Ransomware Vaccine Intercepts Requests to Erase Shadow Copies
A new ransomware “vaccine” could transform the way organizations treat cyberattacks: it prevents certain ransomware families from erasing shadow copies, which promotes data recovery. The tool, named “Raccine,” targets ransomware families that use the vssadmin.exe command to delete shadow copies on the targeted machine. It was released by security researchers Ollie Whitehouse and Florian Roth.
vssadmin.exe is a legitimate Windows utility that lets users administer shadow copies. However, ransomware variants often take advantage of it to erase all shadow copies. Raccine can intercept the erasure request and kill the process that made the request. Raccine is compatible with all Windows devices dating back to 2000.
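The check described above, as an added Python example (not Raccine's own code and not from the original article): it scans constructed process-creation records for vssadmin.exe shadow-copy deletion requests and reports the parent process that made each request. The record fields, sample paths and the function names `is_shadow_delete` and `find_requesters` are assumptions made for illustration.

```python
import ntpath
import shlex

# Constructed process-creation records: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 4100, "ppid": 812, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5232, "ppid": 4100, "image": r"C:\Users\demo\AppData\Local\Temp\invoice.exe",
     "cmd": "invoice.exe"},
    {"pid": 5300, "ppid": 5232, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /all /quiet'},
    {"pid": 5410, "ppid": 4100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},  # benign administrative use, must not be flagged
]

def is_shadow_delete(cmd):
    """True when the command line runs vssadmin with the 'delete shadows' verb."""
    try:
        tokens = shlex.split(cmd, posix=False)  # keeps Windows backslashes intact
    except ValueError:                          # unbalanced quotes: plain split
        tokens = cmd.split()
    tokens = [t.strip('"').lower() for t in tokens]
    if not tokens:
        return False
    # Match on the executable name whether or not a full path or ".exe" is given.
    if ntpath.basename(tokens[0]) not in ("vssadmin", "vssadmin.exe"):
        return False
    # Ignore switches such as /all so only the verb and object are compared.
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[:2] == ["delete", "shadows"]

def find_requesters(events):
    """Return (vssadmin_pid, parent_record) for each shadow-copy deletion request."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["pid"], by_pid.get(e["ppid"]))
            for e in events if is_shadow_delete(e["cmd"])]

if __name__ == "__main__":
    for pid, parent in find_requesters(EVENTS):
        who = f'{parent["image"]} (pid {parent["pid"]})' if parent else "unknown parent"
        print(f"vssadmin pid {pid}: shadow-copy deletion requested by {who}")
```

Matching on the parsed verb rather than on the executable name alone is what keeps legitimate uses such as `vssadmin list shadows` from being flagged.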