Japan Computer Emergency Response Team (JPCERT/CC) has published guidance on early identification of ransomware attacks in the system using Windows Event Logs. Probably by reviewing these logs, firms would identify some signs or clues of an existing ransomware attack and find themselves in a position to forestall this threat from spreading across the network.
JPCERT/CC stresses that the discovery of ransomware as early in the attack as possible is extremely important. Many ransomware variants leave apparent traces in Windows Event Logs, and that particular knowledge might be useful for cybersecurity teams to discover and finally stop attacks before they spread further. It's a strategy especially valuable in identifying the type of attack and tracing how ransomware might have entered the system.
Types of Event Logs to Monitor
The agency recommends checking four main types of Windows Event Logs, namely: Application, Security, System, and Setup logs. These types can carry some very important clues left by ransomware along with how it came into the environment and what systems are under attack.
Identifiable Ransomware Signatures in Event Logs
This JPCERT/CC report includes several specific log entries associated with certain ransomware families, which indicate that this was an active attack.
- Conti Ransomware: This malware typically generates a broad set of logs associated with the Windows Restart Manager, observable through their event IDs 10000 and 10001. The variants such as Akira, Lockbit3.0, HelloKitty, and Bablock all generate almost identical logs because they share code from Lockbit and Conti.
Others, such as 8base and Elbie, also create similar patterns along with traces related to this malware.
- Midas: This malware changes network configurations to spread across machines. It creates logs having an event ID of 7040.
- BadRabbit- BadRabbit mostly creates logs with an event ID of 7045 when it instals the encryption modules, further suggesting an attack in progress.
- Bisamware Generates entries at both ends of Windows Installer transactions. The event IDs are 1040 and 1042.
Other older ransomware families, like Shade, GandCrab, and Vice Society, similarly display the same event patterns. They especially generate errors with event IDs 13 and 10016, linked to the failed access attempts to COM applications. The reason behind it is ransomware tries to remove Volume Shadow Copies so the victims won't be able to recover encrypted files.
Event Log Monitoring: Not a Silver Bullet But a Mighty Defence
Monitoring these specific Windows Event Logs can certainly prove extremely useful in identifying ransomware, though JPCERT/CC believes such should only be part of the total security strategy. This would truly be transformational were early detection to be combined with other control measures against spreading the attack.
Surprisingly, this method is much more potent for newer ransomware variants rather than those already in the wild, like WannaCry and Petya, which left very minor traces in Windows logs. As ransomware continues to progress, the patterns they leave behind in logs are becoming very obvious, and log monitoring will be more of a good ear for today's cybersecurity infrastructure.
In 2022, another well-known cybersecurity group also published a SANS ransomware detection guide from Windows Event Logs. Both sources point out how ransomware detection has evolved with time, helping organisations better prepare for such threats.