adimas - Fotolia

Raccine: A ransomware 'vaccine' with a few catches

Raccine, an open source 'vaccine,' prevents ransomware threat actors from using a Windows utility to delete shadow copies of a system's data, but there are a few drawbacks.

There's yet another antiransomware tool in the world, and this time it's a "vaccine."

A ransomware vaccine, dubbed "Raccine," was released as an open source tool by Nextron Systems CTO Florian Roth on Saturday. Raccine prevents ransomware from abusing vssadmin.exe, a Windows utility that manages shadow copies of a Windows system's data. Threat actors take advantage of vssadmin.exe to delete shadow volumes in Windows so that ransomware victims can't restore their data from local backups.

"We see ransomware delete all shadow copies using vssadmin pretty often," Roth wrote in the GitHub post for Raccine. "What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine."

While administrators can disable vssadmin.exe or require permissions to access it, many ransomware variants are designed to abuse the utility. Raccine was designed to automatically intercept any requests for vssadmin.exe and review the command lines for any potentially malicious processes, such as "vssadmin.exe delete shadows." If those commands are detected, Raccine automatically kills the process.

However, while Raccine is built with stopping ransomware in mind, it comes with a few catches. For one, organizations can't use the "vssadmin.exe delete shadows" legitimately. More importantly, it can interfere with backups.

"You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until your (sic) apply the uninstall patch raccine-reg-patch-uninstall.reg," Roth wrote on GitHub. "This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree including the backup solution and its invoking process."

Raccine ransomware vaccine
Raccine intercepts various processes for vssadmin.exe and kills any suspicious commands that are commonly abused by ransomware.

In the days since its release, it has been updated on GitHub from version 0.1.0 to 0.5.1. Throughout the development process, Roth recruited people to help with various tasks, and several infosec professionals, including Ollie Whitehouse, group CTO at NCC Group, and John Lambert, general manager at Microsoft Threat Intelligence Center, volunteered.

"I saw on Twitter he was asking for C/C++ programmers to help. It was a rainy weekend during lockdown, and it was a worthwhile cause, so I turned around his first request for features in about an hour," Whitehouse told SearchSecurity.

The concept of ransomware vaccines is at least several years old; in 2016, Lexsi, a threat intelligence firm, and antimalware vendor Bitdefender, released tools designed to inoculate organizations from specific variants of ransomware. But even as more products and services come to market, the problem of ransomware is only getting worse. Whitehouse calls Raccine "one small step" in the fight against ransomware.

"As with all things in cyber, it is a continual arms race between attack and defense. Ransomware authors will adapt, but the trick is for defense to make their operating environments as expensive and as hostile as possible. This is one small step in that endeavor," Whitehouse said.

Roth was unavailable for comment.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing