VMware Threat Analysis Unit (TAU) researchers have recently observed a new technique for the deletion of volume shadow copies seen in newer malware. In a recent ransomware sample it was discovered that the technique, which could still be in development, uses Windows COM (Component Object Model) libraries like a legitimate backup solution to delete all volume shadow copies resulting in the inability to restore from backup or recover previous versions of files. The Volume Shadow Copy service is a built-in Windows feature that allows for the creation of backup snapshots of computer files or whole disks and often facilitates other commercial backup solutions.
Like many software companies that operate in a continuous development cycle, organized crime groups that deploy or resell ransomware are unremittingly working toward more effective tools to increase payouts. Legitimate or not, software development is a high paced competitive environment, and in the case of ransomware development, its developers must contend with an industry of defenders constantly working to nullify their operations. The unfortunate result is ever evolving crimeware products that are increasingly stealthy, dangerous, and complex.
This technique was discovered in what appears to be a new sample of HelloXD ransomware. This ransomware family is known for double-extortion attacks where they steal victim data before encrypting devices. In early June 2022, Unit42 exposed HelloXD ransomware as likely being developed by a Russian-speaking threat actor using the alias x4k. The sample TAU has observed appears consistent with known HelloXD versions with a few differences to include the absence of exfil and a MicroBackdoor.
Figure 1: Code representing a new technique for deleting VSCs
There is no replacement for quality backups and skilled professionals who can orchestrate their restoration in the event of ransomware. As much as possible, backups should be kept offline and completely inaccessible to ransomware. Products from VMware can help with backups and Carbon Black can play a key role in the detection and prevention of malicious behavior.
We’d like to acknowledge the research by Paul L (am0nsec) in discovering and initially publishing this technique. Proof of concept code is available on VX-Undeground’s Github repo, and we believe this is one of the first malware samples in the wild that have started implementing this technique.
For more technical details on this and other techniques for Volume Shadow Copy Deletion see our recently release threat report, “Illuminating Volume Shadow Deletion.”
Indicators of Compromise
Name | SHA256 | Relationship |
xd.exe | ffebda7512c78ba73ffa40dd02b59fd22cfa8e1bf48cd86e7b2d54e19c061134 | Origin File (Hello Ransomware) |
di.dll | 5cd61b2f5f3f2d8af51b3635ba85f708e58a0961e4496e1cc37fdce58b3c04fb | Dropped by xd.exe (Drops vs.exe) |
vs.exe | cff04aa0a317d6b7c498faccdfbe7353b2676ea97acb1bee1bda650f29a8e423 | Dropped by di.dll (Deletes VSCs) |