Summary: Japan’s Computer Emergency Response Center (JPCERT/CC) has provided guidance on detecting ransomware attacks through analysis of Windows Event Logs, emphasizing the importance of early detection to mitigate the spread of attacks. The report details specific event IDs associated with various ransomware groups, aiding in identifying attack vectors.
Threat Actor: Ransomware Gangs | ransomware gangs
Victim: Organizations susceptible to ransomware attacks | organizations susceptible to ransomware attacks
Key Point :
- JPCERT/CC identifies four types of Windows Event Logs that can reveal traces of ransomware attacks: Application, Security, System, and Setup logs.
- Specific event IDs associated with notable ransomware groups, such as Conti and Phobos, can help in identifying the attack vector and mitigating risks.
- Modern ransomware strains leave identifiable traces in logs, unlike older strains like WannaCry, making log monitoring a crucial part of cybersecurity strategies.
- Combining log monitoring with other detection measures enhances the chances of timely intervention against ransomware attacks.
Japan’s Computer Emergency Response Center (JPCERT/CC) has shared tips on detecting different ransomware gang’s attacks based on entries in Windows Event Logs, providing timely detection of ongoing attacks before they spread too far into a network.
JPCERT/CC says the technique can be valuable when responding to ransomware attacks, and identifying the attack vector among various possibilities is crucial for timely mitigation.
Finding ransomware traces in Event Logs
The investigation strategy proposed by JPCERT/CC covers four types of Windows Event Logs: Application, Security, System, and Setup logs.
These logs often contain traces left behind by ransomware attacks that could reveal the entry points used by the attackers and their “digital identity.”
Here are some examples of ransomware traces highlighted in the agency’s report:
- Conti: Identified by many logs related to the Windows Restart Manager (event IDs: 10000, 10001).
Similar events are generated by Akira, Lockbit3.0, HelloKitty, Abysslocker, Avaddon, Bablock, and other malware created from Lockbit’s and Conti’s leaked encryptor.
- Phobos: Leaves traces when deleting system backups (event IDs: 612, 524, 753). Similar logs are generated by 8base and Elbie.
- Midas: Changes network settings to spread infection, leaving event ID 7040 in logs.
- BadRabbit: Records event ID 7045 when installing an encryption component.
- Bisamware: Logs a Windows Installer transaction’s start (1040) and end (1042).
JPCERT/CC also notes that seemingly unrelated ransomware variants such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society, leave behind very similar traces (event IDs: 13, 10016).
Both errors are caused by a lack of permissions when accessing COM applications to delete Volume Shadow Copies, which ransomware typically deletes to prevent easy restoration of encrypted files.
It’s important to note that no detection method should be taken as a guarantee for adequate protection against ransomware, but monitoring for specific logs can prove game-changing when combined with other measures to detect attacks before they spread too far into a network.
JPCERT/CC notes that older ransomware strains such as WannaCry and Petya did not leave traces in Windows logs, but the situation has changed on modern malware, so the technique is now considered effective.
In 2022, SANS also shared a guide on detecting different ransomware families using Windows Event Logs.