Raccine, a new vaccine against ransomware
Called Raccine, the tool monitors for the deletion of shadow volume copies, which ransomware typically wipes out.
Windows creates backups of system and data files and stores them as Volume Shadow Copy snapshots. These can be used to recover data that has been lost or deleted. Of course, ransomware operators are aware of this feature. Since they do not want you to be able to restore your files for free, they usually delete all shadow copies on the infected computer.
These copies are usually deleted with the vssadmin.exe command vssadmin delete shadows /all /quiet. The new ransomware vaccine, written by security researcher Florian Roth, monitors for the deletion of these copies via the vssadmin.exe command.
How does Raccine work?
The tool works by registering raccine.exe as a debugger for vssadmin.exe, using the Image File Execution Options registry key. Once it is registered as a debugger, Raccine is launched every time vssadmin.exe is executed, which lets it check whether vssadmin is attempting to delete shadow volume copies from the computer.
If the tool detects such a process, it will terminate it automatically.
Unfortunately, some more recent ransomware families delete these copies with other commands. The vaccine cannot block those families, since they do not use vssadmin.exe. Also note that the vaccine may terminate legitimate software that uses vssadmin.exe as part of its backup routine.
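The decision described in the two passages above (inspect the vssadmin.exe command line that the IFEO debugger hook receives, terminate only a shadow-copy deletion, and accept that anything not launched through vssadmin.exe is invisible), as an added illustration that is not Raccine's own code. The function names and the sample command lines are constructed for this example; the only command form it keys on is the vssadmin delete shadows form quoted in the article.

```python
import re
from pathlib import PureWindowsPath

# Words that together identify a shadow-copy wipe via vssadmin.exe
# (the "vssadmin delete shadows /all /quiet" form the article describes).
DELETE_VERB = "delete"
SHADOWS_NOUN = "shadows"


def split_windows_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping a quoted path such as
    "C:\\Program Files\\tool.exe" as one token and stripping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_vssadmin(program: str) -> bool:
    """True if the program token names vssadmin.exe, with or without a path."""
    return PureWindowsPath(program).name.lower() in ("vssadmin", "vssadmin.exe")


def should_terminate_tokens(tokens: list) -> bool:
    """Terminate only when the binary is vssadmin.exe AND the arguments carry
    both 'delete' and 'shadows' (case-insensitive, any extra switches allowed).
    'vssadmin list shadows', 'vssadmin create shadow ...' and any other binary
    are allowed: this check cannot see deletions done by other tools, and it
    also cannot tell a backup product's legitimate deletion from ransomware."""
    if not tokens or not is_vssadmin(tokens[0]):
        return False
    args = {t.lower() for t in tokens[1:]}
    return DELETE_VERB in args and SHADOWS_NOUN in args


def should_terminate(cmdline: str) -> bool:
    """Same decision for a raw command-line string."""
    return should_terminate_tokens(split_windows_cmdline(cmdline))


def debugger_verdict(argv: list) -> bool:
    """argv as an IFEO-registered debugger sees it: argv[0] is the guard
    executable itself (e.g. C:\\windows\\raccine.exe), argv[1:] is the
    command line Windows would otherwise have run directly."""
    return should_terminate_tokens(argv[1:])


def terminated_launches(cmdlines: list) -> list:
    """Return the subset of observed vssadmin launches the guard would kill,
    e.g. for an audit log of what the vaccine did on a host."""
    return [c for c in cmdlines if should_terminate(c)]
```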
You can download Raccine from GitHub. If the tool terminates a legitimate program, you can uninstall it with the raccine-reg-patch-uninstall.reg registry file and then delete C:\windows\raccine.exe.