Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
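The Windows half of the description above concerns built-in utilities that delete shadow copies, the backup catalog, or boot-recovery settings. The following detector is an added example, not code from the ATT&CK page or its references: it runs command-line pattern matches over Sysmon-style process-creation events (constructed here as JSON lines) for the commonly abused built-ins (vssadmin, wmic, diskshadow, wbadmin, bcdedit, reagentc). The regexes, the sample events, the field names and the severity rule are the example's own assumptions.

```python
"""Flag Windows process-creation events whose command line disables or deletes
built-in recovery features (ATT&CK T1490).  Added example; the events below
are constructed, not taken from a real host."""
import json
import re

# (label, regex) over the command line.  The utilities are the commonly abused
# built-ins; the regexes are this example's own, tolerant of case, quoting and
# argument order, and keyed on the destructive verb rather than the binary name
# alone, so "vssadmin list shadows" from a backup agent does not fire.
RECOVERY_PATTERNS = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow storage shrunk to evict copies (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow copies deleted (diskshadow)",
     re.compile(r"\bdiskshadow(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("backup catalog deleted (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("automatic recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("boot failures ignored (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    ("Windows RE disabled (reagentc)",
     re.compile(r"\breagentc(\.exe)?\b.*/disable\b", re.I)),
]

# Constructed Sysmon-style process-creation events (Event ID 1).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\svc_backup", "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "User": "CORP\\jdoe", "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\x.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                    "& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin start backup -backupTarget:E: -include:C:"},
]
# The same events as a log shipper would deliver them: one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def scan(events):
    """Return one alert per process-creation event whose command line hits a pattern."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") != 1:          # only process creation carries a command line
            continue
        cmd = ev.get("CommandLine", "")
        labels = [label for label, rx in RECOVERY_PATTERNS if rx.search(cmd)]
        if not labels:
            continue
        alerts.append({
            "index": idx, "user": ev.get("User"), "image": ev.get("Image"),
            "parent": ev.get("ParentImage"), "labels": labels,
            # Several recovery features hit from one command line is the usual
            # ransomware pre-encryption chain; treat it as high confidence.
            "severity": "high" if len(labels) >= 2 else "medium",
        })
    return alerts


def scan_log(text):
    """Parse JSON-lines input and scan it."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['user']} via {a['parent']}: {', '.join(a['labels'])}")
```

Matching on the verb rather than the binary is what keeps the benign `vssadmin list shadows` and `wbadmin start backup` events quiet; in production the parent image and user would also feed an allowlist for known backup agents.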
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1490 | Inhibit System Recovery | |
action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1490 | Inhibit System Recovery | |
attribute.availability.variety.Loss | Loss | related-to | T1490 | Inhibit System Recovery | |
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1490 | Inhibit System Recovery | Comments: AWS CloudEndure Disaster Recovery replicates servers into the AWS Cloud and recovers them there. If servers are modified to disrupt recovery, CloudEndure can provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant. |
aws_rds | AWS RDS | technique_scores | T1490 | Inhibit System Recovery | Comments: AWS RDS generates events for database instances, including one that may indicate an adversary has attempted to inhibit system recovery: RDS-EVENT-0028, "Automatic backups for this DB instance have been disabled". This mapping is given a score of Partial because the event cannot differentiate between an authorized and an unauthorized disabling of automatic backups. |
aws_rds | AWS RDS | technique_scores | T1490 | Inhibit System Recovery | Comments: AWS RDS supports replication and point-in-time recovery of database instances. If a database instance is compromised and modified to disrupt recovery, RDS can restore it to a previous point in time. As a result, this mapping is given a score of Significant. |
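To show what the cloud half of the technique (disabled backup policies, deleted snapshots, suspended object versioning) looks like in telemetry, and how the Partial score on the RDS event mapping can be narrowed, here is an added example that is not part of the ATT&CK page, the mapping, or any AWS product. It classifies constructed CloudTrail records against an approved-change list, and ties an RDS-EVENT-0028 notification, which names the instance but carries no principal, back to the ModifyDBInstance call that caused it. The record layouts, ARNs, instance names, the approved-change list and the 10-minute correlation window are the example's own assumptions.

```python
"""Classify recovery-inhibiting AWS API activity (ATT&CK T1490) from constructed
CloudTrail records and an RDS event notification.  Added example only."""
import json
from datetime import datetime, timedelta, timezone

ACTOR_OPS = "arn:aws:iam::123456789012:user/ops.admin"   # constructed principals
ACTOR_CI = "arn:aws:iam::123456789012:role/ci-deploy"

# Constructed RDS event notification, laid out like the JSON body RDS sends
# through SNS; the event ID rides as the fragment of a documentation URL.
RDS_NOTIFICATION = json.dumps({
    "Event Source": "db-instance",
    "Event Time": "2024-05-02 14:07:11.000",
    "Source ID": "orders-db",
    "Source ARN": "arn:aws:rds:us-east-1:123456789012:db:orders-db",
    "Event ID": "http://docs.amazonaws.com/AmazonRDS/latest/UserGuide/"
                "USER_Events.html#RDS-EVENT-0028",
    "Event Message": "Automatic backups for this DB instance have been disabled",
})


def _rec(time, arn, source, name, params):
    return {"eventTime": time, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name, "requestParameters": params}


# Constructed CloudTrail records.  CloudTrail lower-cases the first letter of
# request-parameter keys, hence "dBInstanceIdentifier".
CLOUDTRAIL_RECORDS = [
    _rec("2024-05-02T09:15:00Z", ACTOR_CI, "rds.amazonaws.com", "DeleteDBSnapshot",
         {"dBSnapshotIdentifier": "staging-db-2024-04-01"}),
    _rec("2024-05-02T14:06:58Z", ACTOR_OPS, "rds.amazonaws.com", "DescribeDBInstances", {}),
    _rec("2024-05-02T14:07:02Z", ACTOR_OPS, "rds.amazonaws.com", "ModifyDBInstance",
         {"dBInstanceIdentifier": "orders-db", "backupRetentionPeriod": 0,
          "applyImmediately": True}),
    _rec("2024-05-02T14:07:40Z", ACTOR_OPS, "rds.amazonaws.com", "DeleteDBSnapshot",
         {"dBSnapshotIdentifier": "orders-db-2024-05-01"}),
    _rec("2024-05-02T14:08:05Z", ACTOR_OPS, "s3.amazonaws.com", "PutBucketVersioning",
         {"bucketName": "corp-backups", "VersioningConfiguration": {"Status": "Suspended"}}),
    _rec("2024-05-02T14:08:30Z", ACTOR_OPS, "ec2.amazonaws.com", "DeleteSnapshot",
         {"snapshotId": "snap-0123456789abcdef0"}),
]

# Constructed change-management record: who may perform which call, and when.
APPROVED_CHANGES = [
    {"arn": ACTOR_CI, "eventName": "DeleteDBSnapshot",
     "start": "2024-05-02T09:00:00Z", "end": "2024-05-02T10:00:00Z"},
]

# (eventSource, eventName) -> (finding label, predicate over requestParameters).
RULES = {
    ("rds.amazonaws.com", "ModifyDBInstance"):
        ("RDS automatic backups disabled", lambda p: p.get("backupRetentionPeriod") == 0),
    ("rds.amazonaws.com", "DeleteDBSnapshot"): ("RDS snapshot deleted", lambda p: True),
    ("rds.amazonaws.com", "DeleteDBClusterSnapshot"): ("RDS cluster snapshot deleted", lambda p: True),
    ("ec2.amazonaws.com", "DeleteSnapshot"): ("EBS snapshot deleted", lambda p: True),
    ("ec2.amazonaws.com", "DeregisterImage"): ("AMI deregistered", lambda p: True),
    ("s3.amazonaws.com", "PutBucketVersioning"):
        ("S3 versioning suspended",
         lambda p: p.get("VersioningConfiguration", {}).get("Status") == "Suspended"),
    ("backup.amazonaws.com", "DeleteRecoveryPoint"): ("Backup recovery point deleted", lambda p: True),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_authorized(rec, approved=APPROVED_CHANGES):
    """True when actor, call and time all fall inside an approved change window."""
    t = _ts(rec["eventTime"])
    return any(c["arn"] == rec["userIdentity"]["arn"] and c["eventName"] == rec["eventName"]
               and _ts(c["start"]) <= t <= _ts(c["end"]) for c in approved)


def classify(records, approved=APPROVED_CHANGES):
    """One finding per recovery-inhibiting record, with an authorized/unauthorized disposition."""
    findings = []
    for rec in records:
        rule = RULES.get((rec["eventSource"], rec["eventName"]))
        if rule is None or not rule[1](rec.get("requestParameters") or {}):
            continue
        findings.append({"time": rec["eventTime"], "actor": rec["userIdentity"]["arn"],
                         "what": rule[0],
                         "disposition": "authorized" if is_authorized(rec, approved)
                         else "unauthorized"})
    return findings


def rds_event_id(notification_json):
    return json.loads(notification_json)["Event ID"].rsplit("#", 1)[-1]


def attribute_rds_event(notification_json, records, window=timedelta(minutes=10)):
    """The RDS event names the instance but not the caller; find the CloudTrail
    ModifyDBInstance that set backupRetentionPeriod to 0 for it close in time."""
    note = json.loads(notification_json)
    if rds_event_id(notification_json) != "RDS-EVENT-0028":
        return None
    when = datetime.strptime(note["Event Time"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    for rec in records:
        p = rec.get("requestParameters") or {}
        if ((rec["eventSource"], rec["eventName"]) == ("rds.amazonaws.com", "ModifyDBInstance")
                and p.get("dBInstanceIdentifier") == note["Source ID"]
                and p.get("backupRetentionPeriod") == 0
                and abs(_ts(rec["eventTime"]) - when) <= window):
            return rec["userIdentity"]["arn"]
    return None


if __name__ == "__main__":
    for f in classify(CLOUDTRAIL_RECORDS):
        print(f"{f['time']} {f['disposition']:<12} {f['what']:<32} {f['actor']}")
    print("RDS-EVENT-0028 on orders-db attributed to:",
          attribute_rds_event(RDS_NOTIFICATION, CLOUDTRAIL_RECORDS))
```

The change-window join is what turns the Partial score into something actionable: the same DeleteDBSnapshot call is reported as authorized for the CI role inside its window and as unauthorized for the ops user outside any window, and the burst of four findings from one principal within two minutes is itself the signal a responder would page on.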