SDelete
⚠️ Overview
SDelete is not a malware family but a legitimate command-line utility from Microsoft's Sysinternals suite, written by Mark Russinovich and first released in 1999. It securely overwrites the contents of files (and, optionally, a volume's free space) so that deleted data cannot be recovered. Threat actors abuse it during post-exploitation to destroy artifacts and hinder forensic analysis, most often in ransomware and data-wiper intrusions. It is therefore classified as a living-off-the-land binary (LOLBin) rather than a standalone malware family: adversaries typically drop it after gaining access through other malware such as TrickBot, Emotet, or Ryuk. MITRE ATT&CK tracks the tool as software entry S0195 and maps its abuse to technique T1070.004 (Indicator Removal: File Deletion).
🔧 Technical Capabilities
SDelete implements the U.S. Department of Defense DoD 5220.22-M clearing standard: it overwrites a file's allocated clusters in place (a fixed pattern, its complement, then random data across the configured passes), renames the file 26 times to scrub the original name from directory metadata, and only then deletes it. The number of passes is set with -p and defaults to one. Other switches matter for both operators and defenders: -s recurses into subdirectories, -r removes the read-only attribute, -c cleans a volume's free space, -z zeroes free space (intended for virtual-disk optimisation), -accepteula suppresses the licence prompt, and -nobanner suppresses the startup banner. Attackers run sdelete.exe from a command prompt, batch file, or PowerShell script, typically after copying it to the host or a mapped drive, to wipe ransomware deployment logs, staging directories, tooling, and lateral-movement artifacts so that responders cannot carve them back. Volume shadow copies are not something SDelete manipulates; adversaries remove those separately (for example with vssadmin) and use SDelete so that the deleted originals and the freed space are unrecoverable. Persistence is not a goal: SDelete is an on-demand cleanup tool. Because it is a Microsoft-signed binary, it may pass security controls that trust or whitelist Sysinternals tools. Ryuk ransomware operators have been reported to use SDelete to destroy evidence of lateral movement before detonating the encryption payload (source: CISA alert AA20-302A).
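As an added example, not SDelete's source and not code from the original page, the Python script below re-creates the sequence described above on a constructed sample file: overwrite every allocated byte for a configurable number of passes, fsync after each pass, rename the file 26 times with filler names, then unlink it. The pass patterns (0x00, 0xFF, random) follow the DoD 5220.22-M description, the single-pass default mirrors SDelete's -p default, and the file contents and temporary directory are constructed here; all function and variable names are the example's own.

```python
"""Added example: a minimal Python re-creation of the overwrite, rename and
delete sequence that SDelete is documented to perform. Not SDelete's code;
pass patterns and helper names are this example's assumptions."""
import os
import secrets
import string
import tempfile

# Pass patterns in DoD 5220.22-M order: fixed byte, its complement, random.
# None means "fill with random bytes".
PATTERNS = [b"\x00", b"\xff", None]


def overwrite_file(path, passes=1, chunk=64 * 1024):
    """Overwrite every allocated byte of `path` `passes` times in place.
    Default of one pass mirrors SDelete's -p default. Returns a list naming
    the pattern used in each pass, e.g. ['0x00', '0xff', 'random']."""
    size = os.path.getsize(path)
    applied = []
    # Unbuffered r+b so each write goes straight to the OS, then fsync so the
    # pass is on disk before the next one starts.
    with open(path, "r+b", buffering=0) as f:
        for n in range(passes):
            pattern = PATTERNS[n % len(PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                length = min(chunk, remaining)
                block = secrets.token_bytes(length) if pattern is None else pattern * length
                remaining -= f.write(block)
            os.fsync(f.fileno())
            applied.append("random" if pattern is None else f"0x{pattern[0]:02x}")
    return applied


def scrub_name_and_delete(path, renames=26):
    """Rename the file `renames` times with filler names of the same length
    (AAAA..., BBBB..., ...) so the original name is overwritten in directory
    metadata, then unlink it. Collision handling is omitted in this example.
    Returns the final path that was unlinked."""
    directory, name = os.path.split(path)
    current = path
    for i in range(renames):
        filler = string.ascii_uppercase[i % 26] * len(name)
        target = os.path.join(directory, filler)
        os.replace(current, target)
        current = target
    os.unlink(current)
    return current


def secure_delete(path, passes=1):
    """Full sequence: overwrite passes, name scrub, delete."""
    applied = overwrite_file(path, passes)
    final = scrub_name_and_delete(path)
    return {
        "passes": applied,
        "final_name": os.path.basename(final),
        "exists": os.path.exists(path),
    }


def demo():
    """Create a constructed sample file, confirm that a single pass really
    replaces its content with zeros, then run the full three-pass sequence.
    Returns (zeroed_after_first_pass, result_dict)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.log")
    with open(path, "wb") as f:
        # Constructed content standing in for an operator's deployment log.
        f.write(b"deploy-log: host=WS01 user=admin action=copy payload\n" * 100)
    size = os.path.getsize(path)
    overwrite_file(path, passes=1)
    with open(path, "rb") as f:
        zeroed = f.read() == b"\x00" * size
    result = secure_delete(path, passes=3)
    os.rmdir(tmpdir)
    return zeroed, result


if __name__ == "__main__":
    print(demo())
```

Two caveats a forensic analyst should keep in mind: overwriting a file's logical extents does not guarantee the physical blocks are gone on SSDs (wear levelling) or on copy-on-write and journaling filesystems, and the rename step scrubs the directory entry but not necessarily journal records of the old name. Those limits also apply to SDelete, which is why adversaries pair it with free-space cleaning (-c/-z) rather than relying on per-file overwrites alone.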
📜 History & Notable Incidents
Publicly documented malicious use of SDelete includes Ryuk ransomware campaigns in early 2020, as reported by the Cybersecurity and Infrastructure Security Agency (CISA). In August 2020, Ryuk operators used SDelete to delete files on a public-sector victim's network after deployment, as noted in a CrowdStrike DFIR report. In a 2021 Conti ransomware incident, attackers employed SDelete to wipe Cobalt Strike beacon logs. No CVEs are associated with SDelete itself, as it is a legitimate tool, and law enforcement actions have not targeted the utility; the broader infrastructure of ransomware groups that use it has, however, been disrupted (e.g., the 2021 response to the Colonial Pipeline attack).
🔍 Detection Indicators
Behavioral indicators include execution of sdelete.exe or sdelete64.exe from non-standard, user-writable paths (e.g., %TEMP%, %APPDATA%, C:\Users\Public) and command lines such as sdelete.exe -accepteula -p 3 -s C:\Windows\Temp. Network IOCs are not typical, as SDelete operates locally, and the tool uses no mutex. One registry artifact is reliable: like every Sysinternals tool, SDelete records licence acceptance at HKCU\Software\Sysinternals\SDelete\EulaAccepted (DWORD 1) when the EULA is accepted interactively or via -accepteula, so that key under a user or service hive shows the tool has run in that context. Hash-based detection is weak: attackers can use any released version and routinely rename the binary, so rather than matching a hard-coded hash, verify the file against the Authenticode signature and version information of the Microsoft-distributed release. Sysmon process-creation events carry the OriginalFileName field from the PE version resource, which still names the SDelete executable after a rename. MITRE ATT&CK T1070.004 (Indicator Removal: File Deletion) provides the detection guidance: monitor process creation and command-line arguments of deletion utilities, and alert on SDelete-specific switch combinations (-p with a pass count, -s, -c, -z, -accepteula) rather than on "-p" alone, which is too generic to be useful.
☠️ Risk & Impact
The primary damage from SDelete abuse is the destruction of forensic evidence, which impedes scoping, attribution and recovery. In ransomware incidents, overwriting the plaintext originals and free space after encryption defeats file-carving recovery, and it is usually paired with shadow-copy deletion (via vssadmin or similar), leaving victims with no on-host recovery path and increasing the likelihood that they pay the ransom. Affected sectors include healthcare, government, education, and critical infrastructure; the Ryuk attacks on U.S. hospitals in 2020 combined this kind of recovery-artifact destruction with encryption, causing extended downtime.
🛡️ Mitigation
Defenses include restricting execution of Sysinternals tools to approved administrative paths and accounts with application control (Windows Defender Application Control or AppLocker), logging process creation for sdelete.exe and its renamed copies with Sysmon (Event ID 1, including the OriginalFileName field), and behavioral detection rules that flag SDelete's switch patterns together with mass file deletion. Because administrators may use SDelete legitimately, baseline expected usage so that alerts can be scoped to unexpected hosts, accounts and paths. Organizations should also segment networks to limit lateral movement and maintain offline, immutable backups that host-side wiping cannot reach.
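The indicators listed under Detection Indicators (SDelete image names, renamed copies identified through OriginalFileName, switch patterns, user-writable launch paths, and the EulaAccepted registry key) and the Sysmon-based detection rule recommended above can be combined into one routine. The Python below is an added example, not code from the original page or from Microsoft; it runs over constructed Sysmon records represented as dictionaries. The field names (EventID, Image, CommandLine, OriginalFileName, TargetObject) follow Sysmon's Event ID 1 and Event ID 13 schemas, while the sample records, the RecordId labels, and the path heuristics are this example's assumptions.

```python
"""Added example: scoring constructed Sysmon Event ID 1 (process creation)
and Event ID 13 (registry value set) records for SDelete abuse. Field names
follow Sysmon's schema; the records and heuristics are constructed here."""
import re

# SDelete switches documented by Sysinternals: -p <passes>, -s recurse,
# -r remove read-only, -c clean free space, -z zero free space,
# -nobanner, -accepteula. Each must be a standalone token.
SWITCH_RE = re.compile(
    r"(?:^|\s)-(?:p\s+\d+|s|r|c|z|nobanner|accepteula)(?=\s|$)", re.I)
# Directories an unprivileged user can write to; a signed admin utility
# launched from one of these is suspicious (heuristic, example's own).
USER_WRITABLE_RE = re.compile(
    r"\\(?:temp|appdata|users\\[^\\]+\\downloads|programdata|users\\public)\\", re.I)
# Sysinternals tools record EULA acceptance under this per-user key.
EULA_KEY_RE = re.compile(
    r"\\software\\sysinternals\\sdelete\\eulaaccepted$", re.I)

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": "legit-admin", "EventID": 1,
     "Image": r"C:\Tools\Sysinternals\sdelete64.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete64.exe -p 1 D:\export\old.csv"},
    {"RecordId": "renamed-copy", "EventID": 1,
     "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svchost.exe -accepteula -p 3 -s C:\Windows\Temp"},
    {"RecordId": "benign", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe -p 3"},
    {"RecordId": "eula-key", "EventID": 13,
     "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Software\Sysinternals\SDelete\EulaAccepted"},
]


def assess_process_event(evt):
    """Return the reasons an Event ID 1 record looks like SDelete use.
    An empty list means nothing of interest."""
    reasons = []
    image = evt.get("Image", "")
    original = evt.get("OriginalFileName", "")
    cmdline = evt.get("CommandLine", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in ("sdelete.exe", "sdelete64.exe"):
        reasons.append("image name is sdelete")
    elif "sdelete" in original.lower():
        # Renamed copy: the PE version resource still names the original file.
        reasons.append(f"renamed binary ({exe}) with OriginalFileName {original}")
    if not reasons:
        return reasons
    # Only enrich once the binary is identified; "-p 3" alone is too generic.
    if SWITCH_RE.search(cmdline):
        reasons.append("sdelete switches on command line")
    if USER_WRITABLE_RE.search(image):
        reasons.append("executed from user-writable path")
    return reasons


def assess_registry_event(evt):
    """Event ID 13: flag the Sysinternals EulaAccepted value for SDelete."""
    if EULA_KEY_RE.search(evt.get("TargetObject", "")):
        return ["Sysinternals EulaAccepted written for SDelete"]
    return []


def assess(evt):
    """Dispatch on Sysmon Event ID; other IDs produce no finding."""
    eid = evt.get("EventID")
    if eid == 1:
        return assess_process_event(evt)
    if eid == 13:
        return assess_registry_event(evt)
    return []


def run_detection(events=None):
    """Map RecordId -> reasons for every record that produced a finding."""
    findings = {}
    for evt in (SAMPLE_EVENTS if events is None else events):
        reasons = assess(evt)
        if reasons:
            findings[evt["RecordId"]] = reasons
    return findings


if __name__ == "__main__":
    for record_id, reasons in run_detection().items():
        print(record_id, "->", "; ".join(reasons))
```

The legitimate administrator run still produces a finding, which is deliberate: the rule identifies the tool, and the baseline of approved hosts and accounts decides whether to alert. The gap to be aware of is a renamed copy whose version resource has also been stripped; that case falls back to Authenticode verification or hash comparison of the dropped file, and to the deletion telemetry itself (Sysmon file-delete events) rather than process names.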
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.