NUL0x4C / DeleteShadowCopies

Deleting Shadow Copies In Pure C++

DeleteShadowCopies: Deleting Shadow Copies In Pure C++


After looking at some of the leaked ransomware code, I noticed (at least for the samples I've seen) that the ransomware is using wmic or vssadmin via the command line to delete shadow copies, so out of curiosity I had to look for something else, and thus this repo (so I'm not helping ransomware authors) ...

Example:
  - conti: wmic shadowcopy where "ID='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'" delete
  - babuk: vssadmin delete shadows /all /quiet
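
For defenders, the two command lines above are the pattern to watch for in process-creation telemetry. The following is an added example, not code from this repository: a small Python check that flags `vssadmin` and `wmic` invocations that delete shadow copies. The event strings are constructed samples, and the names `RULES`, `classify` and `flag_events` are hypothetical.

```python
# Added example: flag shadow-copy deletion in process command lines.
# SAMPLE_EVENTS are constructed strings, not taken from any real host.
SAMPLE_EVENTS = [
    r'vssadmin delete shadows /all /quiet',
    r'''wmic shadowcopy where "ID='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'" delete''',
    r'"C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet',
    r'cmd.exe /c "vssadmin delete shadows /all /quiet"',
    r'vssadmin list shadows',          # benign: enumeration only
    r'wmic shadowcopy list brief',     # benign: enumeration only
]

# Tool image name -> argument tokens that must all follow it.
RULES = {
    "vssadmin": ("delete", "shadows"),
    "wmic": ("shadowcopy", "delete"),
}


def classify(cmdline):
    """Return the matching tool name, or None if the line is not a deletion."""
    # Drop double quotes so nested `cmd /c "..."` lines tokenize the same way,
    # and lowercase everything because Windows command names ignore case.
    tokens = cmdline.replace('"', ' ').lower().split()
    for i, tok in enumerate(tokens):
        # Reduce a full path such as c:\windows\system32\vssadmin.exe
        # to the bare image name "vssadmin".
        image = tok.replace("\\", "/").rsplit("/", 1)[-1]
        if image.endswith(".exe"):
            image = image[:-4]
        required = RULES.get(image)
        if required and all(word in tokens[i + 1:] for word in required):
            return image
    return None


def flag_events(events):
    """Return (index, tool) for every event that deletes shadow copies."""
    hits = []
    for idx, line in enumerate(events):
        tool = classify(line)
        if tool is not None:
            hits.append((idx, tool))
    return hits


if __name__ == "__main__":
    for idx, tool in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: shadow copy deletion via {tool}")
```

This check only sees deletions that spawn one of the two utilities, so it should be treated as one signal among several rather than complete coverage.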

Demo (Creating):

[Image: poc1]


Demo (Deleting):

[Image: poc2]


Based On vshadow

License: MIT License
