Inhibit System Recovery
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* `vssadmin.exe` can be used to delete all volume shadow copies on a system - `vssadmin.exe delete shadows /all /quiet`
* Windows Management Instrumentation can be used to delete volume shadow copies - `wmic shadowcopy delete`
* `wbadmin.exe` can be used to delete the Windows Backup Catalog - `wbadmin.exe delete catalog -quiet`
* `bcdedit.exe` can be used to disable automatic Windows recovery features by modifying boot configuration data - `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`
Procedure Examples

Name | Description
---|---
Ragnar Locker | Ragnar Locker can delete volume shadow copies using
InvisiMole | InvisiMole can remove all system restore points.(Citation: ESET InvisiMole June 2018)
WastedLocker | WastedLocker can delete shadow volumes.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)
H1N1 | H1N1 disables recovery options and deletes shadow copies from the victim.(Citation: Cisco H1N1 Part 2)
RobbinHood | RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.(Citation: CarbonBlack RobbinHood May 2019)
Ryuk | Ryuk has used
DarkWatchman | DarkWatchman can delete shadow volumes using
EKANS | EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)
MegaCortex | MegaCortex has deleted volume shadow copies using
DEATHRANSOM | DEATHRANSOM can delete volume shadow copies on compromised hosts.(Citation: FireEye FiveHands April 2021)
Avaddon | Avaddon deletes backups and shadow copies using native system tools.(Citation: Hornet Security Avaddon June 2020)(Citation: Arxiv Avaddon Feb 2021)
HermeticWiper | HermeticWiper can disable the VSS service on a compromised host using the service control manager.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)
WannaCry | WannaCry uses
Babuk | Babuk has the ability to delete shadow volumes using
BitPaymer | BitPaymer attempts to remove the backup shadow files from the host using
HELLOKITTY | HELLOKITTY can delete volume shadow copies on compromised hosts.(Citation: FireEye FiveHands April 2021)
Netwalker | Netwalker can delete the infected system's Shadow Volumes to prevent recovery.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020)
FIVEHANDS | FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)
Conti | Conti can delete Windows Volume Shadow Copies using
Clop | Clop can delete the shadow volumes with
Meteor | Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\Windows\system32\wbem\wmic.exe shadowcopy delete`.(Citation: Check Point Meteor Aug 2021)
Pysa | Pysa has the functionality to delete shadow copies.(Citation: CERT-FR PYSA April 2020)
Conficker | Conficker resets system restore points and deletes backup files.(Citation: SANS Conficker)
Olympic Destroyer | Olympic Destroyer uses the native Windows utilities
REvil | REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)
Maze | Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)
Diavol | Diavol can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method.(Citation: Fortinet Diavol July 2021)
JCry | JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.(Citation: Carbon Black JCry May 2019)
ProLock | ProLock can use vssadmin.exe to remove volume shadow copies.(Citation: Group IB Ransomware September 2020)
Mitigations

Mitigation | Description
---|---
Inhibit System Recovery Mitigation | Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)
Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Data Backup | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.
Detection
Use process monitoring to monitor the execution and command-line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs (e.g. Event ID 524, indicating a system catalog was deleted) may contain entries associated with suspicious activity.
Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (e.g. the creation of `HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage`).
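The detection guidance above, applied to constructed telemetry as an added example (this is not code from the ATT&CK page): the command-line rules are built from the utilities and switches listed in the technique description, and the Event ID 524 and `PreviousVersions\DisableLocalPage` checks come from the detection text. The event field names, the mapping of process creation to Security 4688 / Sysmon 1 and of registry writes to Sysmon 13, and the host names are assumptions made for the example.

```python
import re

# Command-line signatures for the native utilities named in the technique text.
# Case-insensitive; tolerant of full image paths, .exe suffixes and extra spacing.
CMDLINE_RULES = {name: re.compile(rx, re.I) for name, rx in {
    "vssadmin delete shadows": r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "wmic shadowcopy delete": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin delete catalog": r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    "bcdedit disable recovery":
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
}.items()}

# Registry value from the detection guidance, matched on its path suffix so both
# the HKEY_CURRENT_USER form and the HKU\<SID> form seen in telemetry match.
REG_SUFFIX = re.compile(r"\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage$", re.I)


def classify(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    src, eid = event.get("source"), event.get("event_id")
    # Process creation: Security 4688 and Sysmon 1 both carry the command line.
    if (src, eid) in (("Security", 4688), ("Sysmon", 1)):
        cmd = event.get("command_line", "")
        hits += [name for name, rx in CMDLINE_RULES.items() if rx.search(cmd)]
    # Microsoft-Windows-Backup 524: the backup catalog was deleted.
    elif src == "Microsoft-Windows-Backup" and eid == 524:
        hits.append("backup catalog deleted (Event ID 524)")
    # Sysmon 13 (registry value set) on the PreviousVersions policy value.
    elif src == "Sysmon" and eid == 13 and REG_SUFFIX.search(event.get("target_object", "")):
        hits.append("PreviousVersions DisableLocalPage set")
    return hits


def scan(events):
    """Return (host, rule) pairs for every event that triggers at least one rule."""
    return [(e.get("host"), hit) for e in events for hit in classify(e)]


def proc(host, cmd, source="Security", event_id=4688):
    # Helper building a constructed process-creation event (field names assumed).
    return {"host": host, "source": source, "event_id": event_id, "command_line": cmd}


# Constructed sample telemetry: one event per rule plus a benign vssadmin query.
SAMPLE_EVENTS = [
    proc("ws01", "vssadmin.exe delete shadows /all /quiet"),
    proc("ws01", r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete", "Sysmon", 1),
    proc("ws02", "wbadmin.exe delete catalog -quiet"),
    proc("ws02", "bcdedit /set {default} recoveryenabled no"),
    proc("ws03", "vssadmin list shadows"),  # benign: lists shadows, deletes nothing
    {"host": "ws02", "source": "Microsoft-Windows-Backup", "event_id": 524},
    {"host": "ws03", "source": "Sysmon", "event_id": 13, "target_object":
     r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage"},
]
```

Running `scan(SAMPLE_EVENTS)` yields one hit per malicious event and none for the benign `vssadmin list shadows` query; in production the same rules would be fed from a SIEM or EDR export rather than the inline list.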
References
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- Hinchliffe, A., Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
- Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
- Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
- Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
- Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
- Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
- Yuste, J., Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
- Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
- CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider? Retrieved November 12, 2021.
- Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
- ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
- Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
- Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.
Related Risks

Risk | Links
---|---
Operating system inoperability due to the possibility of disabling OS recovery tools in Windows | Availability; Denial of Service
Loss (destruction) of data due to the possibility of disabling OS recovery tools in Windows | Availability; Denial of Service