SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Ransomware attacks on organizations disrupt their day-to-day operations and cause significant inconvenience, especially when those organizations provide critical services to the public. With the increasing number of ransomware attacks, it is of paramount importance to identify the ransomware's characteristics during the preliminary investigation stage. This is critical in a heavily networked infrastructure: even after ransomware has been detected on one system, it could still spread to other systems on the network or continue residing in them. The identification has to be done quickly to prevent the spread or other similar attacks.

Using the newest operating system, Windows 11, with its built-in Microsoft Defender Antivirus, 37 ransomware variants from different families were tested. The Windows Event logs generated by each run were forwarded to a centralized log server and analyzed for the entries produced during detection, removal, successful execution, or other behaviour. In summary, 28 of the 37 variants were detected by Microsoft Defender and generated event logs with Event ID 1116 and 1117 containing critical information such as signature name, path, detection name, and user. The remaining 9 variants were undetected and generated logs with Event ID 1, 1000 or 1109, where the sample either crashed (1 variant), could not run due to compatibility issues (4 variants), hit a memory issue (1 variant), or executed and encrypted files successfully (3 variants).

These findings are useful to forensic investigators during triage: they can focus on these event logs to get the information needed to track down the origin and path of the ransomware, and to scan the network for other devices where the ransomware may still reside after a failed execution. The information would also aid the post-investigation phase, where teams such as the Security Information and Event Management (SIEM) team can use it to learn more about the ransomware and build use cases for early detection and prevention by Security Operations Centers (SOCs).
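As an added illustration of the triage approach described above (example code written for this page, not from the paper), the script below sorts forwarded Windows Event XML records into Defender detections (Event ID 1116/1117, pulling the threat name, path and user) and undetected-sample indicators (Event ID 1, 1000, 1109) that warrant a closer look. The "Data Name" field names and the sample records are assumptions constructed for the example; check them against your own event exports.

```python
import xml.etree.ElementTree as ET
# Event IDs the study observed, grouped by outcome.
DEFENDER_DETECTION_IDS = {1116, 1117}    # Defender detected / acted on the sample
UNDETECTED_SAMPLE_IDS = {1, 1000, 1109}  # crash, incompatibility, memory issue, or ran
# Defender "Data Name" fields to extract (names assumed; adjust to your export).
DEFENDER_FIELDS = ("Threat Name", "Path", "Detection User")

def _strip_ns(root):
    """Drop XML namespaces so exported Event XML can be queried by bare tag."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root

def parse_event(xml_text):
    """Return (event_id, computer, {data name: value}) for one event record."""
    root = _strip_ns(ET.fromstring(xml_text))
    event_id = int(root.findtext("./System/EventID"))
    computer = root.findtext("./System/Computer", default="")
    data = {d.get("Name"): (d.text or "") for d in root.findall("./EventData/Data")}
    return event_id, computer, data

def triage(records):
    """Split forwarded records into Defender detections, undetected-sample
    indicators that need a closer look, and a count of everything else."""
    detections, needs_review, ignored = [], [], 0
    for xml_text in records:
        event_id, computer, data = parse_event(xml_text)
        if event_id in DEFENDER_DETECTION_IDS:
            detections.append({"event_id": event_id, "computer": computer,
                               **{k: data.get(k, "") for k in DEFENDER_FIELDS}})
        elif event_id in UNDETECTED_SAMPLE_IDS:
            needs_review.append({"event_id": event_id, "computer": computer})
        else:
            ignored += 1
    return detections, needs_review, ignored

# Constructed sample records (not from the paper) in Windows Event XML shape.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
    <Provider Name="Microsoft-Windows-Windows Defender"/><EventID>1116</EventID>
    <Computer>WS01</Computer></System><EventData>
    <Data Name="Threat Name">Ransom:Win32/Sample.A</Data>
    <Data Name="Path">file:_C:\\Users\\alice\\Downloads\\invoice.exe</Data>
    <Data Name="Detection User">WS01\\alice</Data></EventData></Event>""",
    """<Event><System><EventID>1000</EventID><Computer>WS02</Computer></System>
    <EventData><Data Name="AppName">sample.exe</Data></EventData></Event>""",
    """<Event><System><EventID>4624</EventID><Computer>WS02</Computer></System>
    <EventData/></Event>""",
]
```

Running `triage(SAMPLE_EVENTS)` yields one detection record (host, threat name, path, user), one 1000-series record flagged for review, and one unrelated event ignored; the same function can be pointed at a bulk export from the central log server.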