Ransomware uses your own Windows tools against you to delete shadow copies, and if VSS was your backup plan, you never had one.
W. Curtis Preston (Mr. Backup), Prasanna Malaiyandi, and Dr. Mike Saylor break down the VSS trap that IT teams keep falling into, and what you can do about it.

Here's the thing: shadow copies come with Windows, they're easy to set up, and they look like backups. So people treat them like backups. Then ransomware shows up, runs vssadmin delete shadows /all /quiet from an elevated prompt, and every single one of those "backups" is gone in seconds. That's not a bad day. That's a catastrophe.

We've been saying for years that a real backup has to follow the 3-2-1 rule: three copies of your data, on two different media, with one copy offsite. Shadow copies fail every single part of that test. They live on the same system as the data they protect, by default on the very same volume. They're on the same media. And they are absolutely, 100% reachable by anyone with local admin rights, which, as Mike points out, is a lot more people than you'd think.

This episode also gets into the living off the land angle, which is one of my favorite topics to get angry about. Attackers don't just delete your shadow copies. First, they read them. They use vssadmin and WMIC — tools that are already sitting on your Windows box — to do recon, scope out your data, figure out if you're worth ransoming, and then wipe your recovery options before they pull the trigger. It's the Karate Kid sweep-the-leg move, and your "backup system" is Daniel LaRusso standing on one foot.

The good news: if you stop using VSS as a backup, the whole problem gets a lot smaller. No shadow copies to delete means the attacker's leverage disappears. And if you're using EDR tools, Mike walks through exactly how to baseline your environment so that vssadmin running outside its normal schedule sets off every alarm you've got.
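To make the baselining idea concrete, here is an added example of the detection logic it boils down to. This is my illustration, not code from the episode, the hosts, or any EDR product: a small Python script that runs over constructed Sysmon Event ID 1-style process-creation records, flags the living-off-the-land shadow-copy commands (vssadmin, WMIC, and the PowerShell Win32_ShadowCopy route), and treats a hit as expected only when it comes from a known parent process inside its scheduled window. The backup agent path, its 02:00 to 04:00 UTC window, and every log record below are assumptions I made up for the example.

```python
"""Shadow-copy tampering detection over process-creation events.

Added example, not from the episode or its hosts. Classifies Sysmon Event ID 1 /
Security 4688-style records and separates a known scheduled backup job from
everything else. The agent path, its window and all events are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Living-off-the-land ways to delete shadow copies (MITRE ATT&CK T1490).
# Patterns run against a lower-cased, whitespace-collapsed command line.
TAMPER_PATTERNS = [
    ("vssadmin delete shadows", r'vssadmin(\.exe)?"?\s+delete\s+shadows'),
    # Shrinking shadow storage below what is in use evicts existing copies.
    ("vssadmin resize shadowstorage", r'vssadmin(\.exe)?"?\s+resize\s+shadowstorage'),
    ("wmic shadowcopy delete", r'wmic(\.exe)?"?\s+shadowcopy\s+delete'),
    ("powershell Win32_ShadowCopy delete",
     r"win32_shadowcopy.*(\.delete\(|remove-wmiobject|remove-ciminstance)"),
]
# Enumeration is the recon that precedes deletion: lower severity, still logged.
RECON_PATTERNS = [
    ("vssadmin list shadows", r'vssadmin(\.exe)?"?\s+list\s+shadows'),
    ("wmic shadowcopy list", r'wmic(\.exe)?"?\s+shadowcopy\s+(list|get)'),
]


@dataclass(frozen=True)
class BaselineRule:
    """One legitimate, scheduled user of VSS tooling: expected parent and UTC window."""
    parent_suffix: str  # lower-case suffix of the parent process path
    start_hour: int
    end_hour: int       # exclusive

    def covers(self, parent_image: str, when: datetime) -> bool:
        return (parent_image.lower().endswith(self.parent_suffix)
                and self.start_hour <= when.hour < self.end_hour)


def normalize(command_line: str) -> str:
    return re.sub(r"\s+", " ", command_line.strip().lower())


def classify(event: Dict[str, str], baseline: List[BaselineRule]) -> Optional[Dict[str, str]]:
    """Return an alert for shadow-copy activity, or None if the event is unrelated."""
    cmd = normalize(event.get("CommandLine", ""))
    when = datetime.fromisoformat(event["UtcTime"])
    parent = event.get("ParentImage", "")

    def alert(technique: str, severity: str) -> Dict[str, str]:
        return {"technique": technique, "severity": severity, "utc_time": event["UtcTime"],
                "user": event.get("User", "?"), "parent": parent, "command_line": event["CommandLine"]}

    for technique, pattern in TAMPER_PATTERNS:
        if re.search(pattern, cmd):
            # Deletion is "expected" only from a known parent inside its window;
            # the same command from the same agent at the wrong time stays high.
            expected = any(rule.covers(parent, when) for rule in baseline)
            return alert(technique, "expected" if expected else "high")
    for technique, pattern in RECON_PATTERNS:
        if re.search(pattern, cmd):
            return alert(technique, "low")
    return None


def run(events: List[Dict[str, str]], baseline: List[BaselineRule]) -> List[Dict[str, str]]:
    return [a for a in (classify(e, baseline) for e in events) if a is not None]


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


# Assumed baseline: a hypothetical backup agent prunes old copies between 02:00 and 04:00 UTC.
BASELINE = [BaselineRule(parent_suffix=r"\backupagent\agent.exe", start_hour=2, end_hour=4)]

AGENT = r"C:\Program Files\BackupAgent\agent.exe"   # hypothetical agent path
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon Event ID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-02T02:10:13", "User": r"NT AUTHORITY\SYSTEM", "ParentImage": AGENT,
     "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
    {"UtcTime": "2024-05-02T09:00:00", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"UtcTime": "2024-05-02T14:36:40", "User": r"CORP\jdoe", "ParentImage": CMD,
     "CommandLine": "vssadmin list shadows"},
    {"UtcTime": "2024-05-02T14:37:51", "User": r"CORP\jdoe", "ParentImage": CMD,
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"UtcTime": "2024-05-02T14:38:02", "User": r"CORP\jdoe", "ParentImage": PS,
     "CommandLine": "wmic shadowcopy delete"},
    {"UtcTime": "2024-05-02T14:38:20", "User": r"CORP\jdoe", "ParentImage": CMD,
     "CommandLine": "powershell -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"},
    {"UtcTime": "2024-05-02T14:39:00", "User": r"CORP\jdoe", "ParentImage": CMD,
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    # Same command and parent as the baseline job, but at 15:02: outside the window, so still high.
    {"UtcTime": "2024-05-02T15:02:00", "User": r"NT AUTHORITY\SYSTEM", "ParentImage": AGENT,
     "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS, BASELINE):
        print(f'{a["utc_time"]} [{a["severity"]:8}] {a["technique"]:36} {a["user"]} <- {a["parent"]}')
    print(summarize(run(SAMPLE_EVENTS, BASELINE)))
```

Two things worth noting about the design. Legitimate backup software talks to VSS through its API rather than by shelling out to vssadmin, so a vssadmin or WMIC deletion from anything other than a deliberately allowlisted cleanup job is close to a zero-false-positive signal, which is why the baseline is a short explicit list rather than a learned profile. And command-line matching is a floor, not a ceiling: an attacker can rename or copy the binary, so in a real EDR rule pair this with the original-filename or image-hash fields the sensor already records.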

VSS is a great tool. It was just never meant to be your backup. Get a real one.

🎙️ Listen to the episode: https://www.backupwrapup.com/stop-using-vss-backup-ransomware-deletes-shadow-copies
📖 Read the blog post: https://www.backupcentral.com
🛡️ Check out what Mike and I are building: https://www.stopransomware.com
📚 Get the book (O'Reilly): https://www.oreilly.com/library/view/learning-ransomware-response/9781098169572/
📚 Get the book (Amazon): https://www.amazon.com/Learning-Ransomware-Response-Recovery-Stopping/dp/1098169581

⏱️ CHAPTERS
0:00 — Intro
1:39 — Welcome & Book Talk
3:26 — What Are Shadow Copies and Why Do People Use Them as Backups?
9:14 — Performance Problems with VSS as a Backup
10:19 — Living Off the Land: How Ransomware Deletes Shadow Copies
12:36 — Can You Monitor or Lock Down VSS Admin?
14:26 — Why Shadow Copies Fail the 3-2-1 Rule
18:01 — Configuring Your EDR to Detect VSS Abuse
21:31 — The Local Admin Problem and Security Culture
27:00 — Virtualization, Snapshots, and Shadow Copies
29:00 — Final Thoughts: Just Don't Do That