
WMIC.exe shadowcopy delete /nointeractive



#1 foxman751


Posted 09 February 2017 - 06:33 PM

Should WMIC.exe be disabled or renamed to prevent ransomware from deleting shadow copies?

Serpent ransomware will also clear the Windows Volume Shadow Copies so that they cannot be used to recover files. The command executed to clear the shadow copies is:

WMIC.exe shadowcopy delete /nointeractive


Edited by hamluis, 09 February 2017 - 07:34 PM.
Moved from Win 7 to Ransomware - Hamluis.
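
Added example (not part of the original posts): a detection check for the command quoted above, run over process-creation command lines such as those recorded by Windows Security event 4688 or Sysmon event 1. It also covers the `vssadmin delete shadows` form as a generalization; the sample records and their field names are constructed for illustration.

```python
import re

# Executable base name -> verbs that, in this order, delete shadow copies.
# The wmic rule is the command quoted in the post above; the vssadmin rule
# is an added generalization (vssadmin delete shadows).
RULES = {
    "wmic": ("shadowcopy", "delete"),
    "vssadmin": ("delete", "shadows"),
}

def base_name(token):
    """'c:\\windows\\system32\\wbem\\wmic.exe' -> 'wmic'."""
    name = re.split(r"[\\/]", token)[-1]
    return name[:-4] if name.endswith(".exe") else name

def is_shadow_delete(command_line):
    """True if the command line invokes wmic/vssadmin to delete shadow copies."""
    # Dropping quotes also exposes commands nested in: cmd.exe /c "..."
    toks = command_line.replace('"', " ").lower().split()
    for i, tok in enumerate(toks):
        verbs = RULES.get(base_name(tok))
        if verbs is None:
            continue
        rest = iter(toks[i + 1:])
        if all(v in rest for v in verbs):  # verbs must appear in order
            return True
    return False

# Constructed sample records; "pid" and "cmd" are made-up field names.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": r"WMIC.exe shadowcopy delete /nointeractive"},
    {"pid": 4388, "cmd": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"pid": 5012, "cmd": r'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"'},
    {"pid": 5300, "cmd": r"wmic shadowcopy list brief"},
    {"pid": 5344, "cmd": r"wmic os get Caption,Version"},
    {"pid": 5400, "cmd": r"vssadmin list shadows"},
]

def flag(events):
    """Return the pids whose command line deletes shadow copies."""
    return [e["pid"] for e in events if is_shadow_delete(e["cmd"])]

if __name__ == "__main__":
    print(flag(SAMPLE_EVENTS))
```

Because the match is on the process command line, WMIC itself stays in place for the applications that script it.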




#2 TsVk!


Posted 09 February 2017 - 08:08 PM

WMIC is used by many applications as a scripting interface. By disabling it you will likely break your OS.

 

Unfortunately it's not like before when vssadmin.exe was being abused.



#3 Guest_AES-NI_*


Posted 10 February 2017 - 04:29 AM

kernel hook to check vssadmin


Edited by AES-NI, 10 February 2017 - 04:30 AM.


#4 quietman7

  • Global Moderator

Posted 10 February 2017 - 08:32 AM

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 IDNeon

IDNeon

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:04 AM

Posted 10 February 2017 - 04:19 PM

Shadowcopy is not Backup.  Now you learn the hard way, try a backup solution to defeat ransomware.



#6 quietman7

  • Global Moderator

Posted 10 February 2017 - 04:29 PM

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach and your best defense is back up, back up, and more back up on a regular basis.

Important Fact: Security is all about layers not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed.

Unfortunately, it has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software. Cyber-criminals succeed because they take advantage of human weaknesses...relying heavily on social engineering to exploit the weakest link in the security chain.

#7 TsVk!


Posted 10 February 2017 - 05:52 PM

Some important things I'd like to mention about backups...

 

I have been dismayed (but somehow not surprised) to hear that a lot of people and companies get hit by ransomware, then go to implement their backups and find they don't work because either:

  • the backups are also encrypted
  • they did not back up correctly
  • or they cannot be restored.

For backup solutions to be effective they need to be:

  • Isolated from the host system. Literally unplugged when not being used is the most effective way. Another way is to use extension-less encrypted archives.
  • Verified on each backup. The system regularly needs to be checked either manually or automatically to verify that backups are being stored correctly.
  • Tested. Some software and solutions don't play well with some systems. Restore systems need to be tested and working. The first time one runs the restore routine should not be in an emergency situation.

These things may seem simple but large companies and home users alike have overlooked them and it has cost them dearly.



#8 quietman7

  • Global Moderator

Posted 10 February 2017 - 06:18 PM

:thumbup2:

#9 xXToffeeXx

  • Malware Response Instructor

Posted 14 February 2017 - 05:26 PM

You can see here how to rename wmic.exe.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#10 TsVk!


Posted 14 February 2017 - 06:03 PM

Is that not just renaming vssadmin.exe though? The wmic command would still work? (I know I could test this, but it'd be easier right now to get an answer)

 

Or is the wmic command just an interface command for the vssadmin utility?





