Japan’s Computer Emergency Response Center (JPCERT/CC) has recently provided valuable insights into identifying ransomware attacks through the analysis of Windows Event Logs. This proactive approach allows organizations to detect ongoing attacks early, potentially preventing widespread damage within their networks.
Finding ransomware traces in Event Logs
The investigative framework outlined by JPCERT/CC focuses on four specific types of Windows Event Logs: Application, Security, System, and Setup logs. These logs often harbor clues left by ransomware attacks, which can illuminate the entry points exploited by attackers as well as their digital footprints.
Highlighted below are notable examples of ransomware traces identified in the agency’s report:
- Conti: This notorious ransomware is often detected through multiple logs associated with the Windows Restart Manager, particularly event IDs 10000 and 10001. Similar log entries are generated by other ransomware variants such as Akira, LockBit 3.0, HelloKitty, AbyssLocker, Avaddon, and Bablock, which are derived from leaked encryptors of LockBit and Conti.
- Phobos: This variant is known for leaving traces when it deletes system backups, specifically through event IDs 612, 524, and 753. Other ransomware like 8base and Elbie exhibit similar logging behavior.
- Midas: This ransomware alters network settings to facilitate its spread, leaving behind event ID 7040 in the logs.
- BadRabbit: It records event ID 7045 during the installation of its encryption component.
- Bisamware: This variant logs the start (event ID 1040) and end (event ID 1042) of a Windows Installer transaction.
JPCERT/CC also points out that seemingly unrelated ransomware variants, including Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society, leave behind similar traces, specifically event IDs 13 and 10016. These errors typically arise from permission issues encountered when accessing COM applications to delete Volume Shadow Copies, a common tactic employed by ransomware to hinder the restoration of encrypted files.
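As an added illustration (not code from the JPCERT/CC report or this article), the following Python sketch maps the event IDs listed above to the behaviour each reflects and flags a host only when several behaviours, or a burst of Restart Manager events, fall within a short window, since a single Restart Manager or installer event is routine on a healthy machine. The sample records, the 10-minute window and the burst threshold are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
INDICATORS = {  # event IDs the JPCERT/CC report ties to ransomware, grouped by behaviour
    "restart_manager": {10000, 10001},   # Conti, Akira, LockBit 3.0, HelloKitty, ...
    "backup_deletion": {612, 524, 753},  # Phobos, 8base, Elbie
    "service_change": {7040},            # Midas
    "service_install": {7045},           # BadRabbit
    "msi_transaction": {1040, 1042},     # Bisamware
    "vss_com_error": {13, 10016},        # Shade, GandCrab, AKO, AvosLocker, ...
}
ID_TO_GROUP = {eid: grp for grp, ids in INDICATORS.items() for eid in ids}

SAMPLE_EVENTS = [  # constructed (log, event_id, timestamp, host) records, not real logs
    ("Security", 4624, "2024-01-10T01:59:30", "ws01"),      # logon: not an indicator, ignored
    ("Application", 10000, "2024-01-10T02:00:01", "ws01"),
    ("Application", 10001, "2024-01-10T02:00:02", "ws01"),
    ("Application", 13, "2024-01-10T02:01:10", "ws01"),
    ("System", 7045, "2024-01-10T02:02:00", "ws01"),
    ("Application", 10000, "2024-01-11T09:00:00", "ws02"),  # one Restart Manager session
    ("Application", 10001, "2024-01-11T09:00:03", "ws02"),  # from an ordinary installer
]

def cluster_indicators(events, window):
    """Group each host's indicator events into clusters no wider than `window`."""
    by_host = defaultdict(list)
    for _log, eid, ts, host in events:
        if eid in ID_TO_GROUP:
            by_host[host].append((datetime.fromisoformat(ts), eid))
    clusters = []
    for host, evs in by_host.items():
        evs.sort()
        start, ids = None, []
        for ts, eid in evs:
            if start is None or ts - start > window:
                if ids: clusters.append((host, start, ids))
                start, ids = ts, []
            ids.append(eid)
        clusters.append((host, start, ids))
    return clusters

def assess(events, window=timedelta(minutes=10), rm_threshold=4):
    """Alert on clusters spanning two behaviours or a Restart Manager burst (window and threshold are illustrative assumptions)."""
    findings = []
    for host, start, ids in cluster_indicators(events, window):
        groups = {ID_TO_GROUP[e] for e in ids}
        rm_count = sum(e in INDICATORS["restart_manager"] for e in ids)
        findings.append({"host": host, "start": start.isoformat(), "groups": sorted(groups),
                         "restart_manager_events": rm_count, "alert": len(groups) >= 2 or rm_count >= rm_threshold})
    return findings
```

Feeding it real records exported from the Application and System logs only requires adapting the four-field tuple; the alert logic stays the same.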
While no detection method can guarantee complete protection against ransomware, monitoring specific logs can significantly enhance an organization’s ability to identify attacks early, especially when integrated with other security measures. JPCERT/CC emphasizes that older strains of ransomware, such as WannaCry and Petya, did not leave traces in Windows logs, but the landscape has evolved. Modern malware now exhibits detectable patterns, making this technique increasingly effective.
In 2022, the SANS Institute also contributed to this discourse by publishing a guide on detecting various ransomware families using Windows Event Logs, further underscoring the importance of vigilance in cybersecurity practices.