Recovering Encrypted Files from VSS Snapshot after Ransomware Infection
We continue the series of articles on countermeasures against ransomware. Last time we considered a simple way of protecting Windows file servers against encryption ransomware using FSRM. Today we'll talk about how to easily recover your files if the ransomware has already got onto the computer and the user's documents are encrypted.
The easiest way to get the original files back after an infection with encrypting ransomware is to recover them from a backup. You can organize centralized backups of your file servers, but it is harder to back up data on user computers. Fortunately, Windows has an integrated backup mechanism: shadow copies created by the Volume Shadow Copy Service (VSS).
To make it possible to recover previous versions of files from VSS snapshots, the following requirements have to be met:
- VSS has to be enabled for the protected volumes
- There should be enough free space on the disk to store snapshots (at least 10-20%)
- The user shouldn't have Local Administrator privileges on the computer (most modern encryption malware, when running elevated, deletes all available VSS snapshots), and User Account Control (UAC) has to be enabled
Let's consider a mechanism that allows you to centrally manage the snapshot creation policy in an Active Directory domain environment and to easily restore the original files after an encryption ransomware attack.
How to Enable VSS on Domain Computers Using GPO
First of all, create a group policy to enable the Volume Shadow Copy (VSS) service on domain computers. To do it, in the GPMC.msc console create a new GPO named VSSPolicy and link it to the OU containing the user computers.
Now edit the GPO. In the list of services under Computer Configuration -> Windows Settings -> Security Settings -> System Services, find Volume Shadow Copy and set its startup type to Automatic.
How to Copy Vshadow.exe to User Computers Using GPO
To create and manage shadow copies on user computers, we need the vshadow.exe tool from the Windows SDK. In this example, we'll use vshadow from the SDK for Windows 7 x64 (in my case it worked correctly both on Windows 7 and on Windows 10 x64). Copy vshadow.exe to %windir%\system32 on all computers using GPP.
Then, under Computer Configuration -> Preferences -> Windows Settings -> Files, create a new policy that copies vshadow.exe from \\domain.loc\SYSVOL\domain.loc\scripts\vshadow.exe (the file must be placed there beforehand) to %windir%\system32\vshadow.exe. This policy can be configured to run only once (Apply once and do not reapply).
PowerShell Script to Create Shadow Copies of All Volumes
Next, we need a script that detects the drives in the system, enables shadow storage for each of them and creates a new VSS snapshot. I came up with the following script:
# Fixed disks only (DriveType = 3), so removable media and network drives are skipped
$HDDs = Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3"
foreach ($HDD in $HDDs) {
    $Drive = $HDD.DeviceID
    # Enable shadow storage on the volume itself and cap it at 10% of the volume size
    $vssadminEnable = "vssadmin.exe Resize ShadowStorage /For=$Drive /On=$Drive /MaxSize=10%"
    # Create a new persistent shadow copy of the volume
    $vsscreatess = "vshadow.exe -p $Drive"
    cmd /c $vssadminEnable
    cmd /c $vsscreatess
}
The first line finds all fixed drives in the system; then, for each disk, vssadmin enables shadow storage (capped at 10% of the volume) and vshadow creates a new persistent snapshot. The copies should therefore occupy less than 10% of the space.
Save this script to a file vss-script.ps1 and copy it to user computers using GPP as well.
Scheduled Task to Create VSS Snapshots
The last thing you have to do is to create a Scheduled Task on all computers that regularly runs vss-script.ps1 and creates a new snapshot of all drives. It's easiest to create this task using GPP. To do it, in the GPO section Computer Configuration -> Preferences -> Scheduled Tasks create a new Scheduled Task (New -> Scheduled Task (At least Windows 7)) named create vssnapshot, which must run elevated as NT AUTHORITY\System.
Suppose the task has to run every day at 1.20 PM (you'll have to decide for yourself how often you want snapshots to be created).
The script to be run:
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe
with the argument
%windir%\system32\vss-script.ps1
Tip. You should also create a weekly Scheduled Task that removes older VSS snapshots. To do it, create a new Scheduled Task running a similar script (the same loop over $HDDs) in which the snapshot creation is replaced by the following code, which deletes the oldest shadow copy of each volume:
# Delete the oldest shadow copy of the volume in $Drive
$vssadminDeleteOld = "vshadow.exe -do=$Drive"
cmd /c $vssadminDeleteOld
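Since vshadow -do removes only one snapshot per run, a retention rule based on a count is easier to reason about. The following script is an added example and is not part of the original article: it keeps the $Keep newest snapshots of every fixed volume and deletes the rest through the Win32_ShadowCopy WMI class; $Keep is an assumed parameter, and the script must run elevated (for instance from the weekly task above).

```powershell
# Added example: prune VSS snapshots, keeping the $Keep newest per fixed volume.
# $Keep is an assumed parameter; run elevated (e.g. as NT AUTHORITY\System).
param([int]$Keep = 5)

# Same filter as the creation script: fixed disks only.
$HDDs = Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3"

foreach ($HDD in $HDDs) {
    # Win32_ShadowCopy.VolumeName holds the volume GUID path (\\?\Volume{...}\),
    # not the drive letter, so map the letter to that path via Win32_Volume.
    $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$($HDD.DeviceID)'"
    if (-not $vol) { continue }

    # Attach a usable DateTime (InstallDate is a DMTF string) and sort newest first.
    $snaps = Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Select-Object ID, InstallDate,
            @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } },
            @{ n = 'Wmi';     e = { $_ } } |
        Sort-Object Created -Descending

    Write-Host ("{0}: {1} snapshot(s)" -f $HDD.DeviceID, @($snaps).Count)

    # Everything after the newest $Keep entries is deleted.
    $snaps | Select-Object -Skip $Keep | ForEach-Object {
        Write-Host ("  deleting {0} created {1}" -f $_.ID, $_.Created)
        $_.Wmi.Delete()   # ManagementObject.Delete() removes the shadow copy
    }
}
```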
How to Recover Original Files from a VSS Snapshot
If a user's computer has been infected by ransomware, the administrator or the tech support staff can recover the encrypted documents from a snapshot.
The list of all available snapshots can be displayed using this command:
vssadmin.exe list shadows
In our example, the latest snapshot was created on 10/6/2016 1:33:35 AM and has Shadow Copy ID = {6db666ac-4d42-4734-8fbb-fad64825c66c}.
Expose this snapshot read-only as a separate drive letter by its ID:
vshadow -el={6db666ac-4d42-4734-8fbb-fad64825c66c},Z:
Now, using File Explorer or any other file manager, copy the original files from drive Z:.
To unmount the disk with the snapshot:
mountvol Z: /D
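The same recovery can be scripted so that the right snapshot is chosen automatically: the newest one taken before the ransomware ran. The script below is an added example, not code from the original article; the volume, the infection time, the source folder, the destination folder and the Z: letter are assumed values, and it expects vshadow.exe to be reachable through PATH (as the GPP copy policy arranges) and to run elevated.

```powershell
# Added example: restore a folder from the newest VSS snapshot taken before
# the infection. All parameter defaults below are assumptions for illustration.
param(
    [string]  $Volume     = "C:",
    [datetime]$InfectedAt = (Get-Date),             # when the first encrypted file appeared
    [string]  $Source     = "Users\jdoe\Documents", # path relative to the volume root
    [string]  $Dest       = "D:\Recovered\jdoe",
    [string]  $Letter     = "Z:"
)

# Map the drive letter to the volume GUID path used by Win32_ShadowCopy.VolumeName.
$vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$Volume'"
if (-not $vol) { throw "Volume $Volume not found" }

# Pick the newest snapshot created strictly before the infection time.
$snap = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Select-Object ID,
        @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } } |
    Where-Object { $_.Created -lt $InfectedAt } |
    Sort-Object Created -Descending |
    Select-Object -First 1

if (-not $snap) { throw "No snapshot of $Volume older than $InfectedAt" }
Write-Host ("Using snapshot {0} created {1}" -f $snap.ID, $snap.Created)

# Expose the snapshot read-only under a drive letter, exactly as in the article.
& vshadow.exe "-el=$($snap.ID),$Letter" | Out-Null
try {
    # /E copies subfolders, /XJ skips junctions, short retries avoid hanging on odd files.
    & robocopy.exe "$Letter\$Source" $Dest /E /XJ /R:1 /W:1 /NP
    # robocopy exit codes 0-7 are success variants; 8 and above report failures.
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit code $LASTEXITCODE)" }
} finally {
    # Always detach the snapshot again, even if the copy failed.
    & mountvol.exe $Letter /D
}
```

Files recovered this way are the pre-infection versions, so compare the modification times in $Dest with the infection time before handing the data back to the user.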
Conclusion
Of course, VSS is not a means of protection against encryption ransomware and does not replace a comprehensive approach to computer security (antivirus software, SRP / AppLocker policies, reputation filters, SmartScreen, etc.). However, in my opinion, the simplicity and availability of volume shadow copies is a great advantage of this way of recovering encrypted data, and it is likely to be useful if malware does get onto a user's computer.