Stop Using VSS as a Backup Before Ransomware Deletes Your Shadow Copies
Ransomware deletes shadow copies using your own built-in Windows tools against you — and if VSS was your backup plan, you just found out the hard way that it wasn't. In this episode, W. Curtis Preston (Mr. Backup), Prasanna Malaiyandi, and Dr. Mike Saylor break down exactly what shadow copies are, why they don't qualify as a real backup, and how attackers are weaponizing vssadmin to wipe your recovery options before you even know you're under attack.
If you've got Windows systems and you've been thinking "eh, we've got shadow copies," this episode is for you. We cover the history of VSS — what it was actually designed for, why it became a crutch, and why using it as your primary backup strategy is a bad idea on multiple levels. Performance, the 3-2-1 rule, and the fact that one attacker with admin rights can delete every single copy in seconds. We also get into the living off the land angle: how attackers do recon on your shadow copies, how they use them to scope out valuable data before going full ransomware, and what you can actually do to detect and respond to this behavior using EDR tools.
The bottom line: VSS is a great tool. It was just never meant to be your backup. Get a real one.
Chapters:
0:00 — Intro
1:39 — Welcome & Book Talk
3:26 — What Are Shadow Copies and Why Do People Use Them as Backups?
9:14 — Performance Problems with VSS as a Backup
10:19 — Living Off the Land: How Ransomware Uses VSS Against You
12:36 — Can You Monitor or Lock Down VSS Admin?
14:26 — Why Shadow Copies Fail the 3-2-1 Rule (They're Not a Backup)
18:01 — How to Protect Yourself: Configuring Your EDR
21:31 — The Local Admin Problem and Security Culture
27:00 — Virtualization, Snapshots, and Shadow Copies
29:00 — Final Thoughts: Just Don't Do That
