Monday 06 July 2026 12:30:39 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

WIKICROOK

System recovery inhibition

Tactics intended to slow or block restoration, such as deleting backups or shadow copies.

System recovery inhibition is a set of attacker actions designed to make restoration harder after a cyberattack. Common examples include deleting backups, removing shadow copies or snapshots, disabling backup agents, encrypting recovery repositories, or corrupting recovery settings. The goal is not only to damage systems, but to reduce the victim’s ability to quickly restore data and resume operations.

This matters because recovery speed changes the impact of an incident. If backups are intact, defenders can often rebuild systems without paying ransom or losing much data. If attackers have inhibited recovery, cleanup takes longer, costs more, and may require rebuilding from older copies. Security teams defend against this by isolating backup infrastructure, using immutable or offline backups, protecting admin credentials, monitoring for destructive commands, and regularly testing restores. In MITRE ATT&CK, these tactics are part of the broader effort to deny recovery and increase pressure on the target.

← WIKICROOK index