Use Windows event logs for ransomware investigations, JPCERT/CC advises

The JPCERT Coordination Center – the first Computer Security Incident Response Team established in Japan – has compiled a list of entries in Windows event logs that could help enterprise defenders respond to human-operated ransomware attacks and potentially limit the malware’s damage.

“The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector,” the organization pointed out.

Detecting specific entries in Windows event logs – Application, Security, System, Setup – may reveal the identity of the attackers and the ransomware used (when it’s not obvious).

Based on documented and shared information from previous attacks perpetrated by the same group or with the same malware, incident responders may more easily and quickly identify how the attackers managed to get into the organization’s network and systems.

Ransomware recognition through Windows event logs

When dealing with a ransomware attack, identifying the ransomware used as soon as possible is of critical importance. Knowledge of the tactics, techniques and behavioral patterns used by the attackers can help with the investigation of and response to the intrusion, and possibly help responders prevent the ransomware from being deployed on a greater number of systems (e.g., the ransomware may have failed to execute or is inactive until triggered by attackers).

“JPCERT/CC’s investigation confirmed that some ransomware leaves traces in the Windows event log, and that it is sometimes possible to identify the ransomware based on these characteristics,” malware analyst Kyosuke Nakamura noted.

Conti ransomware and related ransomware such as Akira or LockBit 3.0, for example, often trigger a large number of logs (event IDs: 10000, 10001) in a short period of time. These events indicate the automatic closing of running applications when the Windows OS is restarted or shut down.

Event logs during Conti execution (Source: JPCERT/CC)

Phobos ransomware and related ransomware such as 8base, on the other hand, trigger event IDs 612, 524 and 753, which are related to canceling scheduled backups, deleting the system catalog, and starting the backup system.
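The two patterns described above (a burst of event IDs 10000/10001, and the 612/524/753 backup-related set) can be checked over exported event records during triage. The following is an added example, not code from JPCERT/CC or the article: the `timestamp,host,event_id` export format, the burst threshold and window, and the rule requiring all three backup IDs are assumptions chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Event IDs as reported in the article; family labels follow its grouping.
BURST_IDS = {10000, 10001}      # Conti, Akira, LockBit 3.0
BACKUP_IDS = {612, 524, 753}    # Phobos, 8base
# Assumed tuning: the article only says "a large number ... in a short period".
BURST_MIN_EVENTS = 20
BURST_WINDOW = timedelta(seconds=60)

def parse(line):
    """Parse one constructed 'ISO-timestamp,host,event_id' export line."""
    ts, host, eid = line.strip().split(",")
    return datetime.fromisoformat(ts), host, int(eid)

def triage(lines):
    """Return {host: set of findings} for the two patterns described above."""
    findings, windows, backup_seen = {}, {}, {}
    for ts, host, eid in sorted(parse(l) for l in lines if l.strip()):
        if eid in BURST_IDS:
            win = windows.setdefault(host, deque())
            win.append(ts)
            # Slide the window: drop events older than BURST_WINDOW.
            while ts - win[0] > BURST_WINDOW:
                win.popleft()
            if len(win) >= BURST_MIN_EVENTS:
                findings.setdefault(host, set()).add("conti-like-burst")
        elif eid in BACKUP_IDS:
            seen = backup_seen.setdefault(host, set())
            seen.add(eid)
            # Assumption: require all three IDs so one routine backup event does not fire.
            if seen == BACKUP_IDS:
                findings.setdefault(host, set()).add("phobos-like-backup-events")
    return findings

def sample_log():
    """Constructed sample: WS01 bursts, SRV02 logs all three backup IDs, WS03 is quiet."""
    base = datetime(2024, 1, 1, 3, 0, 0)
    rows = [f"{(base + timedelta(seconds=i)).isoformat()},WS01,{10000 + i % 2}"
            for i in range(30)]
    rows += [f"{(base + timedelta(minutes=m)).isoformat()},SRV02,{e}"
             for m, e in enumerate((612, 524, 753))]
    rows += [f"{(base + timedelta(hours=h)).isoformat()},WS03,10000" for h in range(5)]
    rows.append(f"{base.isoformat()},WS03,612")
    return rows

if __name__ == "__main__":
    for host, hits in sorted(triage(sample_log()).items()):
        print(host, sorted(hits))
```

Matching here is on event ID alone; other software can log the same IDs, so a hit is a lead to corroborate rather than an identification.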

The compiled document also details logs associated with Midas, BadRabbit, Bisamware, Shade, GandCrab, AKO, AvosLocker, BlackBasta, and Vice Society ransomware.

“Event logs can only support damage investigations and attribution, but in situations where a lot of information is deleted or encrypted, investigating everything that could be useful may provide some good insights,” Nakamura concluded.
