CryptoPrevent, Ransomware Threat Mitigation, and VSSAdmin.exe
As many CryptoPrevent users may be aware, “vssadmin.exe” is a setting automatically enabled with the “default” protection plan, which blocks any usage of this file. This setting prevents launch of the vssadmin.exe file via SRP (aka Software Restriction Policies), a built-in Windows mechanism for controlling what is and is not allowed to run on a PC. SRP is only configurable with native Windows tools on the server/workstation versions of the operating system, not on the “Home” editions found on most consumer PCs.
We often get asked the question: “How important is it to block vssadmin.exe?”
Naturally, being a built-in part of every modern Windows version, one might imagine it is used by something, somewhere, at some point in time. Indeed it is, and before we get to the details on why you should block it, it would be helpful to know what purpose this file actually serves, and where it is most likely used.
What is vssadmin.exe?
The vssadmin.exe file is a command-line tool made available to interface with the “Volume Shadow Copy Service” (aka VSS; yes I know there is a ‘C’ in there…)
To break it down, it’s easy to think of “vssadmin.exe” as the “admin” (aka administrator tool) for the “vss” (see above), with the “.exe” file extension denoting that this is an executable file (in short, a program file which is used to start or operate part or all of a software application, aka “app”.)
Also for the uninitiated, a “volume” in this context isn’t a single book in a set of old encyclopedias, but rather a partitioned area of a physical disk (or a combined set of disks) on which data is stored. A volume is often referred to as a “drive” and less often a “partition,” but the important take-away is that your documents and pictures, installed programs’ files, Windows operating system files, etc. are stored and accessed on a volume.
Whew. Moving on…
Well then, what exactly is the VSS?
This is a system by which “real-time” backups can be performed on files that are currently “in-use” on a system. To avoid over-simplifying this, we have plenty of links in this article. Take a look at this snippet from the MSDN article: About the Volume Shadow Copy Service
The Volume Shadow Copy Service (VSS) captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide.
The VSS solution is designed to enable developers to create services (writers) that can be effectively backed up by any vendor’s backup application using VSS (requesters).
What that really means is that this tool (vssadmin.exe) is not used by Windows itself, which controls its own VSS functionality via an underlying API (aka Application Programming Interface); therefore Windows doesn’t actually need the file at all. Incidentally, this API is also exposed by Windows to other 3rd party applications, and FYI the documentation is made available in the Volume Shadow Copy API Reference, also on MSDN.
So then, what is vssadmin.exe used for? (Legitimately)
For more complete information and technical stuff, see the MSDN articles above for more links, and a good place to start is The VSS Model also on MSDN, but here we will list two primary real-world examples:
First: System administrators and some “power users” may use vssadmin.exe in “batch” scripts, or directly called from Windows Task Scheduler to run on a predetermined schedule, where it performs backup and manipulation of VSS and the “snapshots” that it creates. You’ll most often see this on Windows Servers, but some will set this up on workstations as well. If you have to ask the “IT guy” then most likely it is in use on a server and/or somewhere on the network, if not your workstation (aka PC) itself. If you don’t have a “system administrator” of any sort, then most likely you are well aware if you are using it in this way because you would have set this up.
Second: Backup applications. NOT every backup solution does this, and we’re not certain why some companies refuse to use the API, but many do rely instead on the external vssadmin.exe file provided for users in scripting. It does take a lot of extra time to code the functionality that this tool provides with a few simple commands, so we fully expect smaller/niche developers to use these tools (as you’ll see below) because it makes the most sense. This is often magnified because they also tend to rely on the Windows Task Scheduler to set and execute a backup schedule, which also has command-line tools that are far easier to use than its API.
So to summarize vssadmin.exe usage for any reason, it’s really just a shortcut for a much more complicated process.
You might think “why not just copy the file?” This is possible when applications load their data files into “memory,” leaving the file itself (on “disk,” aka volume) available to manipulation by other applications; however, others may lock the file for direct access on the disk (this is almost guaranteed with large data files, but can apply to any files of certain types.) In fact, VSS is far more powerful than any direct file copy, and in practical examples it can back up files (or rather, piece together the unchanged and last changed bits from that file) which otherwise would cause a backup (or copy) operation to fail. For example, the Windows Registry hives are normally “locked” from manipulation while in-use (which is always) and any attempt to back up or copy them should fail; however, in fact our own d7x PC technician software uses VSS for backing up the registry, as does the “Registry Hive Backup” option in the newly released CryptoPrevent v9. There are a number of caveats to whether VSS even works for certain files, but that’s another topic entirely.
How do I know if my backup software still relies on vssadmin.exe?
Sorry, we do not provide a current listing of those backup applications using vssadmin.
Your best bet is to contact support for your backup software vendor, but you could also search their particular support forums for the word “vssadmin” itself (chances are you’ll find a post or two involving this), but DO NOT assume your software uses vssadmin just because you see an article referencing a “fix” which involves manually using a vssadmin command to delete all shadow copies, as even the malware would do (this is actually a common fix for VSS errors which prevent backup applications from backing up in-use files.)
Additionally, and perhaps as a good first check, simply open the Windows Task Scheduler and look for any task referencing “vssadmin” (hint: use the “Actions” tab of each task to see the commands it runs). If you don’t find it or aren’t sure how to do this, just contact your backup software vendor or, even better, have your IT staff do this where applicable.
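The Task Scheduler check described above can also be scripted against tasks exported from Task Scheduler (or with “schtasks /query /xml”). This is an added example, not code from the original article or from CryptoPrevent: it parses the task XML, flags any task that runs vssadmin directly or names it in its arguments, and marks tasks that run a batch or script file as needing manual review, because a vssadmin call may be hidden inside that file. The task names, paths and commands in the samples are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# File types whose contents cannot be judged from the task alone.
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs")

def task_actions(task_xml):
    """Yield (command, arguments) for every Exec action in one task's XML."""
    root = ET.fromstring(task_xml)
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield cmd.strip(), args.strip()

def review_task(task_xml):
    """'vssadmin' if an action runs vssadmin or passes it as an argument,
    'script' if an action runs a batch/PowerShell/VBScript file that has to be
    opened and read by hand, otherwise 'clean'."""
    verdict = "clean"
    for cmd, args in task_actions(task_xml):
        if "vssadmin" in f"{cmd} {args}".lower():
            return "vssadmin"  # definite hit
        tokens = [cmd.lower()] + args.lower().split()
        if any(tok.strip('"').endswith(SCRIPT_EXTS) for tok in tokens):
            verdict = "script"  # vssadmin could be inside the script file
    return verdict

# Constructed sample exports (hypothetical tasks, not from any real product).
TASK_TEMPLATE = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\{name}</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec>
  </Actions>
</Task>"""
SAMPLE_TASKS = [
    TASK_TEMPLATE.format(name="NightlySnapshot",
                         cmd=r"C:\Windows\System32\vssadmin.exe",
                         args="Create Shadow /For=C:"),
    TASK_TEMPLATE.format(name="BackupJob", cmd="cmd.exe",
                         args=r'/c "C:\Backup\nightly.bat"'),
    TASK_TEMPLATE.format(name="Defrag", cmd=r"C:\Windows\System32\defrag.exe",
                         args="C: /O"),
]

def review_all(task_xmls=SAMPLE_TASKS):
    """Map each task's URI (its name in Task Scheduler) to its verdict."""
    result = {}
    for xml in task_xmls:
        name = ET.fromstring(xml).findtext(".//t:RegistrationInfo/t:URI",
                                           default="?", namespaces=TASK_NS)
        result[name] = review_task(xml)
    return result
```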
I can only say from personal experience that CrashPlan and CrashPlan Pro do not use vssadmin, instead opting for the long and proper route, therefore you should be safe to disable vssadmin (as long as other products you may have aren’t using it, of course.) While we love and have often recommended them in the past, unfortunately for new users they have moved to supporting only businesses through more expensive plans (I can’t even find pricing on their site currently, you fill out the contact form) and we’re not fans of their recommended switch-to product, a topic we’ll stay out of, but there’s plenty of others willing to tackle that one.
How is vssadmin.exe used maliciously?
Almost all ransomware will use vssadmin.exe to delete “shadow copies” of your files, which you probably didn’t even know you had, before encrypting the files you do know about. This ensures that you’ll want to pay up to decrypt your valuable files when they can’t be decrypted, nor can they be retrieved from VSS using an application like ShadowExplorer.
Quite simply, after infecting your system and usually before encrypting any data, ransomware will execute this command:
vssadmin.exe Delete Shadows /All /Quiet
In fact, you could even execute this yourself from an administrative command prompt.
Some readers might even remember the article over at BleepingComputer.com “Why Everyone Should disable VSSAdmin.exe Now!” although the depth of the article doesn’t really cover the scope of the situation at all, and is more about actually renaming the vssadmin.exe file than providing justification (but you can find other good articles both there and in many other places about this.) I should note that at one point we considered this idea for CryptoPrevent rather than blocking it; in fact the 4th comment is my own “good idea” post, but since putting some thought into it, we disagree with this idea altogether for a number of reasons that would make this article much longer, aside from ransomware using the additional tactics discussed further below.
Is it important to block vssadmin.exe with CryptoPrevent?
If you aren’t using it for any other reason, then it’s extremely important to disable it!
Disabling vssadmin.exe with CryptoPrevent (a setting available in even the earliest editions) prevents ransomware from using vssadmin.exe, should it infect the system. This is a great “fail-safe” that keeps data recovery possible if you are infected. In practice, this has actually worked very well, and we hear the stories from many happy CryptoPrevent users for whom this second line of defense has worked out.
In fact, we’ve posted about this very thing before in our article “CryptoPrevent, ShadowExplorer, and VSSADMIN” where we explain how they work together so that in the event of a ransomware attack getting past CryptoPrevent or your other defenses, you (or a qualified technician) will have a good chance of recovering files yourself with Shadow Explorer or similar (of course, this is after first disinfecting your system, then disabling the vssadmin.exe setting temporarily in CryptoPrevent.)
It still works to this day, largely because it seems as if the ransomware authors don’t bother with the extra work involved in using the provided APIs; only recently have they begun experimenting with other methodologies in the latest ransomware threats, which we discuss below. The thing to remember is that not every ransomware infection you may be at risk of is the newest or latest thing out there, and there are situations where you can in fact become infected by last year’s best quite easily (or the one before it, or the one before that.)
In fact, you can also be “infected” by just about anyone with a few hundred dollars and the right search skills, as Brian Krebs writes on his security blog in “Ransomware for Dummies: Anyone Can Do It” although this represents another fine example of cheap and unsophisticated attacks that will use older tactics (including vssadmin.exe) rather than newer “cutting edge” attack strategies.
So what ransomware uses vssadmin? Just about all of it (at some point in its evolution it is added if it wasn’t there to begin with), but this list is a great start:
TeslaCrypt / AlphaCrypt https://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information
and WCry (also known as WanaCry/WannaCry, WanaCrypt/WannaCrypt, and Wana Decrypt0r/Wanna Decrypt0r) https://www.foolishit.com/2017/05/cryptoprevent-vs-wannacry-wannacryptorwcry-wcry-ransomware/
… we could probably go on, but there’s more to cover in the next section.
What else can ransomware use to accomplish the same task?
While it seems that even the newest ransomware will use vssadmin.exe, we are also beginning to see redundant methods in use, including scripting languages such as “powershell” or even the older “visual basic script” interpreters.
These are actually executing WMI code to accomplish the same task without running vssadmin.exe (there are quite a few ways to skin this cat when you apply some imagination) however it does seem that currently none are using the API to directly manipulate VSS. For an example of WMI usage through powershell, see “PowerShell Script to delete shadow copies over 30 days old” in the Script Center on Microsoft’s TechNet.
You can also use WMIC (a command line interface for WMI) and given the broad usage of this tool, disabling it would possibly create more issues than simply disabling vssadmin. I believe this command is actually used by some newer ransomware:
WMIC shadowcopy delete /nointeractive
The option to disable the Windows Scripting Host in CryptoPrevent (also available from early CryptoPrevent releases) will stop much of the scripting-based attacks, with the exception of PowerShell-based and WMIC exploits. We’ve examined (and are considering implementing) some newer ideas to stop this code from executing via PowerShell and WMIC; however, the challenge is not to disable these entirely due to widespread usage, although you COULD easily block these tools with CryptoPrevent by using a custom blacklist policy, if you were certain legitimate software didn’t use either of them.
But guess what? There’s another built-in tool with Windows 8, Server 2008, and Server 2012, and that’s DiskShadow (although it doesn’t appear that “and above” is the case, as it is not present in Windows 10 at all.) At first glance this seems to be a redundant vssadmin.exe-like tool; it is in fact scriptable, and it does include a “delete shadows” command, so the command below would be as destructive as any other already discussed:
diskshadow delete shadows all
So while we could go crazy blocking this and that, keep in mind it is only a matter of time before ransomware begins to use the actual API to interface with the VSS, at which point the only opportunity to stop the deletion of your shadow copy data is to actually prevent the infection itself in the first place (remember, blocking vssadmin.exe is a fail-safe in case you are infected to begin with…)
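Pulling together the commands shown in this section, here is an added example (not code from the original article or from CryptoPrevent) of detection logic a defender could run over process-creation command lines: it labels the vssadmin, WMIC, DiskShadow and PowerShell/WMI forms of shadow-copy deletion, leaves listing and creating shadows alone, and keeps the parent process so the same “delete all shadows” command run by a backup tool or an admin fixing VSS errors can be told apart from one run by an unknown binary. The sample events and paths are constructed, and the “diskshadow /s script-file” case is an assumption that the script, not the command line, holds the commands.

```python
import re

# One pattern per shadow-copy deletion method discussed on this page.
# All are case-insensitive; command lines are whitespace-normalised first.
SHADOW_DELETE_PATTERNS = [
    # vssadmin.exe Delete Shadows /All /Quiet
    ("vssadmin", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    # WMIC shadowcopy delete /nointeractive
    ("wmic", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    # diskshadow delete shadows all
    ("diskshadow", re.compile(r"\bdiskshadow(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    # diskshadow /s <file>: the commands live in the script file, so it needs review
    ("diskshadow-script", re.compile(r"\bdiskshadow(?:\.exe)?\b.*\s/s\s", re.I)),
    # PowerShell going through WMI, e.g. Get-WmiObject Win32_ShadowCopy | ... Delete()
    ("powershell-wmi", re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]

def classify_shadow_deletion(cmdline):
    """Return the method label for a command line that deletes shadow copies, else None.
    Listing or creating shadows (vssadmin list shadows / create shadow) is not flagged."""
    normalized = " ".join(cmdline.split())
    for label, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(normalized):
            return label
    return None

def scan_process_events(events):
    """Return [(parent_image, label, cmdline)] for events that delete shadow copies.
    The parent image is kept because the identical command is legitimate when a known
    backup tool or an admin runs it and suspicious when an unknown binary does."""
    hits = []
    for ev in events:
        label = classify_shadow_deletion(ev["cmdline"])
        if label:
            hits.append((ev["parent"], label, ev["cmdline"]))
    return hits

# Constructed process-creation events (not real telemetry); the fields mirror what a
# process-creation log records: the parent process image and the new command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\BackupTool\backup.exe",
     "cmdline": "vssadmin.exe Create Shadow /For=C:"},
    {"parent": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"parent": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
     "cmdline": "WMIC shadowcopy delete /nointeractive"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "diskshadow delete shadows all"},
    {"parent": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin.exe List Shadows"},
]
```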
Didn’t you just give away too much?
No, and while this is another huge topic that is hard to keep short, it is exactly why our posts on these topics have been limited in scope since CryptoPrevent became the first effective tool to stop the original “CryptoLocker” ransomware. I might also point to the fact that our original methods were well-known, yet they still remained effective with very little change for years (and still are today in many cases, albeit with more aggressive rule additions), and I’m not even considering any of the entirely new tactics we’ve piled on.
So at best the tactics revealed here are only of minor concern with the current scope of threats, and anyone paying attention can read about them in more detail elsewhere. A possible exception is the mention of the API, but we’ve given nothing away, and its existence should be quite well known. Also, this is far more difficult to implement or you would have seen it by now (remember, many popular backup applications from big software vendors still don’t do it!) Alternatively, the rest of these methodologies would be implemented exactly the same as vssadmin.exe (ultimately by calling upon an external process to do the “heavy lifting”), yet they still aren’t used today by all malware (keyword “all” instead of “any”) despite the ease of implementation, where essentially a copy/paste can do it, if that tells you anything…
Aside from the malicious tactics, you didn’t think we gave away all of CryptoPrevent’s current and future prevention secrets did you? If you did, then guess again…
What is the bottom line?
Please remember that these CryptoPrevent features (such as the setting to block vssadmin.exe, or disable scripts, or even applying custom blacklist policies for the other items mentioned above) are all optional features which we recommend to help you, but nothing is “foolproof” … so even though we do strongly recommend disabling vssadmin.exe if you know that it isn’t used on your PC, our #1 recommendation is to keep good backups that are tested regularly (not just installing some software that you assume to be working!)
In addition to the automated and/or continuous backup software you may already be using, you would also do well to use “on-demand” backup tools (meaning you have to remember to use them.) These are often used to back up data to a physically external drive that you would plug in for the backup; the same could also be said for backing up to a network location that you would connect to and disconnect from manually as necessary.
Many of the “on-demand” programs I’m thinking of generally don’t use vssadmin or any other method of getting at shadow copies, because they do expect you to stop your apps/databases/etc. and your work on that PC during usage (unless they are backing up the Windows registry perhaps, not so much necessary here, but that is generally an acceptable sacrifice for our purposes, or you can always disable the setting in CryptoPrevent and reboot before backup…)
You can also set up many of these to run automatically in Windows Task Scheduler, having it back up to an external device from time to time, but this isn’t nearly as useful as it sounds. The reason why this isn’t a great idea is that you should always unplug after the backup completes, and not plug that backup drive in again until your next backup (when you know the system is clean and in working order) or until your next backup test, to verify that data can be restored. Otherwise, you can expect an infected/encrypted backup which is absolutely worthless. So if you have to remember to plug it in, and you need to know first that you aren’t already infected or that you may be backing up encrypted data over top of good data, then surely you can remember to start the program yourself after all of these other checks. Sorry, we love automation, but nothing done fully or properly is truly “set and forget” in our collective opinion.
While our own DataGrab tool was once really awesome for on-demand backups, and it got a lot of attention in the pre-CryptoPrevent development era, it hasn’t been maintained in quite a while, so it is very, very unsupported. Since that time, for “on-demand” backups we’ve often recommended Fab’s AutoBackup for most user scenarios, and specifically Fab’s AutoBackup Pro for technicians; we like the vendor and we constantly hear about how well it works from our tech customers, so even for the home users out there it’s worth a try if you haven’t heard of it.
If you were looking for information on why you should block vssadmin.exe (and why it isn’t a complete solution) then we hope this has been of some help to you. Stay safe on them internets!