
Inhibit System Recovery (d207c03b-fbe7-420e-a053-339f4650c043)

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[Talos Olympic Destroyer 2018][FireEye WannaCry 2017] This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[Talos Olympic Destroyer 2018][FireEye WannaCry 2017] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[disable_notif_synology_ransom]

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data; the first command suppresses the automatic repair prompt after failed boots and the second stops the Windows Recovery Environment from launching - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system - reagentc.exe /disable
  • diskshadow.exe can be used to delete all volume shadow copies on a system; the command is entered interactively or read from a script file passed with /s, so the deletion may not appear on the process command line - delete shadows all [Diskshadow] [Crytox Ransomware]
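The list above is the attacker's side; the defender's side is matching those command lines in process-creation telemetry. The following detector is an added example, not code from this page or from Tidal Cyber or MITRE. It runs a small rule set over constructed records shaped like the Image and CommandLine fields of Sysmon Event ID 1 / Security 4688 events (sample input, not real logs), normalises case and spacing so trivial variations still match, fires every rule a chained cmd.exe /c a & b command contains, and treats diskshadow /s script mode as a "pull the script" indicator because the delete command is inside the file. The rule names, the confidence labels and the sample events are this example's own; the vssadmin resize shadowstorage rule goes beyond the page's list, since shrinking shadow storage evicts existing copies without the word delete ever appearing.

```python
import re

# Constructed process-creation records carrying the two fields the detector reads
# (Image, CommandLine), modelled on Sysmon Event ID 1 / Security 4688. Not real telemetry.
MALICIOUS_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Not on the page's list: shrinking shadow storage evicts existing copies without "delete"
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin.exe delete catalog -quiet"},
    # Both bcdedit changes chained with & in one cmd.exe invocation, as the page shows them
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                    " & bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Windows\System32\ReAgentc.exe",
     "CommandLine": "reagentc.exe /disable"},
    # diskshadow run non-interactively: "delete shadows all" lives inside the script file
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\Users\Public\ds.txt"},
]

# Routine administrative use of the same binaries; none of these should alert.
BENIGN_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /enum {default}"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin get versions"},
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "CommandLine": "reagentc /info"},
]

# (rule name, confidence, pattern). Patterns run against the whole normalised command line,
# so a chained "cmd /c a & b" fires every rule it contains. Rule names are this example's own.
RULES = [
    ("vssadmin_delete_shadows", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage", "medium",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete", "high",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog", "high",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_ignore_boot_failures", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("bcdedit_disable_recovery", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|false|0)\b")),
    ("reagentc_disable_winre", "high",
     re.compile(r"\breagentc(?:\.exe)?\b.*[/-]disable\b")),
    ("diskshadow_delete_shadows", "high",
     re.compile(r"\bdiskshadow(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    # Script mode hides the real commands in a file: flag it so the script gets collected and read
    ("diskshadow_script_mode", "medium",
     re.compile(r"\bdiskshadow(?:\.exe)?\b.*\s[/-]s\s+\S+")),
]


def normalize(command_line):
    """Lower-case and collapse whitespace so case and spacing tricks do not dodge the rules."""
    return " ".join(command_line.lower().split())


def detect(events):
    """Return one hit per event that matches at least one rule, listing every rule that fired."""
    hits = []
    for event in events:
        cmd = normalize(event.get("CommandLine", ""))
        fired = [(name, confidence) for name, confidence, rx in RULES if rx.search(cmd)]
        if fired:
            hits.append({"Image": event.get("Image", ""),
                         "CommandLine": event["CommandLine"], "rules": fired})
    return hits


if __name__ == "__main__":
    for hit in detect(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(", ".join(f"{n}({c})" for n, c in hit["rules"]), "<-", hit["CommandLine"])
```

The rules key on the binary name as it appears in the command line, so a renamed copy of vssadmin.exe slips past them; in production pair them with the OriginalFileName field Sysmon records, and expect cmd.exe quoting and caret tricks (vss"admin", de^lete) to need their own normalisation step.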

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

On ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support Data Encrypted for Impact, preventing them from being leveraged as backups (e.g., via vim-cmd vmsvc/snapshot.removeall).[Cybereason]

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[ZDNet Ransomware Backups 2020] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[Dark Reading Code Spaces Cyber Attack][Rhino Security Labs AWS S3 Ransomware]
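In the cloud the same technique shows up as API calls rather than command lines, and a single snapshot deletion is routine: the signal is one principal suspending versioning and deleting snapshots, database backups and machine images in quick succession. The detector below is an added example, not code from this page or from any vendor. It maps CloudTrail event names to the recovery options in the paragraph above, then looks for a burst of such events by one principal inside a sliding window. The records are constructed, shaped like CloudTrail's eventSource, eventName, eventTime, userIdentity.arn and requestParameters fields (the requestParameters layouts are modelled on real events but are assumptions here, not captured logs); the tags, the 15-minute window and the threshold of 3 are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-shaped records carrying only the fields the detector reads.
# The requestParameters layouts are assumptions modelled on real events, not captured logs.
CI_DEPLOY = "arn:aws:iam::123456789012:user/ci-deploy"
OPS_ALICE = "arn:aws:iam::123456789012:user/ops-alice"
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning", "userIdentity": {"arn": CI_DEPLOY},
     "requestParameters": {"bucketName": "corp-backups",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventTime": "2024-05-01T10:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSnapshot", "userIdentity": {"arn": CI_DEPLOY},
     "requestParameters": {"snapshotId": "snap-0a1b2c3d4e5f60789"}},
    {"eventTime": "2024-05-01T10:01:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSnapshot", "userIdentity": {"arn": CI_DEPLOY},
     "requestParameters": {"snapshotId": "snap-0f1e2d3c4b5a69870"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSnapshot", "userIdentity": {"arn": CI_DEPLOY},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-2024-04-30"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeregisterImage", "userIdentity": {"arn": CI_DEPLOY},
     "requestParameters": {"imageId": "ami-0123456789abcdef0"}},
    # A different principal doing one routine cleanup the same morning: tagged, but no burst
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSnapshot", "userIdentity": {"arn": OPS_ALICE},
     "requestParameters": {"snapshotId": "snap-00000000000000001"}},
    # Turning versioning back on is not a recovery-inhibition event
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning", "userIdentity": {"arn": OPS_ALICE},
     "requestParameters": {"bucketName": "corp-backups",
                           "VersioningConfiguration": {"Status": "Enabled"}}},
]

# (eventSource, eventName) pairs that remove a recovery option outright.
DESTRUCTIVE = {
    ("ec2.amazonaws.com", "DeleteSnapshot"),
    ("ec2.amazonaws.com", "DeregisterImage"),
    ("rds.amazonaws.com", "DeleteDBSnapshot"),
    ("rds.amazonaws.com", "DeleteDBClusterSnapshot"),
    ("backup.amazonaws.com", "DeleteRecoveryPoint"),
    ("backup.amazonaws.com", "DeleteBackupVault"),
    ("backup.amazonaws.com", "DeleteBackupPlan"),
}


def classify(event):
    """Tag an event that removes or weakens a recovery option; return None for everything else."""
    key = (event.get("eventSource"), event.get("eventName"))
    params = event.get("requestParameters") or {}
    if key in DESTRUCTIVE:
        return "backup_deleted"
    if key == ("s3.amazonaws.com", "PutBucketVersioning"):
        if params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
            return "versioning_suspended"
    if key[0] == "s3.amazonaws.com" and key[1] in ("PutBucketLifecycle",
                                                   "PutBucketLifecycleConfiguration"):
        return "lifecycle_changed"  # can expire noncurrent versions; the rule body needs review
    return None


def parse_time(ts):
    """CloudTrail timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_bursts(events, window=timedelta(minutes=15), threshold=3):
    """Report each principal whose tagged events reach `threshold` inside one sliding window."""
    by_principal = defaultdict(list)
    for event in events:
        tag = classify(event)
        if tag:
            by_principal[event["userIdentity"]["arn"]].append((parse_time(event["eventTime"]), tag))
    bursts = []
    for arn, items in by_principal.items():
        items.sort()
        best_count, best_start, start = 0, 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, start
        if best_count >= threshold:
            run = items[best_start:best_start + best_count]
            bursts.append({"principal": arn, "count": best_count,
                           "first": run[0][0].isoformat(), "last": run[-1][0].isoformat(),
                           "tags": sorted({tag for _, tag in run})})
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_TRAIL):
        print(burst)
```

Tune the threshold against your own change cadence: a backup-rotation role legitimately deletes snapshots in bursts, so scope the rule to principals that do not normally touch backups, and treat versioning_suspended on its own as worth a ticket regardless of count.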

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Inhibit System Recovery (d207c03b-fbe7-420e-a053-339f4650c043) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 1
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (d693ca8a-dacf-439e-a16b-5f6b3406a21d) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (2109de05-5b45-4519-94a2-6c04f7d88286) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (3ec6bb34-4134-40c3-8b67-c0aeceae4471) | Unknown | 2
Disk Wipe (ea2b3980-05fd-41a3-8ab9-3106e833c821) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (66cf4803-aec1-4396-afc1-28bc27dd8b2c) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (26db57d5-ce6f-4487-a8a8-b4af1c4b6406) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (03619027-8a54-4cb2-8f1d-38d476edbdd8) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (546a3318-0e03-4b22-95f5-c02ff69a4ebf) | Unknown | 2
System Shutdown/Reboot (24787dca-6afd-4ab3-ab6c-32e9486ec418) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (70365fab-8531-4a0e-b147-7cabdfdef243) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (761fa7fa-d7e1-4796-85b3-5cd37d55dffa) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (4a4a4fc9-88bc-500e-ae0e-db0d5f1f5503) | Unknown | 2
Email Bombing (bda97b6f-6465-5f17-81a9-8641d08ff1c0) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (7683b3ab-64c0-539a-8c37-d5fa4cb6b2a8) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (99360c91-8f86-544f-8689-494ad62c1890) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (1471c62a-d480-5234-801d-ac228fd7a31c) | Unknown | 2
Endpoint Denial of Service (8b0caea0-602e-4117-8322-b125150f5c2a) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (c7e3f0b5-f25e-5a99-9831-f8fd21ee3d22) | Unknown | 2
Resource Hijacking (d10c4a15-aeaa-4630-a7a3-3373c89a584f) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Data Destruction (e5016c2b-85fe-4e6b-917d-0dd5b441cc34) | Tidal Technique | 2
Service Stop (e27c5756-f43e-424f-af62-b21e8b304e5d) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Data Encrypted for Impact (f0c36d24-263c-4811-8784-f716c77ec6b3) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Network Denial of Service (e6c14a7b-1fb8-4557-83e7-7f5b89717311) | Tidal Technique | 2
Account Access Removal (847fcc8a-e74d-41e2-9f05-8d79d990cc04) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Financial Theft (b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Data Manipulation (b77f03e8-f7d0-4d0f-8b79-4642d0fe2709) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Firmware Corruption (559c647a-7759-4943-856d-dc717b5a443e) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (14a944d3-ab95-40d8-b069-ccc4824ef46d) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (66657af9-83f7-4a54-b41b-301bfcdae866) | Unknown | 2
Defacement (9a21c7c7-cf8e-4f05-b196-86ec39653e3b) | Tidal Technique | Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (b05b5092-60f8-4324-aee3-7522753439ac) | Unknown | 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) | Tidal Tactic | Private Cluster (49ef3482-7b75-4097-b9a6-6c9cb99d865c) | Unknown | 2