ACSIA Help Center

What is a “shadow copy delete”?

Permanently deleted user
Permanently deleted user
  • Updated


This article will explain the ACSIA alert called "shadow copy delete".

Explaining the shadow copy delete

"Shadow copy delete" refers to the act of an attacker attempting to remove or delete the shadow copies (also known as Volume Shadow Copies or VSS) on a computer or network. Shadow copies are backups or snapshots of the system's data at different points in time, and they can be used to restore files in case of data loss or system issues. Deleting shadow copies can prevent users from recovering previous versions of their files and can be used by attackers to cover their tracks after compromising a system or perpetrating a ransomware attack.

Example of a "shadow copy delete" attack:

Let's imagine a small business with multiple computers connected to a local network. The business stores valuable financial data and sensitive customer information on a central server. The server has a feature called Volume Shadow Copy enabled, which creates backup copies of files at regular intervals throughout the day.

An attacker manages to gain unauthorized access to the business's network by exploiting a vulnerability in one of the computers. Once inside the network, the attacker wants to cover their tracks and make it harder for the business to recover any data or undo the damage they may cause.

To achieve this, the attacker executes a "shadow copy delete" attack. They use their unauthorized access to the central server and start deleting the existing shadow copies. By removing these backup snapshots, the attacker ensures that even if they delete or encrypt critical files, the business won't be able to restore previous versions from the shadow copies.

After successfully deleting the shadow copies, the attacker proceeds to launch a ransomware attack on the central server. The ransomware encrypts all the business's critical data, making it inaccessible to the employees.

When the business discovers the ransomware attack, they may decide to pay the ransom to the attacker to regain access to their data. However, due to the "shadow copy delete" attack, the business no longer has the option to restore its files from previous backups, increasing the urgency and pressure to pay the ransom.

In this example, the "shadow copy delete" attack showcases how an attacker can use their initial unauthorized access to sabotage data recovery options and increase the impact of a ransomware attack.

ACSIA alerts you when there is an attempt to delete the shadow copies on your infrastructure.

Related to