Recent investigations by cybersecurity experts have uncovered valuable insights into detecting human-operated ransomware attacks through Windows Event Logs.
This breakthrough could significantly improve organizations’ ability to identify and respond to these increasingly sophisticated threats.
JPCERT/CC, a prominent cybersecurity coordination center, has confirmed that certain ransomware variants leave distinct traces in Windows Event Logs, potentially allowing for their identification.
This discovery is crucial as traditional methods of identifying attack groups based on encrypted file extensions or ransom notes have become less reliable.
JPCERT/CC used the Application Log, Security Log, System Log & Setup Log to identify the ransomware based on these characteristics.
Leveraging AI for enhanced security => Free Webinar
Specific Ransomware Signatures
The research identified several ransomware families with unique event log signatures:
Conti and Related Variants
Conti ransomware, first identified in 2020, exploits Windows Restart Manager during file encryption. This activity generates a high volume of event logs with IDs 10000 and 10001 in a short period. Similar patterns were observed in variants like Akira, Lockbit3.0, and HelloKitty.
Phobos
Active since 2019, Phobos leaves traces when deleting volume shadow copies and system backup catalogs. Key event IDs include 612, 524, and 753.
Midas
This ransomware, discovered in 2021, is characterized by changes to network settings recorded in Event ID 7040. These changes affect services like Function Discovery Resource Publication and SSDP Discovery.
BadRabbit
BadRabbit, first seen in 2017, installs a component called cscc.dat, which is recorded in Event ID 7045.
Bisamware
Identified in 2022, Bisamware’s execution is marked by Windows Installer transaction logs (Event IDs 1040 and 1042).
While event logs alone cannot prevent attacks, they support damage investigations and attribution.
In scenarios where extensive data has been deleted or encrypted, these logs may offer valuable insights into the attack vector and methodology.
Security expert Kyosuke Nakamura emphasizes, “Investigating event logs when dealing with human-operated ransomware attacks can provide good insights, especially in situations where a lot of information is deleted or encrypted.”
Organizations are advised to centralize their Event ID 7045 logs and build automated detections for malicious service installations. Microsoft’s Windows Event Forwarding offers a cost-effective solution for centralizing these logs.
X-Force IR recommends implementing PowerShell scripts to monitor system logs and generate alerts when suspicious service installations are detected. These scripts can be customized to match characteristics observed in known ransomware operations.
To enhance ransomware detection capabilities, organizations should:
- Implement comprehensive log collection and analysis systems
- Develop a catalog of advanced hunting queries for common ransomware attack methods
- Create custom detection rules based on known ransomware behaviors
- Regularly update and refine detection strategies as new threats emerge
As human-operated ransomware continues to evolve, leveraging Windows Event Logs for detection becomes an essential component of a robust cybersecurity strategy.
By implementing these techniques, organizations can significantly improve their ability to identify and respond to ransomware threats before they cause widespread damage.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar