Securonix Threat Research Knowledge Sharing Series: New Ransomware, Old Tricks: Detecting Reliable, Real-World Ransomware Indicators of Compromise

Securonix Threat Labs highlights five persistent ransomware IOCs used to inhibit system recovery: vssadmin (shadow copy deletion), WMI/wmic (shadow copy deletion), wbadmin (delete backups), bcdedit (disable recovery), and PowerShell (shadow copy deletion). The post recommends focusing detections on the “inhibit recovery” phase using host-based command-line and PowerShell logging (Sysmon/EID 1, Windows 4688, PowerShell 4104/4103) and provides example commands and Securonix detection queries. #WannaCry #BlackCat

Keypoints

  • Five reliable IOCs for ransomware “inhibit recovery” phase: vssadmin, WMI/wmic, wbadmin, bcdedit, and PowerShell shadow-copy deletion.
  • These techniques remain in active use across many modern ransomware families (e.g., Hive, LockBit, BlackCat, LokiLocker, MedusaLocker).
  • Example malicious commands include “vssadmin delete shadows /all /quiet”, “wmic shadowcopy delete”, “wbadmin delete catalog -quiet”, and “bcdedit /set {default} recoveryenabled No”.
  • Best detections come from host-based command-line logging (Sysmon event ID 1, Windows 4688) and PowerShell script/module logging (Event IDs 4104/4103).
  • Detections in the inhibit-recovery phase are high-value because the commands are conspicuous in process logs, consistent across variants, and fire before wide encryption, leaving time for containment.
  • Securonix supplies specific queries and detection policies (Spotter queries, EDR/PSH rules) to detect these patterns and loader-related activity early.

MITRE Techniques

  • [T1490] Inhibit System Recovery – Ransomware modifies system recovery settings or deletes backups to prevent restoration (‘During this stage, the ransomware will attempt to make key system configuration changes which will prevent a system administrator from being able to recover files.’)
  • [T1485] Data Destruction – Ransomware deletes originals or shadow copies as part of destroying recoverable data (‘the data destruction phase… encrypting them, and deleting the originals.’)
  • [T1486] Data Encrypted for Impact – Ransomware encrypts files to deny access and extort victims (‘the data destruction phase, or encryption phase encompasses the time in which the ransomware process is looping through files on the filesystem, encrypting them…’)
  • [T1047] Windows Management Instrumentation – Attackers use wmic/wmi to enumerate and delete shadow copies (‘we observe ransomware authors attempting to delete Windows shadow copies… using the Windows administration tool wmic.exe.’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell cmdlets are used to enumerate and remove shadow copies (‘attackers can also use PowerShell commands to delete system shadow copies using the cmdlet “Get-WmiObject” or “Get-CimInstance”.’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Built-in Windows CLIs (vssadmin, wbadmin, bcdedit) are executed to delete/disable recovery artifacts (‘vssadmin delete shadows /all /quiet’, ‘wbadmin delete catalog -quiet’, ‘bcdedit.exe /set {default} recoveryenabled No’)

Indicators of Compromise

  • [Process / File Name] command-line tools used to inhibit recovery – vssadmin.exe, wbadmin.exe (built-in Windows binaries commonly invoked by ransomware)
  • [Commands / Command Arguments] explicit malicious commands – “vssadmin delete shadows /all /quiet”, “wbadmin delete catalog -quiet”, and “bcdedit /set {default} recoveryenabled No” (flags like “/all /quiet” indicate concealment)
  • [PowerShell Commands] PowerShell shadow-copy removal – Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
  • [WMI] WMI-based shadow deletion – “wmic shadowcopy delete” and related WMI queries used to remove shadow copies
  • [Loaders / Malware Names] initial loaders delivering ransomware – Emotet, Qakbot, Trickbot, Bumblebee (monitor for these as early IOCs)
  • [Delivery Artifacts] common delivery vectors – OneNote code execution, archived attachments (.zip/.iso), .lnk shortcut execution (monitor for these file types/behaviors)

Securonix Threat Labs recommends prioritizing detection of the “inhibit recovery” stage because ransomware repeatedly uses built-in Windows tools and specific command arguments to remove or disable recovery artifacts. Focus on monitoring process creation events for vssadmin.exe, wmic.exe, wbadmin.exe, bcdedit.exe, and powershell.exe with suspicious arguments (e.g., “/all /quiet”, “delete catalog -quiet”, “Win32_ShadowCopy | Remove-CimInstance”). Flags and specific cmdlet usage are strong signals (for example, use of “/quiet” or PowerShell’s Get-WmiObject/Get-CimInstance combined with Remove/Delete operations); these tend to have low false-positive rates and are consistent across many ransomware families.

Implement host-based command-line auditing (enable Sysmon Process Create / Event ID 1 and Windows 4688) and PowerShell script block logging (Event ID 4104) and module logging (Event ID 4103) to capture the full command lines and script blocks for analysis. Correlate those events with known loader detections and delivery vectors (Emotet, Qakbot, Trickbot, Bumblebee; OneNote/ZIP/.lnk attachments) to gain earlier warning. Securonix provides example Spotter queries and detection policies that search for combinations of process names and keywords (e.g., resourcecustomfield contains “vssadmin” + “delete” + “shadow”); mirror these logic patterns in your SIEM/EDR rules to trigger timely containment actions.

Respond immediately to confirmed inhibit-recovery activity: isolate the host, block executed binaries or command patterns, and scan neighboring systems for similar process commands to prevent lateral spread. Because multiple methods may be used together (some ransomware runs several of these commands), design detections to alert on any single high-confidence pattern and to escalate when multiple indicators appear in short succession. Read more: https://www.securonix.com/blog/threat-research-knowledge-sharing-series-new-ransomware-old-tricks/
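The detection logic described above (match the five inhibit-recovery command patterns in process-create events, alert on any single hit, escalate when several distinct techniques fire on one host in short succession), written as an added Python example. This is not Securonix's code or a Spotter query; the Sysmon Event ID 1 records are constructed sample data, and the technique labels, 10-minute window and escalation threshold are assumptions chosen for the example.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 (process create) records, trimmed to the fields the
# detection needs. Sample data written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 10:00:05", "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"UtcTime": "2024-03-01 10:00:07", "Computer": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"UtcTime": "2024-03-01 10:00:09", "Computer": "WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"UtcTime": "2024-03-01 11:30:00", "Computer": "WS02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign enumeration by an admin; must not alert
    {"UtcTime": "2024-03-01 12:00:00", "Computer": "WS03",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\""},
]

# One rule per IOC family named in the post: (technique label, image basenames, command-line pattern).
# The command-line pattern carries the signal; the image check keeps "vssadmin list shadows" quiet.
RULES = [
    ("vssadmin_shadow_delete", {"vssadmin.exe"}, re.compile(r"delete\s+shadows", re.I)),
    ("wmic_shadow_delete", {"wmic.exe"}, re.compile(r"shadowcopy\s+delete", re.I)),
    ("wbadmin_catalog_delete", {"wbadmin.exe"}, re.compile(r"delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", {"bcdedit.exe"}, re.compile(r"recoveryenabled\s+no", re.I)),
    ("powershell_shadow_delete", {"powershell.exe", "pwsh.exe"},
     re.compile(r"win32_shadowcopy.*(remove-ciminstance|\.delete\(\))", re.I)),
]

def classify(event):
    """Return the technique label matched by one process-create event, or None."""
    image = os.path.basename(event["Image"].replace("\\", "/")).lower()
    for technique, images, pattern in RULES:
        if image in images and pattern.search(event["CommandLine"]):
            return technique
    return None

def detect(events, window=timedelta(minutes=10), escalate_at=2):
    """Alert on every single match; escalate a host once `escalate_at` distinct
    techniques fire on it within `window`. Returns (alerts, escalated_hosts)."""
    alerts = []
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        technique = classify(e)
        if technique:
            alerts.append((datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"), e["Computer"], technique))
    escalated = set()
    for ts, host, _ in alerts:  # look back over the window for distinct techniques on this host
        recent = {t for t0, h, t in alerts if h == host and ts - window <= t0 <= ts}
        if len(recent) >= escalate_at:
            escalated.add(host)
    return alerts, escalated
```

Running `detect(SAMPLE_EVENTS)` yields four single-pattern alerts and escalates only WS01, where three distinct techniques appear within seconds; the benign `vssadmin list shadows` on WS02 produces nothing.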