Deletes shadow copies

Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit

Blocklisted process makes network request

Deletes System State backups

Uses wbadmin.exe to inhibit system recovery.

Deletes backup catalog

Uses wbadmin.exe to inhibit system recovery.

Modifies extensions of user files

Ransomware generally changes the extension on encrypted files.