download Raccine 0.8.0

Author: Florian Roth
Date: 10/17/2020 10:05 AM
Size: 279 KB
License: Open Source
Requires: 10|8|7
Downloads: 604 times

Raccine is meant as a simple portable ransomware vaccine intended to protect against attacks that target shadow copies for deletion via vssadmin.exe.

Ransomware will often delete all shadow copies using vssadmin; Raccine intercepts that request and kills the invoking process. Raccine is a binary that first collects the PIDs of all parent processes and then attempts to kill all of those parent processes.

Raccine has several advantages: the method is generic; no system file (vssadmin.exe or wmic.exe) is replaced, which could lead to integrity problems and could break the “raccination” on each patch day; the changes are easy to undo; and, finally, no running executable or additional service is required (agent-less).

You have two different installation options:

Option 1:
1. Download from the Release section
2. Extract it
3. Run raccine-installer.bat

Option 2:
1. Apply Registry Patch raccine-reg-patch-vssadmin.reg to intercept invocations of vssadmin.exe
2. Place Raccine.exe from the release section in the PATH, e.g. into C:\Windows
(For i386 architecture systems, use Raccine_x86.exe and rename it to Raccine.exe)

It is important to note that on a raccinated machine you will be unable to run any command that uses the blacklisted commands until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command. Raccine does not only block the request; it kills all processes in that tree, including the backup solution and its invoking process.

If you have solid security monitoring that logs all process executions, you could check your logs to see if vssadmin.exe delete shadows or vssadmin.exe resize shadowstorage … is frequently or sporadically used for legitimate purposes, in which case you should refrain from using Raccine.
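The log check described above could look like the following sketch, which is an added example and not part of Raccine. It assumes process-creation events have been exported as records with `parent` and `cmdline` fields (assumed names); the sample records and the ExampleBackup path are constructed.

```python
import re
from collections import Counter

# Matches a process whose executable is vssadmin and whose arguments start with
# one of the two subcommands named in the text above.
VSS_CALL = re.compile(
    r'^\s*(?:"[^"]*[\\/]|[^\s"]*[\\/]|")?vssadmin(?:\.exe)?"?\s+'
    r'(delete\s+shadows|resize\s+shadowstorage)\b',
    re.IGNORECASE,
)

# Constructed sample records; the field names are assumptions about the export.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\ExampleBackup\agent.exe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /For=D: /Oldest /Quiet"},
    {"parent": r"C:\Program Files\ExampleBackup\agent.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=10%'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},  # read-only query, not matched
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\notes\vssadmin delete shadows.txt"},  # not vssadmin
]


def audit(events):
    """Count matching invocations per (parent image, subcommand)."""
    hits = Counter()
    for ev in events:
        m = VSS_CALL.search(ev.get("cmdline", ""))
        if m:
            sub = " ".join(m.group(1).lower().split())
            hits[(ev.get("parent", "unknown").lower(), sub)] += 1
    return hits


def affected_parents(events):
    """Parent images that issued a matching command in the logged period."""
    return sorted({parent for parent, _ in audit(events)})


if __name__ == "__main__":
    for (parent, sub), n in sorted(audit(SAMPLE_EVENTS).items()):
        print(f"{n:4d}  vssadmin {sub:<22} <- {parent}")
    if affected_parents(SAMPLE_EVENTS):
        print("Matching invocations found: review these parents before deploying Raccine.")
```

Every parent image this reports is a process that Raccine would kill along with the rest of its tree, so each one needs to be reviewed before raccinating the machine.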
