Taking a look at the Windows event log can reveal whether you have been the victim of a cyber attack


The event log is a basic tool built into Windows 10 and 11. As its name indicates, it records the processes and activities that the system or a program carries out and lets you review them afterwards.

Although people who are not computer experts will probably not understand much of what they see on screen when they open the event log, knowing a little about what each entry refers to can help you get an idea of how the computer is working and whether, for example, some program is misusing resources.

But not only that. Taking a look at the event log can also be used to hunt down a cyber attack if we are the target of one, as the Japan Computer Emergency Response Center (JPCERT/CC) recently pointed out.

This Japanese institution has shared a list of tricks to catch malware red-handed while it tries to enter our system without permission. These tricks are simply entries, or event IDs, in the event log that we can learn so that, if we recognize them in our own log, we realize that something is wrong.

As the Center indicates, some older malware such as WannaCry or Petya was capable of leaving no trace in the event log, so this technique was not effective against it. Nowadays, however, it is very rare for an attack to leave no trace in the event log, so reviewing it has become a more useful habit in terms of cybersecurity.


The study shared by JPCERT analyzes four types of Windows event logs: the application log, the security log, the system log, and the setup (configuration) log. These logs often contain traces left by ransomware attacks, which can reveal the entry points used by the attackers and their “digital identity.”

Modern ransomware such as Akira, LockBit3.0, HelloKitty, Abysslocker, Avaddon or Bablock leaves traces in the Windows event log similar to those we discuss below.

breadcrumbs

The traces in the event log (the breadcrumbs that cybercriminals drop along with their malware) that the JPCERT report highlights are the following, with the name of each ransomware family listed first:

  • Conti: when Conti is run, a large number of related events (event IDs 10000, 10001) are recorded in a short period of time.
  • Phobos: leaves traces when deleting system backups (event IDs 612, 524, 753). 8base and Elbie generate similar events.
  • Midas: changes network settings to spread the malware, leaving event ID 7040 in the log.
  • BadRabbit: logs event ID 7045 when installing an encryption component.
  • Bisamware: records the start (1040) and end (1042) of a Windows Installer transaction.
  • Shade, GandCrab, AKO, AvosLocker, BLACKBASTA and Vice Society leave very similar traces (event IDs 13, 10016), as can be seen in the following image.
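As an added example (not code from the article or from JPCERT), the following PowerShell script sweeps the four event logs named above for the event IDs listed in the report and warns when the Restart Manager events associated with Conti occur in a burst. The one-week lookback, the burst threshold of 20 events in 5 minutes, and the decision to search all four logs (the article does not say which log each ID belongs to) are assumptions.

```powershell
# Added example, not from the article or the JPCERT report.
# Event ID -> ransomware family, copied from the list in the article.
$Indicators = @{
    10000 = 'Conti (burst of 10000/10001)'; 10001 = 'Conti (burst of 10000/10001)'
    612   = 'Phobos / 8base / Elbie (backup deletion)'
    524   = 'Phobos / 8base / Elbie (backup deletion)'
    753   = 'Phobos / 8base / Elbie (backup deletion)'
    7040  = 'Midas (network setting change)'
    7045  = 'BadRabbit (encryption component installed)'
    1040  = 'Bisamware (Windows Installer transaction start)'
    1042  = 'Bisamware (Windows Installer transaction end)'
    13    = 'Shade / GandCrab / AKO / AvosLocker / BLACKBASTA / Vice Society'
    10016 = 'Shade / GandCrab / AKO / AvosLocker / BLACKBASTA / Vice Society'
}
$Logs      = @('Application', 'Security', 'System', 'Setup')  # the four logs in the report
$Since     = (Get-Date).AddDays(-7)      # assumption: one-week lookback
$BurstSize = 20                          # assumption: 20+ events ...
$BurstSpan = New-TimeSpan -Minutes 5     # ... within 5 minutes counts as a burst

# The Security log needs an elevated shell; logs without rights or matches are skipped.
$events = foreach ($log in $Logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = [int[]]$Indicators.Keys; StartTime = $Since } `
                 -ErrorAction SilentlyContinue
}

# One row per hit, newest first, with the family the report associates with the ID.
$events | Sort-Object TimeCreated -Descending | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Log      = $_.LogName
        Id       = $_.Id
        Provider = $_.ProviderName
        Family   = $Indicators[[int]$_.Id]
    }
} | Format-Table -AutoSize

# Conti heuristic: many 10000/10001 events inside a short window.
$rm = @($events | Where-Object { $_.Id -in 10000, 10001 } | Sort-Object TimeCreated)
for ($i = 0; $i + $BurstSize - 1 -lt $rm.Count; $i++) {
    $first = $rm[$i].TimeCreated
    $last  = $rm[$i + $BurstSize - 1].TimeCreated
    if (($last - $first) -le $BurstSpan) {
        Write-Warning ("{0} Restart Manager events between {1} and {2}: review for Conti-style activity" -f $BurstSize, $first, $last)
        break
    }
}
```

A hit on one of these IDs is a prompt to look at the surrounding events, not proof of infection by itself, since legitimate installers, backup jobs and service changes produce several of the same IDs.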

To see exactly what each of these event log entries looks like, you can read the JPCERT post titled “The event log speaks volumes: how to identify human-operated ransomware through Windows event logs”, where each of these ransomware families is accompanied by images similar to what you would see in your own log if you were affected by one of them.

Remember that merely identifying these traces will not free you from their effects; therefore, make sure you have a capable antivirus tool running.
