EN
EN DE
EN
EN DE
Contact Us
Sign Up
Topics
Finance & insurance
Trade
Industry
IT & Consulting
Tourism
Transport
Law
Public

JPCERT shares Windows Event Log tips to detect ransomware attacks

0
Share:

Japan’s Computer Emergency Response Center (JPCERT/CC) has shared tips on detecting different ransomware gang’s attacks based on entries in Windows Event Logs, providing timely detection of ongoing attacks before they spread too far into a network.

JPCERT/CC says the technique can be valuable when responding to ransomware attacks, and identifying the attack vector among various possibilities is crucial for timely mitigation.

Finding ransomware traces in Event Logs

The investigation strategy proposed by JPCERT/CC covers four types of Windows Event Logs: Application, Security, System, and Setup logs.

These logs often contain traces left behind by ransomware attacks that could reveal the entry points used by the attackers and their “digital identity.”

Here are some examples of ransomware traces highlighted in the agency’s report:

  • Conti: Identified by many logs related to the Windows Restart Manager (event IDs: 10000, 10001).
    RestartManage notifications from Conti-based encryptors
    RestartManage notifications from Conti-based encryptors
    Source: JPCERT/CC

    Similar events are generated by Akira, Lockbit3.0, HelloKitty, Abysslocker, Avaddon, Bablock, and other malware created from Lockbit’s and Conti’s leaked encryptor.

  • Phobos: Leaves traces when deleting system backups (event IDs: 612, 524, 753). Similar logs are generated by 8base and Elbie.
  • Midas: Changes network settings to spread infection, leaving event ID 7040 in logs.
  • BadRabbit: Records event ID 7045 when installing an encryption component.
  • Bisamware: Logs a Windows Installer transaction’s start (1040) and end (1042).
Bisamware ransomware logs
Characteristic Bisamware ransomware logs
Source: JPCERT/CC

JPCERT/CC also notes that seemingly unrelated ransomware variants such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society, leave behind very similar traces (event IDs: 13, 10016).

Both errors are caused by a lack of permissions when accessing COM applications to delete Volume Shadow Copies, which ransomware typically deletes to prevent easy restoration of encrypted files.

ADVERTISING

It’s important to note that no detection method should be taken as a guarantee for adequate protection against ransomware, but monitoring for specific logs can prove game-changing when combined with other measures to detect attacks before they spread too far into a network.

JPCERT/CC notes that older ransomware strains such as WannaCry and Petya did not leave traces in Windows logs, but the situation has changed on modern malware, so the technique is now considered effective.

In 2022, SANS also shared a guide on detecting different ransomware families using Windows Event Logs.

Bill Toulas

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
1:35 am, Jun 25, 2025
weather icon 18°C
L: 17° | H: 19°
few clouds
Humidity: 83 %
Pressure: 1012 mb
Wind: 11 mph WSW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 20%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:44 am
Sunset: 9:21 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
17° | 19°°C 0 mm 0% 10 mph 84 % 1013 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
17° | 25°°C 1 mm 100% 15 mph 79 % 1018 mb 0 mm/h
Fri Jun 27 10:00 pm
weather icon
16° | 28°°C 0 mm 0% 14 mph 65 % 1022 mb 0 mm/h
Sat Jun 28 10:00 pm
weather icon
17° | 29°°C 0 mm 0% 11 mph 80 % 1024 mb 0 mm/h
Sun Jun 29 10:00 pm
weather icon
19° | 33°°C 0 mm 0% 7 mph 79 % 1024 mb 0 mm/h
Today 4:00 am
weather icon
17° | 18°°C 0 mm 0% 7 mph 84 % 1012 mb 0 mm/h
Today 7:00 am
weather icon
17° | 17°°C 0 mm 0% 7 mph 82 % 1012 mb 0 mm/h
Today 10:00 am
weather icon
24° | 24°°C 0 mm 0% 6 mph 57 % 1013 mb 0 mm/h
Today 1:00 pm
weather icon
26° | 26°°C 0 mm 0% 6 mph 38 % 1012 mb 0 mm/h
Today 4:00 pm
weather icon
29° | 29°°C 0 mm 0% 10 mph 36 % 1010 mb 0 mm/h
Today 7:00 pm
weather icon
27° | 27°°C 0 mm 0% 8 mph 39 % 1009 mb 0 mm/h
Today 10:00 pm
weather icon
23° | 23°°C 0 mm 0% 4 mph 54 % 1009 mb 0 mm/h
Tomorrow 1:00 am
weather icon
20° | 20°°C 0 mm 0% 6 mph 70 % 1010 mb 0 mm/h
Weather from OpenWeatherMap
Name Price24H (%)
Bitcoin(BTC)
€91,456.50
0.90%
Ethereum(ETH)
€2,111.21
1.88%
Tether(USDT)
€0.86
-0.02%
XRP(XRP)
€1.89
2.00%
Solana(SOL)
€125.73
1.50%
USDC(USDC)
€0.86
0.01%
Dogecoin(DOGE)
€0.142636
1.45%
Shiba Inu(SHIB)
€0.000010
1.08%
Pepe(PEPE)
€0.000009
1.96%
Risikomonitor
Know and monitor IT vulnerabilities with just one click before it is too late.

Utility link

Useful link

Newsletter

Follow Us

Facebook Twitter Youtube Linkedin

© 2025 risikomonitor.com gmbh

Scroll to Top