Malicious — high-confidence attack behavior
Attack signal: Ransomware / Impact.
cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wmic shadowcopy delete
Uses the Windows Command Prompt (cmd.exe /c) to run an inline command chain: vssadmin silently deletes all Volume Shadow Copies, the Windows Backup utility (wbadmin) deletes the Windows Backup catalog, the boot configuration editor (bcdedit) suppresses boot-failure prompts and disables the recovery environment for the default boot entry, and wmic deletes any remaining shadow copies.
The command leverages cmd.exe, wbadmin.exe, bcdedit.exe, and wmic.exe, a set of Windows binaries catalogued in LOLBAS as commonly abused for living-off-the-land attacks; known abuse categories: Dump, Execute, and Download.
The combination of high-confidence threat behavior, known-abused binary usage, and payload obfuscation strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment procedures.
cmd.exe: The command-line interpreter in Windows.
wbadmin.exe: Windows Backup Administration utility.
bcdedit.exe: Boot Configuration Data store editor (Windows built-in).
Ransomware sets 'recoveryenabled No' and 'bootstatuspolicy ignoreallfailures' to prevent the Windows Recovery Environment from launching after encryption.
Russian GRU Unit 74455 group responsible for NotPetya, attacks on Ukrainian power grid, and Olympic Destroyer. Focuses on destructive operations.
North Korean state-sponsored group linked to the $81M Bangladesh Bank heist, WannaCry ransomware, and Sony Pictures breach. The most prolific nation-state financial threat actor.
Iranian group targeting aerospace, energy, and petrochemical industries. Associated with destructive Shamoon malware variants and password spraying campaigns.
Russia-based cybercriminal group operating TrickBot, Ryuk, Conti, and BazarLoader. One of the most prolific ransomware operators targeting hospitals and critical infrastructure.
Attribution based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth — not a definitive attribution.