I know how we can fix ransomware. Let's put a pretty wrapper on a Windows feature that is the first thing ransomware deletes and disables
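The "first thing ransomware deletes" in the post above is the Volume Shadow Copy set, and the deletion almost always goes through a handful of well-known built-in tools. The following is an added example, not code from the original thread or from any EDR vendor: a small detector that runs over process-creation records and flags command lines that delete or shrink shadow copies or disable Windows recovery. The record format (`image|command line`) and the sample events are constructed here for illustration; a real pipeline would read the equivalent fields from Sysmon Event ID 1 or Security Event ID 4688.

```python
"""Flag process-creation events whose command line tampers with Volume Shadow
Copies or Windows recovery settings.

Added example for the thread above, not code from the original page or from any
EDR product. Records are a constructed "image|command line" shape; substitute the
Sysmon Event ID 1 / Security 4688 fields in a real pipeline.
"""
import re
from dataclasses import dataclass

# Each rule: (name, regex applied to the normalised, lower-cased command line).
# Patterns are matched loosely so that quoting, spacing and flag order do not matter.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",            # shrinking storage evicts old snapshots
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy",              # WMI/CIM object deletion from PowerShell
     re.compile(r"win32_shadowcopy.*(remove|delete)")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]

# Constructed sample events (not real telemetry): image path, then command line.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe List Shadows",  # benign admin use
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB",
    r"C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
    r"C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs -p -s Schedule",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    command_line: str


def normalise(cmd: str) -> str:
    """Strip quotes and collapse whitespace so '"vssadmin.exe"  Delete  Shadows' matches."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def scan(records):
    """Return one Finding per record whose command line matches a rule."""
    findings = []
    for n, record in enumerate(records, 1):
        # maxsplit=1: the command line itself may legitimately contain '|' (PowerShell pipes).
        parts = record.split("|", 1)
        if len(parts) != 2:
            continue  # malformed record: skip rather than abort the whole scan
        cmd = parts[1]
        norm = normalise(cmd)
        for name, rx in RULES:
            if rx.search(norm):
                findings.append(Finding(n, name, cmd.strip()))
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.line_no}: {f.rule}: {f.command_line}")
```

Command-line matching of this kind is cheap and catches the common tooling, but it is only a detection, not a prevention: an attacker can obfuscate the command line or call the VSS COM interfaces directly, which is why the EDR behaviour discussed later in the thread (refusing the deletion at a lower layer) is a different and stronger control.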
da_667 (da_667@infosec.exchange)'s status on Friday, 10-Jan-2025 23:04:35 JST da_667
da_667 (da_667@infosec.exchange)'s status on Friday, 10-Jan-2025 23:09:56 JST da_667
@GossiTheDog The way they phrase it makes it seem like they're running their own shadow copy. I would be absolutely enraged if I discovered they were just piggybacking on shadow copies.
Ján Trenčanský (j91321@infosec.exchange)'s status on Friday, 10-Jan-2025 23:16:25 JST Ján Trenčanský
@da_667 @GossiTheDog S1 agent blocks deletion of these Volume Shadows. Not sure how it's implemented, but my suspicion is that they either use the VSS AMSI provider to reject the deletion request or they just hook some shit.
Interpipes 💙 (interpipes@thx.gg)'s status on Saturday, 11-Jan-2025 00:01:29 JST Interpipes 💙
@GossiTheDog Doesn't all malware delete all shadow copies, or do they actually manage to prevent the malware deleting all the snapshots first?
Jason Haar :laserkiwi: (jhaar@mastodon.nz)'s status on Saturday, 11-Jan-2025 03:50:00 JST Jason Haar :laserkiwi:
@GossiTheDog @da_667 Most EDR products have the ability to block anything (including root/admin) from killing their processes. I'm sure there are always workarounds (that don't involve single-user mode), but it'll stop things like simple kill commands. CrowdStrike has had this feature for years. And it's needed: we used to see hackers breaking in and the first thing they did was kill/remove CrowdStrike. No more...
sigi714 (sigi714@ruhr.social)'s status on Sunday, 12-Jan-2025 04:11:17 JST sigi714
@GossiTheDog @interpipes They said in 2004 "flatten and rebuild" and never said anything different, afaik.