MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

As the prevalence of ransomware attacks increases, built-in recovery features of operating systems such as Windows Restore Point and Volume Shadow Copy Service become essential tools for restoring encrypted data. Thanks to these recovery systems, some organizations avoided the negative impact of ransomware attacks with little to no damage to their operations. 

As a result, ransomware threat actors embraced new techniques that delete or damage recovery systems to extort organizations by eliminating their built-in ways of recovery. 

In our previous two ransomware blogs, we discussed the recent ransomware trends and the most used ransomware technique, T1486 Data Encrypted for Impact. In this blog post, we explained the Inhibit System Recovery technique that is used by adversaries to disrupt recovery systems. You can also read the Red Report to learn more about most prevalent attack techniques by adversaries.

The Red Report - Top Ten MITRE ATT&CK Techniques

MITRE ATT&CK T1490 Inhibit System Recovery Technique

The MITRE ATT&CK Framework’s T1490 Inhibit System Recovery technique is deleting or removing built-in operating system recovery data and turning off recovery features used to fix a corrupted system. Ransomware threat actors use this technique to force the victim into paying the ransom. Inhibiting system recovery is not the ultimate goal of ransomware attacks; however, this technique dramatically improves the impact of the attack.

Adversaries use the following methods to prevent system recovery:

1. Deleting volume shadow copies

2. Resizing volume shadow copy storage space 

3. Disabling automatic Windows Recovery features

4. Removing backup catalog and backup data
 

1. Deleting Volume Shadow Copies

1.1 Volume Shadow Copy Service Admin (vssadmin)

Volume Shadow Copy Service (VSS) is a Windows service that creates shadow copies of files in the system. Ransomware threat actors use several built-in Windows tools to delete volume shadow copies. The first tool used is vssadmin. vssadmin is a Windows command-line utility that can display, manage, and delete volume shadow copies in the system. Ransomware group REvil ( also known as Sodinokibi) is known to abuse this feature with the following command:

vssadmin.exe delete shadows /all /quiet

1.2 Windows Management Instrumentation Command (WMIC)

Another common method to delete volume shadow copies is utilizing wmic. wmic is a command-line utility used to access Windows Management Instrumentation, the infrastructure for management data and operations on Windows-based operating systems. Administrative tasks can be automated using WMI scripts and applications. The example wmic command below is used by ransomware group Nefilim to delete shadow copies.

wmic shadowcopy delete /nointeractive

1.3 PowerShell

PowerShell’s Get-WmiObject commandlet can access WMI and run WMI’s Win32_ShadowCopy class to delete volume shadow copies. For example, the NetWalker ransomware uses the PowerShell command below to inhibit system recovery.

Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

2. Resizing Volume Shadow Copy Storage Space

Although deleting volume shadow copies is the obvious way to inhibit system recovery, a more subtle method exists as an alternative. Adversaries hinder shadow copies by resizing the maximum amount of storage space for the volume shadow copies.

In this method, ransomware decreases the allocated storage for snapshots of volume shadow copies. Then, when the existing snapshots exceed the size of allocated storage, the operating system deletes those snapshots and effectively hinders the recovery capabilities of the victim. Vssadmin is capable of resizing shadow copy storage, and the minimum allowed size is 320 MB. For example, Hakbit ransomware decreases allocated space for shadow copies to 401 MB to trigger deleting shadow copies:

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

Volume Shadow Copy Service (VSS) relies on the device driver that waits for control codes, and this opens up another method for resizing volume shadow copy storage by directly accessing the device driver using the Device IO Control calls. 

DeviceIoControl() function

  • IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE control call
  • The control code: 0x53c028
    • Device type: 0x53
    • Function code: 0xa
    • Method: 0x0 METHOD_BUFFERED
    • Access rights: Read and Write

3. Disabling Automatic Windows Recovery Features

In Windows, Boot Configuration Data (BCD) stores data that describes boot applications and boot application settings. Boot Configuration Data Editor (bcdedit) is a command-line tool that can manage BCD, create new stores, modify existing ones and add boot menu parameters. 

bcdedit can be used to disable automatic Windows recovery features, as utilized by ransomware groups such as Ranzy Locker, REvil, and Nefilim use bcdedit

  • The command below sets the “recoveryenabled” boot setting as “No” to disable Startup Repair from automatically booting when there is a problem.

bcdedit /set {default} recoveryenabled No

  • The following command sets the “boot status policy” boot setting as “ignore all failures”, which means Windows will ignore errors if there is a failed boot, failed shutdown, or failed checkpoint. The computer will attempt to boot normally after an error occurs.

bcdedit /set {default} bootstatuspolicy ignoreallfailures

4. Removing Backup Catalog and Backup Data

Windows Backup Admin or wbadmin is a built-in Windows tool that allows you to backup and restore your operating system, volumes, files, folders, and programs. Ransomware groups abuse the capabilities of wbadmin in different ways to remove backup data. 

  • Ranzy Locker ransomware uses the first command below to delete system state backups. 
  • Nefilim uses the second command below to delete the backup catalog. Although backup data itself remains intact, the recovery system cannot access the backup since the backup catalog is deleted.

wbadmin DELETE SYSTEMSTATEBACKUP

wbadmin delete catalog -quiet

Open Online Ransomware Attacks and Defense Course

Our Purple Academy has a new learning path about Ransomware attacks and defense. Check out Purple Academy’s free course on Ransomware Attacks: Basics, TTPs, and Countermeasures Course to learn more about ransomware attacks.

Ransomware Attacks: Basics, TTPs, and Countermeasures Course