Recent investigations by cybersecurity experts have yielded valuable insights into the detection of human-operated ransomware attacks using Windows Event Logs. This advancement has the potential to enhance organizations’ capabilities in identifying and responding to these increasingly sophisticated threats.
JPCERT/CC, a leading cybersecurity coordination center, has confirmed that certain ransomware variants leave identifiable traces within Windows Event Logs, which could aid in their detection. This finding is particularly important as traditional methods for identifying attack groups—relying on encrypted file extensions or ransom notes—have proven less effective.
JPCERT/CC utilized various logs, including the Application Log, Security Log, System Log, and Setup Log, to pinpoint ransomware activity based on these distinctive characteristics.
Specific Ransomware Signatures
The research identified several ransomware families, each associated with unique event log signatures:
- Conti and Related Variants: First discovered in 2020, Conti ransomware invokes the Windows Restart Manager during file encryption, producing a surge of event log entries with IDs 10000 and 10001. Similar behaviors were noted in variants such as Akira, LockBit 3.0, and HelloKitty.
- Phobos: Active since 2019, Phobos leaves traces when it deletes volume shadow copies and system backup catalogs, with key event IDs including 612, 524, and 753.
- Midas: This ransomware, identified in 2021, is marked by modifications to network settings recorded under Event ID 7040, impacting services such as Function Discovery Resource Publication and SSDP Discovery.
- BadRabbit: First seen in 2017, BadRabbit installs a component named cscc.dat, which is noted in Event ID 7045.
- Bisamware: Identified in 2022, Bisamware’s execution is recorded in Windows Installer transaction logs with Event IDs 1040 and 1042.
While event logs alone cannot prevent attacks, they can assist in damage assessments and attribution. In cases where substantial data has been deleted or encrypted, these logs may provide crucial insights into the attack vector and methods used.
Security expert Kyosuke Nakamura highlights the importance of investigating event logs in human-operated ransomware cases, especially when significant information has been compromised.
Organizations are encouraged to centralize their Event ID 7045 logs and develop automated detection systems for malicious service installations. Microsoft’s Windows Event Forwarding is a cost-effective solution for centralizing these logs.
X-Force IR suggests utilizing PowerShell scripts to monitor system logs and generate alerts for suspicious service installations, customizing these scripts to reflect patterns seen in known ransomware activities.
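The following is an added example, not code from JPCERT/CC, X-Force IR or the article itself. It shows the detection logic the article recommends (the per-family event ID signatures listed above plus a baseline review of Event ID 7045 service installations) run over constructed sample records. It is written in Python rather than PowerShell so it runs offline; the record fields host/time/id/message are assumed to be what a Get-WinEvent export (MachineName, TimeCreated, Id, Message) would supply after forwarding, and the burst threshold of 20 Restart Manager events per five-minute window is an assumed tuning value, not a figure from the research.

```python
"""Toy detector for the ransomware event-log traces described in the article.

Each record is a dict with the fields a Get-WinEvent export carries
(MachineName, TimeCreated, Id, Message), renamed here to host/time/id/message.
All sample records below are constructed for the example, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. ws01 shows the Restart Manager surge (Conti-like
# encryptors); the other hosts each carry one of the single-event traces.
SAMPLE_EVENTS = [
    *[{"host": "ws01", "time": f"2024-01-01T10:00:{i:02d}", "id": 10000 + (i % 2),
       "message": "Restart Manager session (constructed)"} for i in range(40)],
    {"host": "ws02", "time": "2024-01-01T11:00:00", "id": 7045,
     "message": "A service was installed in the system. Service Name: cscc "
                "Service File Name: C:\\Windows\\cscc.dat"},
    {"host": "ws03", "time": "2024-01-01T12:00:00", "id": 7040,
     "message": "The start type of the Function Discovery Resource Publication "
                "service was changed from auto start to disabled."},
    {"host": "ws04", "time": "2024-01-01T13:00:00", "id": 524,
     "message": "The backup catalog has been deleted."},
    {"host": "ws05", "time": "2024-01-01T14:00:00", "id": 7045,
     "message": "A service was installed in the system. Service Name: "
                "BackupAgent (constructed benign install)"},
]

# Detection rules built from the event IDs the article lists. "match" holds
# message substrings (any one suffices); "burst" is a per-host count threshold
# inside the sliding window, or None for a single-event rule. The threshold of
# 20 is an assumed tuning value, not a figure from the research.
RULES = [
    {"name": "restart-manager-burst (Conti, Akira, LockBit 3.0, HelloKitty)",
     "ids": {10000, 10001}, "match": (), "burst": 20},
    {"name": "backup-catalog-deletion (Phobos)",
     "ids": {612, 524, 753}, "match": (), "burst": None},
    {"name": "discovery-service-change (Midas)",
     "ids": {7040},
     "match": ("Function Discovery Resource Publication", "SSDP Discovery"),
     "burst": None},
    {"name": "cscc.dat-service-install (BadRabbit)",
     "ids": {7045}, "match": ("cscc.dat",), "burst": None},
    {"name": "windows-installer-transaction (Bisamware)",
     "ids": {1040, 1042}, "match": (), "burst": None},
    # Low-severity baseline: every Event ID 7045 service install is worth review.
    {"name": "any-service-install (review)",
     "ids": {7045}, "match": (), "burst": None},
]


def _matches(rule, event):
    """True if the event's ID and (optionally) message satisfy the rule."""
    if event["id"] not in rule["ids"]:
        return False
    return not rule["match"] or any(s in event["message"] for s in rule["match"])


def detect(events, window=timedelta(minutes=5)):
    """Return findings as (rule_name, host, first_time, count) tuples."""
    findings = []
    for rule in RULES:
        by_host = defaultdict(list)
        for ev in events:
            if _matches(rule, ev):
                by_host[ev["host"]].append(ev)
        for host, hits in by_host.items():
            hits.sort(key=lambda e: e["time"])
            if rule["burst"] is None:
                findings.extend((rule["name"], host, ev["time"], 1) for ev in hits)
                continue
            # Largest number of hits inside any window-long span on this host.
            times = [datetime.fromisoformat(e["time"]) for e in hits]
            best, start = 0, 0
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                best = max(best, end - start + 1)
            if best >= rule["burst"]:
                findings.append((rule["name"], host, hits[0]["time"], best))
    return findings


if __name__ == "__main__":
    for name, host, first, count in detect(SAMPLE_EVENTS):
        print(f"{host}: {name} (first seen {first}, {count} event(s))")
```

In a real deployment the records would come from the Windows Event Forwarding collector rather than an inline list, and the burst threshold and window should be tuned against a baseline of legitimate Restart Manager activity (software updates also raise IDs 10000 and 10001). The unfiltered 7045 rule is deliberately noisy: it exists so that every new service lands in a review queue, with the cscc.dat rule layered on top as the high-confidence alert.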
To bolster ransomware detection capabilities, organizations should:
- Implement comprehensive log collection and analysis systems
- Develop a catalog of advanced hunting queries for common ransomware tactics
- Create custom detection rules based on known ransomware behaviors
- Regularly update and refine detection strategies in response to emerging threats
As human-operated ransomware evolves, leveraging Windows Event Logs for detection becomes a vital part of a robust cybersecurity framework. By adopting these strategies, organizations can significantly enhance their ability to identify and mitigate ransomware threats before they result in extensive damage.