The majority of today’s most active ransomware groups—including Conti, LockBit, BlackMatter, and REvil—embed these functions into the PE. On the other hand, both the Pysa and Grief ransomware PEs don’t have built-in functionality to delete shadow copies, instead relying on the affiliates to carry it out with scripts.