Threat Analysis Unit

Threat Research: New Method of Volume Shadow Backup Deletion Seen in Recent Ransomware

VMware Threat Analysis Unit (TAU) researchers have recently observed a new technique for deleting volume shadow copies in newer malware. In a recent ransomware sample, the technique, which could still be in development, uses Windows COM (Component Object Model) libraries in the same way a legitimate backup solution would to delete all volume shadow copies, leaving the victim unable to restore from backup or recover previous versions of files. The Volume Shadow Copy service is a built-in Windows feature that creates backup snapshots of individual files or whole disks and is often relied on by commercial backup solutions.

Like many software companies that operate in a continuous development cycle, the organized crime groups that deploy or resell ransomware are unremittingly working toward more effective tools to increase payouts. Legitimate or not, software development is a high-paced, competitive environment, and in the case of ransomware development, its developers must contend with an industry of defenders constantly working to nullify their operations. The unfortunate result is ever-evolving crimeware products that are increasingly stealthy, dangerous, and complex.

This technique was discovered in what appears to be a new sample of HelloXD ransomware. This ransomware family is known for double-extortion attacks, in which the operators steal victim data before encrypting devices. In early June 2022, Unit 42 exposed HelloXD ransomware as likely being developed by a Russian-speaking threat actor using the alias x4k. The sample TAU has observed appears consistent with known HelloXD versions, with a few differences including the absence of exfiltration and of a MicroBackdoor.

Figure 1: Code representing a new technique for deleting VSCs

There is no replacement for quality backups and skilled professionals who can orchestrate their restoration in the event of a ransomware attack. As much as possible, backups should be kept offline and completely inaccessible to ransomware. Products from VMware can help with backups, and Carbon Black can play a key role in the detection and prevention of malicious behavior.
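Because the deletion described at the top of this post goes through the same COM libraries a legitimate backup product uses, a command-line-based detection alone is not enough; a state-based check that compares the set of shadow copies over time notices deletion whichever method was used. The following PowerShell script is an added example and is not code from the post or from the sample it describes; the baseline file path is an assumption, and enumerating Win32_ShadowCopy requires an elevated prompt.

```powershell
# Added example (not from the VMware TAU post): record the current set of
# volume shadow copies and compare it with a saved baseline, so deletions are
# noticed regardless of whether vssadmin, WMI or the VSS COM interfaces did it.
# The baseline path is an assumption; run elevated, e.g. from a scheduled task.
param(
    [string]$BaselinePath = "$env:ProgramData\vsc-baseline.json"
)

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy is the WMI class behind "vssadmin list shadows".
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate
}

$current = @(Get-ShadowCopyInventory)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what exists now and exit.
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($current.Count) shadow copies."
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$missing  = @($baseline | Where-Object { $_.ID -notin $current.ID })

if ($missing.Count -gt 0) {
    # Copies present at baseline time are gone. Retention policy or a backup
    # product can legitimately remove them; correlate with the Application
    # event log and running processes before treating this as an incident.
    Write-Warning ("{0} of {1} baselined shadow copies no longer exist." -f $missing.Count, $baseline.Count)
    foreach ($m in $missing) {
        Write-Warning ("Missing shadow copy {0} on volume {1}" -f $m.ID, $m.VolumeName)
    }
} else {
    Write-Output "All $($baseline.Count) baselined shadow copies are still present."
}

# Refresh the baseline so copies created since the last run are tracked too.
ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
```

A sudden drop to zero shadow copies across all volumes between two runs is the pattern to alert on; single copies ageing out under a retention schedule are expected.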

We’d like to acknowledge the research by Paul L (am0nsec) in discovering and initially publishing this technique. Proof-of-concept code is available on VX-Underground’s GitHub repo, and we believe this is one of the first malware samples in the wild that have started implementing this technique.

For more technical details on this and other techniques for Volume Shadow Copy deletion, see our recently released threat report, “Illuminating Volume Shadow Deletion.”

Indicators of Compromise

Name    SHA256                                                            Relationship
xd.exe  ffebda7512c78ba73ffa40dd02b59fd22cfa8e1bf48cd86e7b2d54e19c061134  Origin File (Hello Ransomware)
di.dll  5cd61b2f5f3f2d8af51b3635ba85f708e58a0961e4496e1cc37fdce58b3c04fb  Dropped by xd.exe (Drops vs.exe)
vs.exe  cff04aa0a317d6b7c498faccdfbe7353b2676ea97acb1bee1bda650f29a8e423  Dropped by di.dll (Deletes VSCs)