FortiAnalyzer
keithli_FTNT
Staff
Article Id 192512
Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect activity related to the DearCry ransomware attack.

DearCry is deployed on Microsoft Exchange servers that have been compromised through the recently disclosed Exchange Server vulnerabilities. For more information about this ransomware attack, see the Fortinet blog post:
New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities

What is included in Fortinet_SOC-DearCry-Ransomware-Detection.zip?

1) Fortinet_SOC-DearCry-Ransomware-Detection.json
This event handler detects DearCry ransomware activity based on FortiGate AV and FortiClient AV detections.

It matches the following virus signatures:
  • W32/DearCry.OGE!tr
  • W32/DearCry.OGE!tr.ransom
  • W32/Filecoder.OGE!tr
  • PossibleThreat.ARN.H
  • W32/Encoder.OGE!tr.ransom
  • W32/Encoder!tr

2) DearCry Report - Fortinet.dat
A report that summarizes findings on DearCry attacks from FortiGate and FortiClient logs.

See the Solution section for instructions on how to load these into a FortiAnalyzer unit.
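As an added example (not part of the original article and not the contents of the event handler JSON it describes), the following Python script shows the kind of match the event handler performs: it parses FortiGate-style key=value log lines and flags records whose signature field carries one of the virus signatures listed above, then rolls the hits up per signature the way the report does. The log lines are constructed for illustration; the field names virusname and hostname used for the FortiClient record are assumptions, not verified FortiClient log fields.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Virus signatures from the event handler description above.
DEARCRY_SIGNATURES = {
    "W32/DearCry.OGE!tr",
    "W32/DearCry.OGE!tr.ransom",
    "W32/Filecoder.OGE!tr",
    "PossibleThreat.ARN.H",
    "W32/Encoder.OGE!tr.ransom",
    "W32/Encoder!tr",
}

# Fields that may carry the signature name. "virus" is the FortiGate AV log
# field; "virusname" is assumed here for FortiClient AV logs (assumption).
SIGNATURE_FIELDS = ("virus", "virusname")

# One key=value token: the value is either double-quoted (may contain spaces
# and backslash-escaped characters) or a bare run of non-whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_kv_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate-style key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def dearcry_signature(fields: Dict[str, str]) -> Optional[str]:
    """Return the matching DearCry signature, or None.

    The comparison is exact and only on the signature field, like an event
    handler filter on that field: a signature name that merely appears inside
    free text such as msg= does not count.
    """
    for key in SIGNATURE_FIELDS:
        value = fields.get(key)
        if value in DEARCRY_SIGNATURES:
            return value
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the DearCry match over raw log lines; one hit per matching record."""
    hits = []
    for line in lines:
        fields = parse_kv_log(line)
        sig = dearcry_signature(fields)
        if sig is None:
            continue
        hits.append({
            "signature": sig,
            "device": fields.get("devname", "?"),
            # Endpoint logs identify the host by name, FortiGate logs by source IP.
            "host": fields.get("hostname") or fields.get("srcip", "?"),
            "filename": fields.get("filename", "?"),
            "action": fields.get("action", "?"),
        })
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per signature, the kind of rollup the report presents."""
    return dict(Counter(h["signature"] for h in hits))


# Constructed sample log lines (not real captures). The FortiGate lines follow
# the key=value convention; the FortiClient line uses the assumed fields above.
SAMPLE_LOGS = [
    # FortiGate AV detection: should match.
    'date=2021-03-12 time=10:15:32 devname="FGT-EDGE-1" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.10.20.15 dstip=203.0.113.7 '
    'service="HTTPS" virus="W32/DearCry.OGE!tr.ransom" filename="dearcry.exe" action="blocked"',
    # Assumed FortiClient AV detection: should match.
    'date=2021-03-12 time=10:17:05 devname="FCTEMS-1" hostname="EXCH01" type="antivirus" '
    'eventtype="infected" virusname="W32/Encoder!tr" '
    'filename="C:\\Users\\Public\\msupdate.exe" action="quarantined"',
    # Unrelated AV detection with a different signature: must not match.
    'date=2021-03-12 time=10:18:40 devname="FGT-EDGE-1" type="utm" subtype="virus" '
    'srcip=10.10.20.22 virus="W32/Agent.ABCD!tr" filename="setup.exe" action="blocked"',
    # Signature name only inside free text, not in the signature field: must not match.
    'date=2021-03-12 time=10:19:02 devname="FGT-EDGE-1" type="utm" subtype="virus" '
    'srcip=10.10.20.30 virus="EICAR_TEST_FILE" msg="Test file, not W32/DearCry.OGE!tr" action="blocked"',
    # Plain traffic log with no signature field at all.
    'date=2021-03-12 time=10:20:11 devname="FGT-EDGE-1" type="traffic" subtype="forward" '
    'srcip=10.10.20.15 dstip=198.51.100.9 dstport=443 action="accept"',
]


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print(summarize(found))
```

Only the first two sample lines produce hits; the third carries a signature outside the list and the fourth mentions a listed name only in msg=, which is why the match is on the signature field rather than a substring search over the whole line.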


Scope
The custom Event Handler provided can be used in FortiAnalyzer 6.2 and FortiAnalyzer 6.4.

Solution
All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC-DearCry-Ransomware-Detection.zip file (contains 2 files).

2) Unzip Fortinet_SOC-DearCry-Ransomware-Detection.zip.

3) Import Fortinet_SOC-DearCry-Ransomware-Detection.json into Event Handlers:
     a. Choose an ADOM (if ADOMs are enabled)
     b. Choose the FortiSOC module
     c. Select Event Handler List
     d. Select the Import option under "More"
     e. Select Fortinet_SOC-DearCry-Ransomware-Detection.json
[Screenshot: Event Handler List, Import option under "More"]

Result: the imported event handler is enabled and will be triggered when matching logs are received after the event handler was imported.

4) Import DearCry Report - Fortinet.dat into Reports:
    a. Choose a Fabric ADOM (if ADOMs are enabled)
    b. Choose the Report module
    c. Select the Import option under "More"
    d. Select DearCry Report - Fortinet.dat
[Screenshot: Report import dialog]

Result: 'DearCry Report - Fortinet' can be run at any time, as determined by an admin user.



