FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
keithli_FTNT
Staff
Article Id 197052
Description
This article describes how to use custom Rules and Reports in FortiSIEM to detect activity related to the DearCry ransomware attack.

DearCry is deployed on Microsoft Exchange servers that have been compromised through recently disclosed Exchange Server vulnerabilities. For more information about this ransomware, see the Fortinet blog post:
New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities

The rules and reports look for the following antivirus signature names in the logs:
  •     W32/DearCry.OGE!tr
  •     W32/DearCry.OGE!tr.ransom
  •     W32/Filecoder.OGE!tr
  •     PossibleThreat.ARN.H
  •     W32/Encoder.OGE!tr.ransom
  •     W32/Encoder!tr

The report summarizes DearCry detections found in FortiGate, FortiClient and FortiSandbox logs.
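The same hunt can be run outside FortiSIEM against raw FortiGate antivirus logs, for example on an archived syslog file. The following script is an added example, not part of the Fortinet package described in this article; it assumes FortiGate's key=value syslog format with the standard `type`, `subtype`, `virus`, `srcip`, `dstip`, `filename` and `action` fields, matches the `virus` field against the signature list above, and reports per-signature and per-source counts plus any detection that was not blocked. The log lines embedded in it are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Antivirus signature names the article associates with DearCry.
DEARCRY_SIGNATURES = {
    "W32/DearCry.OGE!tr",
    "W32/DearCry.OGE!tr.ransom",
    "W32/Filecoder.OGE!tr",
    "PossibleThreat.ARN.H",
    "W32/Encoder.OGE!tr.ransom",
    "W32/Encoder!tr",
}

# FortiGate syslog lines are key=value pairs; values may be quoted or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Return a dict of key/value pairs from one FortiGate syslog line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def is_dearcry_event(fields):
    """True for an antivirus event (type=utm, subtype=virus) whose signature
    name is one of the DearCry indicators."""
    return (fields.get("type") == "utm"
            and fields.get("subtype") == "virus"
            and fields.get("virus") in DEARCRY_SIGNATURES)


def hunt_dearcry(lines):
    """Filter raw log lines down to DearCry detections, keeping the fields an
    analyst wants in a report (time, source, destination, file, verdict)."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if is_dearcry_event(f):
            hits.append({
                "timestamp": f"{f.get('date', '')} {f.get('time', '')}".strip(),
                "srcip": f.get("srcip"),
                "dstip": f.get("dstip"),
                "filename": f.get("filename"),
                "virus": f.get("virus"),
                "action": f.get("action"),
            })
    return hits


def summarize(hits):
    """Count hits per signature and per source host, and single out any hit
    the firewall did not block (the payload reached the endpoint)."""
    return {
        "by_signature": dict(Counter(h["virus"] for h in hits)),
        "by_source": dict(Counter(h["srcip"] for h in hits)),
        "not_blocked": [h for h in hits if h["action"] != "blocked"],
    }


# Constructed sample lines in FortiGate syslog style (not real traffic).
SAMPLE_LOGS = [
    'date=2021-03-15 time=10:22:41 devname="fgt-edge" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.10.5.23 dstip=203.0.113.10 '
    'proto=6 service="HTTP" filename="svchost.exe" virus="W32/DearCry.OGE!tr" action="blocked"',
    'date=2021-03-15 time=10:23:02 devname="fgt-edge" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.10.5.23 dstip=203.0.113.10 '
    'proto=6 service="HTTP" filename="EICAR.com" virus="EICAR_TEST_FILE" action="blocked"',
    'date=2021-03-15 time=10:25:17 devname="fgt-edge" type="traffic" subtype="forward" '
    'srcip=10.10.5.23 dstip=203.0.113.10 proto=6 service="HTTPS" action="accept"',
    'date=2021-03-15 time=10:31:55 devname="fgt-edge" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.10.7.4 dstip=198.51.100.7 '
    'proto=6 service="SMB" filename="setup.exe" virus="W32/Encoder.OGE!tr.ransom" action="monitored"',
]

if __name__ == "__main__":
    hits = hunt_dearcry(SAMPLE_LOGS)
    for h in hits:
        print(h)
    print(summarize(hits))
```

The `not_blocked` list is the part worth acting on first: a detection with `action="monitored"` means the file was seen but delivered, so that source host should be isolated and checked for the ransomware's dropped files before anything else.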

What is included in Fortinet_FortiSIEM-DEARCRY-Detection_v1.zip?

1. DEARCRY_Report_v1.xml
The reports can be run against historical data to look for indicators associated with DEARCRY.

2. DEARCRY_Rule_v2.xml
The rules detect indicators relating to the DEARCRY malware as events arrive.

See the Solution section for instructions on how to load these into FortiSIEM.


Scope
The custom Rules and Reports can be loaded into FortiSIEM 5.x and 6.x versions.

Solution
All screenshots below are for illustration purposes and were taken from FortiSIEM 6.x.

1. Download the Fortinet_FortiSIEM-DEARCRY-Detection_v1.zip file (contains two files).

2. Unzip Fortinet_FortiSIEM-DEARCRY-Detection_v1.zip.

3. Use DEARCRY_Report_v1.xml as the file to import the Reports.
    a. Navigate to Resource / Reports.
    b. It is recommended that a new group called “DEARCRY” is created under Resource / Reports / Security and that the reports are imported into this group.
    c. Select the Import option under "More".
    d. Select DEARCRY_Report_v1.xml and import.

4. Use DEARCRY_Rule_v1.xml as the file to import the Rules.
    a. Navigate to Resource / Rules.
    b. It is recommended that a new group called “DEARCRY” is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
    c. Click Import.
    d. Select DEARCRY_Rule_v1.xml and import.
    e. Filter the rules on DEARCRY and ensure that they are Enabled; imported rules do not fire until they are.


Imported and enabled Rules:
FSM-DearCry-ImportRules.png 

Imported Reports:
FSM-DearCry-ImportReports.png
