Ransomware Investigation in Windows Event Logs

A ransomware attack leaves more evidence than the attacker realizes. Windows event logs capture initial access (phishing or RDP abuse), reconnaissance (PowerShell AD enumeration, LSASS access for credential dumping), lateral movement (RDP Logon Type 10 chains, PsExec service installations, WMI execution), persistence (Event 7045 service creations and Event 4698 scheduled tasks) and detonation signatures (shadow copy deletion via vssadmin.exe, mass file modification, ransom note creation). This guide walks the five-stage timeline with specific Event IDs at each stage. Sherlock Forensics Universal Events Viewer Forensic Edition at $97 lifetime produces court-ready PDF reports with chain of custody for cyber insurance and litigation deliverables.

A ransomware attack leaves more evidence than the attacker realizes. Even when the operator runs sophisticated tooling, encrypts files, drops a ransom note and deletes shadow copies, the Windows event logs almost always retain enough signal to reconstruct the attack timeline. The challenge is reading the logs in the few hours or days after detection when the data is most actionable.

This guide is for the IR responder, MSP security lead or forensic examiner reconstructing a ransomware attack from event logs. It covers what to look for, in what order and how to produce a defensible report for executive leadership, the cyber insurance carrier or law enforcement.

The Ransomware Investigation Timeline

A typical ransomware attack runs through five stages, each leaving distinct event log signatures:

  1. Initial Access: the attacker gains entry to the environment, usually via phishing, exposed RDP or an exploited public-facing application
  2. Reconnaissance and Credential Access: the attacker maps the network and harvests credentials
  3. Lateral Movement: the attacker spreads from the initial foothold to high-value targets
  4. Persistence and Privilege Escalation: the attacker secures their access and elevates privileges
  5. Detonation: the attacker executes the ransomware payload, encrypts files, deletes backups and drops the note

The forensic examination walks the timeline in order, identifying the signatures at each stage and tying them to specific event IDs and timestamps.

Stage 1: Initial Access Signatures

Phishing-related execution. Office documents (Word, Excel) spawning PowerShell, cmd.exe or wscript.exe are high-confidence indicators of malicious macro execution. Sysmon Event 1 (process create) shows the parent-child relationship; winword.exe spawning powershell.exe is rarely benign.

Exposed RDP abuse. Successful logon (Event 4624) from an unusual source IP, especially from a country the legitimate user does not access from, is the signature. Logon Type 10 (RemoteInteractive, i.e., RDP) outside the user's normal hours and source locations is the pattern to flag. Failed logon spikes (Event 4625) preceding the success suggest credential stuffing or password guessing.

Exploited public-facing application. Web server or VPN gateway logs typically show the initial exploitation, not Windows event logs. The Windows logs pick up the attacker's behavior after they've established a foothold.

Patient zero identification. The earliest Sysmon Event 1 showing a non-Microsoft process executing on the system is often patient zero. Working backward from a known indicator (encrypted file, malicious binary) through process-create events identifies the first malicious execution.

Stage 2: Reconnaissance and Credential Access Signatures

Active Directory enumeration. PowerShell scripts containing Get-ADUser, Get-ADComputer, Get-ADGroupMember or LDAP query commands. PowerShell Event 4104 (script block logging) captures the exact commands if PowerShell logging is enabled. Modules like BloodHound's collectors leave distinctive patterns.

SMB share enumeration. Event 5145 (network share access detail) shows shares accessed, by whom, with what permissions. Bursts of share access from a single source workstation are notable.

Credential dump tooling. Sysmon Event 1 showing a non-Microsoft process targeting lsass.exe is high-confidence. Mimikatz family tools leave distinctive command-line signatures even when renamed. Procdump.exe targeting lsass.exe (a known living-off-the-land technique) is well documented in ATT&CK T1003.001.

Pass-the-hash / pass-the-ticket signatures. Event 4624 with Logon Type 9 (NewCredentials) showing an unusual authentication pattern. Kerberos service ticket requests (Event 4769) for unusual service principals.

Stage 3: Lateral Movement Signatures

RDP to internal systems. Event 4624 Logon Type 10 from one internal workstation to another. Working from patient zero outward, each subsequent system shows a 4624 originating from the previous system in the chain.

WMI execution. WMI is heavily abused for lateral movement because it does not require an interactive logon on the target. WMI-related Sysmon events and Microsoft-Windows-WMI-Activity logs show the execution pattern.

PsExec and similar tooling. Service installation (Event 7045) with service path containing PSEXESVC or similar markers. Sysmon Event 1 showing the PsExec parent-child relationship.

SMB-based file transfer. Bursts of Event 5145 across multiple systems, paired with Sysmon file-creation events (Event 11) on the destination systems, show the attacker staging tooling across the environment.
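The RDP chain reconstruction described above (each 4624 Logon Type 10 originating from the previous system in the chain), as an added example that is not code from the article or from Sherlock Forensics. The record shape, the host-to-IP map and the sample logons are constructed assumptions; the walk only accepts a hop that occurs after its source host was itself reached, so an administrator's earlier legitimate RDP session from the same host is not counted.

```python
# Added example, not code from the article or from Sherlock Forensics: walks Security 4624
# Logon Type 10 records outward from patient zero. Record shape and the host-to-IP map are
# assumptions; the sample logons are constructed.
from collections import deque
from datetime import datetime

def rdp_hops(events, ip_of_host, patient_zero):
    """Breadth-first chain build: a host counts as reached only by a Type 10 logon whose
    source IP belongs to a host already reached, and only after that source was reached.
    Returns (source_host, target_host, time, user) hops sorted by time."""
    host_of_ip = {ip: host for host, ip in ip_of_host.items()}
    logons = sorted((e for e in events if e["EventID"] == 4624 and e["Data"].get("LogonType") == "10"),
                    key=lambda e: e["TimeCreated"])
    reached_at, queue, hops = {patient_zero: datetime.min}, deque([patient_zero]), []
    while queue:
        src = queue.popleft()
        for e in logons:
            dst, t = e["Computer"], e["TimeCreated"]
            if host_of_ip.get(e["Data"].get("IpAddress")) != src or t < reached_at[src]:
                continue  # not sourced from this host, or a session predating its compromise
            if dst not in reached_at:
                reached_at[dst] = t
                queue.append(dst)
                hops.append((src, dst, t, e["Data"].get("TargetUserName")))
    return sorted(hops, key=lambda h: h[2])

def rec(ts, computer, ip, user):  # constructed 4624 Type 10 record in the assumed export shape
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": 4624, "Computer": computer,
            "Data": {"LogonType": "10", "IpAddress": ip, "TargetUserName": user}}

IP_OF_HOST = {"WS01": "10.0.1.25", "FS01": "10.0.2.10", "DC01": "10.0.2.5", "HR01": "10.0.1.40", "ADMIN01": "10.0.3.3"}
SAMPLE = [  # constructed; WS01 is patient zero
    rec("2024-03-04T08:00:00", "FS01", "10.0.3.3", "itadmin"),   # routine admin RDP, unrelated
    rec("2024-03-04T09:30:00", "DC01", "10.0.2.10", "itadmin"),  # from FS01 before FS01 was reached
    rec("2024-03-04T10:15:00", "FS01", "10.0.1.25", "jsmith"),   # hop 1: WS01 -> FS01
    rec("2024-03-04T10:50:00", "DC01", "10.0.2.10", "jsmith"),   # hop 2: FS01 -> DC01
    rec("2024-03-04T11:10:00", "HR01", "10.0.1.25", "jsmith"),   # hop 3: WS01 -> HR01
]
```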

Stage 4: Persistence and Privilege Escalation Signatures

New service installation for persistence. Event 7045 with non-Microsoft service paths. Ransomware operators commonly install services as persistence mechanisms.

Scheduled task creation. Event 4698 with task action paths pointing to non-Microsoft binaries. Task scheduler is the most common persistence mechanism after services.

Registry run key modifications. Sysmon Event 13 (registry value set) targeting HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Less common in enterprise ransomware (operators prefer services) but seen.

Privilege escalation events. Event 4672 (special privileges assigned) outside normal patterns. Event 4732 / 4756 (member added to Administrators, Domain Admins or Backup Operators) outside change-management windows.

Account creation for backdoor access. Event 4720 (account created) where the new account does not appear in the company directory or change-management records. Often created as a hidden administrator for post-incident persistence.

Stage 5: Detonation Signatures

Shadow copy deletion. Event 1102 (audit log cleared) is rare and notable, but more specific is the use of vssadmin.exe delete shadows, wbadmin.exe delete catalog or bcdedit.exe modifications. Sysmon Event 1 captures these command-line invocations. Many ransomware families run these commands as a final pre-encryption step.

Backup destruction. Event 1102 (audit log cleared), plus targeted file deletion events against backup file extensions (.bak, .bkf, .vhd, .vmdk). Sysmon Event 11 (file create) showing ransomware-extension files appearing en masse signals encryption is underway.

Mass file modification. The single highest-confidence late-stage signal is rapid file-modification events (Sysmon Event 11 or other file-system audit events) showing the renaming or creation of files with ransomware-family extensions (.encrypted, .locked, ransomware-specific extensions). This is the literal moment of encryption.

Ransom note creation. A file named READ_ME.txt, DECRYPT_INSTRUCTIONS.html or similar appearing across multiple directories simultaneously is the ransom note. Sysmon Event 11 shows the file creations.

Anti-recovery commands. cipher /w for free-space wiping, format commands and disk-encryption (BitLocker) abuse each leave distinctive command-line signatures.

Building the Ransomware Timeline

The five-phase examination produces a timeline that an executive, board, regulator, insurance carrier or court can follow:

  1. Initial access at T+0: patient zero process creation, parent of all subsequent malicious execution.
  2. Reconnaissance at T+1 to T+N hours: credential harvesting, AD enumeration, target identification.
  3. Lateral movement at T+N to T+M: spreading from patient zero to high-value targets via RDP, WMI, PsExec, SMB.
  4. Persistence and privilege escalation at T+M to T+P: services, scheduled tasks, accounts created for ongoing access.
  5. Detonation at T+P: shadow copy deletion, mass encryption, ransom note drop.

For typical ransomware operations, the total dwell time from initial access to detonation runs from several hours (smash-and-grab operators) to several weeks (advanced persistent threat operators conducting reconnaissance and data exfiltration). The timeline length is itself evidentially relevant: short dwell suggests an opportunistic operation, long dwell suggests a targeted operation with potential data theft alongside encryption.
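The five-stage tagging and timeline build from Stages 1 through 5 above, as an added example that is not code from the article or from Sherlock Forensics. The record shape (TimeCreated, EventID, Computer, Data) is an assumption modelled on a flattened .evtx-to-JSON export, the sample case is constructed, and dwell time is measured from the first Stage 1 signature to the first Stage 5 signature.

```python
# Added example (not article or Sherlock code); record shape and sample data below are constructed assumptions.
import re
from datetime import datetime
OFFICE_SPAWN = re.compile(r"(winword|excel)\.exe$", re.I)           # Stage 1 parent process
LOLBIN_SPAWN = re.compile(r"(powershell|cmd|wscript)\.exe$", re.I)  # Stage 1 child process
ANTI_RECOVERY = re.compile(r"vssadmin\S*\s+delete\s+shadows|wbadmin\S*\s+delete\s+catalog|bcdedit|cipher\S*\s+/w", re.I)
RANSOM_NOTE = re.compile(r"\\(READ_ME\.txt|DECRYPT_INSTRUCTIONS\.html)$", re.I)

def stage_of(ev):
    """Map one record to (stage, description) using the article's signatures, or None."""
    eid, d = ev["EventID"], ev["Data"]
    cmd, image, path = d.get("CommandLine", ""), d.get("Image", ""), d.get("ImagePath", "")
    if eid == 1 and OFFICE_SPAWN.search(d.get("ParentImage", "")) and LOLBIN_SPAWN.search(image):
        return 1, "Office document spawning " + image.rsplit("\\", 1)[-1]
    if eid == 1 and "lsass" in cmd.lower():
        return 2, "LSASS targeted by " + image.rsplit("\\", 1)[-1]
    if eid == 1 and ANTI_RECOVERY.search(cmd):
        return 5, "anti-recovery command: " + cmd
    if eid == 4624 and d.get("LogonType") == "10":
        return 3, f"RDP logon from {d.get('IpAddress')} as {d.get('TargetUserName')}"
    if eid == 7045 and "PSEXESVC" in path.upper():
        return 3, "PsExec service installed"
    if eid == 7045 and not path.lower().startswith(("c:\\windows\\", "%systemroot%")):
        return 4, "non-Microsoft service: " + path
    if eid == 11 and RANSOM_NOTE.search(d.get("TargetFilename", "")):
        return 5, "ransom note " + d["TargetFilename"]
    return None

def build_timeline(events):
    """Chronological (time, stage, computer, event_id, description) rows for records with a signature."""
    hits = [(ev, stage_of(ev)) for ev in sorted(events, key=lambda e: e["TimeCreated"])]
    return [(ev["TimeCreated"], hit[0], ev["Computer"], ev["EventID"], hit[1]) for ev, hit in hits if hit]

def dwell_hours(timeline):
    """Hours from the first Stage 1 signature to the first Stage 5 signature, or None."""
    first = {row[1]: row[0] for row in reversed(timeline)}  # reversed: earliest time wins per stage
    return (first[5] - first[1]).total_seconds() / 3600 if 1 in first and 5 in first else None

def rec(ts, eid, computer, **data):  # constructed record in the assumed export shape
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": eid, "Computer": computer, "Data": data}
SAMPLE = [  # constructed sample case, not real data
    rec("2024-03-04T09:02:00", 1, "WS01", ParentImage=r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CommandLine="powershell.exe -nop -w hidden"),
    rec("2024-03-04T09:41:00", 1, "WS01", Image=r"C:\Temp\procdump.exe", CommandLine="procdump.exe -ma lsass.exe out.dmp"),
    rec("2024-03-04T10:15:00", 4624, "FS01", LogonType="10", IpAddress="10.0.1.25", TargetUserName="jsmith"),
    rec("2024-03-04T10:30:00", 7045, "DC01", ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    rec("2024-03-04T11:00:00", 7045, "DC01", ImagePath=r"C:\ProgramData\updater.exe"),
    rec("2024-03-04T11:05:00", 7045, "DC01", ImagePath=r"C:\Windows\system32\svchost.exe -k netsvcs"),  # benign, ignored
    rec("2024-03-04T13:00:00", 1, "FS01", Image=r"C:\Windows\System32\vssadmin.exe", CommandLine="vssadmin.exe delete shadows /all /quiet"),
    rec("2024-03-04T13:06:00", 11, "FS01", TargetFilename=r"D:\Shares\Finance\READ_ME.txt"),
]
```

Running build_timeline over a real export yields the stage-ordered rows the report narrative is written from; rows with the same stage on different hosts show the spread.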

Why This Matters for the Insurance and Legal Process

Ransomware investigations frequently produce deliverables for the cyber insurance carrier and outside counsel. The carrier needs the timeline and the technical details to assess coverage. Counsel needs the timeline and the chain-of-custody documentation for potential litigation against the operator or for ransomware-payment compliance (OFAC sanctions screening).

A defensible event log examination produces:

  1. Per-event SHA-256 hashes tying each surfaced event back to the source .evtx file
  2. Chain of custody documentation for the .evtx acquisition, examination and report production
  3. Court-ready PDF report with branded cover, source metadata, timeline narrative, examiner attestation
  4. Production-ready exports (CSV for the carrier's analyst, JSON for SIEM ingestion if applicable, Markdown for incident-team documentation)

Sherlock Forensics Universal Events Viewer Forensic Edition produces these in a single workflow. The five-phase analysis structure built into the product guides the examiner through the workflow above systematically.

When Sherlock Is the Right Choice for Ransomware Work

  • You are an IR responder or MSP handling a live ransomware engagement
  • You need to produce a defensible report for the cyber insurance carrier within tight timelines (carriers commonly require initial assessment within 24-72 hours)
  • You need court-ready chain of custody for potential litigation against the operator
  • You handle multiple ransomware engagements per year and want a per-case workflow that compounds

When Sherlock Is Not the Right Choice

  • The environment is under continuous SIEM monitoring (Splunk, Elastic, Sentinel) and the ransomware was detected by the SIEM; your existing SIEM produces the timeline, so Sherlock is not the marginal addition
  • The investigation is purely command-line and EvtxECmd / Chainsaw / Hayabusa output is sufficient for the deliverable
  • The case is at the enterprise procurement tier ($10k+ forensic-tool budget) where Magnet Axiom or Cellebrite provide broader capability surface