Recent investigations by cybersecurity experts have shed light on the detection of human-operated ransomware attacks through the analysis of Windows Event Logs. This advancement promises to enhance organizations’ capabilities in identifying and responding to these increasingly sophisticated threats.
JPCERT/CC, a leading cybersecurity coordination center, has confirmed that specific ransomware variants leave identifiable traces within Windows Event Logs. This revelation is particularly significant, as traditional methods of recognizing attack groups—often reliant on encrypted file extensions or ransom notes—have proven to be less effective in the current landscape.
Utilizing the Application Log, Security Log, System Log, and Setup Log, JPCERT/CC was able to pinpoint ransomware based on these distinctive characteristics.
Specific Ransomware Signatures
The research has identified several ransomware families, each with unique signatures in event logs:
- Conti and Related Variants: First identified in 2020, Conti ransomware uses the Windows Restart Manager during file encryption, generating a high volume of event logs with IDs 10000 and 10001 in rapid succession. Similar patterns have been noted in variants such as Akira, LockBit 3.0, and HelloKitty.
- Phobos: Active since 2019, Phobos leaves traces when it deletes volume shadow copies and system backup catalogs, with key event IDs including 612, 524, and 753.
- Midas: Discovered in 2021, Midas is characterized by changes to network settings, which are recorded in Event ID 7040, affecting services like Function Discovery Resource Publication and SSDP Discovery.
- BadRabbit: First seen in 2017, BadRabbit installs a component known as cscc.dat, which is documented in Event ID 7045.
- Bisamware: Identified in 2022, Bisamware’s execution is marked by Windows Installer transaction logs, specifically Event IDs 1040 and 1042.
While event logs alone cannot prevent attacks, they play a crucial role in damage investigations and attribution. In instances where extensive data has been deleted or encrypted, these logs can provide valuable insights into the attack vector and methodology.
Security expert Kyosuke Nakamura emphasizes the importance of investigating event logs in the context of human-operated ransomware attacks, stating, “Investigating event logs when dealing with human-operated ransomware attacks can provide good insights, especially in situations where a lot of information is deleted or encrypted.”
Organizations are encouraged to centralize their Event ID 7045 logs and develop automated detection systems for malicious service installations. Microsoft’s Windows Event Forwarding presents a cost-effective solution for centralizing these logs.
X-Force IR recommends the implementation of PowerShell scripts to monitor system logs and generate alerts upon detecting suspicious service installations. These scripts can be tailored to align with characteristics observed in known ransomware operations.
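The following is an added example, not code from JPCERT/CC, X-Force IR, or this article. It encodes the five event-log signatures listed above as detection rules and runs them, together with a generic Event ID 7045 service-installation alert, over a small constructed export of event records (the kind of tab-separated rows a centralized collector might hold). It is written in Python rather than PowerShell so it can run offline against the embedded sample; the provider names, message texts, channel assignments, and the 20-events-in-60-seconds burst threshold are assumptions, not values given in the article.

```python
"""Detect the ransomware event-log traces described above over an exported log.

Each record is one tab-separated line: channel, provider, event ID, ISO-8601
timestamp, message. All sample data below is constructed, not from a real host.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One exported Windows event record (a subset of the fields an export carries)."""
    channel: str      # e.g. "Application" or "System"
    provider: str     # event source; the names used in the sample are assumptions
    event_id: int
    time: datetime
    message: str


def parse_line(line: str) -> Event:
    """Parse one export row; the message field may itself contain no tabs."""
    channel, provider, event_id, stamp, message = line.rstrip("\n").split("\t", 4)
    return Event(channel, provider, int(event_id), datetime.fromisoformat(stamp), message)


# --- constructed sample export -------------------------------------------------
_BASE = datetime(2024, 1, 1, 3, 0, 0)
# 24 Restart Manager events one second apart, alternating IDs 10000/10001,
# mimicking the burst the article attributes to Conti-style encryption.
_RESTART_MANAGER_BURST = [
    f"Application\tMicrosoft-Windows-RestartManager\t{10000 + (i % 2)}"
    f"\t{(_BASE + timedelta(seconds=i)).isoformat()}\tconstructed session record {i}"
    for i in range(24)
]
SAMPLE_LINES = _RESTART_MANAGER_BURST + [
    "System\tService Control Manager\t7045\t2024-01-01T03:05:00\t"
    "A service was installed in the system. Service File Name: C:\\Windows\\cscc.dat",
    "System\tService Control Manager\t7040\t2024-01-01T03:06:00\t"
    "The start type of the Function Discovery Resource Publication service was changed.",
    "Application\tMicrosoft-Windows-Backup\t524\t2024-01-01T03:07:00\tconstructed: catalog deleted",
    "Application\tMicrosoft-Windows-Backup\t612\t2024-01-01T03:07:01\tconstructed: backup state changed",
    "Application\tMicrosoft-Windows-Backup\t753\t2024-01-01T03:07:02\tconstructed: backup removed",
    "Application\tMsiInstaller\t1040\t2024-01-01T03:08:00\tconstructed: transaction started",
    "Application\tMsiInstaller\t1042\t2024-01-01T03:08:05\tconstructed: transaction ended",
]
SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LINES]

# --- detection rules, one per family named in the article ----------------------
BACKUP_DELETION_IDS = {612, 524, 753}          # Phobos
INSTALLER_TRANSACTION_IDS = {1040, 1042}       # Bisamware
MIDAS_SERVICES = ("Function Discovery Resource Publication", "SSDP Discovery")


def restart_manager_burst(events, window=timedelta(seconds=60), threshold=20):
    """True if at least `threshold` Restart Manager events (10000/10001) fall inside any
    sliding `window`; a handful of such events is normal, a dense burst is not."""
    times = sorted(e.time for e in events
                   if e.channel == "Application" and e.event_id in (10000, 10001))
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def ids_present(events, wanted, channel):
    """True if every ID in `wanted` appears at least once in `channel`."""
    return wanted <= {e.event_id for e in events if e.channel == channel}


def service_installs(events):
    """Every 7045 record: the generic 'new service installed' alert feed."""
    return [e for e in events if e.channel == "System" and e.event_id == 7045]


def detect(events):
    """Map each signature to whether it fired on this export."""
    return {
        "conti_like_restart_manager_burst": restart_manager_burst(events),
        "phobos_backup_catalog_deletion": ids_present(events, BACKUP_DELETION_IDS, "Application"),
        "midas_network_service_change": any(
            e.channel == "System" and e.event_id == 7040
            and any(svc in e.message for svc in MIDAS_SERVICES) for e in events),
        "badrabbit_cscc_dat_service": any("cscc.dat" in e.message.lower()
                                          for e in service_installs(events)),
        "bisamware_installer_transaction": ids_present(events, INSTALLER_TRANSACTION_IDS, "Application"),
    }


if __name__ == "__main__":
    for name, fired in detect(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if fired else 'clean '} {name}")
    for e in service_installs(SAMPLE_EVENTS):
        print(f"7045 at {e.time.isoformat()}: {e.message}")
```

In practice the `SAMPLE_LINES` list would be replaced by rows read from the centralized store, and the burst threshold tuned against a baseline of normal Restart Manager activity on the fleet; the rules are deliberately independent so that a hit on any one of them can be surfaced on its own.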
To bolster ransomware detection capabilities, organizations should consider the following strategies:
- Implement comprehensive log collection and analysis systems.
- Develop a catalog of advanced hunting queries for common ransomware attack methods.
- Create custom detection rules based on known ransomware behaviors.
- Regularly update and refine detection strategies as new threats emerge.
As human-operated ransomware continues to evolve, the utilization of Windows Event Logs for detection becomes an integral aspect of a robust cybersecurity strategy. By adopting these techniques, organizations can significantly enhance their ability to identify and respond to ransomware threats before they inflict widespread damage.