Windows OS Hub

November 22, 2016 · Group Policies, Windows 10, Windows 7

Recovering Encrypted Files from VSS Snapshot after Ransomware Infection

We go on with the series of articles concerning countermeasures against ransomware. Last time we considered a simple way of protecting Windows file servers against encryption ransomware using FSRM. Today we’ll talk about how to easily recover your files if the ransomware has already penetrated the computer and the user’s documents are encrypted.

The easiest way to get the original files back after an infection with encrypting ransomware is to recover them from a backup. You can organize a centralized backup on your file servers, but it’s more difficult to back up data on user computers. Fortunately, Windows has an integrated backup mechanism — shadow copies created by the Volume Shadow Copy Service (VSS).

To make it possible to recover previous versions of files from VSS snapshots, the following requirements have to be met:

  • VSS has to be enabled for the protected volumes
  • There should be enough free space on your disk to store snapshots (at least 10-20%)
  • A user shouldn’t have Local Administrator privileges on the computer (most modern encryption malware, when running elevated, deletes all available VSS snapshots), and User Account Control (UAC) has to be enabled
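The three requirements above can be verified on a workstation before you roll the policy out. The following script is an added example and is not part of the original article: it checks the VSS service start mode, the free space on every fixed volume, the UAC state and the membership of the local Administrators group, and prints one row per check. The 20% free-space threshold and the use of the EnableLUA registry value as the UAC indicator are assumptions made for this example; run it in an elevated PowerShell session.

```powershell
# Added example (not part of the original article): checks the VSS prerequisites on the local computer.
# Assumptions: 20% free space is "enough", and EnableLUA = 1 is taken as "UAC is enabled".

function Test-VssPrerequisites {
    $results = @()

    # 1. The Volume Shadow Copy service must not be disabled (the GPO in this article sets it to Automatic)
    $vss = Get-WmiObject -Class Win32_Service -Filter "Name = 'VSS'"
    $results += New-Object PSObject -Property @{
        Check = 'VSS service start mode'; Value = $vss.StartMode; Ok = ($vss.StartMode -ne 'Disabled')
    }

    # 2. Each fixed volume (DriveType 3) should keep enough free space for shadow storage
    foreach ($vol in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3') {
        $pctFree = [math]::Round(100 * $vol.FreeSpace / $vol.Size, 1)
        $results += New-Object PSObject -Property @{
            Check = "Free space on $($vol.DeviceID)"; Value = "$pctFree %"; Ok = ($pctFree -ge 20)
        }
    }

    # 3. UAC must be on: with EnableLUA = 0 every process of an administrator already runs elevated,
    #    and elevated ransomware can delete all snapshots
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $results += New-Object PSObject -Property @{
        Check = 'UAC enabled (EnableLUA)'; Value = $policy.EnableLUA; Ok = ($policy.EnableLUA -eq 1)
    }

    # 4. List the local Administrators group so you can confirm ordinary user accounts are not in it
    #    (ADSI is used because Get-LocalGroupMember does not exist on Windows 7)
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $results += New-Object PSObject -Property @{
        Check = 'Local Administrators members'; Value = ($members -join ', '); Ok = $true
    }

    return $results
}

Test-VssPrerequisites | Select-Object Check, Value, Ok | Format-Table -AutoSize
```

Any row with Ok = False means snapshots either cannot be created on that computer or can be wiped by malware running under an administrative account; fix those before relying on VSS as a recovery path.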

Let’s consider a mechanism that allows you to centrally manage the snapshot creation policy in an Active Directory domain environment and to easily restore the original files after an encryption ransomware attack.

Contents:
  • How to Enable VSS on Domain Computers Using GPO
  • How to Copy Vshadow.exe to User Computers Using GPO
  • PowerShell Script to Create Shadow Copies of All Volumes
  • Scheduled Task to Create VSS Snapshots
  • How to Recover Original Files from a VSS Snapshot
  • Conclusion

How to Enable VSS on Domain Computers Using GPO

First of all, create a group policy to enable Volume Shadow Copy (VSS) Service on domain computers. To do it, in GPMC.msc console create a new GPO object with the name VSSPolicy and assign it to the OU containing user computers.

Now edit your GPO. In the list of services under Computer Configuration -> Windows Settings -> Security Settings -> System Services, find Volume Shadow Copy and set the Automatic startup type.

[Screenshot: Volume Shadow Copy service startup type in the GPO editor]

How to Copy Vshadow.exe to User Computers Using GPO

To create and manage shadow copies on user computers, we need the vshadow.exe tool from the Windows SDK. In this example, we’ll use vshadow from the SDK for Windows 7 x64 (in my case it worked correctly both on Windows 7 and on Windows 10 x64). Copy vshadow.exe to %windir%\system32 on all computers using Group Policy Preferences (GPP).

Tip. You can download vshadow.exe from this link: vshadow_exe_win7x64.zip

Then, in Computer Configuration -> Preferences -> Windows Settings -> Files, create a new policy that copies vshadow.exe from \\domain.loc\SYSVOL\domain.loc\scripts\vshadow.exe (the file must be placed there beforehand) to %windir%\system32\vshadow.exe. This policy can be configured so that it runs only once (Apply once and do not reapply).

[Screenshot: GPP Files item copying vshadow.exe]

PowerShell Script to Create Shadow Copies of All Volumes

Next, we need a script that detects the list of drives in the system, enables shadowing and creates a new VSS snapshot. Here is the script:

# Enumerate the fixed local disks (DriveType 3); the dash before -Query must be a plain hyphen
$HDDs = Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3"
foreach ($HDD in $HDDs) {
    $Drive = $HDD.DeviceID
    # Enable shadow storage for the volume and cap it at 10% of the volume size
    $vssadminEnable = "vssadmin.exe Resize ShadowStorage /For=$Drive /On=$Drive /MaxSize=10%"
    # Create a new persistent (-p) shadow copy of the volume
    $vsscreatess = "vshadow.exe -p $Drive"
    cmd /c $vssadminEnable
    cmd /c $vsscreatess
}

[Screenshot: PowerShell script creating shadow copies of all volumes]

The first line finds all fixed drives in the system; for each of them vssadmin then enables shadow storage limited to 10% of the volume size, and vshadow creates a new persistent snapshot.

Save this script to a file vss-script.ps1 and copy it to user computers using GPP as well.

[Screenshot: GPP Files item copying vss-script.ps1]

Scheduled Task to Create VSS Snapshots

The last thing you have to do is to create a Scheduled Task on all computers that regularly runs vss-script.ps1 and creates a new snapshot of all drives. It’s easier to create this task using GPP. To do it, in the GPO section Computer Configuration -> Preferences -> Scheduled Tasks create a new Scheduled Task (New -> Scheduled Task (at least Windows 7)) with the name create vssnapshot, which must run elevated as NT AUTHORITY\System.

[Screenshot: scheduled task creating VSS snapshots]

Suppose the task has to run every day at 1:20 PM (here you’ll have to decide how often you want snapshots to be created).

[Screenshot: task trigger time]

The script to be run: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe

with the argument %windir%\system32\vss-script.ps1

[Screenshot: task action running the PowerShell script]

Tip. You should also create a weekly Scheduled Task that removes older VSS snapshots. To do it, create a new Scheduled Task running a similar script containing the following code:

$Drive = "C:"   # the volume whose oldest snapshot is removed; loop over all drives as in vss-script.ps1
$vssadminDeleteOld = "vshadow.exe -do=$Drive"   # -do=<volume> deletes the oldest shadow copy of that volume
cmd /c $vssadminDeleteOld
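The create and delete-old steps above can be combined into one task that keeps a fixed number of snapshots per volume, which makes shadow-storage consumption predictable (when the storage cap is reached VSS discards the oldest copies on its own, so an explicit retention count is what keeps the recovery window predictable). The following script is an added example, not the article’s own code: it uses the built-in Win32_ShadowCopy WMI class instead of vshadow.exe, so nothing has to be copied from the SDK. The $KeepCount default of 7 and the 10% storage cap are assumptions for this example; run it as SYSTEM or an administrator, for instance from the same scheduled task.

```powershell
# Added example (not the article's script): snapshot every fixed volume via Win32_ShadowCopy
# and keep only the newest $KeepCount snapshots per volume. Assumptions: KeepCount = 7, 10% cap.
param([int]$KeepCount = 7)

function Get-FixedVolumes {
    # DriveType 3 = local fixed disk; returns drive letters such as C:, D:
    Get-WmiObject -Query "SELECT DeviceID FROM Win32_LogicalDisk WHERE DriveType = 3" |
        ForEach-Object { $_.DeviceID }
}

function New-VolumeSnapshot([string]$Drive) {
    # Cap shadow storage at 10% of the volume (same setting as in the article's script)
    & vssadmin.exe Resize ShadowStorage "/For=$Drive" "/On=$Drive" "/MaxSize=10%" | Out-Null
    # Win32_ShadowCopy.Create(Volume, Context): "ClientAccessible" is the persistent snapshot type
    # that also shows up under "Previous Versions" in Explorer
    $class  = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $result = $class.Create("$Drive\", 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Snapshot of $Drive failed with return code $($result.ReturnValue)"
    }
    return $result.ShadowID
}

function Remove-OldSnapshots([string]$Drive, [int]$Keep) {
    # Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, so map the drive letter first
    $volumeGuid = (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$Drive'").DeviceID
    $snapshots = @(Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeGuid } |
        Sort-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) })
    $excess = $snapshots.Count - $Keep
    if ($excess -le 0) { return 0 }
    # Oldest snapshots come first after sorting; Delete() removes the shadow copy itself
    $snapshots[0..($excess - 1)] | ForEach-Object { $_.Delete() }
    return $excess
}

foreach ($drive in Get-FixedVolumes) {
    $id      = New-VolumeSnapshot -Drive $drive
    $removed = Remove-OldSnapshots -Drive $drive -Keep $KeepCount
    Write-Output "$drive : created snapshot $id, removed $removed old snapshot(s)"
}
```

Because the task runs as SYSTEM and the user has no administrative rights, the snapshots it creates cannot be deleted by malware running in the user’s session; that separation is what the UAC and non-admin requirements at the top of the article protect.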

How to Recover Original Files from a VSS Snapshot

If a user’s computer has been infected by ransomware, the administrator or tech support staff can recover the encrypted documents from a snapshot.

The list of all available snapshots can be displayed using this command:

vssadmin.exe list shadows

[Screenshot: vssadmin.exe list shadows output]

In our example, the latest snapshot was created on 10/6/2016 1:33:35 AM and has Shadow Copy ID = {6db666ac-4d42-4734-8fbb-fad64825c66c}.

Mount this snapshot in read only mode as a separate system drive by its ID:

vshadow -el={6db666ac-4d42-4734-8fbb-fad64825c66c},Z:

[Screenshot: shadow copy mounted as drive Z: with vshadow.exe]

Now, using File Explorer or any other file manager, copy the original files from disk Z:.

To unmount the disk with the snapshot:

mountvol Z:\ /D
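The recovery steps above (pick a snapshot, expose it, copy the files, unmount) can be scripted so that support staff do not have to find the Shadow Copy ID by hand. The following script is an added example and is not from the article: it selects the newest snapshot taken before the time the infection was noticed, exposes it through a directory symbolic link to the snapshot’s DeviceObject path (the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN form, which works without vshadow.exe), copies one folder out with robocopy, and removes the link. The drive, the folder, the destination and the infection time are assumed values for this example; run it elevated on the affected computer.

```powershell
# Added example (not from the article): restore a folder from the newest snapshot that predates
# the infection. All parameter defaults are assumptions; override them on the command line.
param(
    [string]$Drive        = 'C:',
    [string]$SourceFolder = 'Users\jdoe\Documents',          # relative to the volume root (assumed)
    [string]$Destination  = 'D:\Recovered\jdoe',              # clean target location (assumed)
    [datetime]$InfectedAt = (Get-Date '2016-10-06 09:00')     # first encrypted-file timestamp seen (assumed)
)

function Get-SnapshotBefore([string]$Drive, [datetime]$Cutoff) {
    # Map the drive letter to the \\?\Volume{GUID}\ name that Win32_ShadowCopy.VolumeName uses
    $volumeGuid = (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$Drive'").DeviceID
    $candidates = Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeGuid } |
        ForEach-Object {
            $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            $_ | Add-Member -MemberType NoteProperty -Name Created -Value $created -PassThru
        } |
        Where-Object { $_.Created -lt $Cutoff } |     # only snapshots taken before the infection
        Sort-Object Created -Descending
    return ($candidates | Select-Object -First 1)
}

function Restore-FromSnapshot($Snapshot, [string]$Relative, [string]$Destination) {
    $link = Join-Path $env:TEMP ('vss_' + $Snapshot.ID.Trim('{}'))
    # The snapshot is read-only; mklink needs the trailing backslash after the device path
    cmd /c mklink /d "$link" "$($Snapshot.DeviceObject)\" | Out-Null
    try {
        $src = Join-Path $link $Relative
        if (-not (Test-Path $src)) { throw "Folder $Relative not present in snapshot $($Snapshot.ID)" }
        # /E = subfolders, /COPY:DAT = data/attributes/timestamps, /R:1 /W:1 = no long retries on locked files
        & robocopy.exe $src $Destination /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null
        # robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied, ...)
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
        return (Get-ChildItem -Path $Destination -Recurse -File).Count
    }
    finally {
        cmd /c rmdir "$link" | Out-Null   # removes the link only; the snapshot is untouched
    }
}

$snap = Get-SnapshotBefore -Drive $Drive -Cutoff $InfectedAt
if (-not $snap) { throw "No snapshot of $Drive older than $InfectedAt" }
Write-Output "Using snapshot $($snap.ID) created $($snap.Created)"
$count = Restore-FromSnapshot -Snapshot $snap -Relative $SourceFolder -Destination $Destination
Write-Output "$count file(s) now in $Destination"
```

Copy to a location the ransomware never touched (another volume or a clean share) rather than back over the encrypted originals, so the encrypted copies remain available for analysis and the restore can be repeated from an older snapshot if the chosen one already contains encrypted files.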

Conclusion

Of course, VSS is not a means of protection against encryption ransomware and does not replace a comprehensive approach to computer security (antivirus software, SRP / AppLocker policies, reputation filters, SmartScreen, etc.). However, in my opinion, the simplicity and availability of volume shadow copies is a great advantage of this way of recovering encrypted data, and it is likely to be useful if malware does get onto a user’s computer.
