Author: Florian Roth
Date: 11/02/2020 03:00 PM
Size: 2.44 MB
License: Open Source
Downloads: 1191 times
Raccine is a simple, portable ransomware vaccine that protects against attacks which delete shadow copies via vssadmin.exe.
Ransomware will often delete all shadow copies using vssadmin; Raccine intercepts that request and kills the invoking process. Raccine is a binary that first collects the PIDs of all parent processes of the intercepted invocation and then attempts to kill each of those parent processes.
Raccine has several advantages: the method is generic; no system file (vssadmin.exe or wmic.exe) is replaced, which could otherwise cause integrity problems and break the "raccination" on each patch day; the changes are easy to undo; and no running executable or additional service is required (agent-less).
You have two different installation options:

Automatic:
- Download Raccine.zip from the Release section
- Extract it
- Run raccine-installer.bat

Manual:
- Apply the registry patch raccine-reg-patch-vssadmin.reg to intercept invocations of vssadmin.exe
- Place Raccine.exe from the release section in the PATH, e.g. into C:\Windows
  (For i386 architecture systems, use Raccine_x86.exe and rename it to Raccine.exe)

It is important to note that you will be unable to run the blacklisted commands on a raccinated machine until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command. Raccine will not only block that request, it kills all processes in that tree, including the backup solution and its invoking process.
If you have solid security monitoring that logs all process executions, you could check your logs to see if vssadmin.exe delete shadows or vssadmin.exe resize shadowstorage … are frequently or sporadically used for legitimate purposes, in which case you should refrain from using Raccine.
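The pre-deployment check described above, as an added example that is not part of Raccine itself: it scans process-creation events for the two command lines Raccine intercepts and counts them per parent image, so a backup agent that legitimately runs them stands out. The Sysmon-style field names (Image, CommandLine, ParentImage) and the sample events are assumptions constructed for this example.

```python
import re
from collections import Counter

# Command lines Raccine intercepts on a raccinated machine (from the page:
# "vssadmin.exe delete shadows" and "vssadmin.exe resize shadowstorage").
VSS_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.IGNORECASE),
]

# Field extractors for one "key=value" process-creation line (assumed Sysmon
# Event ID 1 naming). CommandLine is quoted; ParentImage is the last field
# and may contain spaces.
CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')
PARENT_RE = re.compile(r"ParentImage=(.+?)\s*$")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = """\
UtcTime=2020-11-02 14:01:10 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\\Users\\Public\\update.exe
UtcTime=2020-11-02 14:05:42 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe
UtcTime=2020-11-02 23:00:01 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%" ParentImage=C:\\Program Files\\BackupSuite\\bkagent.exe
UtcTime=2020-11-03 23:00:01 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%" ParentImage=C:\\Program Files\\BackupSuite\\bkagent.exe
"""


def find_vss_tampering(log_text):
    """Return (command_line, parent_image) for every event Raccine would kill."""
    hits = []
    for line in log_text.splitlines():
        cmd = CMDLINE_RE.search(line)
        parent = PARENT_RE.search(line)
        if not cmd or not parent:
            continue  # malformed or unrelated line
        if any(p.search(cmd.group(1)) for p in VSS_TAMPER_PATTERNS):
            hits.append((cmd.group(1), parent.group(1)))
    return hits


def parents_by_frequency(log_text):
    """Count intercepted invocations per parent image. A parent that appears
    repeatedly (e.g. a scheduled backup agent) is the signal to hold off on
    Raccine, since it would kill that whole process tree."""
    return Counter(parent for _, parent in find_vss_tampering(log_text))


if __name__ == "__main__":
    for parent, count in parents_by_frequency(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {parent}")
```

Run it over an export of your real process-creation logs instead of SAMPLE_EVENTS; "list shadows" is deliberately not matched, since Raccine only targets the delete and resize forms.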