DeleteShadowCopies: Deleting Shadow Copies In Pure C++
After looking at some of the leaked ransomware code, I noticed that (at least in the samples I've seen) the ransomware uses wmic or vssadmin via the command line to delete shadow copies. Out of curiosity I had to look for another way, hence this repo (so I'm not helping ransomware authors) …
Examples:
- conti: wmic shadowcopy where "ID='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'" delete
- babuk: vssadmin delete shadows /all /quiet
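From the defender's side, the two command lines above are exactly what process-creation telemetry can be matched against. The following is an added example (not part of this repo) that runs such a check over constructed sample events; the event format, field names and sample values are assumptions. Note that an in-process implementation like the one this repo sets out to build produces no such command line, so this match alone is not sufficient and VSS service activity has to be monitored as well.

```python
import re
from typing import List, Dict, Optional

# Constructed sample process-creation events (not real telemetry): pid, image path, command line.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1001, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic shadowcopy where "ID=\'{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\'" delete'},
    {"pid": 1002, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1003, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                        # benign enumeration
    {"pid": 1004, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC   SHADOWCOPY   DELETE   /nointeractive"},  # casing / whitespace variant
    {"pid": 1005, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Patterns for the two command-line methods listed in the README. Runs of whitespace
# are collapsed and matching is case-insensitive so trivial variations do not evade them.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)
WMIC_SHADOWCOPY_DELETE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
# wmic's per-copy form names the target shadow copy by its ID GUID.
SHADOW_ID = re.compile(r"ID='\{([^}]+)\}'", re.IGNORECASE)


def classify(cmdline: str) -> Optional[str]:
    """Return the matched technique name, or None if the command line is not a shadow-copy deletion."""
    norm = " ".join(cmdline.split())
    if VSSADMIN_DELETE.search(norm):
        return "vssadmin_delete_shadows"
    if WMIC_SHADOWCOPY_DELETE.search(norm):
        return "wmic_shadowcopy_delete"
    return None


def detect(events: List[Dict]) -> List[Dict]:
    """Run the check over process-creation events and report each hit with its target."""
    findings = []
    for ev in events:
        technique = classify(ev["cmdline"])
        if technique is None:
            continue
        id_match = SHADOW_ID.search(ev["cmdline"])
        # A named ID means one specific copy; otherwise the command addresses all copies.
        target = id_match.group(1) if id_match else "all"
        findings.append({"pid": ev["pid"], "technique": technique,
                         "target": target, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} {hit['technique']} target={hit['target']}: {hit['cmdline']}")
```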