Analysing A Ransomware Attack

March 10, 2023

Ransomware attacks have become a common threat in today’s digital age, and they can cause significant damage to individuals and organisations. In a ransomware attack, the attacker gains unauthorised access to a computer system, encrypts the data, and demands payment in exchange for the decryption key. Analysing a ransomware attack is a complex task that requires a deep understanding of the attack’s technical details.

In this blog post, we will discuss how log analysis can be done to analyse a ransomware attack.

Identifying The Infected Machine

The first step in analysing a ransomware attack is to identify the infected machine. In most cases, the victim will report the attack to the IT department, which will help in identifying the infected machine. However, if the victim fails to report the attack, the IT department may use various tools such as intrusion detection systems (IDS), firewall logs, network traffic analysis tools, endpoint detection and response (EDR) solutions, security information and event management (SIEM) solutions, threat intelligence platforms, or deception technology to identify the infected machine.

Collecting Logs

After identifying the infected machine, the next step is to collect the relevant logs to understand the technical details of the ransomware attack. Here are some log locations and event IDs to look for:

Windows - The following logs are useful in analysing ransomware attacks on Windows machines

  • Application Log: system32\winevt\Logs\Application.evtx (Event IDs: 1000, 1001, 1002, 1005, 1007) - System Log: system32\winevt\Logs\System.evtx (Event IDs: 41, 1102, 4624, 4625, 7045, 8004) - Security Log: system32\winevt\Logs\Security.evtx (Event IDs: 4624, 4648, 4670, 4688, 4697, 4698, 4702, 4703, 4720, 4722, 4723, 4724, 4725, 4726, 4735, 4737, 4740, 4741, 4742, 4743, 4756, 4767, 4768, 4776, 4798, 4799, 4985, 5152, 5154, 5155)
  • Registry: Ransomware often modifies the registry to persist on the system. Look for changes in the following registry keys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • Network Logs: Check firewall logs and network traffic analysis tools to identify suspicious network traffic to and from the infected machine.

Linux - The following logs are useful in analysing ransomware attacks on Linux machines

  • /var/log/auth.log contains information about authentication attempts and system authorization mechanisms.
  • /var/log/syslog contains general system logs, including kernel messages, system daemons, and user-level applications.
  • /var/log/apache2/access.log and /var/log/apache2/error.log contain Apache web server logs, which can be helpful in determining if the ransomware is spreading through web-based attacks
  • /var/log/mysql/error.log contains MySQL database server logs, which can be helpful in determining if the ransomware is exploiting database vulnerabilities

It’s important to collect as much logs as possible, to understand the scope of the ransomware attack. These logs can be used to determine the entry point of the ransomware, the lateral movement of the malware, and the extent of data loss. Once the logs have been collected, they can be analyzed to understand the technical details of the ransomware attack.

Analysing the Logs

After collecting the logs, the next step is to analyse them to understand the attack’s technical details. The analysis should start with the system logs, which will help in identifying the type of ransomware and the files that were encrypted. The analysis should then move to the application logs, which will help in identifying the applications that were running at the time of the attack. The security logs should be analysed to identify the attacker’s IP address, the method used to gain unauthorised access to the machine, and any attempts to cover their tracks. The network logs should be analysed to identify any unusual network traffic, such as connections to known command and control servers used by the attacker.

Remediation

After analysing the logs, the final step is to remediate the attack. Remediation includes removing the ransomware from the infected machine, restoring the encrypted files from backups, and implementing security measures to prevent future attacks.

Now, let’s do some actual work ...

While conducting log analysis, sometimes the amount of log data can be overwhelming, making it difficult to manually review each entry. To address this challenge, focus on identifying any data exfiltration attempts by leveraging several log analysis techniques. One approach is to search for all IP addresses present in the log files. Use the following bash command to search for IP addresses across all log files.


grep -Ehri -o "([0-9]{1,3}\.){3}[0-9]{1,3}"| sort -u

In addition, search for any keyword that appeared to be suspicious or out of the ordinary. This helps to further narrow down potential sources of a ransomware attack or data exfiltration attempt. As ransomware attacks are often not targeted, identifying suspicious activity associated with an IP address can help to pinpoint potential sources of a security threat. To achieve this, you can use the abuseipdb platform. and check for any reported abuse associated with the identified IP addresses.

