete shadow copies, but it is also very well known,
and detectable by security products. By using objects available in scripting
languages like PowerShell, VBScript or Python, actors can achieve the same
outcome with minimal additional effort and gain some anonymity in the operating
system.


POWERSHELL SCRIPT WITH WMI TO DELETE VSCS 

The WMI command line utility isn’t the only way to use WMI to delete volume
shadow copies. From a ransomware author’s perspective, it could be beneficial
to avoid the use of command line tools like wmic.exe, as calls to it and
similar tools can be easily monitored by security products. To hide in the
noise of corporate network environments, ransomware can use cmdlets in
PowerShell to delete VSCs. As shown here, with a single pipeline that loops
over every Win32_ShadowCopy object, PowerShell can make quick work of all the
VSCs.

Get-WmiObject Win32_Shadowcopy | ForEach-Object{$_.Delete();} 

Command 5: One Line PowerShell Script to Delete VSCs 


POWERSHELL SCRIPT WITH WMI USED IN ANCHOR 

Anchor is publicly attributed to the Trickbot group whose toolkit started out
primarily with banking trojans and later branched into multiple ransomware
tools. Like the other examples described, Anchor uses multiple methods to delete
VSCs including a call to PowerShell that uses WMI to delete shadow copies. 

Figure 9: PowerShell Script to Delete VSCs in
e26b2ffb2ee711fc7b04d62911580560794ee4fa9b7fcfade65ee6ff2eed0274 


POWERSHELL WITH WMI USED IN BLACKSUN RANSOMWARE  

Implemented entirely in PowerShell, BlackSun is an all-in-one ransomware, which
arrives with all its functionality and does not download or load additional
payloads. Part of the prepacked functionality deletes the shadow copies, as
shown here in the author-named function “DoCleanShadows”.

Figure 10: PowerShell Script to Delete VSCs in
8de8134635cfbbf3cda763208262ceb07633d65f394e0395abf0c543c4d7f76b


VBSCRIPT AND PYTHON USE WMI TO DELETE SHADOW COPIES 

Unlike PowerShell, VBScript doesn’t have a built-in object for interacting
directly with VSCs. The script below goes back to at least 2016. While it still
works, it has fallen out of favor in newer ransomware samples; it was popular at
the dawn of the modern ransomware age, when criminal groups began to adopt
ransomware as a business model. In the example, VBScript retrieves a handle to
WMI and then uses that handle to issue the WQL3 query “Select * From
Win32_ShadowCopy”. The For Each loop then deletes each VSC. A very similar
script can be written in Python or other scripting languages where an interface
to WMI is provided.

strComputer = "."
' Connect to the WMI service on the local machine (root\cimv2 namespace)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' WQL query that returns every shadow copy on the system
Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
' Delete_ is the WMI method that removes an instance
For Each objItem In colItems
    objItem.Delete_
Next

Command 6: VBScript for Volume Shadow Deletion 
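The first two categories above (LOLbin commands and WMI scripting objects) can be matched on process command lines. The following Python is an added example, not code from the VMware post: it splits chained cmd.exe commands on &&, || and & (the operators discussed in the MSILZilla section), classifies each part against the vssadmin, wmic, wbadmin, bcdedit and PowerShell Win32_ShadowCopy patterns shown above, and runs the check over a few constructed log records (the "CommandLine=" record format is an assumption).

```python
"""Classify process command lines for the VSC deletion techniques in the
first two categories above (LOLbins and WMI scripting objects).

Added example for this page, not code from the VMware post. The record
format ("... CommandLine=<cmd>") and the sample lines are constructed."""
import re
from typing import List, Optional, Tuple

# cmd.exe chains commands with &&, || and &. As the MSILZilla section
# explains, && only runs the second command if the first succeeds, so a
# detector must classify every part regardless of the operator used.
# (PowerShell's own & call operator would also be split; acceptable here.)
_CHAIN = re.compile(r"\s*(?:&&|\|\||&)\s*")
_UNITS = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30, "TB": 1 << 40}

Finding = Tuple[str, str]  # (technique label, offending command part)


def split_compound(cmdline: str) -> List[str]:
    """Split a cmd.exe command line into its chained parts."""
    return [p.strip() for p in _CHAIN.split(cmdline) if p.strip()]


def parse_maxsize(value: str) -> Optional[int]:
    """vssadmin /maxsize value in bytes; None means UNBOUNDED (no cap)."""
    value = value.strip().upper()
    if value == "UNBOUNDED":
        return None
    m = re.fullmatch(r"(\d+)(B|KB|MB|GB|TB)?", value)
    if not m:
        return 0  # percentage forms are still a bounded cap; report as 0 bytes
    return int(m.group(1)) * _UNITS[m.group(2) or "B"]


def classify(part: str) -> Optional[Finding]:
    """Map one already-split command to a finding, or None when benign."""
    tokens = part.split()
    if not tokens:
        return None
    exe = tokens[0].lower().strip('"').rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    rest = " ".join(tokens[1:]).lower()

    if exe == "vssadmin":
        if rest.startswith("delete shadows"):
            return ("vssadmin delete shadows", part)
        m = re.search(r"resize shadowstorage.*?/maxsize=(\S+)", rest)
        # Any bounded resize can purge copies (Conti used 401MB); setting
        # the cap back to unbounded does not delete anything by itself.
        if m and parse_maxsize(m.group(1)) is not None:
            return ("vssadmin resize shadowstorage", part)
    elif exe == "wmic" and "shadowcopy" in rest and "delete" in rest:
        return ("wmic shadowcopy delete", part)
    elif exe == "wbadmin" and rest.startswith("delete catalog"):
        return ("wbadmin delete catalog", part)
    elif exe == "bcdedit" and re.search(r"recoveryenabled\s+no\b", rest):
        return ("bcdedit automatic recovery disabled", part)
    elif (exe in ("powershell", "pwsh") and "win32_shadowcopy" in rest
          and ".delete(" in rest):
        return ("PowerShell WMI Win32_ShadowCopy delete", part)
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, technique, command part) for every hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "CommandLine=" not in line:
            continue
        cmdline = line.split("CommandLine=", 1)[1]
        for part in split_compound(cmdline):
            hit = classify(part)
            if hit:
                findings.append((n, hit[0], hit[1]))
    return findings


# Constructed process-creation records (not real telemetry). Lines 1, 2
# and 4 reuse command lines quoted in the sections above.
SAMPLE_LOG = [
    "2022-09-20T10:01:02Z WS01 CommandLine=vssadmin delete shadows /all /quiet "
    "&& wmic shadowcopy delete",
    "2022-09-20T10:01:03Z WS01 CommandLine=vssadmin resize shadowstorage "
    "/for=c: /on=c: /maxsize=401MB",
    "2022-09-20T10:01:03Z WS01 CommandLine=vssadmin resize shadowstorage "
    "/for=c: /on=c: /maxsize=unbounded",
    '2022-09-20T10:01:30Z WS01 CommandLine=powershell.exe -Command '
    '"Get-WmiObject Win32_Shadowcopy | ForEach-Object{$_.Delete();}"',
    "2022-09-20T10:02:00Z WS01 CommandLine=vssadmin list shadowstorage",
    "2022-09-20T10:02:05Z WS01 CommandLine=C:\\Windows\\System32\\svchost.exe "
    "-k netsvcs",
]

if __name__ == "__main__":
    for n, technique, part in scan_log(SAMPLE_LOG):
        print(f"line {n}: {technique}: {part}")
```

The "list shadowstorage" and "/maxsize=unbounded" records are deliberately left unflagged, since on their own they read the configuration or lift the cap rather than remove copies.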


COMPONENT OBJECT MODEL (COM) FOR VSC DELETION 

Interacting with Windows COM objects is not new in malware. As covered shortly,
were it not for the layer of Windows privileges on the proverbial COM cake, COM
would allow unrestricted direct access to the operating system’s underlying
component objects. This low-level direct access, combined with the difficulty
of differentiating malicious behavior from bona fide behavior, makes COM an
attractive vector to achieve malicious goals. This includes COM techniques for
deleting VSCs.


NEW TECHNIQUE: COM VSS COORDINATOR USED FOR VSC DELETION 

During the study of ongoing ransomware tactics and techniques, TAU uncovered a
newer method of Volume Shadow deletion in the wild. This previously unreported
technique instantiates the Component Object Model (COM) Volume Shadow Copy
Coordinator (VssCoordinator), a part of the Volume Shadow Copy Service (VSS),
using its CLSIDs. Short for class identifier, a CLSID is a globally unique
identifier for a COM class object. This direct access to the VSS Coordinator
provides full access to VSCs.

Table 2: CLSIDs Used in New COM VSC Deletion Technique

 * VSS COM Interface (IID_IVssCoordinator) –
   DA9F41D4-1A5D-41D0-A614-6DFD78DF5D05
 * VSS Coordinator (CLSID_CVssCoordinator) –
   E579AB5F-1CC4-44B4-BED9-DE0991FF0623

 


HIGH LEVEL SUMMARY OF THE COMPONENT OBJECT MODEL (COM) 

A complete understanding of COM goes beyond what is needed to understand this
technique, but a high-level understanding is helpful. Here are the basics. COM
goes back to the beginning of Windows, and there are entire books written about
it. At the risk of oversimplification, it is provided by Windows as a way for
one process’s objects to interact with any other process’s COM objects,
regardless of language, structure, or location, through a specifically defined
COM interface. These interfaces commonly facilitate communication between
applications and the operating system. It can be helpful to think of it as
object-to-object communication regardless of all else.

While COM has a no-rules-anything-goes philosophy, Windows privileges inject
order into this anarchist methodology. The relevant thing about Windows
privileges for this paper’s purpose is that they define which applications and
COM objects can interact, and what operations are allowed. This new technique to
delete VSCs requires access to the VSS Coordinator COM Object, and that requires
SeBackupPrivilege.  

SeBackupPrivilege allows file content retrieval, even if the security descriptor
on the file might not grant such access. A caller with SeBackupPrivilege enabled
obviates the need for any ACL-based security check. (Microsoft, 2021) 

Figure 11: Enables SeBackupPrivilege 

The above code shows the sample retrieving the LUID (locally unique identifier)
structure for SeBackupPrivilege. A new TOKEN_PRIVILEGES structure is created
with this LUID to grant itself the same privilege. Then the created structure is
passed to AdjustTokenPrivileges to enable SeBackupPrivilege, which allows access
to the necessary interface.

The ransomware now has access to the VSS Coordinator Object through the VSS COM
Interface and complete control over volume shadow copies, including the ability
to delete them, but before we analyze the technique any further; let’s look at
the ransomware sample that contained it. 


HELLO RANSOMWARE CONTAINING NEW COM TECHNIQUE FOR DELETING VSCS 

The new technique was discovered in a sample of Hello ransomware, which has been
circulating since at least mid-2021.  The table provides a high-level overview
of its execution flow.  

Table 3: Summary of Hello Ransomware Files

 * xd.exe – SHA256
   ffebda7512c78ba73ffa40dd02b59fd22cfa8e1bf48cd86e7b2d54e19c061134 –
   Origin file (Hello ransomware)
 * di.dll – SHA256
   5cd61b2f5f3f2d8af51b3635ba85f708e58a0961e4496e1cc37fdce58b3c04fb –
   Dropped by xd.exe (drops vs.exe)
 * vs.exe – SHA256
   cff04aa0a317d6b7c498faccdfbe7353b2676ea97acb1bee1bda650f29a8e423 –
   Dropped by di.dll (deletes VSCs)

 

Figure 12: Hello Ransomware Icon 

The primary parent of the EXE that contains the new VSC deletion technique is
named xd.exe; its icon is shown here. xd.exe loads an AES-encrypted blob into
memory and decrypts it in place. This decoded in-memory content initiates
encryption of files and drops the dynamic link library (DLL) file di.dll, which
it spawns in a new process. The di.dll file has two objectives: one, it finds a
process with SeDebugPrivilege, and two, it drops and runs vs.exe as a new
process. Then vs.exe exercises the new VSC deletion technique.

Figure 13: Red Mask Desktop Image 

While di.dll and vs.exe are prepping for and deleting the VSCs, the parent file,
xd.exe continues to encrypt files, each encrypted file’s extension is appended
with “.hello”, and the desktop background is changed to a centered image of a
red mask.  


NEW COM VSSCOORDINATOR TECHNIQUE FOR DELETING VSCS 

As described, the ransomware is not particularly noteworthy, except in its
method of volume shadow copy deletion, so let’s take a closer look at that
technique specifically. As illustrated in the decompiled code, a handle to the
COM interface associated with the Volume Shadow Copy Coordinator is retrieved
with a call to CoCreateInstance. Using this interface, a list of VSCs is
secured, and this list enables the deletion of all shadow copies.  As of this
writing this technique has no detections by security vendors, which is likely
because this method of deleting volume shadow copies has legitimate uses in the
backup and recovery lifecycle.  In fact, while researching this technique
several legitimate backup solutions were evaluated and dismissed as known-good
applications. 

Figure 14: New Technique for Deleting VSCs 


MITRE ATT&CK TECHNIQUES 

This table was built using v11.2 of the framework. 

Table 4: MITRE ATT&CK Techniques for Hello Ransomware
ffebda7512c78ba73ffa40dd02b59fd22cfa8e1bf48cd86e7b2d54e19c061134

Execution (TA0002)
 * T1129 Shared Modules – Calls CreateProcessW to execute decrypted content.
 * T1106 Native API – Makes direct system calls.
 * T1559.001 Component Object Model – Uses COM to delete VSCs.

Privilege Escalation (TA0004)
 * T1134 Access Token Manipulation – Ensures SeBackupPrivilege.

Defense Evasion (TA0005)
 * T1027.002 Obfuscated Files or Information: Software Packing – Software
   packing and dynamic resolution of Windows function addresses, which are
   then called from non-standard registers.
 * T1218.011 System Binary Proxy Execution: Rundll32 – Runs dropped file using
   rundll32.exe.
 * T1140 Deobfuscate/Decode Files or Information – Embedded files are
   decrypted and dropped to the file system.
 * T1070.004 Indicator Removal on Host: File Deletion – Dropped file is
   deleted.
 * T1140 Deobfuscate/Decode Files or Information – Decrypts and runs embedded
   files.

Impact (TA0040)
 * T1486 Data Encrypted for Impact – Files are encrypted for financial gain.
 * T1491.001 Defacement: Internal – Desktop image is changed.
 * T1490 Inhibit System Recovery – Deletes Volume Shadow Copies.





YARA RULE 

The nature of this technique dictates that this rule will return false positive
results in some environments. By excluding validly signed files, a partial
mitigation is achieved, however as most are already aware not all legitimate
files are signed, and subsequently sometimes malicious files can have a valid
signature.  With this caveat in mind, the below rule is provided as a starting
point for further customization to meet the needs of one’s situation.  For
example, if the organization has software for managing backups that interacts
directly with the VSS Coordinator, it will likely need to exclude executable
files associated with it. 

import "pe"

/*
  Detects COM technique for deleting volume shadow copies using the
  Volume Shadow Copy Coordinator.
  The GUIDs are stored little-endian in the binary, so the hex strings
  below are the byte order of the CLSIDs in Table 2, not their text form.
*/
rule VSS_COM_Deletion_Technique_without_WMI
{
   strings:
      $IID_IVssCoordinator = {D4 41 9F DA 5D 1A D0 41 A6 14 6D FD 78 DF 5D 05}
      $CLSID_CVssCoordinator = {5F AB 79 E5 C4 1C B4 44 BE D9 DE 09 91 FF 06 23}
      $SeBackupPrivilege = "SeBackupPrivilege" ascii wide fullword
   condition:
      // PE check: e_lfanew at offset 0x3C must point at the "PE\0\0" signature
      uint32(uint32(0x3C)) == 0x00004550 and
      $IID_IVssCoordinator and
      $CLSID_CVssCoordinator and
      $SeBackupPrivilege and
      // Exclude files whose Authenticode signatures all validate. How this
      // clause evaluates for unsigned files (an empty signature set) depends
      // on the YARA version, so verify it against your scanner first.
      not (
         for all i in (0..pe.number_of_signatures - 1) :
            ( pe.signatures[i].valid_on(pe.timestamp) )
      )
}

Command 7: YARA Rule to Detect COM VssCoordinator VSC Deletion 
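The hex strings in the rule are the on-disk byte order of the Table 2 GUIDs, which is easy to get wrong by hand. The following Python is an added example, not code from the VMware post: it converts between GUID text and YARA hex form in both directions and evaluates the rule's header and string conditions (without the Authenticode clause, and without enforcing fullword) against a constructed buffer.

```python
"""Cross-check the YARA rule's hex strings against the GUIDs in Table 2 and
apply its header and string conditions to a buffer.

Added example for this page, not code from the VMware post. The buffer
built by build_sample_pe() is constructed and is not an executable."""
import struct
import uuid
from typing import Dict

# GUIDs from Table 2 of the post.
IID_IVSSCOORDINATOR = "DA9F41D4-1A5D-41D0-A614-6DFD78DF5D05"
CLSID_CVSSCOORDINATOR = "E579AB5F-1CC4-44B4-BED9-DE0991FF0623"


def guid_to_yara_hex(guid: str) -> str:
    """Render a GUID as it is laid out in memory and on disk: the first three
    fields little-endian, the last eight bytes in order (uuid.bytes_le)."""
    return "{" + " ".join(f"{b:02X}" for b in uuid.UUID(guid).bytes_le) + "}"


def yara_hex_to_guid(pattern: str) -> str:
    """Inverse of guid_to_yara_hex: 16-byte YARA hex string back to text."""
    raw = bytes.fromhex(pattern.strip("{} ").replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw)).upper()


def is_pe(data: bytes) -> bool:
    """Mirror the rule's uint32(uint32(0x3C)) == 0x00004550 check: the DOS
    header's e_lfanew field must point at the "PE\\0\\0" signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def matches_string_conditions(data: bytes) -> Dict[str, bool]:
    """Evaluate each non-signature condition of the rule on a buffer.
    The 'fullword' modifier is not enforced for the privilege name."""
    priv = "SeBackupPrivilege"
    return {
        "pe": is_pe(data),
        "IID_IVssCoordinator": uuid.UUID(IID_IVSSCOORDINATOR).bytes_le in data,
        "CLSID_CVssCoordinator": uuid.UUID(CLSID_CVSSCOORDINATOR).bytes_le in data,
        # "ascii wide" in YARA means either the 8-bit or the UTF-16LE form
        "SeBackupPrivilege": priv.encode() in data
        or priv.encode("utf-16-le") in data,
    }


def rule_hits(data: bytes) -> bool:
    """True when every condition in matches_string_conditions() holds."""
    return all(matches_string_conditions(data).values())


def build_sample_pe(with_coordinator: bool = True) -> bytes:
    """Constructed buffer with just enough PE structure for is_pe() plus the
    strings the rule looks for; it is not a real or runnable executable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS stub
    struct.pack_into("<I", header, 0x3C, 0x40)         # e_lfanew -> 0x40
    body = b"PE\0\0" + b"\0" * 20 + b"SeBackupPrivilege\0"
    if with_coordinator:
        body += uuid.UUID(IID_IVSSCOORDINATOR).bytes_le
        body += b"\0" * 4
        body += uuid.UUID(CLSID_CVSSCOORDINATOR).bytes_le
    return bytes(header) + body


if __name__ == "__main__":
    for name, guid in (("IID_IVssCoordinator", IID_IVSSCOORDINATOR),
                       ("CLSID_CVssCoordinator", CLSID_CVSSCOORDINATOR)):
        print(f"{name} = {guid_to_yara_hex(guid)}")
    print("sample matches:", rule_hits(build_sample_pe()))
```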


OTHER COM VSC DELETION TECHNIQUES 

Of course, this new technique isn’t the first time malicious actors have tapped
into COM to delete volume shadow copies, and interacting directly with the VSS
Coordinator is not the only route to the VSCs. To illustrate this, two more
techniques are provided. This should not be considered a complete anthology of
COM techniques for deleting VSCs; it is provided as an overview. The vast
capabilities of COM almost certainly ensure there are more techniques, both
already in the wild and yet to be written.


COM WMI OBJECT FOR VSC DELETION IN FIVE HANDS RANSOMWARE 

Five Hands ransomware uses a different COM interface for deleting volume shadow
copies, but one that is familiar.  The highlighted portion of the below image
shows the CLSID of the WMI interface.  Gaining access to the COM WMI interface
provides the author with an incredible amount of built-in functionality
including the ability to delete volume shadow copies. 

Five Hands is reported to be used by an espionage-for-hire criminal group. 
While many ransomware samples gain access by phishing, initial access for this
ransomware is strongly tied to an unpatched vulnerability in an externally
facing VPN product.  It is both always too late and never too late to patch
those vulnerable systems, but mostly too late once Five Hands finds a way into
the network.  

Figure 15: COM WMI Access in
02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851 


VSS REQUESTOR & WRITER COM OBJECTS USED FOR VSC DELETION IN DIAVOL 

Diavol ransomware shares code similarities with Trickbot malware and Conti
ransomware, and it has been observed as early as October 2021. Its name, Diavol,
is the Bulgarian word for devil, however one might be able to escape this
“diavol”. If the unfortunate situation occurs, that causes the network to fall
victim to this ransomware, check out the free decryption tool provided by
Emsisoft4.  The VSCs will likely be gone, but maybe some data may still be
recoverable. 

Through the Microsoft Volume Shadow Copy Requestor/Writer Services API DLL
(vssapi.dll), Microsoft offers another method of interaction with VSCs that is
in use by Diavol. Very similar to the new technique outlined above that uses
the VssCoordinator, the authors of the Diavol ransomware use COM to request the
VssBackupComponents interface by calling the public function
CreateVssBackupComponentsInternal; this is the COM interface used by VSS
Requestors to poll the VSS Writers. Diavol uses this interface to query the VSS
Writers for a list of all the completed shadow copies. Then it iteratively
calls DeleteSnapshots on each VSC until all VSCs have been deleted.

Figure 16: COM VssBackupComponents Use in e0c0e663bf44c9820b049f73f2910843ede20fd3e6cd0c9a22cbd2a48e1a228a


CONCLUSION 

It is worth asking, "Is there a way to recover a VSC once it's deleted?" The
short answer is, "no." File recovery software could offer some hope, but success
would be unpredictable at best. It is important to acknowledge and quantify the
unique risk in every situation; do not consciously or unconsciously decide that
ransomware will not affect the network. This is unrealistic and akin to deciding
that no one will ever get sick. Even in the very best, most security-aware
network environments, bad things happen. Products from VMware Carbon Black can
play a key role in the detection and prevention of malicious behavior and, if
necessary, can assist in remediation before the effects are out of control.

There are freely available open source counter-techniques and tools that hedge
the adversary's ability to delete VSCs. A notable mention is Raccine [5], whose
name is a portmanteau of Ransomware and Vaccine. This tool registers itself as
a debugger for vssadmin and wmic, which allows it to monitor for deletion
commands. When offending commands are recognized, it kills the associated
processes. This offers a good amount of protection against the most common
category of VSC deletion techniques, those using two of the most common
LOLbins; however, no protection is offered against deletion through scripting
language objects or COM objects. It is essential to have quality backups in the
event of ransomware and not to depend solely on VSCs. As much as possible,
backups should be kept offline and completely inaccessible to ransomware. There
is simply no substitute for high quality offline backups and skilled
professionals who can orchestrate their restoration.
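As an added illustration of the coverage boundary described above (example code written for this edit, not the report's, Raccine's or VMware's own), here is a small Python triage pass over constructed Sysmon-style process creation records: it flags the vssadmin and wmic deletion commands and a WMI scripting-object deletion, while the constructed `sample.exe` event, standing in for a binary that deletes VSCs in-process through COM, yields no command-line hit at all. The field names Image, CommandLine and ParentImage follow Sysmon's Event ID 1 schema; the events themselves are constructed sample data.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) style records used as sample
# input; they are not telemetry from the incidents described in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",  # benign enumeration, must not alert
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
     "CommandLine": "sample.exe",  # hypothetical in-process COM deleter: nothing to match
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Command-line signatures for the LOLbin and scripting-object categories. Each
# pattern requires the tool name plus its delete verb, so list/create
# invocations of the same binaries do not fire.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wmi_scripting_delete": re.compile(r"Win32_ShadowCopy\b.*\.Delete\(\)", re.I),
}


def classify(event):
    """Return the name of the first rule matching one event's command line, or None."""
    cmd = event.get("CommandLine", "")
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            return name
    return None


def scan(events):
    """Return one alert per matching event, keeping the parent image for triage."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            alerts.append({"rule": rule, "image": ev["Image"],
                           "parent": ev["ParentImage"], "cmd": ev["CommandLine"]})
    return alerts
```

The unmatched `sample.exe` record is the point: a COM-based deleter such as the Diavol and Five Hands samples above never spawns vssadmin or wmic, so command-line monitoring alone cannot see it, and the parent-image field on the first alert (a user-profile executable launching vssadmin) is the kind of context an analyst would pivot on.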


APPENDIX: HELPFUL TIPS 

It might be useful to create a shadow copy on demand to experiment with or
reproduce the analysis here. The example commands below, run as administrator
in CMD or PowerShell, will accomplish this: the first creates a shadow copy of
the C: volume and the second lists the shadow copies that now exist.

wmic shadowcopy call create Volume='C:\'
vssadmin list shadows

DANA BEHLING
