Japan's Computer Emergency Response Center (JPCERT/CC) has shared tips on detecting different ransomware gangs' attacks based on entries in Windows Event Logs, enabling timely detection of ongoing attacks before they spread too far into a network.

JPCERT/CC notes that older ransomware strains such as WannaCry and Petya did not leave traces in Windows logs, but this has changed with modern malware, so the technique is now considered effective.

No detection method should be taken as a guarantee of adequate protection against ransomware, but monitoring for specific log entries can prove game-changing when combined with other measures to catch attacks early.

JPCERT/CC says the technique can be valuable when responding to ransomware attacks, since identifying the attack vector among various possibilities is crucial for timely mitigation.

JPCERT/CC also notes that seemingly unrelated ransomware variants such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society leave behind very similar traces (event IDs 13 and 10016).

In 2022, SANS also shared a guide on detecting different ransomware families using Windows Event Logs.

The investigation strategy proposed by JPCERT/CC covers four types of Windows Event Logs: Application, Security, System, and Setup.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
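The report summarised above names two event IDs and four logs but gives no query. The following PowerShell is an added example written for this page, not JPCERT/CC's or BleepingComputer's code, showing how an analyst might sweep those four logs for those two IDs over a lookback window and summarise the hits per log and provider. It uses the real Get-WinEvent cmdlet; it assumes an elevated session (reading the Security log requires one), the page does not say which log each ID lives in so the sweep covers all four, and the function name, the default 24-hour window and the placeholder hostname are choices made for this example.

```powershell
# Added example (not from the JPCERT/CC report or the article): sweep the four
# Windows Event Logs the report covers for the two event IDs it associates
# with Shade, GandCrab, AKO, AvosLocker, BLACKBASTA and Vice Society, then
# summarise hits per log/provider/ID so an analyst can triage them.
# Assumptions: run as Administrator (the Security log needs it); the lookback
# window and the "search every log for both IDs" approach are this example's
# own choices, since the report as summarised does not map IDs to logs.

function Find-RansomwareEventTraces {
    [CmdletBinding()]
    param(
        # Hours of history to search; 24 is an arbitrary default.
        [int]$LookbackHours = 24,
        # Host to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $since = (Get-Date).AddHours(-$LookbackHours)

    # Event IDs the report names for the variants above.
    $suspectIds = @(13, 10016)
    # The four logs covered by the report's investigation strategy.
    $logs = @('Application', 'Security', 'System', 'Setup')

    $hits = foreach ($log in $logs) {
        try {
            Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
                LogName   = $log
                Id        = $suspectIds
                StartTime = $since
            }
        } catch {
            # Get-WinEvent raises an error when nothing matches; that is not a
            # failure here. Anything else (access denied, log absent) is reported.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$log on ${ComputerName}: $($_.Exception.Message)"
            }
        }
    }

    if (-not $hits) {
        Write-Verbose "No events with IDs $($suspectIds -join ', ') in the last $LookbackHours h on $ComputerName."
        return
    }

    # One row per log/provider/ID with count and first/last seen, so a
    # long-standing noise source is easy to tell from a burst that begins
    # at the time of a suspected intrusion.
    $hits |
        Group-Object LogName, ProviderName, Id |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            $last   = $sorted[-1]
            [pscustomobject]@{
                Computer  = $ComputerName
                Log       = $last.LogName
                Provider  = $last.ProviderName
                EventId   = $last.Id
                Count     = $_.Count
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $last.TimeCreated
                # First line of the most recent message, for a quick read.
                Sample    = if ($last.Message) { ($last.Message -split "`r?`n")[0] } else { '' }
            }
        } |
        Sort-Object LastSeen -Descending
}

# Usage: local host over the last three days; 'FILESRV01' is a placeholder
# hostname for the remote form, not a real system.
Find-RansomwareEventTraces -LookbackHours 72 | Format-Table -AutoSize
# Find-RansomwareEventTraces -ComputerName 'FILESRV01' -LookbackHours 72 | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Event ID 10016 is the Microsoft-Windows-DistributedCOM permission error that many healthy Windows hosts log routinely, so a hit is a prompt to look at what else happened on that host around FirstSeen (new services, scheduled tasks, logons in the Security log), not a verdict on its own; the article itself stresses that log monitoring is one layer to be combined with other measures. And because ransomware operators frequently clear or disable logging, a host that should have these logs but suddenly shows nothing in the window is itself worth a look.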
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 30 Sep 2024 19:25:11 +0000