A Simple Ransomware Protection
We see ransomware delete all shadow copies using vssadmin
pretty often. What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine.
We register a debugger for vssadmin.exe
(and wmic.exe
), which is our compiled raccine.exe
. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes.
Advantages:
vssadmin.exe
or wmic.exe
), which could lead to integrity problems and could break our raccination on each patch day Disadvantages / Blind Spots:
vssadmin.exe delete shadows
(or any other blacklisted combination) isn't possible anymorevssadmin.exe delete shadows
, which could be a backup processvssadmin.exe
(e.g. via schtasks
)vssadmin.exe
(and wmic.exe
) gets intercepted and passed to raccine.exe
as debugger (vssadmin.exe delete shadows
becomes raccine.exe vssadmin.exe delete shadows
)Malicious combinations:
delete
and shadows
(vssadmin, diskshadow)resize
and shadowstorage
(vssadmin)delete
and shadowstorage
(vssadmin)delete
and shadowcopy
(wmic)delete
and catalog
and -quiet
(wbadmin)win32_shadowcopy
or element from a list of encoded commands (powershell)recoveryenabled
(bcedit)ignoreallfailures
(bcedit)^ outdated list: check the corresponding YARA rule
Powershell list of encoded commands: JAB
, SQBFAF
, SQBuAH
, SUVYI
, cwBhA
, aWV4I
, aQBlAHgA
and many more
Emotet without Raccine - Link
Emotet with Raccine - Link (ignore the process activity that is related to the Raccine installation)
The infection gets nipped in the bud.
USE IT AT YOUR OWN RISK!
You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg
. This could break various backup solutions that run that specific command during their work. It will not only block that request but kill all processes in that tree including the backup solution and its invoking process.
If you have a solid security monitoring that logs all process executions, you could check your logs to see if vssadmin.exe delete shadows
, vssadmin.exe resize shadowstorage ...
or the other blocked command lines are frequently or sporadically used for legitimate purposes in which case you should refrain from using Raccine.
delete
and shadows
in their command line and otherwise pass all parameters to a new process that invokes vssadmin with its original parametersexplorer.exe
from the whitelistwmic
method calling delete shadowcopy
, no outputs for whitelisted process starts (avoids problems with wmic output processing)delete shadowstorage
by @JohnLaTwC, code review by @_hillu, application icon bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
and bcdedit.exe /set {default} recoveryenabled no
powershell.exe
and win32_shadowcopy
or a list of encoded commandsC:\ProgramData\Raccine_log.txt
diskshadow.exe delete shadows
commandBoth the Visual C++ Redistributable package and the .NET Framework will be automatically installed running install-raccine.bat
.
Raccine.zip
from the Release sectionraccine-installer.bat
as administratorThe batch installer includes an "uninstall" option.
As Administrator do:
raccine-reg-patch-uninstall.reg
%ProgramFiles%\Raccine
and %ProgramData%\Raccine
foldersreg delete HKCU\Software\Raccine /F
taskkill /F /IM RaccineSettings.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
schtasks /DELETE /TN "Raccine Rules Updater" /F
We recommend an uninstall and reinstall to upgrade. An uninstall removes all registry keys with configurations.
Raccine has an integrated signature-updater since version 1.2. This program named RaccineRulesSync.exe
is configured to run once a day via scheduled task. You can run a signature update manually using the option in the tray icon menu.
Since version 1.0, Raccine additionally uses YARA rules to determine if a process command line or parent process is malicious or not. Raccine uses 2 sets of rules for two different purposes.
./yara
- rules that get applied to the command line with all parameters, e.g. WMIC.exe delete justatest
./yara/in-memory
- rules that get applied to process memory of the parent process of our intercepted process, e.g. ransomware.exe running our intercepted process vssadmin.exe Since version 1.1 we pass a list of external variables into the YARA matching process to allow for much more complex and clever YARA rules that take attributes of the process and its parent into account.
Variable | Description | Example Value |
---|---|---|
FromRaccine | true | |
Name | Image file name | WMIC.exe |
ExecutablePath | Full path to binary | C:\Windows\System32\wbem\WMIC.exe |
CommandLine | Full command line with parameters | WMIC.exe delete justatest |
Priority | Process priority | 32 |
ParentName | Parent image file name | cmd.exe |
ParentExecutablePath | Full path to parent executable | C:\Windows\System32\cmd.exe |
ParentCommandLine | Full parent command line with parameters | C:\WINDOWS\system32\cmd.exe |
ParentPriority | Parent process priority | 32 |
The matching process looks like this on the command line:
"C:\Program Files\Raccine\yara64.exe" -d FromRaccine="true" -d Name="WMIC.exe" -d ExecutablePath="C:\Windows\System32\wbem\WMIC.exe" -d CommandLine="WMIC.exe delete justatest" -d Priority=32 -d FromRaccine="true" -d ParentName="cmd.exe" -d ParentExecutablePath="C:\Windows\System32\cmd.exe" -d ParentCommandLine="'C:\WINDOWS\system32\cmd.exe' " -d ParentPriority=32 C:\ProgramData\Raccine\yarayara\mal_emotet.yar C:\ProgramData\Raccine\yara\Rac1C6A.tmp
The following listing shows an example YARA rule that makes use of the external variables in its condition.
rule env_vars_test {
condition:
Name contains "WMIC.exe"
and CommandLine contains "delete justatest"
and ParentPriority >= 8
and (
ParentCommandLine contains "cmd"
or ParentCommandLine contains "powershell"
)
}
The folder GPO
includes Raccine.ADMX
and Raccine.ADML
. In deployment the Raccine.ADMX
file goes in C:\Windows\PolicyDefinitions
. The accompanying Raccine.ADML
files goes in C:\Windows\PolicyDefinitions\en-US
.
To use: Open GPEDIT.MSC
> Computer Configuration > Administrative Templates > System > Raccine
After configuring the changes, you may need to bump gpo by running gpupdate.exe
.
A logfile with all interceptions and actions taken is written to C:\ProgramData\Raccine\Raccine_log.txt
An entry is generated by every blocking event in the Application
eventlog.
The IDs that Raccine generates
Since version 0.10.0, Raccine can be installed in "simulation mode", which activates all triggers, logs all actions but doesn't kill anything. This mode should be used in environments in which backup solutions or other legitimate software for a reasonable amount of time to check if Raccine would interfere with other software. The idea is to install Raccine in simulation mode, let it log for a week or month and then check the logs to see if it would have blocked legitimate software used in the organisation.
Run raccine.exe
and watch the parent process tree die (screenshot of v0.1)
Available and required since version 1.
In case that the Ransomware that your're currently handling uses a certain process name, e.g. taskdl.exe
, you could just change the .reg
patch to intercept calls to that name and let Raccine kill all parent processes of the invoking process tree.
I'd like to extend Raccine but lack the C++ coding skills, especially on the Windows platform.
If anything happens to your installation, e.g. sudden error messages, broken services or programs that won't start anymore, run the file raccine-reg-patch-uninstall.reg
in the reg-patches
sub folder. This should bring everything back to normal.
After that your should also be able to run a full uninstallation using install-raccine.bat
.
The right pronounciation is "Rax-Een".