The Japan Computer Emergency Response Center (JPCERT/CC) has issued an advisory detailing methods to detect ransomware attacks early through entries in Windows Event Logs (Application, Security, System, and Setup logs).
JPCERT/CC provides detailed examples of how various ransomware groups leave identifiable footprints in Windows Event Logs. Below are several notable ransomware strains and their associated log entries:
Conti: Ransomware from the Conti family, along with similar strains like Akira, Lockbit3.0, HelloKitty, and Abysslocker, can be identified through numerous logs related to the Windows Restart Manager. These entries often reveal the shutdown and startup of applications during an attack.
Phobos: Known for deleting system backups, Phobos leaves specific traces. Similar behavior is also observed in ransomware variants such as 8base and Elbie, which follow the same attack pattern.
Midas: The malware often alters network settings to facilitate its spread. A particular log entry (event ID 7040, recorded when a service's configuration is changed) can alert teams to potential lateral movement within the network.
BadRabbit: When BadRabbit installs its encryption component, event ID 7045 is recorded (the installation of the cscc.dat component used for encryption). This can provide early warning of encryption activity.
Bisamware: Logs associated with Windows Installer transactions can signal Bisamware activity, offering another point of detection.
JPCERT/CC notes that older ransomware variants, such as WannaCry and Petya, were stealthier and left fewer traces in Windows logs. However, modern ransomware tends to leave behind clearer footprints, making this log analysis technique increasingly effective in identifying threats early.
The agency also points out that seemingly unrelated ransomware families, such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society, often leave behind very similar event IDs. These logs typically stem from attempts to delete Volume Shadow Copies, a common tactic used by ransomware to prevent victims from easily restoring their systems using backups.
Errors generated during this process, usually due to a lack of necessary permissions to access COM applications, can be valuable clues that ransomware is in the process of encrypting data.
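As an added illustration (not code from the JPCERT/CC advisory), the following Python filter applies the indicators above to a constructed batch of exported Windows events: the 7045 component install naming cscc.dat, a 7040 service-configuration change, a COM permission error, and a burst of Restart Manager entries. The provider names, the DCOM event ID 10016 and the burst threshold (10 events in 60 seconds) are assumptions for this example rather than values from the article.

```python
"""Triage filter for the ransomware indicators described in the JPCERT/CC advisory.
Added example with constructed input; real events would come from an EVTX export or SIEM."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events, shaped like a flattened EVTX export (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T03:00:00", "log": "System", "provider": "Service Control Manager",
     "id": 7045, "message": "A service was installed. Service File Name: C:\\Windows\\cscc.dat"},
    {"time": "2024-05-01T03:00:05", "log": "System", "provider": "Service Control Manager",
     "id": 7040, "message": "The start type of the Remote Registry service was changed."},
    {"time": "2024-05-01T03:00:10", "log": "System", "provider": "Microsoft-Windows-DistributedCOM",
     "id": 10016, "message": "The application-specific permission settings do not grant Local Activation permission"},
] + [
    {"time": f"2024-05-01T03:01:{s:02d}", "log": "Application",
     "provider": "Microsoft-Windows-RestartManager", "id": 10000 + (s % 2),
     "message": f"Restart Manager session {s}"}
    for s in range(12)
]

RM_BURST_COUNT = 10                    # assumed: "numerous" Restart Manager entries
RM_BURST_WINDOW = timedelta(seconds=60)  # assumed: within one minute


def detect(events):
    """Return (rule_name, event) pairs for events matching the advisory's indicators."""
    hits = []
    rm_times = deque()  # sliding window of recent Restart Manager timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["log"] == "System" and ev["id"] == 7045 and "cscc.dat" in ev["message"].lower():
            hits.append(("badrabbit_component_install", ev))   # encryption component (article)
        elif ev["log"] == "System" and ev["id"] == 7040:
            hits.append(("service_config_changed", ev))        # Midas-style change (article)
        elif ev["provider"] == "Microsoft-Windows-DistributedCOM" and ev["id"] == 10016:
            hits.append(("com_permission_error", ev))          # COM errors around VSS deletion
        elif ev["provider"] == "Microsoft-Windows-RestartManager":
            rm_times.append(t)
            while rm_times and t - rm_times[0] > RM_BURST_WINDOW:
                rm_times.popleft()
            if len(rm_times) == RM_BURST_COUNT:                # fire once per burst
                hits.append(("restart_manager_burst", ev))     # Conti-family pattern (article)
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev['time']} {rule:28} {ev['log']}/{ev['id']}")
```

Single events such as 7040 are noisy on their own; the value of the approach is in correlating several of these indicators on one host within a short window.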