keithli_FTNT
Staff
Article Id 195739
Description
FortiClient AV Real-time protection detects and blocks REvil (aka Sodinokibi) ransomware files before they are installed on the endpoint. The malware is detected as W32/Sodinokibi.EAD4!tr.ransom.

If AV Real-time protection is not enabled on your endpoints, you can instead use FortiClient EMS to hunt for, and quarantine, endpoints that may have been compromised by the REvil ransomware delivered through the Kaseya VSA vulnerability.

For more information on the threat, see the FortiGuard Lab Threat Signal Report:
Global ransomware and supply-chain attack on Kaseya VSA affecting multiple organizations


Solution
On your EMS console, create Zero Trust tagging rules that continuously monitor endpoints and let you automatically block network access for the compromised ones:
  1. Run the attached script, add_REvil_ZTNA_Rules.txt, to add the Kaseya exploited-endpoint detection rules to EMS 6.4.2 or later. Open a command prompt as administrator in the folder where you saved the script and run the following command (-E uses Windows authentication, -S .\fcems targets the local EMS SQL Server instance, -d fcm_default selects the EMS database, and -i reads the script file):
    • sqlcmd -E -S .\fcems -d fcm_default -i add_REvil_ZTNA_Rules.txt
  2. The script adds the ZTNA tagging rules shown in the screenshot below. Open one of the newly added rules to confirm it is configured correctly, then click Save. You can also add further rules to detect and tag endpoints with other critical vulnerabilities.
  3. Under Zero Trust Tags > Tag Monitor, look for endpoints carrying the “REvil Compromised” tag. Any such endpoint can be quarantined (disconnected from the network) from EMS and handed over for investigation and remediation.
  4. As part of the Security Fabric, the same Zero Trust tags can be used on FortiGate to restrict, or automatically quarantine, network access for these endpoints. See How to add EMS ZTNA Tags in FortiOS dynamic policy for instructions.
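Because step 1 writes directly into the EMS database, an administrator will normally want a backup of that database first and a hard failure if the script errors partway through. The following PowerShell script is an added example and is not part of this article or the attached script: it checks for an elevated session and for sqlcmd, takes a full backup of fcm_default, then runs the rule script with -b so sqlcmd stops at the first SQL error and returns a non-zero exit code. The instance name (.\fcems), database name (fcm_default) and script file name are the ones given above; the backup directory is an assumption you should adjust.

```powershell
# Added example, not part of the Fortinet article or its attached script.
# Wraps the article's sqlcmd step with a pre-flight check, a database backup
# and exit-code handling. $BackupDir is an assumed location; change it.
param(
    [string]$ScriptPath = ".\add_REvil_ZTNA_Rules.txt",
    [string]$Instance   = ".\fcems",        # local EMS SQL Server named instance
    [string]$Database   = "fcm_default",    # EMS database named in the article
    [string]$BackupDir  = "C:\EMS-Backups"  # assumption: any folder the SQL service can write to
)

# 1. sqlcmd -E authenticates as the calling Windows user, so the session
#    must be elevated to reach the EMS database.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session."
}
if (-not (Test-Path $ScriptPath)) { throw "Script not found: $ScriptPath" }
if (-not (Get-Command sqlcmd -ErrorAction SilentlyContinue)) {
    throw "sqlcmd is not on PATH; install the SQL Server command-line tools."
}

# 2. Full backup of the EMS database before any rows are inserted.
#    BACKUP DATABASE is executed by the SQL Server service account, so the
#    target folder must be writable by that account, not just by you.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$bakFile = Join-Path $BackupDir "$Database-$stamp.bak"
$backupSql = "BACKUP DATABASE [$Database] TO DISK = N'$bakFile' WITH INIT"
& sqlcmd -E -S $Instance -d master -b -Q $backupSql
if ($LASTEXITCODE -ne 0) {
    throw "Backup failed (sqlcmd exit code $LASTEXITCODE); aborting before any change."
}

# 3. Run the rule script. -b makes sqlcmd abort the batch on the first SQL
#    error and exit non-zero instead of silently continuing.
& sqlcmd -E -S $Instance -d $Database -b -i $ScriptPath
if ($LASTEXITCODE -ne 0) {
    throw "Rule script failed (exit code $LASTEXITCODE). Restore from $bakFile if the database is inconsistent."
}
Write-Host "Rules added. Verify them under Zero Trust Tags in EMS and save one rule as described in step 2."
```

Run it from the folder containing add_REvil_ZTNA_Rules.txt, or pass -ScriptPath. If the backup step fails with an access error, grant the SQL Server service account write permission on the backup folder rather than running the rule script without a backup.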
ZTNA Tagging Rules:
FCT-Kaseya-zero_trust_tag_rules.png

ZTNA Tag Monitor:
FCT-Kaseya-zero_trust_tag_monitor.png

Quarantining an Endpoint:
FCT-Kaseya-endpoint_details.png
