Posted on November 22, 2016 · Posted in Group Policies, Windows 10, Windows 7

Recovering Encrypted Files from VSS Snapshot after Ransomware Infection

We go on with the series of articles concerning the countermeasures against ransomware. Last time we considered a simple way of protection against encryption ransomware.on Windows file servers using FSRM. Today we’ll talk about how to easily recover your files if the ransomware has already penetrated on the computer and user documents are encrypted.

The easiest way to get back the original files after getting infected with a encrypting ransomware is to recover them from a backup. You can organize a centralized backup on your file servers, but it’s more difficult to backup data on user computers. Fortunately, Windows has an integrated backup mechanism — shadow copies created by Volume Shadow Copy Service (VSS).

To make it possible to recover previous versions of files from VSS snapshots, the following requirements have to be met:

  • VSS has to be enabled for the protected volumes
  • There should be enough of free space on your disk to store snapshots (at least 10-20%)
  • A user shouldn’t have Local Administrator privileges on computer (most modern encryption malware when running elevated deletes all available VSS snapshots), and User Account Control (UAC) has to be enabled

Let’s consider a mechanism that allow to centrally manage the policy of creating snapshots in Active Directory domain environment and easily restore original files after the encryption ransomware attack.

How to Enable VSS on Domain Computers Using GPO

First of all, create a group policy to enable Volume Shadow Copy (VSS) Service on domain computers. To do it, in GPMC.msc console create a new GPO object with the name VSSPolicy and assign it to the OU containing user computers.

Now edit your GPO. In the list of services in Computer Configuration->Windows Settings->Security Settings->System Service find Volume Shadow Copy and set the Automatic start type.

Volume Shadow Copy service

How to Copy Vshadow.exe to User Computers Using GPO

To create and manage shadow copies on user computers, we need a tool vshadow.exe from Windows SDK. In this example, we’ll use vshadow from the SDK for Windows 7 x64 (in my case it worked correctly both in Windows 7 and in Windows 10 x64). Copy vshadow.exe to %windir%\system32 on all computers using GPP.

Tip. You can download vshadow.exe using following this link: vshadow_exe_win7x64.zip

Then in Computer Configuration –> Preferences –> Windows Settings -> Files create a new policy that copies vshadow.exe from \\domain.loc\SYSVOL\domain.loc\scripts\vshadow.exe (file must be copied here previously) to %windir%\system32\vshadow.exe. This policy can be configured so that it will work only once (Apply once and do not reapply).

copy vshadow.exe using GPO

PowerShell Script to Create Shadow Copies of All Volumes

Next, we need a script to detect the list of drives in the system, enable shadowing and create a new VSS snapshot. I have got the following script:

$HDDs = GET-WMIOBJECT –query "SELECT * from win32_logicaldisk where DriveType = 3"
foreach ($HDD in $HDDs) {
$Drive = $HDD.DeviceID
$vssadminEnable ="vssadmin.exe Resize ShadowStorage /For=$Drive /On=$Drive /MaxSize=10%"
$vsscreatess = "vshadow.exe -p $Drive"
cmd /c  $vssadminEnable
cmd /c  $vsscreatess
}

posh script to create shadow copy of volumes

The first string allows to find all drives in the system, and then vshadow enables shadow for each disk and creates a new copy. The copies should occupy less than 10% of space.

Save this script to a file vss-script.ps1 and copy it to user computers using GPP as well.

copy ps1 file via gpo

Scheduled Task to Create VSS Snapshots

The last thing you have to do is to create a Scheduled Task on all computers to regularly run vss-script.ps1 and create a new  snapshot for all drives . It’s easier to create this task using GPP. To do it, in the GPO section Computer Configuration -> Preferences -> Scheduled Tasks create a new Scheduled Task (New-> Scheduled Task (at least Windows 7)) with the name create vssnapshot, which must be run elevated as NT AUTHORITY\System.

sheduled task creating vss snapshot

Suppose, the task has to be run every day at 1.20 PM (here you’ll have to think how often you would like the snapshots to be created).

trigger time

The script to be run: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe

with the argument %windir%\system32\vss-script.ps1

task to run powershell script

Tip. Also, you have to provide a weekly Scheduled Task to remove earlier VSS snapshots. To do it, create a new Scheduled Task running a similar script containing the following code:

$vssadminDeleteOld = “vshadow.exe -do=%$Drive”
cmd /c  $vssadminDeleteOld

How to Recover Original Files from a VSS Snapshot

If user’s computer has been infected by ransomware, the administrator or tech support team staff can recover encrypted documents from the snapshot.

The list of all available snapshots can be displayed using this command:

vssadmin.exe list shadows

vssadmin.exe list shadows

In our example, the latest snapshot was created on 10/6/2016 1:33:35 AM and has Shadow Copy ID = {6db666ac-4d42-4734-8fbb-fad64825c66c}.

Mount this snapshot in read only mode as a separate system drive by its ID:

vshadow -el={6db666ac-4d42-4734-8fbb-fad64825c66c},Z:

mount shadow copy using vshadow.exe

Now, using File Explorer or any other file manager, copy the original files from disk Z:.

To unmount the disk with the snapshot:

mountvol Z:\ /D

Conclusion

Of course, VSS are not a means of protection against encryption ransomware and do not cancel a comprehensive approach to computer security (antivirus software, SRP / AppLocker policies, reputation filters, SmartScreen, etc.). However, in my opinion, the simplicity and availability of volume shadow copying is a great advantage of this way to recover encrypted data, which is likely to be useful in case of penetration of malware on the user’s computer

Previous:
Next:
Related Articles