Shadow Volume Copies have been a feature since Windows Vista that allows snapshots, or backups, of your files to be saved even when the files are currently in use.
These snapshots will attempt to be created every day and allows you to restore documents to previous versions or even to restore them if they were deleted.
This same technology is also used by the Windows' System Restore feature that allows you to roll back Windows to a previously working configuration in case there is a problem.
Since Windows Vista, Microsoft has been bundling a utility called vssadmin.exe in Windows that allows an administrator to manage the Shadow Volume Copies that are on the computer.
Unfortunately, with the rise of Crypto Ransomware, this tool has become more of a problem than a benefit and everyone should disable it.
System Restore is a feature that relies on Shadow Volume Copies
By default, Windows will attempt to create new Shadow Volume snapshots of your C: drive every day.
Since the standard save location for Document files is on the C: drive your documents will be backed up as well.
Though this shouldn't be considered a regular backup method, it does provide an extra security blanket in the event that you need to restore a changed or deleted file.
Unfortunately, the developers of Crypto Ransomware are aware of Shadow Volume Copies and design their infections so that they delete ALL Shadow Volume Copies when the ransomware infects your computer.
This is done to prevent you from using Shadow Volumes to recover encrypted files.
There are a few methods that the ransomware malware developers use to delete the Shadow Volume Copies, but the most prevalent one is to use the vssadmin.exe Delete Shadows /All /Quiet command.
This command will execute the vssadmin.exe utility and have it quietly delete all of the Shadow Volume Copies on the computer.
As this program requires Administrative privileges to run, some ransomware will inject themselves into processes that are running as an Administrator in order to avoid a UAC prompt from being displayed.
As vssadmin.exe is not a tool that is routinely used by an administrator, it is strongly suggested that it be disabled it by renaming it.
Then if a ransomware tries to utilize the program to delete your shadow volume snapshots, it will fail and you will be able to use them to recover your files.
Will this be 100% effective against all ransomware infections? No,but it will help against a good amount of them.
Unfortunately, as this file is owned by the special Windows account called TrustedInstaller, it is not a simple task to rename.
In order to rename vssadmin.exe you first have take ownership of the file, give yourself the permissions to modify it, and then rename it.
In order to make this task easier, I have put together a small batch file that does this for you. Renvbs.bat, which is shown below, will change the ownership of the vssadmin.exe file from TrustedInstaller to the Administrators group.
It will then give the Administrators the Change permission so that they can rename it.
Finally the batch file will rename the file in the format vssadmin.exe-date-time.
Feel free to modify the name of the renamed file in the batch file for extra security.
In the future if you ever need to actually use this utility, you can just rename it back to vssadmin.exe and use it as normal.
When testing this method, I have not found any functionality lost within Windows and the only program that I know of that no longer operates when it is renamed is Shadow Explorer.
Once again, to resolve any issues that may come up, you simply need to rename the file back to vssadmin.exe.
The Renvbs.bat batch file can also be downloaded from here: http://download.bleepingcomputer.com/bats/renvss.bat.
The RenVBS Batch file:
Source and Credit:
http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
[Lawrence Abrams]
These snapshots will attempt to be created every day and allows you to restore documents to previous versions or even to restore them if they were deleted.
This same technology is also used by the Windows' System Restore feature that allows you to roll back Windows to a previously working configuration in case there is a problem.
Since Windows Vista, Microsoft has been bundling a utility called vssadmin.exe in Windows that allows an administrator to manage the Shadow Volume Copies that are on the computer.
Unfortunately, with the rise of Crypto Ransomware, this tool has become more of a problem than a benefit and everyone should disable it.
System Restore is a feature that relies on Shadow Volume Copies
By default, Windows will attempt to create new Shadow Volume snapshots of your C: drive every day.
Since the standard save location for Document files is on the C: drive your documents will be backed up as well.
Though this shouldn't be considered a regular backup method, it does provide an extra security blanket in the event that you need to restore a changed or deleted file.
Unfortunately, the developers of Crypto Ransomware are aware of Shadow Volume Copies and design their infections so that they delete ALL Shadow Volume Copies when the ransomware infects your computer.
