A Ransomware 'Vaccine' - Showing Some Promise

A ransomware vaccine called "Raccine" was released as an open source tool by Nextron Systems on 3 October 2020. Raccine intercepts invocations of vssadmin.exe, the Windows utility that manages Volume Shadow Copies of a system's data. Ransomware routinely runs vssadmin.exe to delete those shadow copies so that victims cannot restore their files from local snapshots.

"We see ransomware delete all shadow copies using vssadmin pretty often," reads the README in Raccine's GitHub repository. "What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine."

While administrators can restrict who may run vssadmin.exe, many ransomware families are written to abuse the utility because it is present on every Windows system. Raccine hooks every launch of vssadmin.exe by registering itself as that binary's debugger under Image File Execution Options (the reason removal needs a separate registry patch), reads the command line it was launched with, and compares it against patterns ransomware is known to use, such as "vssadmin.exe delete shadows". If a pattern matches, Raccine kills the invoking process and its parent tree instead of letting the deletion run.

While Raccine was built with stopping ransomware in mind, it comes with a few catches. For one, organizations can no longer run "vssadmin.exe delete shadows" legitimately, because Raccine blocks the command regardless of who launched it. More importantly, it can interfere with backups.

"You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg," Nextron wrote on GitHub. "This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree including the backup solution and its invoking process."

Nextron also encourages administrators to check their logs for how often vssadmin.exe is legitimately invoked to delete or resize shadow storage, and to refrain from deploying the vaccine on machines where that happens routinely. In short, Raccine intercepts every invocation of vssadmin.exe and kills the ones whose command lines match the forms ransomware commonly abuses.
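The interception decision described above and the log review Nextron recommends, as an added Python example that is not Raccine's own code (Raccine is a native Windows program): it applies a Raccine-style check to each process-creation record in a constructed sample log and reports which invocations would have been killed, grouped by parent image, so that a backup agent that legitimately deletes or resizes shadow storage shows up before the vaccine is deployed. The log format, the sample records, the "ExampleBackup" agent, the helper names and the "resize shadowstorage" pattern are assumptions of this example; the article itself names only "delete shadows".

```python
import re
from collections import Counter
from typing import Dict, List

# Command-line patterns a Raccine-style hook treats as hostile once the launched
# image is vssadmin.exe. "delete shadows" is the case the article names;
# "resize shadowstorage" is an ASSUMPTION added here to cover the "modification
# of shadow storage" the article tells administrators to look for in their logs.
SUSPICIOUS_VSSADMIN = (
    re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bresize\s+shadowstorage\b", re.IGNORECASE),
)


def is_vssadmin(image: str) -> bool:
    """True when the launched image is vssadmin.exe, whatever its path or case."""
    return image.strip('"').lower().rsplit("\\", 1)[-1] == "vssadmin.exe"


def would_raccine_kill(image: str, cmdline: str) -> bool:
    """Raccine-style decision: only vssadmin.exe is hooked, then the command
    line is matched. A hostile string inside another binary's command line
    (e.g. cmd.exe) is deliberately NOT flagged, because Raccine never sees it."""
    if not is_vssadmin(image):
        return False
    return any(p.search(cmdline) for p in SUSPICIOUS_VSSADMIN)


# Constructed sample of process-creation records (fields loosely modelled on
# Windows event 4688 / Sysmon event 1). Not real telemetry; the backup agent
# path is invented for the example.
SAMPLE_LOG = r"""
UtcTime: 2020-10-05 02:14:07 | ParentImage: C:\Windows\System32\cmd.exe | Image: C:\Windows\System32\vssadmin.exe | CommandLine: vssadmin.exe Delete Shadows /All /Quiet
UtcTime: 2020-10-05 03:00:02 | ParentImage: C:\Program Files\ExampleBackup\agent.exe | Image: C:\Windows\System32\vssadmin.exe | CommandLine: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%
UtcTime: 2020-10-05 09:41:33 | ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Image: C:\Windows\System32\vssadmin.exe | CommandLine: vssadmin list shadows
UtcTime: 2020-10-05 09:42:10 | ParentImage: C:\Windows\explorer.exe | Image: C:\Windows\System32\cmd.exe | CommandLine: cmd.exe /c echo delete shadows
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split 'Key: value | Key: value' records into dicts; blank lines are skipped.
    Only the first ': ' in each field separates key from value, so drive letters
    and switches such as /for=C: inside the command line survive intact."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def triage(text: str) -> Dict[str, object]:
    """Replay a log through the Raccine decision and summarise what it would kill.
    'by_parent' counts killed invocations per parent image: a backup agent
    appearing there means deploying Raccine would break that backup job."""
    records = parse_log(text)
    killed = [r for r in records if would_raccine_kill(r["Image"], r["CommandLine"])]
    by_parent = Counter(r["ParentImage"].rsplit("\\", 1)[-1].lower() for r in killed)
    return {
        "vssadmin_invocations": sum(is_vssadmin(r["Image"]) for r in records),
        "would_kill": len(killed),
        "by_parent": dict(by_parent),
        "killed_cmdlines": [r["CommandLine"] for r in killed],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"vssadmin.exe launches in log : {summary['vssadmin_invocations']}")
    print(f"would be killed by Raccine   : {summary['would_kill']}")
    for parent, n in summary["by_parent"].items():
        print(f"  {n} from parent {parent}")
    for cmd in summary["killed_cmdlines"]:
        print(f"  blocked: {cmd}")
```

Run as-is and the summary shows two of the three vssadmin.exe launches would be killed, one of them from the backup agent: exactly the false positive Nextron warns about. The `cmd.exe /c echo delete shadows` record is not flagged, which is the correct reflection of Raccine's scope: it hooks vssadmin.exe, not every process whose command line happens to contain the string. To use it on real data, export process-creation events with parent image, image and command line and adapt `parse_log` to that field layout.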

In the days since its release, Raccine has been updated on GitHub from version 0.1.0 to 0.5.1. Throughout development, Nextron publicly asked for help with various tasks, and several infosec professionals contributed, including researchers from NCC Group and the Microsoft Threat Intelligence Center.

"I saw on Twitter he (Nextron) was asking for C/C++ programmers to help. It was a rainy weekend during lockdown, and it was a worthwhile cause, so I turned around his first request for features in about an hour," NCC told SearchSecurity.

The concept of a ransomware vaccine has been around for several years. In 2016, the threat intelligence firm Lexsi and the antimalware vendor Bitdefender released tools designed to inoculate organizations against specific ransomware variants. But even as more products and services come to market, the ransomware problem only gets worse. NCC calls Raccine "one small step" in the fight against it.

"As with all things in cyber, it is a continual arms race between attack and defense. Ransomware authors will adapt, but the trick is for defense to make their operating environments as expensive and as hostile as possible. This is one small step in that endeavor," NCC said.

The installation, updating and monitoring of firewalls and vaccines, cyber security and proper employee training are keys to blocking attacks such as ransomware. Red Sky Alliance offers tools and services to help proactively identify ransomware-type cyber-attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.[1]

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company wide.
  • Join and become active in your local Infragard chapter; there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.

Articles about the cyber threat groups mentioned in this report can be found at https://redskyalliance.org. There is no charge for access to these reports.

Our services can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on 'external' threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com    

 TR-20-282-001_ARansomware.pdf


[1] https://searchsecurity.techtarget.com/news/252490230/Raccine-A-ransomware-vaccine-with-a-few-catches
