
Raccine, Ransomware Vaccine that Saves Shadow Volume Copies

Ransomware continues to be a top threat to both home and enterprise users. Fortunately, security researcher Florian Roth just released a ransomware vaccine.

Called Raccine, the tool monitors for the deletion of shadow volume copies, which ransomware typically wipes out.

Raccine, a new vaccine against ransomware

The Windows operating system creates backup copies of files and stores them as Volume Shadow Copy snapshots. These can be used to recover data that has been lost or deleted. Of course, ransomware criminals are aware of this feature. As they don’t want you to be able to restore your files for free, they usually delete all shadow volume copies on the infected computer.

Deleting these copies is usually done with the vssadmin.exe command vssadmin delete shadows /all /quiet. Thanks to security researcher Florian Roth, the new ransomware vaccine monitors for the deletion of these copies through vssadmin.exe.

How does Raccine work?

The tool works by registering raccine.exe as a debugger for vssadmin.exe, using the Image File Execution Options (IFEO) Windows registry key. Once registered as a debugger, Raccine is launched every time vssadmin.exe is executed, which lets it inspect the command line and check whether vssadmin is attempting to delete shadow volume copies from the computer.

If the tool detects such an attempt, it terminates the process automatically.

Unfortunately, some more recent ransomware families delete these copies via other commands. This vaccine cannot block those families because they do not invoke vssadmin.exe. Also note that the vaccine may terminate legitimate software that uses vssadmin.exe as part of its backup routines.
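The command-line check described above and the false-positive caveat, as an added example that is not Raccine's own code: the function classifies a vssadmin command line the way a debugger registered via IFEO could, and the triage run applies it to constructed process-creation events (the event tuples and parent names are made up for illustration).

```python
import shlex

# Constructed process-creation events (not taken from the article): each is
# (parent image, command line) as a Windows process-creation log would record it.
SAMPLE_EVENTS = [
    ("evil.exe", "vssadmin delete shadows /all /quiet"),
    ("cmd.exe", '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet'),
    ("backupagent.exe", "vssadmin.exe delete shadows /for=C: /oldest"),
    ("mmc.exe", "vssadmin list shadows"),
    ("cmd.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB"),
]


def is_shadow_deletion(cmdline: str) -> bool:
    """True when a vssadmin command line asks to delete shadow copies.

    The image must be vssadmin(.exe) and the verb/object pair 'delete shadows'
    must appear, regardless of case, quoting or extra switches such as
    /all /quiet. 'delete shadowstorage' is a different pair and is not matched.
    """
    # posix=False keeps Windows backslashes literal and quoted paths whole.
    tokens = [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return False
    image = tokens[0].rsplit("\\", 1)[-1]
    if image not in ("vssadmin", "vssadmin.exe"):
        return False
    args = tokens[1:]
    return any(a == "delete" and b == "shadows" for a, b in zip(args, args[1:]))


def triage(events):
    """Return (parent, cmdline, verdict) for each event.

    The verdict depends only on the command line, exactly like the vaccine:
    a legitimate backup agent issuing 'delete shadows' is blocked too, which
    is the false-positive risk the article points out.
    """
    return [
        (parent, cmd, "block" if is_shadow_deletion(cmd) else "allow")
        for parent, cmd in events
    ]


if __name__ == "__main__":
    for parent, cmd, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:5}  parent={parent:16}  {cmd}")
```

Note that the third event (a backup agent deleting its oldest snapshot) is blocked just like the first two, since nothing in the check distinguishes the caller.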

You can download Raccine from GitHub. In case the tool terminates a legitimate program, you can uninstall it by applying the raccine-reg-patch-uninstall.reg registry file and then deleting C:\windows\raccine.exe.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