This is done to prevent you from using Shadow Volumes to recover encrypted files.
There are a few methods that the ransomware malware developers use to delete the Shadow Volume Copies, but the most prevalent one is to use the vssadmin.exe Delete Shadows /All /Quiet command.
This command will execute the vssadmin.exe utility and have it quietly delete all of the Shadow Volume Copies on the computer.
As this program requires Administrative privileges to run, some ransomware will inject themselves into processes that are running as an Administrator in order to avoid a UAC prompt from being displayed.
As vssadmin.exe is not a tool that is routinely used by an administrator, it is strongly suggested that it be disabled it by renaming it.
Then if a ransomware tries to utilize the program to delete your shadow volume snapshots, it will fail and you will be able to use them to recover your files.
Will this be 100% effective against all ransomware infections? No,but it will help against a good amount of them.
Unfortunately, as this file is owned by the special Windows account called TrustedInstaller, it is not a simple task to rename.
In order to rename vssadmin.exe you first have take ownership of the file, give yourself the permissions to modify it, and then rename it.
In order to make this task easier, I have put together a small batch file that does this for you. Renvbs.bat, which is shown below, will change the ownership of the vssadmin.exe file from TrustedInstaller to the Administrators group.
It will then give the Administrators the Change permission so that they can rename it.
Finally the batch file will rename the file in the format vssadmin.exe-date-time.
Feel free to modify the name of the renamed file in the batch file for extra security.
In the future if you ever need to actually use this utility, you can just rename it back to vssadmin.exe and use it as normal.
When testing this method, I have not found any functionality lost within Windows and the only program that I know of that no longer operates when it is renamed is Shadow Explorer.
Once again, to resolve any issues that may come up, you simply need to rename the file back to vssadmin.exe.
The Renvbs.bat batch file can also be downloaded from here: http://download.bleepingcomputer.com/bats/renvss.bat.
The RenVBS Batch file:
Code:
@echo off
REM We are redirecting the output of the commands and any errors to NUL.
REM If you would like to see the output, then remove the 2>NUL from the end of the commands.
REM Check if vssadmin.exe exists. If not, abort the script
if NOT exist %WinDir%\system32\vssadmin.exe (
echo.
echo.%WinDir%\system32\vssadmin.exe does not exist!
echo.
echo Script Aborting!
echo.
PAUSE
goto:eof
)
REM Check if the script was started with Administrator privileges.
REM Method from http://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights
net session >nul 2>&1
if %errorLevel% NEQ 0 (
echo.
echo You do not have the required Administrator privileges.
echo.
echo Please run the script again as an Administrator.
echo.
echo Script Aborting!
echo.
PAUSE
goto:eof
)
REM We need to give the Administrators ownership before we can change permissions on the file
takeown /F %WinDir%\system32\vssadmin.exe /A >nul 2>&1
REM Give Administrators the Change permissions for the file
CACLS %WinDir%\system32\vssadmin.exe /E /G "Administrators":C >nul 2>&1
REM Generate the name we are going to use when rename vssadmin.exe
REM This filename will be based off of the date and time.
REM http://blogs.msdn.com/b/myocom/archive/2005/06/03/so-what-the-heck-just-happened-there.aspx
for /f "delims=/ tokens=1-3" %%a in ("%DATE:~4%") do (
for /f "delims=:. tokens=1-4" %%m in ("%TIME: =0%") do (
set RenFile=vssadmin.exe-%%c-%%b-%%a-%%m%%n%%o%%p
)
)
REM Rename vssadmin.exe to the filename in the RenFile variable
ren %WinDir%\system32\vssadmin.exe %RenFile% >nul 2>&1
REM Check if the task was completed successfully
if exist %WinDir%\system32\%RenFile% (
echo.
echo vssadmin.exe has been successfully renamed
echo to %WinDir%\system32\%RenFile%.
pause
) else (
echo.
echo There was a problem renaming vssadmin.exe
echo to %WinDir%\system32\%RenFile%.
echo.
pause
)
:ENDSource and Credit:
http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
[Lawrence Abrams]
Thanks, Pete!