As you might have a lot of IP addresses to investigate, manually checking each IP through the website is not feasible. Instead, you can use the abuseipdb API to quickly and efficiently retrieve information for each IP address.

By cross-referencing the IP addresses identified through my log analysis with reported abuse incidents on abuseipdb, you will be able to gain a deeper understanding of any potential security threats associated with the IP addresses. This helps to inform further investigation and response efforts.

AbuseIPDB API Check


curl -G https://api.abuseipdb.com/api/v2/check \
  --data-urlencode "ipAddress=118.25.6.39" \
  -d maxAgeInDays=90 \
  -d verbose \
  -H "Key: YOUR_OWN_API_KEY" \
  -H "Accept: application/json"

To automate the process of retrieving abuse reports for the identified IP addresses, here is a simple Bash script that leverages a for loop to read each IP address from a text file and pass it to the abuseipdb API for analysis.


for x in $(cat ip.txt); do for x in $(cat ip.txt); do curl -s -G 'https://api.abuseipdb.com/api/v2/check' --data-urlencode 'ipAddress=118.25.6.39' -H "Key: $ABUSEIP_KEY" -H 'Accept: application/json' | jq; done; done

Note: As a best practice, export the ABUSEIPDB key as a variable named “$ABUSEIP_KEY”. This allows to easily reference the key throughout the analysis, without the need to repeatedly type it out or hard code it into my scripts.

To further improve the efficiency of log analysis, we have created a tool that simplifies the abuse IP lookup process using the ABUSEIPDB API request method. This tool streamlines the process of analyzing large volumes of logs, making it easier to identify potential security threats quickly and efficiently.

If you’re interested in learning more about this tool or would like to use it to improve your own log analysis process, you can access it from the following repo:

https://github.com/enciphers/abuseiplookup

To further streamline the abuse report retrieval process and ensure that only the most relevant information is analysed, use the jq command to filter the output of the abuseipdb API requests. By specifying a filter to only show IP addresses with a 100% abuse confidence rating. The script was able to quickly and efficiently identify any IP addresses that were most likely to be associated with security threats. This helped to reduce the amount of time and effort required to manually review each IP address, while also ensuring that the most critical information was prioritised.


jq '.data | select(.abuseConfidenceScore == 100) | {ipAddress: .ipAddress, abuseConfidenceScore: .abuseConfidenceScore, domain: .domain, hostnames: .hostnames, countryCode: .countryCode, usageType: .usageType}'

Once we had identified IP addresses with a 100% abuse confidence rating, the next step is to investigate all activity associated with those IP addresses across the entire log data set. To do this, use the grep command to search for every file containing the specified IP address. By doing so, you will be able to quickly identify any log entries that were associated with the identified IP addresses, providing greater insight into potential security threats.

As the screenshot shows, utilising the grep command to search for log entries associated with identified IP addresses allowed us to quickly identify all attempts made by the IP to brute force SSH. This same approach can be applied to other keywords, services, and port numbers, enabling an even more comprehensive analysis of log data. By leveraging grep and other powerful command-line tools, log analysis can be performed quickly and efficiently.

Beauty of Grep

One important observation to note while using the grep command is that the output includes the filename with line number and the searched keyword. This information helps in locating the specific log file and the line number where the suspicious activity occurred. It is an essential part of log analysis as it allows the investigator to pinpoint the exact location of the attack and gather relevant data for further analysis.

  1. FileName
  2. Line Number
  3. Grep Keyword.

Conclusion

In conclusion, analysing a ransomware attack requires a comprehensive understanding of the technical details of the attack, and log analysis plays a crucial role in this process. By following the steps outlined in this post, organisations can identify the infected machine, collect relevant logs, and analyse them to gain a better understanding of the attack. The use of powerful command-line tools like grep, sed, and awk can significantly simplify the log analysis process, allowing security professionals to quickly and efficiently identify suspicious activity and potential security threats.