“Beast” RaaS Is Now Hacking Businesses. It Kills Your Windows Backups (VSS) First.


Author: CyberDudeBivash

RANSOMWARE DEEP DIVE • THREAT ANALYSIS


By CyberDudeBivash • October 29, 2025


Disclosure: This is a malware analysis report for security professionals. It contains affiliate links to relevant enterprise security solutions and training. Your support helps fund our independent research.

TL;DR: CISO’s Action Plan

A new Ransomware-as-a-Service (RaaS) group, “Beast,” is actively targeting enterprises. Its signature TTP is **anti-recovery**. The *first* action the malware takes upon execution is to **delete all Volume Shadow Copies (VSS)** using legitimate, signed Windows tools like `vssadmin.exe`.

  • **The Impact:** This TTP renders all local, VSS-based backups and system restore points instantly useless, destroying your fastest recovery path and dramatically increasing the pressure to pay the ransom.
  • **The Defense:** This is a behavioral threat. You cannot block `vssadmin.exe`. Your defense *must* be an **EDR/XDR** platform that can detect the anomalous *context* of the execution (e.g., a non-admin process spawning `vssadmin delete`).
  • **The Mandate:** Your primary, non-technical defense is **immutable, off-site backups**. VSS is a convenience, not a backup. You must have air-gapped or immutable cloud backups that the ransomware cannot touch.


Definitive Guide: Table of Contents

  1. Part 1: The Executive Briefing — The New Mandate: Defend Your Backups
  2. Part 2: Technical Deep Dive — The “Living Off the Land” VSS Kill Chain
  3. Part 3: The Defender’s Playbook — A Masterclass in Hardening, Hunting, and Recovery
  4. Part 4: The Strategic Takeaway — The New Mandate for Cyber Resilience

Part 1: The Executive Briefing — The New Mandate: Defend Your Backups

A new, highly effective Ransomware-as-a-Service (RaaS) group, which we are tracking as **“Beast,”** has emerged and is actively targeting enterprise networks. While its encryption is standard, its methodology is ruthlessly efficient. Its signature TTP (Tactic, Technique, and Procedure) is to *immediately* seek out and destroy all local Windows backups before any encryption begins.

For CISOs, this represents a critical evolution in the ransomware playbook. Attackers are no longer just encrypting your data; they are waging a scorched-earth campaign against your ability to recover. By deleting Volume Shadow Copies (VSS) as their first step, they remove your fastest, cheapest, and most common recovery option, dramatically increasing the likelihood of a ransom payment. This is a direct, calculated assault on your **Business Continuity and Disaster Recovery (BCDR)** plan. Your traditional, signature-based defenses are completely blind to this, as the attack uses legitimate Windows tools to do its dirty work.


Part 2: Technical Deep Dive — The “Living Off the Land” VSS Kill Chain

To defeat “Beast,” you must understand that it is a **“Living Off the Land” (LotL)** attacker. It weaponizes the very tools your own administrators use, making it invisible to legacy antivirus.

What is VSS (Volume Shadow Copy Service)?

VSS is a Windows service that creates point-in-time snapshots of your files. This is what powers the “Previous Versions” tab and System Restore. While a critical feature for quick recovery from a single file deletion, it is *not* a true backup. It is a local, on-disk convenience, and for attackers, it is merely the first domino to fall.

The “Beast” Anti-Recovery Script:

As soon as the malware gains execution on an endpoint (often via a phishing email or an unpatched vulnerability), it runs a batch script with a series of commands designed to cripple the system’s defenses and recovery options. These commands run with whatever privileges the compromised user holds; every one of them requires administrative rights, so the script only succeeds when that account is a local administrator or the malware has already elevated.


```batch
:: Deletes every existing Volume Shadow Copy on the host (the service itself keeps running)
vssadmin.exe delete shadows /all /quiet

:: Second pass via WMI to remove any shadow copies the first command missed
wmic.exe shadowcopy delete

:: Stops Windows from launching the Recovery Environment / Startup Repair automatically
bcdedit.exe /set {default} recoveryenabled No

:: Tells the boot loader to ignore boot failures instead of offering repair options
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

:: Deletes the Windows Server Backup catalog so existing backups can no longer be enumerated
wbadmin.exe delete catalog -quiet
```

Because `vssadmin.exe`, `wmic.exe`, and `bcdedit.exe` are legitimate, signed Microsoft binaries, traditional antivirus will not block them. The attack succeeds by abusing trusted, native tools.


Part 3: The Defender’s Playbook — A Masterclass in Hardening, Hunting, and Recovery

Your defense must be multi-layered, assuming the attacker will get in. Your goal is to detect their anti-recovery TTPs *before* encryption begins.

Layer 1: The Strategic Defense (The Only True Fix)

You MUST have **immutable, off-site backups**. VSS is not a backup. A true backup follows the 3-2-1 rule: three copies of your data, on two different media types, with one copy *off-site* and *immutable* (read-only) or air-gapped. This is your only guaranteed recovery from a destructive ransomware attack.

Layer 2: The Technical Defense (EDR/XDR)

This is your “Golden Signal” detection. You must have a modern, behavioral detection platform that can see a trusted tool being used in a malicious context.

SOC HUNT KIT

Sigma Rule: Ransomware Anti-Recovery TTPs


```yaml
title: Ransomware VSS & Backup Deletion
status: experimental
description: Detects known commands used by ransomware (like 'Beast' RaaS) to delete Volume Shadow Copies and backups.
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    selection_bcdedit:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains: 'recoveryenabled No'
    selection_wbadmin:
        Image|endswith: '\wbadmin.exe'
        CommandLine|contains: 'delete catalog'
    condition: 1 of them
falsepositives:
    - Administrators or backup software clearing shadow copies during maintenance; review ParentImage and the user before closing
level: high
tags:
    - attack.impact
    - attack.t1490
    - attack.t1485
```

Splunk Query:


```spl
(index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
( (Image="*\\vssadmin.exe" CommandLine="*delete shadows*") OR
  (Image="*\\wmic.exe" CommandLine="*shadowcopy delete*") OR
  (Image="*\\bcdedit.exe" CommandLine="*recoveryenabled No*") OR
  (Image="*\\wbadmin.exe" CommandLine="*delete catalog*") )
| table _time, host, User, ParentImage, Image, CommandLine
```
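To show the hunt logic end to end, here is the Sigma rule above expressed as a small matcher and run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not code from the original post: the field names (Image, CommandLine, ParentImage, Computer) follow Sysmon, but the events, hosts and paths are invented.

```python
"""Added example, not from the original post: the Sigma rule above as a
Python matcher run over constructed Sysmon Event ID 1 records (field
names Image / CommandLine / ParentImage follow Sysmon; events are made up)."""

# One entry per Sigma selection: (Image suffix, CommandLine substring).
# Sigma's endswith/contains are case-insensitive, so both sides are lower-cased.
SELECTIONS = {
    "selection_vssadmin": (r"\vssadmin.exe", "delete shadows"),
    "selection_wmic":     (r"\wmic.exe",     "shadowcopy delete"),
    "selection_bcdedit":  (r"\bcdedit.exe",  "recoveryenabled no"),
    "selection_wbadmin":  (r"\wbadmin.exe",  "delete catalog"),
}

def match_event(event):
    """Names of the selections this event satisfies (rule condition: 1 of them)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return [name for name, (suffix, needle) in SELECTIONS.items()
            if image.endswith(suffix) and needle in cmdline]

def hunt(events):
    """Run the rule over a batch of events, keeping ParentImage so an
    analyst sees *what* spawned the backup-deletion tool (the context
    Layer 2 asks the EDR to judge)."""
    return [{"host": ev["Computer"], "parent": ev.get("ParentImage"),
             "cmd": ev["CommandLine"], "matched": match_event(ev)}
            for ev in events if match_event(ev)]

# Constructed telemetry: three events from the anti-recovery script, two benign.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-014", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Computer": "WS-014", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
    # Benign: listing shadow copies is routine admin work and must not alert.
    {"Computer": "SRV-02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"Computer": "SRV-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["parent"], "->", hit["cmd"], hit["matched"])
```

Note that the first hit's parent is an executable in a user's Temp folder, which is exactly the anomalous context the EDR section describes; the same command launched from a scheduled backup job would match the rule but deserves a different triage.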

Recommended Security Stack for Ransomware Defense

Kaspersky XDR

An XDR platform provides the behavioral analytics to detect a trusted process (like `powershell.exe`) spawning `vssadmin.exe delete`. This is the behavioral detection you need to stop this attack.

Edureka Cybersecurity Training

Train your SOC team to think like an attacker. An Ethical Hacking or CISM certification gives them the skills to hunt for these TTPs proactively.


Part 4: The Strategic Takeaway — The New Mandate for Cyber Resilience

For CISOs, the “Beast” RaaS is a powerful case study in the evolution of ransomware. The attacker’s business model is no longer just about encryption; it’s about **ensuring you cannot recover**. This is a direct assault on your Business Continuity plan.

This reality means your security strategy must pivot from a 100% focus on *prevention* to a more mature strategy of **cyber resilience**. A resilient organization is one that assumes prevention will fail. It invests just as heavily in its ability to **detect** the breach in progress (with XDR) and **recover** from the breach (with immutable backups) as it does in trying to stop it at the firewall.

Explore the CyberDudeBivash Ecosystem

Our Core Services:

  • CISO Advisory (Ransomware Resilience)
  • Penetration Testing & Red Teaming
  • Digital Forensics & Incident Response (DFIR)
  • Advanced Malware & Threat Analysis
  • BCDR & IR Playbook Development


About the Author

CyberDudeBivash is a cybersecurity strategist with 15+ years in incident response, ransomware defense, and threat hunting, advising CISOs across APAC. [Last Updated: October 29, 2025]
