Man
Professional
- Messages
- 3,085
- Reaction score
- 623
- Points
- 113
Windows event logs know a lot more than you might think.
Experts from JPCERT conducted a study that allows you to identify ransomware attacks based on the analysis of Windows event logs. As a rule, one of the most difficult tasks in detecting such attacks is to identify the vector of penetration of attackers.
Usually, analyzing possible vulnerabilities such as VPN devices can take a long time, especially when there are multiple potential pathways of penetration. Therefore, effective attack detection begins with identifying the group of attackers by the encrypted files and ransom notes left on the infected device.
However, according to experts, it is not always possible to identify an attack based on such artifacts. In this regard, they decided to investigate whether it is possible to use information from Windows event logs to determine the type of ransomware.
The study confirmed that some ransomware leaves characteristic traces in Windows event logs that allow them to be identified. Four main Windows event logs were analyzed: Application Log, Security Log, System Log, and Setup Log, as well as a number of ransomware families.
Conti
One of the first ransomware to be found in the logs was Conti. This ransomware was first spotted in 2020, and in 2022 its source code was leaked, leading to many modifications. When encrypting files, Conti uses the Restart Manager function, which results in the recording of a large number of events (ID: 10000, 10001) in a short period of time.
In addition, similar events are recorded in system logs and other programs related to Conti, including Akira, Lockbit3.0, HelloKitty, Abysslocker, avaddon, bablock.
Phobos
Phobos is a ransomware threat that was first identified in 2019. It is capable of deleting shadow volume copies and system backup directories on infected devices, leaving the following characteristic traces:
Similar signs in the logs can be found in other programs associated with Phobos, such as 8base and Elbie.
Midas
Midas is another ransomware threat that was first identified in 2021. Its peculiarity is that it leaves traces of changes in the settings of network services in the logs, which may indicate attempts to spread the infection.
BadRabbit
The study also found characteristic traces in the logs associated with BadRabbit. BadRabbit's status as ransomware was first confirmed in 2017. Its peculiarity lies in the fact that it leaves records (ID: 7045) about the implementation of the cscc.dat component for data encryption.
Bisamware
Bisamware is a ransomware threat that was identified in 2022. It targets Windows users and spreads through vulnerabilities in Microsoft tools. On startup, it captures the start (ID 1040) and end (ID 1042) of the Windows Installer transaction.
Common features in logs
Ransomware types such as Shade, GandCrab, AKO, avoslocker, BLACKBASTA, VICE SOCIETY deserve special attention. They have common features in the event logs (ID: 13, 10016), indicating problems with access to the COM server related to the Volume Shadow Copy Service.
For a number of older ransomware threats, such as WannaCry, Petya, and Ryuk, researchers have unfortunately not been able to identify clear signs in the event logs. However, the mere fact that such patterns are detected in the future can significantly speed up the detection of malware infections.
Analyzing Windows event logs opens up new opportunities in the fight against cybercrime, demonstrating that even the most sophisticated attackers leave digital footprints. This approach not only speeds up the process of identifying threats, but also emphasizes the importance of continuous monitoring and analysis of system logs as an integral part of the cybersecurity strategy.
Source
Experts from JPCERT conducted a study that allows you to identify ransomware attacks based on the analysis of Windows event logs. As a rule, one of the most difficult tasks in detecting such attacks is to identify the vector of penetration of attackers.
Usually, analyzing possible vulnerabilities such as VPN devices can take a long time, especially when there are multiple potential pathways of penetration. Therefore, effective attack detection begins with identifying the group of attackers by the encrypted files and ransom notes left on the infected device.
However, according to experts, it is not always possible to identify an attack based on such artifacts. In this regard, they decided to investigate whether it is possible to use information from Windows event logs to determine the type of ransomware.
The study confirmed that some ransomware leaves characteristic traces in Windows event logs that allow them to be identified. Four main Windows event logs were analyzed: Application Log, Security Log, System Log, and Setup Log, as well as a number of ransomware families.
Conti
One of the first ransomware to be found in the logs was Conti. This ransomware was first spotted in 2020, and in 2022 its source code was leaked, leading to many modifications. When encrypting files, Conti uses the Restart Manager function, which results in the recording of a large number of events (ID: 10000, 10001) in a short period of time.
In addition, similar events are recorded in system logs and other programs related to Conti, including Akira, Lockbit3.0, HelloKitty, Abysslocker, avaddon, bablock.
Phobos
Phobos is a ransomware threat that was first identified in 2019. It is capable of deleting shadow volume copies and system backup directories on infected devices, leaving the following characteristic traces:
- ID 612: Automatic backup has been canceled.
- ID 524: The system directory has been deleted.
- ID 753: The backup system has been successfully launched.
Similar signs in the logs can be found in other programs associated with Phobos, such as 8base and Elbie.
Midas
Midas is another ransomware threat that was first identified in 2021. Its peculiarity is that it leaves traces of changes in the settings of network services in the logs, which may indicate attempts to spread the infection.
BadRabbit
The study also found characteristic traces in the logs associated with BadRabbit. BadRabbit's status as ransomware was first confirmed in 2017. Its peculiarity lies in the fact that it leaves records (ID: 7045) about the implementation of the cscc.dat component for data encryption.
Bisamware
Bisamware is a ransomware threat that was identified in 2022. It targets Windows users and spreads through vulnerabilities in Microsoft tools. On startup, it captures the start (ID 1040) and end (ID 1042) of the Windows Installer transaction.
Common features in logs
Ransomware types such as Shade, GandCrab, AKO, avoslocker, BLACKBASTA, VICE SOCIETY deserve special attention. They have common features in the event logs (ID: 13, 10016), indicating problems with access to the COM server related to the Volume Shadow Copy Service.
For a number of older ransomware threats, such as WannaCry, Petya, and Ryuk, researchers have unfortunately not been able to identify clear signs in the event logs. However, the mere fact that such patterns are detected in the future can significantly speed up the detection of malware infections.
Analyzing Windows event logs opens up new opportunities in the fight against cybercrime, demonstrating that even the most sophisticated attackers leave digital footprints. This approach not only speeds up the process of identifying threats, but also emphasizes the importance of continuous monitoring and analysis of system logs as an integral part of the cybersecurity strategy.
Source
