
Detecting & Preventing Ransomware Through Log Management

This blog post is part of Graylog’s 2020 Must Reads series. 

As companies responded to the COVID-19 pandemic with remote work, cybercriminals stepped up their social engineering and ransomware attack methodologies. Ransomware, malicious code that automatically downloads to a user’s device and locks it from further use, has been rampant since the beginning of March 2020. According to a 2020 report by Bitdefender, ransomware attacks increased seven times year-over-year compared to 2019. Cybercriminals take advantage of end-users’ fears over the coronavirus pandemic to trick them into clicking on malicious links or downloads, ultimately leaving corporate networks vulnerable to ransomware. Detecting ransomware through log management offers you one way to protect your systems, networks, devices, and applications for continued data security.


While ransomware has been around for almost as long as the internet, organizations remain vulnerable because cybercriminals employ two strategies as part of a ransomware attack.


Cybercriminals flood companies with phishing emails and hope that at least one person will click on the malicious link or download the malicious file. With people’s nerves on edge during a pandemic, the number of successful attacks should not be surprising. Emails that hint at new vaccines or new upticks in local COVID cases prey on people’s emotions. In fact, according to one article, IBM saw a 6,000% increase in spam attacks that leveraged COVID-19, many targeting healthcare facilities.


Once an end-user clicks the malicious link or downloads the file, the ransomware automatically executes on the device. Since ransomware downloads and installs without the “wizard” style setup associated with enterprise software, users rarely realize that they have compromised their devices.


Once an end-user clicks the link or downloads the malicious file, the ransomware installs on the device. Many times, the ransomware code uses “safe” software installers to execute. If you accidentally download the ransomware code and then install a new web browser on your device, the ransomware code will use the “legitimate” installer to execute.


If you’ve installed a new browser on a laptop, you might remember seeing the notification: “this software was downloaded from the internet.” The goal of this notification is to prevent you from auto-installing potentially malicious code, such as ransomware. 

Once installed, the ransomware embeds itself into the device’s registry, hiding where a user may not know to look.


Ransomware may download into a device’s registry or library as an application but not show up on the list of known applications, which means that the user has no idea the ransomware is active. 

Once running, the ransomware sends information to a Command and Control (C&C) server. Cybercriminals control the C&C server, using it to give the infected device directions or encrypt its data.

Most ransomware uses both asymmetric and symmetric encryption. With symmetric encryption, the same encryption key that “locks” the data also “unlocks” it. With asymmetric encryption, the key that “locks” the data is different from the one that “unlocks” it. In other words, symmetric encryption is like having a single key that locks your front door from both the inside and the outside. Asymmetric encryption uses one key to lock the door from the outside and a different key to lock it from the inside.

The device sends information, such as operating system details or IP address, to the C&C server. Now that the C&C server knows the device location and operating system, it can send the encryption keys necessary for completing the attack. Once the device receives the encryption key and encrypts the data, the end-user cannot decrypt the information without the corresponding decryption key.


Because the infected device needs to connect to the C&C server, you can detect a potential ransomware attack by monitoring network traffic. C&C servers need to connect to the device to carry out their attacks. As the device and C&C server “talk” to one another, they increase your network traffic.


If you’re looking to enhance your ransomware detection with log management, you want to think about:

  • Web proxy logs: if your organization uses a web traffic filtering proxy, you may be able to detect traffic related to the device-to-C&C communication.
  • Email logs: some C&C communications occur via email, so looking at email metadata can help detect ransomware.
  • Firewall logs: although firewalls generally block malicious traffic, monitoring these logs gives visibility into the infected device’s attempts to connect to the C&C server.
  • NetFlow records: these provide information about how a network device sends data, including packet loss and traffic congestion, which can highlight internal points being used to reach out to the C&C server.
  • Intrusion Detection System (IDS): these detect anomalous network traffic and compare it to a known threat database.
  • Intrusion Prevention System (IPS): these provide visibility into potentially dangerous packets and deny access to the network if the packets are known to be linked to a security threat.


Although none of these logs individually will give you the whole picture, a holistic approach to log management can help detect a ransomware attack or provide the necessary forensic evidence.


When looking to leverage log management as a ransomware detection strategy, you need to aggregate all logs in a centralized location so that you can correlate the data. Since the logs come from different data sources, you need to standardize the information gathered, including file type and data formatting.

Additionally, managing log events can become overwhelming at the enterprise level, particularly as employees increasingly connect their personal devices to corporate resources. Collecting log data and aggregating it into a security information and event management (SIEM) system can help streamline the detection process.


With Graylog, companies can aggregate logs in a centralized location. Our platform gives customers the ability to define internal “teams,” reducing noise by providing only the logs that group needs to complete its job function.


For example, organizations can set up a “Security” team with visibility into firewalls, endpoint security, web proxies/gateways, DNS, and server logs. Our platform also helps correlate data from different log events, creating a single location for storing all documentation necessary to detect a ransomware attack. With Graylog, you no longer have to decide which logs to collect. Since some log messages are more critical than others, especially when it comes to a ransomware attack, Graylog’s correlation engine can correlate these logs into defined categories, called events, which are usually a small percentage of your total log volume. These correlated events contain all of the critical logs and message types that should be part of your security alerting scheme and should have extended retention periods for compliance, long-term auditing, and threat research.

It can sometimes take many different events in a particular order or timeframe to warrant an analyst’s attention. That is the correlation engine’s job. Graylog monitors all the logs as they enter the system and, based on the defined event and alert rules, takes the logs of interest and moves them out of the noise into their own Elasticsearch index. With the high-value logs in their own index, you can run queries on those events to see if there is a pattern of activity or lack of activity. This can significantly reduce the amount of time required to detect a ransomware attack.
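As an added example (not code from this post or from Graylog), the following script shows the kind of timeframe correlation described above applied to the C&C check-in traffic discussed earlier: proxy and firewall events from different sources are normalized into one schema, then any internal host that contacts the same external address at near-constant intervals is flagged. The hosts, addresses and log line format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (hypothetical hosts and addresses): proxy and firewall events
# already normalized to one schema, which is the standardization step the post calls for.
SAMPLE_LOGS = """\
2020-04-02T09:00:00 proxy src=10.1.4.23 dst=198.51.100.7 bytes=412 action=allow
2020-04-02T09:05:01 proxy src=10.1.4.23 dst=198.51.100.7 bytes=398 action=allow
2020-04-02T09:10:00 proxy src=10.1.4.23 dst=198.51.100.7 bytes=405 action=allow
2020-04-02T09:15:02 proxy src=10.1.4.23 dst=198.51.100.7 bytes=410 action=allow
2020-04-02T09:20:00 firewall src=10.1.4.23 dst=198.51.100.7 bytes=0 action=deny
2020-04-02T09:03:11 proxy src=10.1.4.50 dst=203.0.113.20 bytes=15233 action=allow
2020-04-02T09:07:45 proxy src=10.1.4.50 dst=203.0.113.20 bytes=2210 action=allow
2020-04-02T09:31:02 proxy src=10.1.4.50 dst=203.0.113.20 bytes=88120 action=allow
2020-04-02T09:47:05 proxy src=10.1.4.50 dst=203.0.113.20 bytes=640 action=allow
"""

LINE_RE = re.compile(r"(\S+) (\w+) src=(\S+) dst=(\S+) bytes=(\d+) action=(\w+)")

def parse(text):
    """Turn each log line into one event dict; lines that do not fit the schema are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, source, src, dst, nbytes, action = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": source, "src": src,
                           "dst": dst, "bytes": int(nbytes), "action": action})
    return events

def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals, whatever the log source.
    max_jitter bounds the standard deviation of the gaps as a fraction of their mean."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        if len(evs) < min_hits:
            continue
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # regular check-ins, not browsing
            alerts.append({"src": src, "dst": dst, "hits": len(evs), "interval_s": round(avg),
                           "sources": sorted({e["source"] for e in evs}),
                           "firewall_denies": sum(e["action"] == "deny" for e in evs)})
    return alerts
```

On the sample, the first workstation is flagged because it reaches the same address every five minutes across both the proxy and the firewall (including the later blocked attempt), while the second host's irregular browsing to one site is left alone.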
