Description
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
- `vssadmin.exe` can be used to delete all volume shadow copies on a system: `vssadmin.exe delete shadows /all /quiet`
- Windows Management Instrumentation can be used to delete volume shadow copies: `wmic shadowcopy delete`
- `wbadmin.exe` can be used to delete the Windows Backup Catalog: `wbadmin.exe delete catalog -quiet`
- `bcdedit.exe` can be used to disable automatic Windows recovery features by modifying boot configuration data: `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`
- `REAgentC.exe` can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
- `diskshadow.exe` can be used to delete all volume shadow copies on a system: `diskshadow delete shadows all`(Citation: Diskshadow)(Citation: Crytox Ransomware)
On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
On ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support Data Encrypted for Impact, preventing them from being leveraged as backups (e.g., via vim-cmd vmsvc/snapshot.removeall).(Citation: Cybereason)
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
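The native utilities listed above, and the ESXi `vim-cmd` snapshot removal, all leave a distinctive process command line behind, which is the cheapest place to detect this technique. The following is an added detection example written for this page, not code from the ATT&CK entry or any vendor. It normalizes a command line (strips a `cmd.exe /c` wrapper, splits `&`-chained commands, drops the path and `.exe`), then matches each segment against tool-specific rules for the commands described on this page plus the Volume Shadow Copy service stop/disable behaviour attributed to Scattered Spider and HermeticWiper. The sample records are constructed; the record layout is an assumption, so adapt `scan_records` to your own source (Sysmon Event ID 1, Security event 4688, ESXi shell.log).

```python
"""Flag process command lines that match the recovery-inhibiting commands
listed on this page: vssadmin, wmic, wbadmin, bcdedit, reagentc and
diskshadow on Windows, and vim-cmd snapshot removal on ESXi hosts.

Added detection example; it is not part of the ATT&CK entry. The log
records below are constructed. The record layout (a dict holding a
command line string) is an assumption: adapt `scan_records` to your own
telemetry source.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tool: str      # executable name, lower-case, no path or .exe
    pattern: str   # regex applied to the lower-cased argument string


# Each rule is tied to one tool so that "delete shadows" inside an
# unrelated command (a script name, a log message) does not fire alone.
RULES = [
    Rule("vss_delete", "vssadmin", r"\bdelete\s+shadows\b"),
    # BlackByte-style resize that implicitly destroys older copies
    Rule("vss_resize", "vssadmin", r"\bresize\s+shadowstorage\b"),
    Rule("wmic_shadowcopy_delete", "wmic", r"\bshadowcopy\b.*\bdelete\b"),
    Rule("wbadmin_delete_catalog", "wbadmin", r"\bdelete\s+catalog\b"),
    Rule("bcdedit_ignore_failures", "bcdedit", r"\bbootstatuspolicy\s+ignoreallfailures\b"),
    Rule("bcdedit_recovery_off", "bcdedit", r"\brecoveryenabled\s+no\b"),
    Rule("reagentc_disable", "reagentc", r"/disable\b"),
    # Inline form only: "diskshadow /s script.txt" needs the script
    # contents, not the command line, to be inspected.
    Rule("diskshadow_delete", "diskshadow", r"\bdelete\s+shadows\b"),
    Rule("vss_service_stop", "sc", r"\b(?:stop\s+vss\b|config\s+vss\b.*start=\s*disabled)"),
    Rule("vss_service_stop", "net", r"\bstop\s+vss\b"),
    Rule("esxi_snapshot_removeall", "vim-cmd", r"vmsvc/snapshot\.removeall\b"),
]

# "cmd.exe /c <command>" wrapping and "&"/"&&" chaining are common, so the
# line is unwrapped and split into segments before matching.
CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
SEPARATOR = re.compile(r"\s*&&?\s*")
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', re.S)


def split_segments(command_line: str) -> list[str]:
    line = CMD_PREFIX.sub("", command_line.strip())
    if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
        line = line[1:-1]
    return [s for s in SEPARATOR.split(line) if s]


def image_and_args(segment: str) -> tuple[str, str]:
    m = FIRST_TOKEN.match(segment)
    if not m:
        return "", ""
    image = m.group(1) or m.group(2)
    name = re.split(r"[\\/]", image)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name, m.group(3).lower()


def scan_command_line(command_line: str) -> list[str]:
    """Return the names of all rules the command line triggers, in order."""
    hits = []
    for segment in split_segments(command_line):
        tool, args = image_and_args(segment)
        for rule in RULES:
            if rule.tool == tool and re.search(rule.pattern, args):
                hits.append(rule.name)
    return hits


def scan_records(records):
    """One finding per record that triggered at least one rule."""
    findings = []
    for rec in records:
        rules = scan_command_line(rec["cmdline"])
        if rules:
            findings.append({"host": rec["host"], "parent": rec["parent"], "rules": rules})
    return findings


SAMPLE_RECORDS = [  # constructed telemetry, not real captures
    {"host": "ws01", "parent": "explorer.exe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "parent": "cmd.exe",
     "cmdline": r"c:\Windows\System32\wbadmin.exe delete catalog -quiet"},
    {"host": "srv02", "parent": "cmd.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"},
    {"host": "srv02", "parent": "cmd.exe", "cmdline": 'cmd.exe /c "reagentc.exe /disable"'},
    {"host": "esx01", "parent": "sh", "cmdline": "vim-cmd vmsvc/snapshot.removeall 12"},
    {"host": "ws03", "parent": "explorer.exe", "cmdline": "vssadmin list shadows"},  # benign
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['host']}: {', '.join(f['rules'])} (parent {f['parent']})")
```

The parent process is carried through because it is the main false-positive filter: backup agents do issue `vssadmin` and `wbadmin` commands, so alert on the rule names in combination with an unexpected parent (an Office process, a script host, an interactive shell) or with several rules firing on one host within a short window.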
Mitigations (4)
Execution Prevention (M1038)
Consider using application control configured to block execution of utilities such as diskshadow.exe that may not be required for a given system or network to prevent potential misuse by adversaries.
Operating System Configuration (M1028)
Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: `reagentc /enable`.(Citation: reagentc_cmd)
User Account Management (M1018)
Limit the user accounts that have access to backups to only those required. In AWS environments, consider using Service Control Policies to restrict API calls to delete backups, snapshots, and images.
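A Service Control Policy of the kind this mitigation describes is an organization-level explicit Deny that member-account IAM policies cannot override. The block below is an added example for this page, not code from the ATT&CK entry or from AWS documentation. It builds the SCP as JSON and includes a small checker that applies the same wildcard and `ArnNotLike` semantics IAM uses, so the policy can be sanity-checked offline before it is attached. The IAM action names, the `aws:PrincipalArn` condition key and the `ArnNotLike` operator are real; the exempted `BackupAdmin` role name and the account ID in the usage lines are placeholders.

```python
"""Service Control Policy that denies the API calls used to delete
backups, snapshots and machine images, as the User Account Management
mitigation recommends for AWS.

Added example; it is not part of the ATT&CK entry or of AWS
documentation. The IAM action names, the aws:PrincipalArn condition key
and the ArnNotLike operator are real; the "BackupAdmin" role name is a
placeholder. `action_is_denied` implements only the part of IAM
evaluation needed to sanity-check this policy (explicit Deny, '*' and
'?' wildcards, case-insensitive action names, case-sensitive ARNs, the
ArnNotLike exemption); it is not a general IAM evaluator.
"""
import json
import re

# Calls that remove recovery data or turn off the protections around it.
DESTRUCTIVE_BACKUP_ACTIONS = [
    "ec2:DeleteSnapshot",
    "ec2:DeregisterImage",
    "rds:DeleteDBSnapshot",
    "rds:DeleteDBClusterSnapshot",
    "backup:DeleteBackupVault",
    "backup:DeleteRecoveryPoint",
    "backup:DeleteBackupPlan",
    "s3:DeleteObjectVersion",
    "s3:PutBucketVersioning",        # the same call enables and suspends versioning
    "s3:PutLifecycleConfiguration",  # lifecycle rules can expire old object versions
]

# Placeholder: the single role allowed to perform these actions, used only
# from a change-controlled or break-glass workflow.
BACKUP_ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/BackupAdmin"

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBackupDestruction",
            "Effect": "Deny",
            "Action": DESTRUCTIVE_BACKUP_ACTIONS,
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": [BACKUP_ADMIN_ROLE_PATTERN]}
            },
        }
    ],
}


def scp_document() -> str:
    """JSON body for: aws organizations create-policy --type SERVICE_CONTROL_POLICY"""
    return json.dumps(SCP, indent=2)


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_applies(stmt: dict, action: str, principal_arn: str) -> bool:
    # Action names are matched case-insensitively by IAM.
    if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
        return False
    exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
    # ArnNotLike: the statement applies only when the principal matches
    # none of the listed patterns. ARN comparison is case-sensitive.
    return not any(_wildcard_match(p, principal_arn, False) for p in _as_list(exempt))


def action_is_denied(policy: dict, action: str, principal_arn: str) -> bool:
    return any(
        s["Effect"] == "Deny" and statement_applies(s, action, principal_arn)
        for s in policy["Statement"]
    )


if __name__ == "__main__":
    print(scp_document())
    dev = "arn:aws:iam::123456789012:role/Developer"  # constructed account id
    print("Developer may delete snapshots:", not action_is_denied(SCP, "ec2:DeleteSnapshot", dev))
```

Two properties of SCPs matter when relying on this: they never grant permissions, so the `BackupAdmin` role still needs its own IAM policy, and they do not apply to the organization's management account, so backups should live in member accounts where the Deny is in force.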
Data Backup (M1053)
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects wher
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has deleted recovery files such as shadow copies using `vssadmin.exe`.(Citation: Palo Alto Unit ... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has deleted snapshots, restore points, storage accounts, and backup services to prevent remediatio... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has deleted virtual machines directly from the virtualization platform.(Citation: Check Point ... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMIC and vssadmin to manually delete volume shadow copies. [Wizard Spider](https://att... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) resized and deleted volume shadow copy files to prevent system recovery after encryption.(Citation:... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has stopped the Volume Shadow Copy service on compromised hosts.(Citation: Mandiant UNC3944 ... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) uses [Prestige](https://attack.mitre.org/software/S1058) to delete the backup catalog from the ... |
Associated Software (48)
| ID | Name | Type | Context |
|---|---|---|---|
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) can delete shadow copies using vssadmin.exe.(Citation: Minerva Labs Black Basta May 2022)(Citat... |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) can delete volume shadow copies using `vssadmin delete shadows /all /quiet`.(Citat... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can remove all system restore points.(Citation: ESET InvisiMole June 2018) |
| S1162 | Playcrypt | Malware | [Playcrypt](https://attack.mitre.org/software/S1162) can use AlphaVSS to delete shadow copies.(Citation: Trend Micro Ransomware Spotlight Play July 20... |
| S0612 | WastedLocker | Malware | [WastedLocker](https://attack.mitre.org/software/S0612) can delete shadow volumes.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group Wast... |
| S0132 | H1N1 | Malware | [H1N1](https://attack.mitre.org/software/S0132) disables recovery options and deletes shadow copies from the victim.(Citation: Cisco H1N1 Part 2) |
| S0400 | RobbinHood | Malware | [RobbinHood](https://attack.mitre.org/software/S0400) deletes shadow copies to ensure that all the data cannot be restored easily.(Citation: CarbonBla... |
| S0446 | Ryuk | Malware | [Ryuk](https://attack.mitre.org/software/S0446) has used `vssadmin Delete Shadows /all /quiet` to delete volume shadow copies and `... |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) can delete shadow volumes using `vssadmin.exe`.(Citation: Prevailion DarkWatchman 2... |
| S1244 | Medusa Ransomware | Malware | [Medusa Ransomware](https://attack.mitre.org/software/S1244) has deleted recovery files such as shadow copies using `vssadmin.exe`.(Citation: Palo Alt... |
| S0605 | EKANS | Malware | [EKANS](https://attack.mitre.org/software/S0605) removes backups of Volume Shadow Copies to disable any restoration capabilities.(Citation: Dragos EKA... |
| S1139 | INC Ransomware | Malware | [INC Ransomware](https://attack.mitre.org/software/S1139) can delete volume shadow copy backups from victim machines.(Citation: Cybereason INC Ransomw... |
| S0576 | MegaCortex | Malware | [MegaCortex](https://attack.mitre.org/software/S0576) has deleted volume shadow copies using `vssadmin.exe`.(Citation: IBM MegaCortex) |
| S0616 | DEATHRANSOM | Malware | [DEATHRANSOM](https://attack.mitre.org/software/S0616) can delete volume shadow copies on compromised hosts.(Citation: FireEye FiveHands April 2021) |
| S1073 | Royal | Malware | [Royal](https://attack.mitre.org/software/S1073) can delete shadow copy backups with vssadmin.exe using the command `delete shadows /all /quiet`.(Cita... |
| S1181 | BlackByte 2.0 Ransomware | Malware | [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) modifies volume shadow copies during execution in a way that destroys them on the ... |
| S0640 | Avaddon | Malware | [Avaddon](https://attack.mitre.org/software/S0640) deletes backups and shadow copies using native system tools.(Citation: Hornet Security Avaddon June... |
| S1058 | Prestige | Malware | [Prestige](https://attack.mitre.org/software/S1058) can delete the backup catalog from the target system using: `c:\Windows\System32\wbadmin.exe delet... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) can delete system restore points through the command `cmd.exe /c vssadmin delete shadows /for... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) can disable the VSS service on a compromised host using the service control manager.(Citation... |
References
- Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Cybereason Nocturnus. (n.d.). Cybereason vs. BlackCat Ransomware. Retrieved March 26, 2025.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Microsoft Windows Server. (2023, February 3). Diskshadow. Retrieved November 21, 2023.
- Romain Dumont. (2022, September 21). Technical Analysis of Crytox Ransomware. Retrieved November 22, 2023.
- Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.
- Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.
- TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved September 12, 2024.
Frequently Asked Questions
What is T1490 (Inhibit System Recovery)?
T1490 is a MITRE ATT&CK technique named 'Inhibit System Recovery'. It belongs to the Impact tactic(s). Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEy...
How can T1490 be detected?
Detection of T1490 (Inhibit System Recovery) typically involves monitoring system logs, network traffic, and endpoint telemetry; in particular, process creation events and command-line arguments for the recovery utilities listed above (vssadmin, wmic, wbadmin, bcdedit, reagentc, diskshadow), changes to the state of the Volume Shadow Copy service, and, in cloud environments, API calls that delete snapshots, backups, or machine images or that disable versioning. Use SIEM rules, EDR solutions, and behavioral analytics to identify this activity.
What mitigations exist for T1490?
There are 4 documented mitigations for T1490. Key mitigations include: Execution Prevention, Operating System Configuration, User Account Management, Data Backup.
Which threat groups use T1490?
Known threat groups using T1490 include: Medusa Group, Storm-0501, VOID MANTICORE, Wizard Spider, BlackByte, Scattered Spider, Sandworm Team.