Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement protects against Inhibit System Recovery through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services. |
PR.DS-11.01 | Data backup and replication | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement provides protection from adversaries that try to remove built-in data and/or turn off services that are used to help with the recovery of corrupted systems. Ensuring backups are stored off-system and are protected from the common methods adversaries use to gain access to and destroy them is a way to deny adversaries access to available backup and recovery options. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement provides protection from Inhibit System Recovery through the implementation of security configuration baselines for OS, software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |
ID.IM-02.06 | Accurate data recovery | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to hinder the recovery of a compromised system. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1490 | Inhibit System Recovery | Comments: This diagnostic statement protects against Inhibit System Recovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1490 | Inhibit System Recovery | |
CP-07 | Alternate Processing Site | mitigates | T1490 | Inhibit System Recovery | |
CP-10 | System Recovery and Reconstitution | mitigates | T1490 | Inhibit System Recovery | |
CP-02 | Contingency Plan | mitigates | T1490 | Inhibit System Recovery | |
CP-09 | System Backup | mitigates | T1490 | Inhibit System Recovery | |
SI-03 | Malicious Code Protection | mitigates | T1490 | Inhibit System Recovery | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1490 | Inhibit System Recovery | |
CM-02 | Baseline Configuration | mitigates | T1490 | Inhibit System Recovery | |
CM-07 | Least Functionality | mitigates | T1490 | Inhibit System Recovery | |
SI-04 | System Monitoring | mitigates | T1490 | Inhibit System Recovery | |
AC-02 | Account Management | mitigates | T1490 | Inhibit System Recovery | |
AC-03 | Access Enforcement | mitigates | T1490 | Inhibit System Recovery | |
AC-06 | Least Privilege | mitigates | T1490 | Inhibit System Recovery |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2025-21391 | Microsoft Windows Storage Link Following Vulnerability | primary_impact | T1490 | Inhibit System Recovery | Comments: Exploiting this link-following vulnerability can lead to privilege escalation, with the primary result being deletion of system data. As a consequence, deletion of certain files could also make the recovery process more difficult. |
CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | secondary_impact | T1490 | Inhibit System Recovery | Comments: This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key. The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts. This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption. The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1490 | Inhibit System Recovery | |
action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1490 | Inhibit System Recovery | |
attribute.availability.variety.Loss | Loss | related-to | T1490 | Inhibit System Recovery |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1490 | Inhibit System Recovery | Comments: The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to interfere with backups. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
backup_and_dr_actifiogo | Backup and DR-Actifio GO | technique_scores | T1490 | Inhibit System Recovery | Comments: Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to an adversary deleting or removing built-in operating system data and services, since an organization could restore systems and services to the latest backup. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1490 | Inhibit System Recovery | Comments: AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into the AWS Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant. |
aws_rds | AWS RDS | technique_scores | T1490 | Inhibit System Recovery | Comments: AWS RDS generates events for database instances, including the following event that may indicate an adversary has attempted to inhibit system recovery: RDS-EVENT-0028 ("Automatic backups for this DB instance have been disabled"). This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups. |
aws_rds | AWS RDS | technique_scores | T1490 | Inhibit System Recovery | Comments: AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant. |
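The AWS RDS mapping above is scored Partial because the RDS-EVENT-0028 event alone cannot tell an authorized backup change from an unauthorized one. The following is an added example (not AWS code and not part of the Mappings Explorer page) of how a detection pipeline can close part of that gap: it picks the backups-disabled event out of a batch of RDS event notifications and raises severity only when the change falls outside an approved change window for that instance. The event ID and message text are the ones quoted on the page; the record field names, the sample events and the change windows are constructed assumptions.

```python
"""Triage Amazon RDS event notifications for RDS-EVENT-0028 ("Automatic
backups for this DB instance have been disabled") and split hits into
approved and unapproved changes.

Added example, not AWS code. Only the event ID and message text come from
the mapping page; the record field names below follow the shape of an
RDS SNS notification as an assumption, and all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

BACKUPS_DISABLED_ID = "RDS-EVENT-0028"
BACKUPS_DISABLED_MSG = "Automatic backups for this DB instance have been disabled"

# Assumed documentation URL prefix used in the "Event ID" field of a
# notification; only the fragment after '#' is compared.
DOC_URL = "http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/USER_Events.html#"

# Constructed sample notifications (field names are an assumption).
SAMPLE_EVENTS = [
    {"Source ID": "orders-db", "Event Time": "2024-05-03T02:14:00Z",
     "Event ID": DOC_URL + "RDS-EVENT-0028", "Event Message": BACKUPS_DISABLED_MSG},
    {"Source ID": "reporting-db", "Event Time": "2024-05-04T21:05:00Z",
     "Event ID": DOC_URL + "RDS-EVENT-0028", "Event Message": BACKUPS_DISABLED_MSG},
    {"Source ID": "orders-db", "Event Time": "2024-05-04T03:00:00Z",
     "Event ID": DOC_URL + "RDS-EVENT-0001", "Event Message": "Backing up DB instance"},
    # A record with no "Event ID" field at all; matched on message text only.
    {"Source ID": "billing-db", "Event Time": "2024-05-05T09:00:00Z",
     "Event Message": BACKUPS_DISABLED_MSG},
]


@dataclass(frozen=True)
class ChangeWindow:
    """An approved maintenance window for one DB instance (constructed data)."""
    instance: str
    start: datetime
    end: datetime


# Constructed: one approved window, covering the reporting-db change above.
APPROVED_WINDOWS = [
    ChangeWindow("reporting-db",
                 datetime(2024, 5, 4, 20, 0, tzinfo=timezone.utc),
                 datetime(2024, 5, 4, 23, 0, tzinfo=timezone.utc)),
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is read as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_backups_disabled(event: dict) -> bool:
    """True if the record carries RDS-EVENT-0028, by ID fragment or by the
    documented message text (covers records that carry no ID field)."""
    event_id = str(event.get("Event ID", "")).rsplit("#", 1)[-1]
    message = str(event.get("Event Message", "")).strip()
    return event_id == BACKUPS_DISABLED_ID or message == BACKUPS_DISABLED_MSG


def in_window(instance: str, ts: datetime, windows) -> bool:
    """True if ts falls inside an approved window for this instance."""
    return any(w.instance == instance and w.start <= ts <= w.end for w in windows)


def triage(events, windows):
    """Return one alert per backups-disabled event: 'info' when the change
    sits inside an approved window for that instance, otherwise 'high'."""
    alerts = []
    for ev in events:
        if not is_backups_disabled(ev):
            continue
        ts = parse_ts(ev["Event Time"])
        approved = in_window(ev["Source ID"], ts, windows)
        alerts.append({
            "instance": ev["Source ID"],
            "time": ts.isoformat(),
            "severity": "info" if approved else "high",
            "reason": ("backups disabled inside an approved change window"
                       if approved else
                       "backups disabled outside any approved change window"),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, APPROVED_WINDOWS):
        print(alert)
```

The change-window list is the piece the page's Partial score says is missing: without it every RDS-EVENT-0028 is indistinguishable, with it the unapproved ones (orders-db and billing-db in the constructed sample) surface as high severity while the scheduled reporting-db change is recorded but not escalated. In production the windows would come from the change-management system rather than a literal, and the alert should still be reviewed even when approved, since an attacker with the right credentials can act inside a window too.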