We demonstrated ransomware recovery by recovering files using the Windows Shadow Volume Copy feature. This was part of TryHackMe Advent of Cyber 2

The mayhem at Best Festival Company continues. McEager receives numerous emails and phone calls about a possible ransomware attack affecting all the endpoints in the network. McEager knows that the endpoints which are infected with the malware don’t have any backup copies but luckily on his workstation he has backups enabled.

Ransomware is a real threat that enterprise defenders and casual computer users need to defend & prepare against. According to Wikipedia, ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. It can be a frightening experience to log into a machine only to realize that malware has encrypted all of your important documents.

There are numerous security products that can be implemented in the security stack to catch this type of malware. If ransomware infects an endpoint, depending on the actual malware, there might be a decryptor made available by a security vendor. If not then you must rely on backups in order to restore your machines to the last working state, along with its files. Windows has a built-in feature that can assist with that.

The Volume Shadow Copy Service (VSS) coordinates the actions that are required to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.  (official definition)

Malware writers know of this Windows feature and write code in their malware to look for these files and delete them. Doing so makes it impossible to recover from a ransomware attack unless you have an offline/off-site backup. Not all malware deletes the volume shadow copies though.

Before diving into VSS on the endpoint let’s talk briefly regarding the Task Scheduler.

The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. Task Scheduler does this by monitoring whatever criteria you choose (referred to as triggers) and then executing the tasks when those criteria are met. (official definition)

Malware writers might have the malware create a scheduled task in order for the malware to run at a specific desired day/time or trigger.

Room Answers

Decrypt the fake ‘bitcoin address’ within the ransom note. What is the plain text value?

At times ransomware changes the file extensions of the encrypted files. What is the file extension for each of the encrypted files?

What is the name of the suspicious scheduled task?

Inspect the properties of the scheduled task. What is the location of the executable that is run at login?

There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?

Assign the hidden partition a letter. What is the name of the hidden folder?

Right-click and inspect the properties for the hidden folder. Use the ‘Previous Versions’ tab to restore the encrypted file that is within this hidden folder to the previous version. What is the password within the file?

Video Walk-Through


About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles