DescriptionThis article describes how to use custom Rules and Reports to detect REvil Ransomware that targets Kaseya VSA vulnerability.For more information on the threat, see the FortiGuard Lab Threat Signal Report:Global ransomware and supply-chain attack on Kaseya VSA affecting multiple organizationsWhat is included in Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip?1. REvil_Report_v2.xmlThe reports can be ran on historical data looking for indicators associated with REvil.
2. REvil-Rules_v2.xmlThe Rules will detect indicators associated with REvil in real time.
See the Solution section for instruction on how to load these into a FortiSIEM
ScopeThe custom Rules and Reports can be loaded into FortiSIEM 6.x versions.SolutionAll screen shots provided below for illustration purposes are taken from FortiSIEM 6.x
1. Download the Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip file (contains 2 file)
2. Unzip Fortinet_FortiSIEM_SOC-REvil-Detection-v2.zip
3. Use REvil_Report_v2.xml as the file to import the Reports
a. Navigate to Resource / Reports
b. It is recommended that a new group under Resource / Reports / Security is created called “REvil Attack” and reports are imported to this group.
d. Select the Import option under "More"
e. Select REvil_Report_v2.xml and import.
4. Use REvil_Rule_v2.xml as the file to import the Rules
a. Navigate to Resource / rules
b. It is recommended that a new group under Resource / Rules / Security / Threat Hunting is created called “REvil Attack” and rules are imported to this group.
d. Click the Import
e. Select REvil_Rules_v2.xml and import.
f. Filter the rules on REvil and ensure that they are Enabled.
Imported and enabled Rules
Imported Reports