A new ransomware vaccine program has been developed that terminates any process that uses Microsoft’s vssadmin.exe to try to delete volume shadow copies.

Windows can take daily snapshots of your system and data files and store them as Shadow Volume Copies.

If files are accidentally changed or deleted, these snapshots can be used to recover them.

Since ransomware does not want victims to use this feature to restore files for free, the first thing it does when executed is delete all Shadow Volume Copies on the computer.

One way to remove Shadow Volumes is to use the following vssadmin.exe command:

Security researcher Florian Roth has released the ‘Raccine’ ransomware vaccine, which monitors the vssadmin.exe command for attempts to delete shadow volume copies.

“We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let’s try to create a simple vaccine,” Raccine’s GitHub page explains.

Raccine works by registering the raccine.exe executable as a debugger for vssadmin.exe under the Windows Image File Execution Options registry key.

Once raccine.exe is registered as a debugger, Raccine is launched every time vssadmin.exe is executed and checks whether vssadmin is attempting to delete shadow copies.

If it detects a process using ‘vssadmin delete’, that process is terminated automatically; since this deletion is usually attempted before ransomware starts to encrypt data on a system, the ransomware is stopped before encryption begins.

While this would stop a large amount of ransomware from encrypting files, certain newer ransomware families, as listed below, delete shadow volumes using other commands.

Because these ransomware variants do not use vssadmin.exe, Raccine currently would not block them.

Support for these commands will be added in the future.

It should also be noted that Raccine can terminate legitimate software that uses vssadmin.exe as part of its backup routines.

Roth plans to add an option in the future that lets such programs be excluded from Raccine so that they are not terminated by mistake.
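The interception decision described above (block ‘vssadmin delete shadows’, let other vssadmin invocations through, and miss deletions done by other tools), as an added Python example that is not Raccine’s own code. It assumes the Image File Execution Options behaviour the article describes: Windows starts the registered debugger with the intercepted program’s full command line appended, which is simulated here with constructed command-line strings.

```python
# Added example: the decision an IFEO-based vaccine such as Raccine has to
# make. Not Raccine's source; all command lines below are constructed samples.
# Under Image File Execution Options, Windows launches the registered debugger
# with the intercepted program's command line appended, e.g.
#   raccine.exe vssadmin.exe Delete Shadows /All /Quiet
from dataclasses import dataclass


@dataclass
class Verdict:
    block: bool      # True: the process that invoked vssadmin should be killed
    reason: str


def _strip_to_vssadmin(tokens):
    """Drop the debugger's own name (if present) and the vssadmin image path,
    returning only the arguments handed to vssadmin. Returns None when the
    command line does not invoke vssadmin at all."""
    for i, tok in enumerate(tokens):
        name = tok.strip('"').rsplit("\\", 1)[-1].lower()
        if name in ("vssadmin", "vssadmin.exe"):
            return tokens[i + 1:]
    return None


def classify(cmdline: str) -> Verdict:
    """Decide whether an intercepted command line is a shadow-copy deletion."""
    args = _strip_to_vssadmin(cmdline.split())
    if args is None:
        # Deletions done by other tools never pass through a vssadmin.exe
        # debugger, so this vaccine cannot see them.
        return Verdict(False, "not a vssadmin invocation; not covered")
    lowered = {a.lower() for a in args}
    if "delete" in lowered and "shadows" in lowered:
        # Matches ransomware and legitimate backup housekeeping alike: the
        # command line alone does not tell them apart.
        return Verdict(True, "vssadmin delete shadows")
    return Verdict(False, "benign vssadmin use (e.g. list/create)")


if __name__ == "__main__":
    samples = [  # simulated interceptions, constructed for this example
        "raccine.exe vssadmin.exe Delete Shadows /All /Quiet",
        r"C:\Windows\System32\vssadmin.exe delete shadows /for=D: /oldest",
        "vssadmin.exe list shadows",
        "wmic shadowcopy delete",
    ]
    for s in samples:
        v = classify(s)
        print(("BLOCK " if v.block else "allow ") + s + "  [" + v.reason + "]")
```

The second sample is the false-positive case from the article: a backup job pruning its oldest shadow copy is indistinguishable from ransomware at this level, which is why an exclusion option matters.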

Once installed, Raccine is registered as a debugger for vssadmin.exe and monitors commands that attempt to delete shadow volume copies.

If you find that Raccine is terminating legitimate programs that you use, you can disable it by running the raccine-reg-patch-uninstall.reg registry file and deleting C:\windows\raccine.exe.

Once Raccine is uninstalled, processes that attempt to delete shadow volume copies using vssadmin.exe will no longer be terminated.
