Japan's Computer Emergency Response Center (CERT) has published new research detailing how Windows logs can be used to identify the attack vector in an ongoing incident attributed to a ransomware group.
The goal of this technique would not only be to differentiate the specific attacker or malware, but to enable real-time response to ongoing attacks before the ransomware has spread widely across the network.
The researchers note that Conti ransomware and other derivatives of it (Akira, Lockbit3.0, HelloKitty, Abysslocker, Avaddon, Bablock) would leave similar traces in Windows Restart Manager logs, specifically in events 10000 and 10001.
Other ransomware, on the other hand, leave traces when deleting backups at events 612, 524 and 753 (Phobos ransomware) or when installing encryption components at event 7045 (BadRabbit ransomware).
The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector. You may already know from recent security incident trends that the vulnerabilities of VPN devices are likely to be exploited, but it often takes much time to investigate because multiple penetration routes are often considered when an incident occurs. Therefore, in order to ensure a smooth initial response, it is important to investigate the penetration route after first estimating the attack group based on the encrypted file extensions and ransom notes left on the affected device, and then identifying the entry points that the attack group has used in the past. However, in JPCERT/CC's experience to date, there have been multiple cases where it was not possible to identify the attack group based on the encrypted file extension or ransom note alone. In this article, we will share the results of an investigation into the possibility of using Windows event log information to support the identification of such attack groups. JPCERT/CC's investigation confirmed that some ransomware leaves traces in the Windows event log, and that it is sometimes possible to identify the ransomware based on these characteristics. The following four Windows event logs were used in this investigation.
- Application Log
- Security Log
- System Log
- Setup Log
The following sections introduce the logs recorded in the Windows Event Log when ransomware is executed.
Conti
Conti is ransomware first identified in 2020. In 2022, the source code related to Conti was leaked, and many variants appeared afterwards. Conti exploits Windows Restart Manager when encrypting files. It is a function that automatically closes running applications when Windows OS is restarted or shut down. Although logs may be recorded in the event log during normal operation as well, when Conti is executed, a large number of relevant logs (event IDs: 10000, 10001) are recorded in a short period of time.
Figure 1: Event logs confirmed during Conti execution
We have also confirmed that the following ransomware also records similar event logs. Some of them are suspected to be related to Conti.
- Akira (suspected to be related to Conti based on the status of cryptocurrency transactions, etc.)
- Lockbit3.0 (uses a Conti-based encryption system)
- HelloKitty
- Abysslocker
- avaddon
- bablock
Phobos
Phobos is ransomware identified in 2019. It is said to have appeared after the source code was found to be similar to that of the Dharma ransomware, and after a decryption tool for Dharma became available, many variants were identified. Phobos can delete the volume shadow copies and system backup catalogs of infected devices, and it leaves traces when it is executed. Please note that the above-mentioned content may also occur in normal operation when the system administrator manages disk space or organizes unnecessary data.
Figure 2: Event logs confirmed during Phobos execution
- Event ID 612: A backup scheduled to be performed automatically was canceled somehow
- Event ID 524: The system catalog was deleted
- Event ID 753: The backup system successfully started and is ready to operate
In addition, traces with similar characteristics have been recorded from the following ransomware, which is suspected to be related to the Phobos group.
- 8base
- Elbie
BadRabbit
BadRabbit is ransomware first confirmed in 2017. It is characterized in that traces (Event ID: 7045) of installing the component cscc.dat used for encryption are recorded when it is executed.
Figure 4: Event log confirmed when BadRabbit is executed
Other common event logs recorded by ransomware
Although there was no apparent connection from the publicly available information, there are some types of ransomware with common characteristics in traces in event logs.
- shade
- GandCrab
- AKO
- avoslocker
- BLACKBASTA
- VICE SOCIETY
The traces (Event ID: 13, 10016) of these types of ransomware show that they did not function properly because they lacked permission to access COM server applications related to the Volume Shadow Copy Service at the time of execution.
Figure 6: Event logs confirmed during execution
No comments:
Post a Comment