T1490 Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
  • Windows Management Instrumentation can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
  • <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
  • <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>
  • <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
  • <code>diskshadow.exe</code> can be used to delete all volume shadow copies on a system - <code>diskshadow delete shadows all</code> (Citation: Diskshadow) (Citation: Crytox Ransomware)

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1490 Inhibit System Recovery
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1490 Inhibit System Recovery
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.IR-03.01 Alternative resilience mechanisms Mitigates T1490 Inhibit System Recovery
      Comments
      This diagnostic statement protects against Inhibit System Recovery through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
      References
        PR.DS-11.01 Data backup and replication Mitigates T1490 Inhibit System Recovery
        Comments
        This diagnostic statement provides protection from adversaries that try to remove built in data and/or turn off services that are used to help with the recovery of corrupted systems. Ensuring backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery is a way to deny adversaries access to available backup and recovery options
        References
          PR.PS-01.03 Configuration deviation Mitigates T1490 Inhibit System Recovery
          Comments
          This diagnostic statement provides protection from Inhibit System Recovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
          References
            ID.IM-02.06 Accurate data recovery Mitigates T1490 Inhibit System Recovery
            Comments
            This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to hinder the recovery of a compromised system.
            References
              PR.AA-01.01 Identity and credential management Mitigates T1490 Inhibit System Recovery
              Comments
              This diagnostic statement protects against Inhibit System Recovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
              References

                Known Exploited Vulnerabilities Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                CVE-2025-21391 Microsoft Windows Storage Link Following Vulnerability primary_impact T1490 Inhibit System Recovery
                Comments
                Exploiting this link-following vulnerability can lead to privilege escalation, with the primary result being deletion of system data. As a consequence of this, deletion of certain files could also make the recovery process more difficult.
                References
                CVE-2023-36884 Microsoft Windows Search Remote Code Execution Vulnerability secondary_impact T1490 Inhibit System Recovery
                Comments
                This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key. The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts. This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption. The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.
                References

                VERIS Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                action.malware.variety.Disable controls Disable or interfere with security controls related-to T1490 Inhibit System Recovery
                action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1490 Inhibit System Recovery
                attribute.availability.variety.Loss Loss related-to T1490 Inhibit System Recovery

                Azure Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                microsoft_sentinel Microsoft Sentinel technique_scores T1490 Inhibit System Recovery
                Comments
                The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to interfere with backups.
                References

                GCP Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                backup_and_dr_actifiogo Backup and DR-Actifio GO technique_scores T1490 Inhibit System Recovery
                Comments
                Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to an adversary deleting or removing built-in operating system data and services since an organization could restore system and services back to the latest backup.
                References

                AWS Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1490 Inhibit System Recovery
                Comments
                AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
                References
                aws_rds AWS RDS technique_scores T1490 Inhibit System Recovery
                Comments
                AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery. RDS-EVENT-0028: Automatic backups for this DB instance have been disabled This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups.
                References
                aws_rds AWS RDS technique_scores T1490 Inhibit System Recovery
                Comments
                AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
                References