Raccine
Author: Stefan Waldvogel
Raccine a simple ransomware protection software
Overview:
Raccine is a small program and protects your shadow copies. Most ransomware delete shadow copies with the help of vssadmin because if you have shadow copies, you can restore your computer.
A regular user does not use vssadmin, Racinne looks for unusual activities with this program.
Download: github.com/Neo23x0/Raccine
Idea: EMERGENCY WEBCAST: OK, let's talk about ransomware... w/ John Strand
Installation: Open the download link and click the newest release.
Raccine is a small program and protects your shadow copies. Most ransomware delete shadow copies with the help of vssadmin because if you have shadow copies, you can restore your computer.
A regular user does not use vssadmin, Racinne looks for unusual activities with this program.
Download: github.com/Neo23x0/Raccine
Idea: EMERGENCY WEBCAST: OK, let's talk about ransomware... w/ John Strand
Installation: Open the download link and click the newest release.
Download the Raccine.zip and extract it to a wanted folder. (e.g. c:\tools)
|
|
Open a command prompt and run the command: install-raccine.bat and allow admin access.
|
|
To test the tool, we can use option 2 (two). Did it work? Open the Event viewer and see some entries.
The simulation mode does not stop deleting shadow files, it is just a test.
The simulation mode does not stop deleting shadow files, it is just a test.
The next step is, we have to check if this program works or not. We delete our shadow copies (use a test system).
The command is:
vssadmin.exe delete shadows /all /quiet
The command is:
vssadmin.exe delete shadows /all /quiet
|
|
Raccine detected this behavior but didn't stop it.
If you want to protect your machine, you need to run Raccine in a different mode.
Raccine is powerful and offers an additional option. You can harden your machine with a simple click.
Do not run this script in your production environment, unless you know what you are doing. (The log file is under C:\ProgramData\Raccine\Raccine_log.txt)
If you want to protect your machine, you need to run Raccine in a different mode.
Raccine is powerful and offers an additional option. You can harden your machine with a simple click.
Do not run this script in your production environment, unless you know what you are doing. (The log file is under C:\ProgramData\Raccine\Raccine_log.txt)
Conclusion
This small program will not stop all kind of ransomware attacks but some of them. If you have the volume shadow files, you can restore your computer without paying ransom. Other forms of ransomware steal your data and publish if you are not willing to pay the price. Raccine's hardening script might give you an extra layer.
Additional free ideas to protect your machine/environment:
- You can use doc documents with a Canarytoken. You might name it: password.doc and move it to share and wait until someone opens this document.
- You might set up honeypot admin accounts and other honeypot accounts. These accounts are active, have very long passwords but login is usually not permitted, but you log the activity. If someone does a password spray against these accounts with a single try, you know something is wrong and you can investigate this behavior very quickly.
Most hackers do a password spray for lateral movement, but very slow and therefore EDRs and expensive solutions might not detect this attack. This version is cheap (you need some time to set it up) but you will catch every single try.
- Install RITA on a machine connected to a SPAN port. RITA looks for beacons and this tool is free. A C2 has to talk back and must use the network on a more or less regular base.
This small program will not stop all kind of ransomware attacks but some of them. If you have the volume shadow files, you can restore your computer without paying ransom. Other forms of ransomware steal your data and publish if you are not willing to pay the price. Raccine's hardening script might give you an extra layer.
Additional free ideas to protect your machine/environment:
- You can use doc documents with a Canarytoken. You might name it: password.doc and move it to share and wait until someone opens this document.
- You might set up honeypot admin accounts and other honeypot accounts. These accounts are active, have very long passwords but login is usually not permitted, but you log the activity. If someone does a password spray against these accounts with a single try, you know something is wrong and you can investigate this behavior very quickly.
Most hackers do a password spray for lateral movement, but very slow and therefore EDRs and expensive solutions might not detect this attack. This version is cheap (you need some time to set it up) but you will catch every single try.
- Install RITA on a machine connected to a SPAN port. RITA looks for beacons and this tool is free. A C2 has to talk back and must use the network on a more or less regular base.
© 2021. This work is licensed under a CC BY-SA 4.0 license