Behavior:Win32/ShadowCopyDeleteQuiet.A
Aliases: No associated aliases
Summary
Behavior:Win32/ShadowCopyDeleteQuiet.A is a destructive type of malware that targets the Windows Volume Shadow Copy (VSC) subsystem. It was developed to prevent file recovery by deleting volume shadow copies from the infected device. Win32/ShadowCopyDeleteQuiet.A can use several deletion techniques, including living-off-the-land binaries (LOLBins), that is, Windows native built-in tools, to carry out its payload. It manipulates a COM object to delete VSC backups silently in the background. This leaves the device unable to recover files in the event of a ransomware infection, creating a scenario where the only remaining option is to pay the ransom.
The goal of ShadowCopyDeleteQuiet is to cause the greatest possible disruption by preventing organizations from restoring Windows data via VSC. The only remaining alternative is a third-party backup solution beyond what is built into Windows. Removing viable backups is believed to put more pressure on the victim to cooperate with the extortion demands of ransomware authors. Advanced threat actors perform this pre-deletion of VSC with malware like ShadowCopyDeleteQuiet before launching a targeted ransomware attack.
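The LOLBin and COM-object deletion paths described above both surface in process-creation telemetry, so a defender's first detection is a command-line scan. The script below is an added example, not part of the original Microsoft page: it runs a few shadow-copy-deletion rules over constructed Sysmon-style process events (the event fields, PIDs and parent processes are made up) and flags the ones that also try to run quietly.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "mmc.exe",      "cmdline": "vssadmin.exe list shadows"},
    {"pid": 4188, "parent": "cmd.exe",      "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4201, "parent": "updater.exe",  "cmdline": "wmic shadowcopy delete"},
    {"pid": 4222, "parent": "winword.exe",
     "cmdline": "powershell -nop -w hidden Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"pid": 4300, "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Detection rules: (name, regex applied to the lowercased command line).
# The first two cover the LOLBin path, the third the WMI/COM Win32_ShadowCopy path.
RULES = [
    ("vssadmin shadow deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("wmic shadowcopy deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("WMI/COM Win32_ShadowCopy delete", re.compile(r"win32_shadowcopy.*\.delete\(\)")),
]

# Switches that hide the deletion from the logged-on user ("quiet" behaviour).
SILENT_MARKERS = ("/quiet", "-w hidden", "-windowstyle hidden")

# Parents from which shadow-copy deletion is never expected (user-facing document apps).
UNEXPECTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def scan_events(events):
    """Return one alert per event whose command line matches a deletion rule."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                silent = any(m in cmd for m in SILENT_MARKERS)
                # Severity: quiet deletion or an unexpected parent is worth an immediate triage.
                severity = "high" if silent or ev["parent"].lower() in UNEXPECTED_PARENTS else "medium"
                alerts.append({"pid": ev["pid"], "rule": name, "parent": ev["parent"],
                               "silent": silent, "severity": severity})
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid={a['pid']} parent={a['parent']} rule={a['rule']} silent={a['silent']}")
```

Legitimate backup agents and administrators also delete shadow copies, so in production this rule set is tuned with an allow-list of known parent processes rather than alerting on every match.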
- Disconnect all impacted devices from your networks.
- Reimage all affected devices from known good installation media. After they are rebuilt, restore the data and applications from your verified trusted backups.
- Review process execution logs, command histories, and network connections to understand the scope of the attack.
- Initiate a forced password reset of all impacted user and service accounts starting with the domain administrator account(s) and other high privilege credentials.
- Enforce your organization's incident response plan.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.