Author: Florian Roth
Date: 11/11/2020 03:23 PM
Size: 3.13 MB
License: Open Source
Downloads: 1391 times
Raccine is meant as a simple portable ransomware vaccine intended to protect against attacks that target shadow copies for deletion via vssadmin.exe.
Ransomware will often delete all shadow copies using vssadmin; Raccine intercepts that request and kills the invoking process. Raccine is a binary that first collects all PIDs of the parent processes and then attempts to kill all parent processes.
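The parent-PID collection step described above, as an added sketch in C that is not Raccine's own code. It walks a constructed process table instead of a live Windows snapshot; the table contents and the names `collect_ancestors`, `find_proc` and `SNAPSHOT` are assumptions made for illustration. It shows two cases a walker has to survive: a parent that has already exited, and a parent-PID loop left behind by PID reuse.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed snapshot rows: pid, parent pid, image name (all values made up). */
struct proc { unsigned pid, ppid; const char *name; };

static const struct proc SNAPSHOT[] = {
    {   4,    0, "System"       },
    { 600,    4, "services.exe" },
    {2100,  600, "sample.exe"   },  /* hypothetical invoking program */
    {2200, 2100, "cmd.exe"      },
    {2300, 2200, "vssadmin.exe" },
    {3000, 3100, "a.exe"        },  /* 3000 <-> 3100: stale ppid loop after PID reuse */
    {3100, 3000, "b.exe"        },
    {3200, 3000, "vssadmin.exe" },
};
#define SNAPSHOT_LEN (sizeof SNAPSHOT / sizeof SNAPSHOT[0])

static const struct proc *find_proc(const struct proc *t, size_t n, unsigned pid)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].pid == pid) return &t[i];
    return NULL;
}

/* Store the ancestors of start_pid (nearest first) in out; return how many. */
size_t collect_ancestors(const struct proc *t, size_t n, unsigned start_pid,
                         unsigned *out, size_t cap)
{
    size_t count = 0;
    const struct proc *p = find_proc(t, n, start_pid);

    while (p && p->ppid != 0 && count < cap) {
        unsigned parent = p->ppid;
        int seen = (parent == start_pid);
        for (size_t i = 0; i < count && !seen; i++)
            seen = (out[i] == parent);
        if (seen) break;                 /* loop in the table: stop, do not spin */
        p = find_proc(t, n, parent);
        if (!p) break;                   /* parent already exited: chain ends here */
        out[count++] = parent;
    }
    return count;
}

int main(void)
{
    unsigned chain[8];
    size_t n = collect_ancestors(SNAPSHOT, SNAPSHOT_LEN, 2300, chain, 8);
    for (size_t i = 0; i < n; i++)
        printf("ancestor %zu: pid %u (%s)\n", i, chain[i],
               find_proc(SNAPSHOT, SNAPSHOT_LEN, chain[i])->name);
    return 0;
}
```

The sketch only collects the chain; which of those ancestors may safely be terminated is a separate decision that it does not make.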
Raccine has several advantages: the method is generic; no system file (vssadmin.exe or wmic.exe) is replaced, which could lead to integrity problems and could break the “raccination” on each patch day; the changes are easy to undo; and no running executable or additional service is required (agent-less).
You have two different installation options:
Using the installer:
- Download Raccine.zip from the Release section
- Extract it
- Run raccine-installer.bat
Manual:
- Apply Registry Patch raccine-reg-patch-vssadmin.reg to intercept invocations of vssadmin.exe
- Place Raccine.exe from the release section in the PATH, e.g. into C:\Windows
(For i386 architecture systems, use Raccine_x86.exe and rename it to Raccine.exe)