We all know that recent ransomware delete shadow copies (even of the mapped folder).
It seems that the commands are:
- vssadmin.exe Delete Shadows /All /Quiet
or
- WMIC shadowcopy delete /nointeractive
As a workaround, I was thinking to keep a synced copy of server data folders on another disk (not mapped to the users) and enable on that disk frequent shadow copies.
I wonder if the above malware commands (executed on the client) will be able to delete also the shadow copies on the secondary disk on the server.
Any help or thoughts ?
Thanks,