{
	"id": "5dfabd74-2dd0-46c1-99aa-bacb69684454",
	"created_at": "2026-04-06T00:16:50.78696Z",
	"updated_at": "2026-04-10T03:21:00.891145Z",
	"deleted_at": null,
	"sha1_hash": "705e53f3aa3a24f007dbc716f7d7ae8b6f479cc5",
	"title": "How CrowdStrike Prevents Volume Shadow Tampering by LockBit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1042409,
	"plain_text": "How CrowdStrike Prevents Volume Shadow Tampering by\r\nLockBit\r\nBy Thomas Moses - Sarang Sonawane - Liviu Arsene\r\nArchived: 2026-04-05 17:07:24 UTC\r\neCrime activity dominates the threat landscape, with ransomware as the main driver\r\nRansomware operators constantly refine their code and the efficacy of their operations\r\nCrowdStrike uses improved behavior-based detections to prevent ransomware from tampering with Volume Shadow Copies\r\nVolume Shadow Copy Service (VSS) backup protection nullifies attackers' deletion attempts, retaining snapshots in a recoverable state\r\nRansomware dominates the eCrime landscape and is a significant concern for organizations, as it can cause major disruptions. eCrime accounted for over 75% of interactive intrusion activity from July 2020 to June 2021, according to the CrowdStrike 2021 Threat Hunting Report. The continually evolving big game hunting (BGH) business model has seen widespread adoption, with access brokers facilitating initial access and dedicated leak sites applying pressure for victim compliance. Ransomware continues to evolve, with threat actors implementing components and features that make it more difficult for victims to recover their data.\r\nLockBit 2.0 Going for the Popularity Vote\r\nThe LockBit ransomware family has constantly been adding new capabilities, including tampering with the Microsoft Windows Volume Shadow Copy Service (VSS) by invoking the legitimate vssadmin.exe Windows tool. Capabilities such as lateral movement and destruction of shadow copies are among the most effective and pervasive tactics ransomware uses.\r\nFigure 1. 
LockBit 2.0 ransom note\r\nThe LockBit 2.0 ransomware has similar capabilities to other ransomware families, including the ability to bypass UAC (User Account Control), self-terminate, or check the victim’s system language before encryption to ensure that it’s not in a Russian-speaking country.\r\nhttps://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/\r\nPage 1 of 7\r\nFor example, LockBit 2.0 checks the default language of the system and of the current user by calling the Windows API functions GetSystemDefaultUILanguage and GetUserDefaultUILanguage. If the returned language code identifier matches one of those on its exclusion list, the program exits without encrypting anything. Figure 2 shows how the language validation is performed (function at 49B1C0).\r\nFigure 2. LockBit 2.0 performing system language validation\r\nLockBit can also perform a silent UAC bypass without triggering the UAC consent prompt, enabling it to elevate and encrypt without alerting the user. It first checks whether it is already running with administrative privileges: it opens the process token (NtOpenProcessToken), builds the well-known SID for the Administrators group (CreateWellKnownSid), and then tests whether the token holds that group (CheckTokenMembership and ZwQueryInformationToken).\r\nFigure 3. Group SID permissions for running process\r\nIf the process is not running as Administrator, it attempts to elevate by instantiating a COM object through the COM elevation moniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}. That CLSID belongs to CMSTPLUA, an auto-elevating COM class (ICMLuaUtil) that is a well-known UAC bypass; the same elevation trick has been used by the DarkSide and REvil ransomware families in the past. 
LockBit 2.0 also has lateral movement capabilities and can scan for other hosts to spread across the network. For example, it calls GetLogicalDrives to retrieve a bitmask of the currently available drives on the system. If a drive is a mapped network share, it resolves the name of the remote resource and connects to it using API functions such as WNetGetConnectionW, PathRemoveBackslashW, OpenThreadToken and DuplicateToken. In essence, it is no longer about targeting and compromising individual machines but entire networks. REvil and LockBit are just some of the recent ransomware families that feature this capability, while others such as Ryuk and WastedLocker share the same functionality. The CrowdStrike Falcon® OverWatch™ team found that in 36% of intrusions, adversaries can move laterally to additional hosts in less than 30 minutes, according to the CrowdStrike 2021 Threat Hunting Report. Another notable feature of LockBit 2.0 is that it prints the ransom note on every printer it finds on the network, adding public shaming to its encryption and data exfiltration capabilities.\r\nVSS Tampering: An Established Ransomware Tactic\r\nTampering with and deleting VSS shadow copies is a common tactic to prevent data recovery. Adversaries often abuse legitimate Microsoft administrative tools to disable and remove shadow copies. Common tools include Windows Management Instrumentation (WMI, typically driven through wmic.exe), BCDEdit (a command-line tool for managing Boot Configuration Data) and vssadmin.exe. 
LockBit 2.0 launches the following cmd.exe command line, chaining vssadmin, wmic and bcdedit, to delete shadow copies and hamper recovery:\r\nC:\\Windows\\System32\\cmd.exe /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {def\r\nThe use of preinstalled operating system tools such as WMI is not new. Still, adversaries increasingly abuse them, from initial access onward, to perform tasks without a malicious executable being run or written to disk on the compromised system. Adversaries have moved beyond malware by using increasingly sophisticated and stealthy techniques tailor-made to evade autonomous detections: CrowdStrike Threat Graph® data showed that 68% of detections indexed in April-June 2021 were malware-free.\r\nVSS Protection with CrowdStrike\r\nCrowdStrike Falcon® takes a layered approach to detecting and preventing ransomware, using behavior-based indicators of attack (IOAs) and machine learning, among other capabilities. We are committed to continually improving the efficacy of our technologies against known and unknown threats and adversaries.\r\nCrowdStrike’s enhanced IOA detections distinguish malicious behavior from benign, resulting in high-confidence detections. This is especially important when ransomware shares capabilities with legitimate software such as backup solutions. Both enumerate directories and write files, actions that on their own seem inconsequential but that, when correlated with other indicators on the endpoint, identify a genuine attack. Correlating seemingly ordinary behaviors also broadens coverage across malware families: a single IOA can cover multiple families, including previously unseen ones. CrowdStrike’s recent innovation is to protect the shadow copies themselves from being tampered with, adding another protection layer to mitigate ransomware attacks. 
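The command line quoted in the previous section is exactly the kind of ordinary-tool chain a behavior-based detection has to separate from an administrator's legitimate use of the same binaries. The following added example (not CrowdStrike's IOA logic and not code from the post) shows one way to do that over process-creation events: it splits a cmd.exe chain into its sub-commands, normalizes out quotes and caret escapes, matches each sub-command against known shadow-copy tampering commands (vssadmin, wmic, bcdedit, wbadmin and the Win32_ShadowCopy WMI class driven from PowerShell), and raises severity when several techniques are chained in one process or the parent process is not an interactive shell. The event field names, the sample events and the parent allowlist are assumptions of the example.

```python
# Added example (not CrowdStrike's IOA logic): a minimal behavior-based
# detector for Volume Shadow Copy tampering in process-creation events.
# The events below are constructed in the shape of a Sysmon Event ID 1
# record; the field names and the parent allowlist are assumptions.

BACKSLASH = chr(92)               # avoid literal backslashes in this listing
QUOTE_CHARS = (chr(34), chr(39))  # double and single quote
SEPARATORS = ('&&', '&', ';')     # cmd.exe and PowerShell command chaining

# Each technique is a name plus the substrings that must all occur in one
# normalized sub-command (lowercase, quotes and cmd.exe '^' escapes removed,
# whitespace collapsed). Substrings rather than exact tokens, so that
# 'vssadmin.exe' or 'wmic.exe' still match.
TECHNIQUES = (
    ('vssadmin_delete_shadows', ('vssadmin', 'delete shadows')),
    ('vssadmin_resize_shadowstorage', ('vssadmin', 'resize shadowstorage')),
    ('wmic_shadowcopy_delete', ('wmic', 'shadowcopy delete')),
    ('bcdedit_recovery_disabled', ('bcdedit', 'recoveryenabled no')),
    ('bcdedit_ignore_boot_failures', ('bcdedit', 'bootstatuspolicy ignoreallfailures')),
    ('wbadmin_delete_catalog', ('wbadmin', 'delete catalog')),
    ('powershell_win32_shadowcopy_delete', ('win32_shadowcopy', 'delete')),
)

# Parents from which an administrator plausibly runs these tools by hand
# (assumption for this example); any other parent raises the severity.
INTERACTIVE_PARENTS = {'explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe'}


def winpath(*parts):
    return BACKSLASH.join(parts)


def normalize(command_line):
    # Lowercase, drop cmd.exe caret escapes (vss^admin), blank out quotes and
    # collapse whitespace so substring matching is stable.
    text = command_line.lower().replace('^', '')
    for q in QUOTE_CHARS:
        text = text.replace(q, ' ')
    return ' '.join(text.split())


def split_chain(command_line):
    # Evaluate each chained sub-command on its own, so a harmless
    # 'vssadmin list shadows' next to a deletion does not mask the deletion.
    parts = [command_line]
    for sep in SEPARATORS:
        parts = [piece for part in parts for piece in part.split(sep)]
    return [p.strip() for p in parts if p.strip()]


def match_techniques(command_line):
    found = []
    for sub in split_chain(normalize(command_line)):
        for name, needles in TECHNIQUES:
            if name not in found and all(n in sub for n in needles):
                found.append(name)
    return found


def assess(event):
    # Returns (severity, techniques). Chaining two or more distinct tampering
    # commands in one process, as the LockBit 2.0 line does, or launching them
    # from a non-interactive parent (e.g. a dropped executable) is 'high'.
    techniques = match_techniques(event.get('CommandLine', ''))
    if not techniques:
        return ('none', techniques)
    parent = event.get('ParentImage', '').lower().rsplit(BACKSLASH, 1)[-1]
    if len(techniques) >= 2 or parent not in INTERACTIVE_PARENTS:
        return ('high', techniques)
    return ('medium', techniques)


# Constructed sample events (not telemetry from the page).
SAMPLE_EVENTS = [
    {   # LockBit-style chain spawned by a dropped binary
        'ProcessId': 4120,
        'Image': winpath('C:', 'Windows', 'System32', 'cmd.exe'),
        'ParentImage': winpath('C:', 'Users', 'victim', 'Downloads', 'payload.exe'),
        'CommandLine': ('cmd.exe /c vssadmin delete shadows /all /quiet & '
                        'wmic shadowcopy delete & '
                        'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
                        'bcdedit /set {default} recoveryenabled no'),
    },
    {   # administrator listing shadow copies from a console: benign
        'ProcessId': 5208,
        'Image': winpath('C:', 'Windows', 'System32', 'vssadmin.exe'),
        'ParentImage': winpath('C:', 'Windows', 'System32', 'cmd.exe'),
        'CommandLine': 'vssadmin list shadows',
    },
    {   # single caret-obfuscated deletion typed at an interactive prompt
        'ProcessId': 5310,
        'Image': winpath('C:', 'Windows', 'System32', 'vssadmin.exe'),
        'ParentImage': winpath('C:', 'Windows', 'System32', 'cmd.exe'),
        'CommandLine': 'vss^admin.exe delete shadows /all /quiet',
    },
    {   # WMI class deletion via PowerShell launched by an Office process
        'ProcessId': 6002,
        'Image': winpath('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
        'ParentImage': winpath('C:', 'Program Files', 'Microsoft Office', 'root', 'Office16', 'WINWORD.EXE'),
        'CommandLine': 'powershell.exe -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}',
    },
]


def run(events):
    results = []
    for event in events:
        severity, techniques = assess(event)
        if severity != 'none':
            results.append((event['ProcessId'], severity, techniques))
    return results


if __name__ == '__main__':
    for pid, severity, techniques in run(SAMPLE_EVENTS):
        print(pid, severity, ', '.join(techniques))
```

Run it as a script to print the flagged events. The substring match is deliberately loose (vssadmin.exe and vss^admin both match) while the listing command vssadmin list shadows is never flagged, which is the benign-versus-malicious distinction the text describes; a production rule would additionally correlate these events with file-modification telemetry from the same process tree before blocking.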
Protecting shadow copies lets potentially compromised systems restore encrypted data with far less time and effort, which reduces the person-hours spent rebuilding encrypted systems after a compromise. The Falcon platform can prevent suspicious processes from tampering with shadow copies, including actions such as resizing shadow storage so that existing snapshots are discarded and the backup is rendered useless. For instance, should a LockBit 2.0 infection occur and attempt to use the legitimate Microsoft administrative tool vssadmin.exe to manipulate shadow copies, Falcon immediately detects this behavior and prevents the ransomware from deleting or tampering with them, as shown in Figure 4.\r\nFigure 4. Falcon detects and blocks vssadmin.exe manipulation by LockBit 2.0 ransomware\r\nIn essence, while a ransomware infection might still be able to encrypt files on a compromised endpoint, Falcon can prevent it from tampering with shadow copies and so expedite data recovery for your organization.\r\nFigure 5. Falcon alert on detected and blocked ransomware activity for deleting VSS shadow copies\r\nShown below is LockBit 2.0 executing on a system without Falcon protections. Here, vssadmin is used to list the shadow copies; notice that the shadow copy has been deleted after execution.\r\nBelow is the same LockBit 2.0 execution, now with Falcon and VSS protection enabled. The shadow copy is not deleted even though the ransomware has run successfully. 
Please note, we specifically allowed the ransomware to run during this demonstration.\r\nCrowdStrike prevents the destruction and tampering of shadow copies with Volume Shadow Service backup protection, retaining the snapshots in a recoverable state regardless of whether threat actors use traditional or novel techniques. This allows for rapid recovery of live systems post-attack through snapshot tools or system recovery. VSS shadow copy protection is just one of the new improvements added to CrowdStrike’s layered approach. We remain committed to our mission to stop breaches, and constantly improving our machine learning and behavior-based detection and protection technologies enables the Falcon platform to identify and protect against the tactics, techniques and procedures associated with sophisticated adversaries and threats.\r\nCrowdStrike’s Layered Approach Provides Best-in-Class Protection\r\nThe Falcon platform unifies intelligence, technology and expertise to detect and protect against ransomware. Artificial intelligence (AI)-powered machine learning and behavioral IOAs, fueled by a massive data set of trillions of events per week and threat actor intelligence, can identify and block ransomware. Coupled with expert threat hunters who proactively see and stop even the stealthiest of attacks, the Falcon platform uses a layered approach to protect the things that matter most to your organization from ransomware and other threats.\r\nCrowdStrike Falcon endpoint protection packages unify the comprehensive technologies, intelligence and expertise needed to stop breaches. 
For fully managed detection and response (MDR), the seasoned security professionals of Falcon Complete™ deliver 403% ROI and 100% confidence.\r\nIndicators of Compromise (IOCs)\r\nAdditional Resources\r\nLearn more about ransomware adversaries in the CrowdStrike Adversary Universe.\r\nDownload the CrowdStrike 2021 Global Threat Report for more information about adversaries tracked by CrowdStrike Intelligence in 2020.\r\nSee how the cloud-native CrowdStrike Falcon® platform protects customers from the latest variants of ransomware in these blogs: DarkSide Goes Dark: How CrowdStrike Falcon® Customers Were Protected and Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/"
	],
	"report_names": [
		"how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/705e53f3aa3a24f007dbc716f7d7ae8b6f479cc5.pdf",
		"text": "https://archive.orkl.eu/705e53f3aa3a24f007dbc716f7d7ae8b6f479cc5.txt",
		"img": "https://archive.orkl.eu/705e53f3aa3a24f007dbc716f7d7ae8b6f479cc5.jpg"
	}
}