Inhibit System Recovery

Inhibit System Recovery is a destructive technique in which an adversary disables or corrupts the recovery mechanisms of the operating system and its applications so that a victim system cannot be restored after a fault or an attack. It is typically used in the final stage of a ransomware attack chain: deleting volume shadow copies, clearing backup catalogs and disabling automatic repair make the damage done by encryption irreversible. Traditional defenses rely mainly on process monitoring (for example, detecting vssadmin and wbadmin invocations), event log analysis (such as Windows Event ID 524) and backup integrity checks to identify abnormal recovery-inhibition activity.

To evade these conventional detection mechanisms, adversaries have developed stealthier inhibition techniques that combine abuse of legitimate tools, cryptographic destruction and intrusion into cloud environments. These techniques no longer depend on explicit destructive commands; instead they achieve lasting damage by manipulating system functionality in depth and poisoning trust chains, which markedly increases both the stealth of the activity and the irreparability of its consequences.

The current evolution of evasive recovery-inhibition techniques runs along three dimensions. First, the operations are made to look legitimate: parameterized abuse of system administration tools and process injection disguise malicious actions as routine maintenance. Second, the destruction mechanism is strengthened cryptographically: metadata is corrupted with encryption that is compatible with the target system's own formats, so the result still parses as a valid backup and is not flagged by tooling that validates format rather than comparing against an independently stored integrity baseline. Third, the attack surface expands into the cloud: the automation of cloud service APIs and synchronization mechanisms is used to propagate the damage across platforms. What the three classes share is that they move beyond the explicit file-deletion and service-stopping pattern and instead erode recovery capability gradually through reorganization of system functions, hijacking of data flows and abuse of trust relationships, so that defenders monitoring a single dimension do not notice the attack in time.

This evolution forces the defensive posture to move from process monitoring to behavior-chain analysis. Defenders need new detection capabilities such as baseline models of backup operations and graphs of cloud API call relationships, and cryptographic attestation to verify the authenticity of backup metadata, in order to respond effectively to covert system-recovery inhibition.

ID: T1490
Sub-techniques: T1490.001, T1490.002, T1490.003
Tactic: Impact
Platforms: Containers, IaaS, Linux, Network, Windows, macOS
Impact Type: Availability
Contributors: Austin Clark, @c2defense; Harjot Shah Singh; Joey Lei; Pallavi Sivakumaran, WithSecure; Yonatan Gotlib, Deep Instinct
Version: 1.5
Created: 02 April 2019
Last Modified: 24 September 2024

Evasion Effects

Effect type    Present
Signature masquerading
Behavioral transparency
Data obscuring
Spatiotemporal trace erasure

Signature masquerading

Adversaries abuse system administration tools and cloud service APIs to disguise recovery-inhibition as legitimate maintenance: for example, running vssadmin.exe with its standard parameters to delete volume shadow copies, or calling compliant APIs through the AWS CLI to remove backup versions. In process trees, command-line logs and similar telemetry these operations carry every mark of legitimate activity, so allowlist-based defenses struggle to distinguish them from real administration.

Data obscuring

In the backup-metadata encryption sub-technique, the adversary transforms critical metadata with standard cryptographic primitives so that the output still conforms to the expected file format; where the adversary also holds the signing key, the result can be re-signed so that signature checks continue to pass. This obscuring defeats detection that only scans the content of the file on the host. A hash comparison against a reference kept off the host still reveals the change, which is why defenders must keep such references out of the adversary's reach, audit key management, and verify backups by actually decrypting and restoring them rather than by inspecting metadata alone.

Procedure Examples

ID Name Description
S1129 Akira

Akira will delete system volume shadow copies via PowerShell commands.[1]

S0640 Avaddon

Avaddon deletes backups and shadow copies using native system tools.[2][3]

S0638 Babuk

Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet.[4][5]

S1136 BFG Agonizer

BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery.[6]

S0570 BitPaymer

BitPaymer attempts to remove the backup shadow files from the host using vssadmin.exe Delete Shadows /All /Quiet.[7]

S1070 Black Basta

Black Basta can delete shadow copies using vssadmin.exe.[8][9][10][11][12][13][14][15][16]

S1068 BlackCat

BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.[17]

S0611 Clop

Clop can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.[18]

S0608 Conficker

Conficker resets system restore points and deletes backup files.[19]

S0575 Conti

Conti can delete Windows Volume Shadow Copies using vssadmin.[20]

S1111 DarkGate

DarkGate can delete system restore points through the command cmd.exe /c vssadmin delete shadows /for=c: /all /quiet.[21]

S0673 DarkWatchman

DarkWatchman can delete shadow volumes using vssadmin.exe.[22]

S0616 DEATHRANSOM

DEATHRANSOM can delete volume shadow copies on compromised hosts.[23]

S0659 Diavol

Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.[24]

S0605 EKANS

EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[25][26]

S0618 FIVEHANDS

FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.[23][27]

S0132 H1N1

H1N1 disables recovery options and deletes shadow copies from the victim.[28]

S0617 HELLOKITTY

HELLOKITTY can delete volume shadow copies on compromised hosts.[23]

S0697 HermeticWiper

HermeticWiper can disable the VSS service on a compromised host using the service control manager.[29][30][31]

S1139 INC Ransomware

INC Ransomware can delete volume shadow copy backups from victim machines.[32]

S0260 InvisiMole

InvisiMole can remove all system restore points.[33]

S0389 JCry

JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[34]

S0449 Maze

Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[35][36]

S0576 MegaCortex

MegaCortex has deleted volume shadow copies using vssadmin.exe.[37]

S0688 Meteor

Meteor can use bcdedit to delete different boot identifiers on a compromised host; it can also use vssadmin.exe delete shadows /all /quiet and C:\Windows\system32\wbem\wmic.exe shadowcopy delete.[38]

S1135 MultiLayer Wiper

MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery.[6]

S0457 Netwalker

Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[39][40]

S0365 Olympic Destroyer

Olympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.[41]

S1162 Playcrypt

Playcrypt can use AlphaVSS to delete shadow copies.[42]

S1058 Prestige

Prestige can delete the backup catalog from the target system using: c:\Windows\System32\wbadmin.exe delete catalog -quiet and can also delete volume shadow copies using: \Windows\System32\vssadmin.exe delete shadows /all /quiet.[43]

S0654 ProLock

ProLock can use vssadmin.exe to remove volume shadow copies.[44]

S0583 Pysa

Pysa has the functionality to delete shadow copies.[45]

S0481 Ragnar Locker

Ragnar Locker can delete volume shadow copies using vssadmin delete shadows /all /quiet.[46]

S0496 REvil

REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.[47][48][49][50][51][52][53][54][55]

S1150 ROADSWEEP

ROADSWEEP has the ability to disable SystemRestore and Volume Shadow Copies.[56][57]

S0400 RobbinHood

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[58]

S1073 Royal

Royal can delete shadow copy backups with vssadmin.exe using the command delete shadows /all /quiet.[59][60][61]

S0446 Ryuk

Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[62]

G0034 Sandworm Team

Sandworm Team uses Prestige to delete the backup catalog from the target system using C:\Windows\System32\wbadmin.exe delete catalog -quiet and to delete volume shadow copies using C:\Windows\System32\vssadmin.exe delete shadows /all /quiet.[43]

S0366 WannaCry

WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.[63][64][65]

S0612 WastedLocker

WastedLocker can delete shadow volumes.[66][67][68]

G0102 Wizard Spider

Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin.[69]

Mitigations

ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[70] Ensure backups are stored off-system and are protected from the common methods adversaries use to gain access to and destroy backups. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies.[71]

M1038 Execution Prevention

Consider using application control configured to block execution of utilities such as diskshadow.exe that may not be required for a given system or network to prevent potential misuse by adversaries.

M1028 Operating System Configuration

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: reagentc /enable.[72]

M1018 User Account Management

Limit the user accounts that have access to backups to only those required. In AWS environments, consider using Service Control Policies to restrict API calls to delete backups, snapshots, and images.

Detection

ID Data Source Data Component Detects
DS0010 Cloud Storage Cloud Storage Deletion

Monitor for unexpected deletion of cloud storage objects (ex: AWS DeleteObject), especially those associated with cloud backups.

DS0017 Command Command Execution

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit.

DS0022 File File Deletion

The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.

DS0009 Process Process Creation

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. After compromising a network of systems, threat actors often try to delete or resize Shadow Copies in an attempt to prevent administrators from restoring the systems to the versions present before the attack. This is often done via vssadmin, a legitimate Windows tool for interacting with shadow copies. This action, frequently employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudocode detections below focus on Windows Security and Sysmon process creation (Event IDs 4688 and 1). The use of wmic to delete shadow copies generates a WMI-Activity Operational 5857 event and may generate a 5858 event if the operation fails. These two Event IDs are useful when attackers invoke WMI without a new process creation, and for forensics.

Analytic 1 - Detecting Shadow Copy Deletion or Resize

(((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) (CommandLine="*vssadmin delete shadows*" OR CommandLine="*wmic shadowcopy delete*" OR CommandLine="*vssadmin resize shadowstorage*")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="Win32_ShadowCopy")

Analytic 2 - BCDEdit Failure Recovery Modification

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\System32\bcdedit.exe" AND CommandLine="*recoveryenabled*"

DS0019 Service Service Metadata

Monitor the status of services involved in system recovery.

Note: For Windows, Event ID 7040 can be used to alert on changes to the start type of a service (e.g., going from enabled at startup to disabled) associated with system recovery.
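As an added example (not code from the ATT&CK page or from any of the tools it cites), the following Python applies Analytic 1, Analytic 2 and the Event ID 7040 note above to normalized Windows events. The `source`/`EventCode`/`CommandLine` field names and every event in `SAMPLE_EVENTS` are constructed for the example; the wbadmin catalog-deletion rule and the list of recovery-related services (VSS, wbengine, SDRSVC) are additions beyond the page's two analytics.

```python
"""Host-side detection of system-recovery inhibition (ATT&CK T1490).

Added example, not part of the ATT&CK page: it implements the page's
Analytic 1 (shadow copy deletion/resize), Analytic 2 (bcdedit recovery
modification) and the Event ID 7040 service-change note as one function
that runs over normalized Windows events. Field names and the sample
events below are constructed; real collectors (Sysmon, Security, System,
WMI-Activity, Microsoft-Windows-Backup) expose the same information under
their own field names.
"""
import re

# Command-line patterns from the page's analytics, plus the wbadmin catalog
# deletion (Olympic Destroyer, Prestige) cited in the procedure examples.
# Case-insensitive because the utilities accept any casing ("Delete Shadows").
COMMAND_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no\b", re.I)),
]

# Services whose start type should never flip to "disabled" outside a change
# window: Volume Shadow Copy, Block Level Backup Engine, Windows Backup.
RECOVERY_SERVICES = {"VSS", "wbengine", "SDRSVC"}


def detect(event):
    """Return the list of rule names an event matches (empty list = benign)."""
    hits = []
    source, code = event.get("source"), event.get("EventCode")
    if (source, code) in {("Sysmon", 1), ("Security", 4688)}:
        cmd = event.get("CommandLine", "")
        hits += [name for name, rx in COMMAND_RULES if rx.search(cmd)]
    elif source == "WMI-Activity" and code == 5857 and event.get("ProviderName") == "MSVSS__PROVIDER":
        # VSS WMI provider loaded: fires even when no wmic.exe process is spawned.
        hits.append("wmi_vss_provider_loaded")
    elif source == "WMI-Activity" and code == 5858 and "Win32_ShadowCopy" in event.get("Operation", ""):
        hits.append("wmi_shadowcopy_operation_failed")
    elif source == "System" and code == 7040:
        if event.get("ServiceName") in RECOVERY_SERVICES and event.get("NewStartType", "").lower() == "disabled":
            hits.append("recovery_service_disabled")
    elif source == "Microsoft-Windows-Backup" and code == 524:
        hits.append("backup_catalog_deleted")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"source": "Security", "EventCode": 4688,
     "CommandLine": "cmd.exe /c vssadmin delete shadows /for=c: /all /quiet"},
    {"source": "Sysmon", "EventCode": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"source": "Sysmon", "EventCode": 1,
     "CommandLine": r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"},
    {"source": "Sysmon", "EventCode": 1,
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"source": "Sysmon", "EventCode": 1, "CommandLine": "vssadmin list shadows"},  # enumeration only
    {"source": "WMI-Activity", "EventCode": 5857, "ProviderName": "MSVSS__PROVIDER"},
    {"source": "System", "EventCode": 7040, "ServiceName": "VSS",
     "OldStartType": "demand start", "NewStartType": "disabled"},
    {"source": "System", "EventCode": 7040, "ServiceName": "Spooler",
     "OldStartType": "auto start", "NewStartType": "disabled"},  # unrelated service
    {"source": "Microsoft-Windows-Backup", "EventCode": 524},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Event 4 (`vssadmin list shadows`) and the Spooler start-type change are left unflagged on purpose: enumeration and unrelated service changes are everyday administration. Command-line matching also has a blind spot that the procedure examples above make clear: Diavol deletes snapshots through the IVssBackupComponents COM interface and Playcrypt through AlphaVSS, so no vssadmin or wmic process is ever created and only VSS-side telemetry (the 5857 provider-load event, the 7040 service change, the 524 catalog event, or an EDR hooking the API) has a chance of seeing it. `resize shadowstorage` is occasionally legitimate; tune it per host rather than dropping it, since Ryuk uses it to evict third-party snapshots.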

DS0020 Snapshot Snapshot Deletion

Monitor for unexpected deletion of snapshots (ex: AWS DeleteSnapshot, DeleteDBSnapshot), especially those associated with cloud backups.
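The two cloud rows (Cloud Storage Deletion and Snapshot Deletion) are easier to act on as a rate per principal than as single events, since a backup administrator legitimately deletes snapshots now and then. The Python below is an added example, not code from the ATT&CK page or from AWS: it parses CloudTrail-shaped JSON, flags any principal that makes several successful destructive calls inside a sliding window, and separately lists calls that an SCP or IAM policy refused. The event names are real CloudTrail `eventName` values; the account ID, ARNs, timestamps and records in `SAMPLE_TRAIL` are constructed.

```python
"""Burst detection for backup/snapshot deletion in AWS CloudTrail.

Added example, not part of the ATT&CK page: it turns the page's Cloud
Storage Deletion and Snapshot Deletion rows into a per-principal sliding
window over CloudTrail records. Event names are real CloudTrail eventName
values; the account ID, ARNs and records in SAMPLE_TRAIL are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that remove or weaken a recovery path. PutBucketVersioning and
# PutBucketLifecycle are included because suspending versioning or adding a
# short expiry rule erases object versions without a single DeleteObject.
DESTRUCTIVE = {
    "ec2.amazonaws.com": {"DeleteSnapshot", "DeregisterImage"},
    "rds.amazonaws.com": {"DeleteDBSnapshot", "DeleteDBClusterSnapshot"},
    "s3.amazonaws.com": {"DeleteObject", "DeleteObjects", "PutBucketVersioning", "PutBucketLifecycle"},
    "backup.amazonaws.com": {"DeleteRecoveryPoint", "DeleteBackupVault"},
}


def is_destructive(rec):
    return rec["eventName"] in DESTRUCTIVE.get(rec["eventSource"], set())


def event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_bursts(records, window=timedelta(minutes=10), threshold=3):
    """Map principal ARN -> largest number of successful destructive calls
    inside any `window`, for principals that reach `threshold`."""
    times_by_actor = defaultdict(list)
    for rec in records:
        if is_destructive(rec) and "errorCode" not in rec:
            times_by_actor[rec["userIdentity"]["arn"]].append(event_time(rec))
    alerts = {}
    for arn, times in times_by_actor.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[arn] = best
    return alerts


def blocked_attempts(records):
    """Destructive calls refused by IAM/SCP: the attempt itself is the signal
    that a principal is probing for a way to destroy backups."""
    return [(rec["userIdentity"]["arn"], rec["eventName"])
            for rec in records if is_destructive(rec) and rec.get("errorCode") == "AccessDenied"]


# Constructed identities (fictitious account ID and resource IDs).
ROLE = "arn:aws:sts::111122223333:assumed-role/app-server/i-0abc123def456"
ADMIN = "arn:aws:iam::111122223333:user/backup-admin"


def _rec(arn, source, name, when, **extra):
    rec = {"eventTime": when, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    rec.update(extra)
    return rec


# Constructed CloudTrail-shaped log: a routine admin deletion, then a compromised
# instance role deleting four snapshots and suspending versioning within two
# minutes, then being denied on an AWS Backup recovery point.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec(ADMIN, "ec2.amazonaws.com", "DescribeSnapshots", "2024-06-01T09:00:01Z"),
    _rec(ADMIN, "ec2.amazonaws.com", "DeleteSnapshot", "2024-06-01T09:00:05Z"),
    _rec(ROLE, "ec2.amazonaws.com", "DeleteSnapshot", "2024-06-02T02:10:01Z"),
    _rec(ROLE, "ec2.amazonaws.com", "DeleteSnapshot", "2024-06-02T02:10:07Z"),
    _rec(ROLE, "ec2.amazonaws.com", "DeleteSnapshot", "2024-06-02T02:10:13Z"),
    _rec(ROLE, "ec2.amazonaws.com", "DeleteSnapshot", "2024-06-02T02:10:20Z"),
    _rec(ROLE, "s3.amazonaws.com", "PutBucketVersioning", "2024-06-02T02:11:00Z",
         requestParameters={"VersioningConfiguration": {"Status": "Suspended"}}),
    _rec(ROLE, "backup.amazonaws.com", "DeleteRecoveryPoint", "2024-06-02T02:12:00Z",
         errorCode="AccessDenied"),
]})


def analyze(trail_json):
    """Parse a CloudTrail log file body and return (bursts, blocked attempts)."""
    records = json.loads(trail_json)["Records"]
    return find_bursts(records), blocked_attempts(records)


if __name__ == "__main__":
    bursts, blocked = analyze(SAMPLE_TRAIL)
    print("bursts:", bursts)
    print("blocked:", blocked)
```

The denied `DeleteRecoveryPoint` is reported even though it changed nothing: under the M1018 guidance above, an SCP that blocks backup deletion turns the attacker's attempt into a high-fidelity signal, and it should page someone rather than be filtered out as a failed call. `PutBucketVersioning` with `Status: Suspended` and lifecycle rules are counted as destructive because they erase prior versions without emitting a `DeleteObject` per object, which is exactly the "compliant API" abuse the signature-masquerading section describes.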

DS0024 Windows Registry Windows Registry Key Modification

Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).

References

  1. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  2. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
  3. Yuste, J., Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  4. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  5. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  6. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  7. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  8. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  9. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  10. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  11. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  12. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  13. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  14. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  15. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
  16. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  17. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  18. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  19. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  20. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  21. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  22. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  23. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  24. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  25. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  26. Hinchliffe, A., Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
  27. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  28. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  29. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  30. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  31. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  32. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  33. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  34. Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  35. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  36. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  37. Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  38. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  39. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  40. Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  41. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  42. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  43. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  44. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  45. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  46. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  47. Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  48. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  49. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  50. Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  51. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  52. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  53. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  54. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  55. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  56. Jenkins, L., et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  57. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  58. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  59. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  60. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
  61. CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.
  62. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  63. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  64. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  65. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  66. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  67. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  68. Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
  69. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  70. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.
  71. Jay Chen. (2022, May 16). A Look Into Public Clouds From the Ransomware Actor's Perspective. Retrieved March 21, 2023.
  72. Microsoft, EliotSeattle, et al. (2022, August 18). REAgentC command-line options. Retrieved October 19, 2022.