Use Windows event logs for ransomware investigations, JPCERT/CC advises - Help Net Security

The JPCERT Coordination Center – the first Computer Security Incident Response Team established in Japan – has compiled a list of entries in Windows event logs that could help enterprise defenders respond to human-operated ransomware attacks and potentially limit the malware's damage.

When dealing with a ransomware attack, identifying the ransomware used as soon as possible is of critical importance: knowledge of the attackers' tactics, techniques and behavioral patterns helps with investigating and responding to the intrusion, and may let responders prevent the ransomware from being deployed on a greater number of systems (e.g., where the ransomware failed to execute or lies dormant until triggered by the attackers).

Detecting specific entries in the Windows event logs – Application, Security, System, Setup – may reveal the identity of the attackers and the ransomware used (when it's not obvious).

"JPCERT/CC's investigation confirmed that some ransomware leaves traces in the Windows event log, and that it is sometimes possible to identify the ransomware based on these characteristics," malware analyst Kyosuke Nakamura noted.

Conti ransomware and related families such as Akira or LockBit3.0, for example, often trigger a large number of log entries (event IDs 10000 and 10001) in a short period of time; these events record the automatic closing of running applications when Windows is restarted or shut down. Phobos ransomware and related families such as 8base, on the other hand, trigger event IDs 612, 524 and 753, which relate to canceling scheduled backups, deleting the system catalog, and starting the backup system.

"The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector," the organization pointed out.

"Event logs can only support damage investigations and attribution, but in situations where a lot of information is deleted or encrypted, investigating everything that could be useful may provide some good insights," Nakamura concluded. The compiled document also details logs associated with Midas, BadRabbit, Bisamware, Shade, GandCrab, AKO, AvosLocker, BlackBasta, and Vice Society ransomware.
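As an added illustration (not code from JPCERT/CC or the article), the following script applies the two patterns described above to a constructed event timeline: a burst of event IDs 10000/10001 within a short window, and the presence of backup-related IDs 612/524/753. The burst threshold and window size are assumptions chosen for the example; the report does not specify them.

```python
from collections import deque
from datetime import datetime, timedelta

# Event IDs named in the JPCERT/CC findings summarised above.
RESTART_MANAGER_IDS = {10000, 10001}  # Conti / Akira / LockBit3.0: burst of app-close events
BACKUP_IDS = {612: "scheduled backup cancelled",  # Phobos / 8base
              524: "system catalog deleted",
              753: "backup started"}

# Thresholds are assumptions for this example, not figures from the report.
BURST_COUNT = 20
BURST_WINDOW = timedelta(seconds=60)


def detect_restart_manager_burst(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Return (first, last) timestamps of the first window holding >= count
    10000/10001 events, or None if no such burst exists. events: (datetime, event_id)."""
    times = sorted(t for t, eid in events if eid in RESTART_MANAGER_IDS)
    recent = deque()
    for t in times:
        recent.append(t)
        while recent and t - recent[0] > window:  # drop events older than the window
            recent.popleft()
        if len(recent) >= count:
            return recent[0], t
    return None


def detect_backup_tampering(events):
    """Return the backup-related IDs (612/524/753) seen, in order of first appearance."""
    seen = []
    for _, eid in sorted(events):
        if eid in BACKUP_IDS and eid not in seen:
            seen.append(eid)
    return seen


def classify(events):
    """Map the observed patterns to the ransomware families the report associates with them."""
    hints = []
    if detect_restart_manager_burst(events):
        hints.append("Conti-family indicator (Conti/Akira/LockBit3.0): burst of 10000/10001")
    tampering = detect_backup_tampering(events)
    if tampering:
        hints.append("Phobos-family indicator (Phobos/8base): " + ", ".join(BACKUP_IDS[e] for e in tampering))
    return hints


# Constructed sample timeline: 25 app-close events in under a minute, then backup tampering.
T0 = datetime(2024, 10, 1, 3, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=2 * i), 10000 + (i % 2)) for i in range(25)]
SAMPLE_EVENTS += [(T0 + timedelta(minutes=5), 612), (T0 + timedelta(minutes=5, seconds=3), 524)]

if __name__ == "__main__":
    for hint in classify(SAMPLE_EVENTS):
        print(hint)
```

On a live host the same checks would be fed from the Application log (for example via Get-WinEvent) rather than the constructed list.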

This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 01 Oct 2024 11:13:07 +0000

