Skip to content

Hide Navigation Hide TOC

Inhibit System Recovery (d207c03b-fbe7-420e-a053-339f4650c043)

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[Talos Olympic Destroyer 2018][FireEye WannaCry 2017] This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[Talos Olympic Destroyer 2018][FireEye WannaCry 2017] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[disable_notif_synology_ransom]

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
  • diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all [Diskshadow] [Crytox Ransomware]

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[ZDNet Ransomware Backups 2020] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[Dark Reading Code Spaces Cyber Attack][Rhino Security Labs AWS S3 Ransomware]

Cluster A Galaxy A Cluster B Galaxy B Level
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Inhibit System Recovery (d207c03b-fbe7-420e-a053-339f4650c043) Tidal Technique 1
Service Stop (e27c5756-f43e-424f-af62-b21e8b304e5d) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (14a944d3-ab95-40d8-b069-ccc4824ef46d) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Network Denial of Service (e6c14a7b-1fb8-4557-83e7-7f5b89717311) Tidal Technique 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (66657af9-83f7-4a54-b41b-301bfcdae866) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (26db57d5-ce6f-4487-a8a8-b4af1c4b6406) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (b05b5092-60f8-4324-aee3-7522753439ac) Unknown 2
Data Destruction (e5016c2b-85fe-4e6b-917d-0dd5b441cc34) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (49ef3482-7b75-4097-b9a6-6c9cb99d865c) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (d693ca8a-dacf-439e-a16b-5f6b3406a21d) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Data Encrypted for Impact (f0c36d24-263c-4811-8784-f716c77ec6b3) Tidal Technique 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (2109de05-5b45-4519-94a2-6c04f7d88286) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (3ec6bb34-4134-40c3-8b67-c0aeceae4471) Unknown 2
Account Access Removal (847fcc8a-e74d-41e2-9f05-8d79d990cc04) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (66cf4803-aec1-4396-afc1-28bc27dd8b2c) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Financial Theft (b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9) Tidal Technique 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (03619027-8a54-4cb2-8f1d-38d476edbdd8) Unknown 2
Firmware Corruption (559c647a-7759-4943-856d-dc717b5a443e) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (546a3318-0e03-4b22-95f5-c02ff69a4ebf) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (70365fab-8531-4a0e-b147-7cabdfdef243) Unknown 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Private Cluster (761fa7fa-d7e1-4796-85b3-5cd37d55dffa) Unknown 2
Data Manipulation (b77f03e8-f7d0-4d0f-8b79-4642d0fe2709) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2
Defacement (9a21c7c7-cf8e-4f05-b196-86ec39653e3b) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic System Shutdown/Reboot (24787dca-6afd-4ab3-ab6c-32e9486ec418) Tidal Technique 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Disk Wipe (ea2b3980-05fd-41a3-8ab9-3106e833c821) Tidal Technique 2
Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic Resource Hijacking (d10c4a15-aeaa-4630-a7a3-3373c89a584f) Tidal Technique 2
Endpoint Denial of Service (8b0caea0-602e-4117-8322-b125150f5c2a) Tidal Technique Impact (52c0edbc-ce4d-429a-b1d5-720403e0172f) Tidal Tactic 2