FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
keithli_FTNT
Staff
Article Id 191480
Description
This article describes how to use custom Rules and Reports to detect the REvil ransomware that targets the Kaseya VSA vulnerability.

For more information on the threat, see the FortiGuard Lab Threat Signal Report:
Global ransomware and supply-chain attack on Kaseya VSA affecting multiple organizations

What is included in Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip?

1. REvil_Report_v2.xml
The reports can be run on historical data to look for indicators associated with REvil.

2. REvil-Rules_v2.xml
The Rules will detect indicators associated with REvil in real time.

See the Solution section for instructions on how to load these into FortiSIEM.

Scope
The custom Rules and Reports can be loaded into FortiSIEM 6.x versions.

Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.x.

1. Download the Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip file (contains 2 files).

2. Unzip Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip

3. Use REvil_Report_v2.xml as the file to import the Reports
    a. Navigate to Resource / Reports
    b. It is recommended that a new group called “REvil Attack” is created under Resource / Reports / Security and that the reports are imported into this group.
    c. Select the Import option under "More"
    d. Select REvil_Report_v2.xml and import.

4. Use REvil_Rules_v2.xml as the file to import the Rules
    a. Navigate to Resource / Rules
    b. It is recommended that a new group called “REvil Attack” is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
    c. Click Import
    d. Select REvil_Rules_v2.xml and import.
    e. Filter the rules on REvil and ensure that they are Enabled.
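As an added pre-import check that is not part of this article or of FortiSIEM itself: the following Python script confirms that the downloaded archive contains the two files named above and that each one parses as well-formed XML, so a truncated, corrupt or mis-named file is caught before it is selected in the Reports or Rules import dialog. It assumes nothing about the FortiSIEM rule or report schema (only well-formedness is checked), and the sample archive it builds uses constructed placeholder XML bodies, not real rule content.

```python
"""Pre-import sanity check for Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip.

Added example, not Fortinet's code. Checks that the archive holds the two
files the article names and that each is well-formed XML. The FortiSIEM
rule/report schema is not assumed; only XML well-formedness is verified.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# File names exactly as the article lists them
EXPECTED_FILES = ("REvil_Report_v2.xml", "REvil_Rules_v2.xml")


def check_archive(zip_bytes: bytes) -> dict:
    """Return per-file status ('ok', 'missing', 'not-xml') plus any unexpected extras."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Map basename -> member path so a folder inside the zip does not hide the files
        members = {m.filename.rsplit("/", 1)[-1]: m.filename
                   for m in zf.infolist() if not m.is_dir()}
        for name in EXPECTED_FILES:
            if name not in members:
                result[name] = "missing"
                continue
            try:
                ET.fromstring(zf.read(members[name]))  # raises on truncated/corrupt XML
                result[name] = "ok"
            except ET.ParseError:
                result[name] = "not-xml"
        result["unexpected"] = sorted(set(members) - set(EXPECTED_FILES))
    return result


def build_sample_zip(rules_body: bytes = b"<Rules/>") -> bytes:
    """Constructed sample archive with placeholder XML bodies (not real FortiSIEM content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("REvil_Report_v2.xml", b"<Reports/>")
        zf.writestr("REvil_Rules_v2.xml", rules_body)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_archive(build_sample_zip()))
    # A truncated rules file (unclosed root element) is flagged as not-xml
    print(check_archive(build_sample_zip(b"<Rules>")))
```

To check the real download, replace the constructed archive with `open("Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip", "rb").read()`.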

[Screenshot: Imported and enabled Rules (FSM-Kaseya-ImportedRules.png)]

[Screenshot: Imported Reports (FSM-Kaseya-ImportedReports1.png)]
