Ransomware Pre-Encryption Stage — Shadow Copy and Recovery Inhibition
Detects execution of commands that target Volume Shadow Copies and Windows recovery mechanisms, a pre-encryption step seen across virtually all ransomware families. Covers vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, and cipher wipe. Detecting this stage early enables response before file encryption begins.
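The matching logic described above, as an added example that is not the rule's own implementation, run over constructed process-creation events. The Host, Image and CommandLine field names are assumptions modeled on Sysmon-style process-creation logs, and treating "cipher wipe" as the cipher /w switch is also an assumption.

```python
import ntpath

# Image name -> (argument tokens that must all be present, label from the description)
RULES = {
    "vssadmin.exe": (("delete", "shadows"), "vssadmin delete shadows"),
    "wmic.exe": (("shadowcopy", "delete"), "wmic shadowcopy delete"),
    "bcdedit.exe": (("recoveryenabled", "no"), "bcdedit recoveryenabled no"),
    "wbadmin.exe": (("delete", "catalog"), "wbadmin delete catalog"),
    "cipher.exe": (("/w",), "cipher wipe"),  # assumption: "wipe" means the /w switch
}

def classify(event):
    """Return the matched label for one process-creation event, or None."""
    rule = RULES.get(ntpath.basename(event["Image"]).lower())
    if rule is None:
        return None
    required, label = rule
    # Case-insensitive, whitespace-tolerant tokens; surrounding quotes dropped.
    args = [a.strip('"') for a in event["CommandLine"].lower().split()]
    def present(tok):
        # Exact token, or a "switch:value" form such as /w:C:\dir.
        return any(a == tok or a.startswith(tok + ":") for a in args)
    return label if all(present(t) for t in required) else None

def scan(events):
    """Group matched labels by host so several hits on one machine stand out."""
    hits = {}
    for e in events:
        label = classify(e)
        if label:
            hits.setdefault(e["Host"], []).append(label)
    return hits

def ev(host, exe, cmd):
    return {"Host": host, "Image": "C:\\Windows\\System32\\" + exe, "CommandLine": cmd}

# Constructed sample events (not taken from any real log).
SAMPLE = [
    ev("WS01", "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ev("WS01", "wmic.exe", "wmic  shadowcopy delete"),
    ev("WS01", "bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ev("WS01", "wbadmin.exe", "wbadmin delete catalog -quiet"),
    ev("WS02", "cipher.exe", "cipher /w:C:\\Temp"),
    ev("WS03", "vssadmin.exe", "vssadmin list shadows"),  # benign: listing only
    ev("WS03", "bcdedit.exe", "bcdedit /set {default} recoveryenabled yes"),  # benign
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Requiring both the image name and the argument tokens keeps routine administration such as listing shadow copies or re-enabling recovery from firing.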