Inhibit System Recovery, Technique T1490 - Enterprise

| ID | Name | Description |
|---|---|---|
| C0063 | 2025 Poland Wiper Attacks | During the 2025 Poland Wiper Attacks, the adversaries deleted Windows Volume Shadow Copies using `vssadmin delete shadows`.[10] |
| S1129 | Akira | Akira will delete system volume shadow copies via PowerShell commands.[11][12] |
| S0640 | Avaddon | Avaddon deletes backups and shadow copies using native system tools.[13][14] |
| S0638 | Babuk | Babuk has the ability to delete shadow volumes using `vssadmin.exe delete shadows /all /quiet`.[15][16] |
| S1136 | BFG Agonizer | BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery.[17] |
| S0570 | BitPaymer | BitPaymer attempts to remove the backup shadow files from the host using `vssadmin.exe Delete Shadows /All /Quiet`.[18] |
| S1070 | Black Basta | Black Basta can delete shadow copies using `vssadmin.exe`.[19][20][21][22][23][24][25][26][27] |
| G1043 | BlackByte | BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption.[28][29] |
| S1181 | BlackByte 2.0 Ransomware | BlackByte 2.0 Ransomware modifies volume shadow copies during execution in a way that destroys them on the victim machine.[30] |
| S1180 | BlackByte Ransomware | BlackByte Ransomware deletes all volume shadow copies and restore points, among other actions, to inhibit system recovery following ransomware deployment.[31] |
| S1068 | BlackCat | BlackCat can delete shadow copies using `vssadmin.exe delete shadows /all /quiet` and `wmic.exe Shadowcopy Delete`; it can also modify the boot loader using `bcdedit /set {default} recoveryenabled No`.[32] |
| S0611 | Clop | Clop can delete the shadow volumes with `vssadmin Delete Shadows /all /quiet` and can use `bcdedit` to disable recovery options.[33] |
| S0608 | Conficker | Conficker resets system restore points and deletes backup files.[34] |
| S0575 | Conti | Conti can delete Windows Volume Shadow Copies using `vssadmin`.[35] |
| S1111 | DarkGate | DarkGate can delete system restore points through the command `cmd.exe /c vssadmin delete shadows /for=c: /all /quiet`.[36] |
| S0673 | DarkWatchman | DarkWatchman can delete shadow volumes using `vssadmin.exe`.[37] |
| S0616 | DEATHRANSOM | DEATHRANSOM can delete volume shadow copies on compromised hosts.[38] |
| S0659 | Diavol | Diavol can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method.[39] |
| S0605 | EKANS | EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[40][41] |
| S1247 | Embargo | Embargo has cleared files from the recycle bin by invoking `SHEmptyRecycleBinW()` and disabled Windows recovery through `C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no`.[42] |
| S0618 | FIVEHANDS | FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.[38][43] |
| S0132 | H1N1 | H1N1 disables recovery options and deletes shadow copies from the victim.[44] |
| S0617 | HELLOKITTY | HELLOKITTY can delete volume shadow copies on compromised hosts.[38] |
| S0697 | HermeticWiper | HermeticWiper can disable the VSS service on a compromised host using the service control manager.[45][46][47] |
| S1139 | INC Ransomware | INC Ransomware can delete volume shadow copy backups from victim machines.[48] |
| S0260 | InvisiMole | InvisiMole can remove all system restore points.[49] |
| S0389 | JCry | JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[50] |
| S1199 | LockBit 2.0 | LockBit 2.0 has the ability to delete volume shadow copies on targeted hosts.[51][52] |
| S1202 | LockBit 3.0 | LockBit 3.0 can delete volume shadow copies.[53][54][55] |
| S0449 | Maze | Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[56][57] |
| G1051 | Medusa Group | Medusa Group has deleted recovery files such as shadow copies using `vssadmin.exe`.[58][59][60][61] |
| S1244 | Medusa Ransomware | Medusa Ransomware has deleted recovery files such as shadow copies using `vssadmin.exe`.[58][59][60][61] |
| S0576 | MegaCortex | MegaCortex has deleted volume shadow copies using `vssadmin.exe`.[62] |
| S0688 | Meteor | Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\Windows\system32\wbem\wmic.exe shadowcopy delete`.[63] |
| S1135 | MultiLayer Wiper | MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery.[17] |
| S0457 | Netwalker | Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[64][65] |
| S0365 | Olympic Destroyer | Olympic Destroyer uses the native Windows utilities `vssadmin`, `wbadmin`, and `bcdedit` to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.[1] |
| S1162 | Playcrypt | Playcrypt can use AlphaVSS to delete shadow copies.[66] |
| S1058 | Prestige | Prestige can delete the backup catalog from the target system using `c:\Windows\System32\wbadmin.exe delete catalog -quiet` and can also delete volume shadow copies using `\Windows\System32\vssadmin.exe delete shadows /all /quiet`.[67] |
| S0654 | ProLock | ProLock can use `vssadmin.exe` to remove volume shadow copies.[68] |
| S0583 | Pysa | Pysa has the functionality to delete shadow copies.[69] |
| S1242 | Qilin | Qilin can execute `vssadmin.exe delete shadows /all /quiet` to remove volume shadow copies and can disable High Availability (HA) and Distributed Resource Scheduler (DRS) in vCenter clusters.[70][71][72][73] |
| S0481 | Ragnar Locker | Ragnar Locker can delete volume shadow copies using `vssadmin delete shadows /all /quiet`.[74] |
| S1212 | RansomHub | RansomHub has used `vssadmin.exe` to delete volume shadow copies.[75][76] |
| S0496 | REvil | REvil can use `vssadmin` to delete volume shadow copies and `bcdedit` to disable recovery features.[77][78][79][80][81][82][83][84][85] |
| S1150 | ROADSWEEP | ROADSWEEP has the ability to disable System Restore and Volume Shadow Copies.[86][87] |
| S0400 | RobbinHood | RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[88] |
| S1073 | Royal | Royal can delete shadow copy backups with `vssadmin.exe` using the command `delete shadows /all /quiet`.[89][90][91] |
| S0446 | Ryuk | Ryuk has used `vssadmin Delete Shadows /all /quiet` to delete volume shadow copies and `vssadmin resize shadowstorage` to force deletion of shadow copies created by third-party applications.[92] |
| G0034 | Sandworm Team | Sandworm Team uses Prestige to delete the backup catalog from the target system using `C:\Windows\System32\wbadmin.exe delete catalog -quiet` and to delete volume shadow copies using `C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`.[67] |
| G1015 | Scattered Spider | Scattered Spider has stopped the Volume Shadow Copy service on compromised hosts.[93] |
| G1053 | Storm-0501 | Storm-0501 has deleted snapshots, restore points, storage accounts, and backup services to prevent remediation and restoration.[94] Storm-0501 has also impacted Azure resources through the targeting of `Microsoft.Compute/snapshots/delete`, `Microsoft.Compute/restorePointCollections/delete`, `Microsoft.Storage/storageAccounts/delete`, and `Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete`.[94] |
| G1055 | VOID MANTICORE | VOID MANTICORE has deleted virtual machines directly from the virtualization platform.[95] |
| S0366 | WannaCry | WannaCry uses `vssadmin`, `wbadmin`, `bcdedit`, and `wmic` to delete and disable operating system recovery features.[96][2][97] |
| S0612 | WastedLocker | WastedLocker can delete shadow volumes.[98][99][100] |
| G0102 | Wizard Spider | Wizard Spider has used WMIC and `vssadmin` to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of `vssadmin`.[101] |