Leveraging Windows Event Logs to Identify Human-Operated Ransomware: Insights from JPCERT/CC

Introduction

In September 2024, JPCERT/CC released a detailed blog post uncovering how Windows Event Logs can be a powerful tool for identifying human-operated ransomware campaigns. The research focuses on notable ransomware families like Conti, Phobos, Midas, and BadRabbit. Each ransomware group leaves unique traces within specific Windows event logs, and monitoring these logs can aid security teams in early detection and response to ransomware activity.

The original post by JPCERT/CC can be found here.

This report outlines key event IDs linked to various phases of ransomware attacks, enabling defenders to identify malicious actions even before traditional indicators like ransom notes or file encryption are found.

Understanding Human-Operated Ransomware

Human-operated ransomware is distinct from automated ransomware because it is actively controlled by adversaries who break into systems, escalate privileges, and disable defences before initiating encryption. By analysing Windows Event Logs, defenders can identify anomalies such as privilege escalations, remote code executions, and suspicious services or software installations that signal an active attack.

Key Ransomware Families and their Event Log Traces

1. Conti

Conti ransomware, known for its swift lateral movement and extensive use of the Windows Restart Manager to close applications before encryption, leaves behind traces in Event Logs that can be crucial for investigation:

  • Event IDs 10000 and 10001: These events are written by the Windows Restart Manager and show it closing or restarting programs. Ransomware invokes the Restart Manager as part of its encryption routine so that files held open by running processes can be released and encrypted.

2. Phobos

Phobos, which targets small and medium-sized businesses by exploiting exposed, unprotected RDP services, is known for disabling backup mechanisms during its execution. Key event logs include:

  • Event ID 524 (Backup start failure): Phobos disables Volume Shadow Copy Service (VSS) to prevent recovery from backups.
  • Event ID 612 (Backup stop failure): This ID flags attempts to stop backups.

3. Midas

Midas is an evolution of REvil, focusing on altering network services to disable monitoring and security mechanisms:

  • Event ID 7040: Logged by the Service Control Manager when a service's start type is changed. Alterations to critical services, such as setting antivirus or monitoring software to disabled, appear under this ID and can indicate ransomware attempting to circumvent detection tools.

4. BadRabbit

BadRabbit, closely linked to the infamous NotPetya, leaves a distinct footprint in Windows Event Logs by installing additional malicious components during its attack lifecycle:

  • Event ID 7045: Logged by the Service Control Manager when a new service is installed. BadRabbit uses service installation to introduce its own malicious components, further solidifying its foothold in the infected environment.

Detecting and Defending with Event Logs

Identifying malicious activity through Windows Event Logs involves correlating the logs with known ransomware TTPs (Tactics, Techniques, and Procedures). By closely monitoring these event IDs, defenders can detect ransomware during its pre-encryption phase, providing valuable time to stop the attack or mitigate damage.

Security teams can set up alerting systems based on specific event IDs or groupings of suspicious events. For instance, repeated Event ID 7040 alterations to services or a surge in Event ID 10001 (associated with the Restart Manager) could indicate that ransomware is tampering with system functions to prepare for an encryption attack.
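As an added illustration of the correlation described above (an example written for this summary, not code from JPCERT/CC), the following Python correlator maps the event IDs discussed on this page to their ransomware families, checks each event against the channel and provider it is expected to come from, and raises an alert when a single host reaches a per-ID count inside a time window. The log line format, the channel/provider pairs, the thresholds and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs the text ties to each family; channel/provider pairs are assumptions.
SIGNATURES = {
    10000: ("Application", "Microsoft-Windows-RestartManager", "Conti"),
    10001: ("Application", "Microsoft-Windows-RestartManager", "Conti"),
    524: ("Application", "Microsoft-Windows-Backup", "Phobos"),
    612: ("Application", "Microsoft-Windows-Backup", "Phobos"),
    7040: ("System", "Service Control Manager", "Midas"),
    7045: ("System", "Service Control Manager", "BadRabbit"),
}
# Assumed thresholds: hits of one event ID on one host inside WINDOW.
THRESHOLD = {10000: 20, 10001: 20, 524: 1, 612: 1, 7040: 3, 7045: 1}
WINDOW = timedelta(minutes=10)

def parse(line):
    """Parse a constructed line: 'ISO-time|host|channel|provider|event_id'."""
    ts, host, channel, provider, eid = line.strip().split("|")
    return datetime.fromisoformat(ts), host, channel, provider, int(eid)

def correlate(lines):
    """Return {(host, family): [event_ids]} for hosts that reached a threshold."""
    buckets = defaultdict(list)  # (host, event_id) -> timestamps
    for line in lines:
        ts, host, channel, provider, eid = parse(line)
        sig = SIGNATURES.get(eid)
        if sig and (channel, provider) == sig[:2]:  # drop same-numbered noise
            buckets[(host, eid)].append(ts)
    alerts = defaultdict(set)
    for (host, eid), stamps in buckets.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD[eid]:
                alerts[(host, SIGNATURES[eid][2])].add(eid)
                break
    return {k: sorted(v) for k, v in alerts.items()}

# Constructed sample: SRV01 has one 7040 (below threshold) and a 7040 from an
# unrelated provider (filtered); WS07 shows three service changes, 25 Restart
# Manager events in 25 seconds and a backup failure.
SAMPLE = (
    ["2024-09-10T08:00:00|SRV01|System|Service Control Manager|7040",
     "2024-09-10T08:01:00|SRV01|Application|SomeApp|7040"]
    + [f"2024-09-10T09:0{i}:00|WS07|System|Service Control Manager|7040" for i in range(3)]
    + [f"2024-09-10T09:10:{i:02d}|WS07|Application|Microsoft-Windows-RestartManager|10001" for i in range(25)]
    + ["2024-09-10T09:12:00|WS07|Application|Microsoft-Windows-Backup|524"]
)
```

Running `correlate(SAMPLE)` flags only WS07, with Conti-like, Midas-like and Phobos-like event IDs, while SRV01's isolated service change stays below the threshold.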

MITRE ATT&CK Techniques Associated with These Attacks

Here are some relevant MITRE ATT&CK techniques to consider:

  • T1078: Valid Accounts
    Attackers often gain initial access through valid accounts, especially in RDP-targeted campaigns like Phobos.
  • T1486: Data Encrypted for Impact
    The ultimate goal of ransomware is to encrypt data, and this technique covers the final stage of these campaigns.
  • T1562: Impair Defenses
    Ransomware often disables security features, evident from events like Midas’ alterations to antivirus services.

The use of Windows Event Logs for ransomware detection offers a proactive method of identifying potential threats before they cause catastrophic damage. While traditional indicators like ransom notes and file encryption are easy to spot, they often appear too late to prevent harm. Event logs provide a wealth of information that can enable earlier detection and intervention, especially for human-operated ransomware campaigns that involve more hands-on-keyboard activity.

By monitoring the correct event logs, organisations can stay one step ahead of ransomware and strengthen their overall cybersecurity posture.