
JPCERT shares Windows Event Log tips for detecting ransomware attacks

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has shared tips on how to detect attacks by various ransomware gangs using entries in the Windows event logs, enabling timely detection of ongoing attacks before they spread too far into a network.

According to JPCERT/CC, the technique can be valuable when responding to ransomware attacks, since identifying the attack vector among the various possibilities is crucial for a timely defense.

Finding traces of ransomware in event logs

The investigation strategy proposed by JPCERT/CC includes four types of Windows event logs: application, security, system, and setup logs.

These logs often contain traces left by ransomware attacks that could reveal the entry points used by the attackers and their “digital identity.”

Here are some examples of ransomware traces highlighted in the agency’s report:

  • Conti: Identified by many logs related to Windows Restart Manager (Event IDs: 10000, 10001).
    Restart Manager notifications from Conti-based encryptors (Source: JPCERT/CC)

    Similar events are generated by Akira, LockBit 3.0, HelloKitty, AbyssLocker, Avaddon, Bablock and other malware built from the leaked LockBit and Conti encryptors.

  • Phobos: Leaves traces when deleting system backups (Event IDs: 612, 524, 753). Similar logs are generated by 8base and Elbie.
  • Midas: Modifies network settings to spread the infection, leaving Event ID 7040 in the logs.
  • BadRabbit: Records Event ID 7045 when an encryption component is installed.
  • Bisamware: Logs the start (1040) and end (1042) of a Windows Installer transaction.
    Characteristic Bisamware ransomware logs (Source: JPCERT/CC)

JPCERT/CC also notes that seemingly unrelated ransomware variants such as Shade, GandCrab, AKO, AvosLocker, Black Basta and Vice Society leave very similar traces (Event IDs: 13, 10016).

Both errors are caused by a lack of permissions to access COM applications when deleting volume shadow copies, which ransomware typically deletes to prevent easy recovery of encrypted files.

COM and VSS access problem logs (Source: JPCERT/CC)
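To turn the event IDs listed above (both the per-family table and the COM/VSS errors 13 and 10016) into something a responder can run over exported logs, here is an added example written for this article; it is not code from JPCERT/CC or from the original report. The event IDs are the ones the report names. Everything else is this example's own assumption: the provider names are the standard Windows providers that emit those IDs, the per-family hit thresholds (the report only says "many" Restart Manager events, rendered here as five), the record layout, and the sample records, which are constructed for the demo.

```python
"""Map Windows event IDs from the JPCERT/CC report to ransomware families.

Added example for this article. Input records are plain dicts in the shape
you get from exporting the Application/System logs to JSON; the records in
SAMPLE_RECORDS are constructed for this demo, not real incident data.
"""
from collections import defaultdict

# Event IDs are the ones the report lists. Provider names, thresholds and the
# require_all flag are this example's assumptions, not statements of the report.
# providers=None means "match on event ID alone".
SIGNATURES = {
    # Conti and encryptors built from the leaked Conti/LockBit code:
    # a burst of Restart Manager session events
    "conti_family": {"ids": {10000, 10001},
                     "providers": {"Microsoft-Windows-RestartManager"}, "min_hits": 5},
    # Phobos, 8base, Elbie: backup deletion traces
    "phobos_family": {"ids": {612, 524, 753}, "providers": None, "min_hits": 1},
    # Midas: service configuration changed
    "midas": {"ids": {7040}, "providers": {"Service Control Manager"}, "min_hits": 1},
    # BadRabbit: encryption component installed as a service
    "badrabbit": {"ids": {7045}, "providers": {"Service Control Manager"}, "min_hits": 1},
    # Bisamware: both the start AND the end of an MSI transaction must be present
    "bisamware": {"ids": {1040, 1042}, "providers": {"MsiInstaller"},
                  "min_hits": 1, "require_all": True},
    # Shade, GandCrab, AKO, AvosLocker, Black Basta, Vice Society: COM/VSS permission errors
    "vss_com_errors": {"ids": {13, 10016}, "providers": None, "min_hits": 1},
}


def detect(records):
    """Return {family: [matching records]} for every family whose pattern is satisfied."""
    hits = defaultdict(list)
    for rec in records:
        for family, sig in SIGNATURES.items():
            if rec["EventID"] not in sig["ids"]:
                continue
            # A colliding ID from an unrelated provider must not count as a hit.
            if sig["providers"] and rec.get("Provider") not in sig["providers"]:
                continue
            hits[family].append(rec)

    found = {}
    for family, recs in hits.items():
        sig = SIGNATURES[family]
        if len(recs) < sig["min_hits"]:
            continue
        if sig.get("require_all") and not sig["ids"] <= {r["EventID"] for r in recs}:
            continue
        found[family] = recs
    return found


def earliest_trace(records):
    """(timestamp, family) of the first matching record: a starting point for the incident timeline."""
    found = detect(records)
    if not found:
        return None
    return min((rec["TimeCreated"], fam) for fam, recs in found.items() for rec in recs)


# Constructed sample export: one host, a few minutes of activity.
SAMPLE_RECORDS = [
    # six Restart Manager session events in a short window: the Conti-style burst
    *[{"TimeCreated": f"2024-01-15T02:14:{s:02d}", "Channel": "Application",
       "Provider": "Microsoft-Windows-RestartManager", "EventID": 10000 + (s % 2),
       "Message": "Starting session" if s % 2 == 0 else "Ending session"} for s in range(6)],
    # a service installed, then a service start type changed
    {"TimeCreated": "2024-01-15T02:10:05", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7045, "Message": "A service was installed in the system."},
    {"TimeCreated": "2024-01-15T02:10:07", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7040, "Message": "The start type of a service was changed."},
    # an MSI transaction start without its end: does not satisfy the Bisamware pattern
    {"TimeCreated": "2024-01-15T02:11:00", "Channel": "Application", "Provider": "MsiInstaller",
     "EventID": 1040, "Message": "Beginning a Windows Installer transaction."},
    # DCOM permission error of the kind produced by failed shadow copy deletion
    {"TimeCreated": "2024-01-15T02:12:30", "Channel": "System", "Provider": "Microsoft-Windows-DistributedCOM",
     "EventID": 10016, "Message": "The application-specific permission settings do not grant Local Activation permission."},
    # noise: same ID as a Restart Manager event, but from an unrelated provider
    {"TimeCreated": "2024-01-15T03:00:00", "Channel": "Application", "Provider": "ExampleApp",
     "EventID": 10000, "Message": "Unrelated application event."},
]


if __name__ == "__main__":
    for fam, recs in detect(SAMPLE_RECORDS).items():
        print(f"{fam}: {len(recs)} event(s), first at {min(r['TimeCreated'] for r in recs)}")
    print("earliest trace:", earliest_trace(SAMPLE_RECORDS))
```

On the sample data the script reports the Conti-style burst, the BadRabbit and Midas service events and the DCOM error, ignores the lone MSI start and the colliding ID from an unrelated provider, and points the timeline at the 7045 event as the earliest trace. Treat the output as triage leads rather than verdicts: Event IDs 7040 and 7045 also appear during legitimate administration, so each hit still needs the service name, binary path and surrounding events checked.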

It is important to note that no detection method should be considered a guarantee of adequate protection against ransomware. However, monitoring for these specific log entries can prove to be a game-changer when combined with other measures to detect attacks before they spread too far into a network.

JPCERT/CC notes that older ransomware strains such as WannaCry and Petya did not leave traces in Windows logs, but the situation with modern malware has changed and the technique is now considered effective.

In 2022, SANS also released a guide on detecting different ransomware families using Windows event logs.
