Description
This article describes how to use FortiSandbox and FortiClient to scan for and detect ransomware-like behaviour in malware file samples from the ransomware used in the Kaseya VSA attack.
For more information about the Kaseya VSA Supply-Chain ransomware attack, see the following FortiGuard Threat Signal description:
Scope
The configuration involves three products:
- FortiClient EMS
- FortiClient
- FortiSandbox
FortiClient endpoints managed by FortiClient EMS are protected by forwarding High-Risk files to FortiSandbox for behavioral analysis. If the verdict is High-Risk, the file is quarantined and is not executed.
Solution
The following describes the FortiClient EMS configuration related to sandboxing. To be protected, FortiClient endpoints must have Sandbox Detection enabled. When a FortiClient endpoint is managed by FortiClient EMS, it must be registered and have its endpoint profile synchronized with the FortiClient EMS server.
To configure Sandbox Detection on FortiClient EMS:
- Go to Endpoint Profiles > Manage Profiles, and create a new profile. Alternatively, edit an existing profile.
- Go to the Sandbox tab. Enable Sandbox Detection.
- Sandbox Detection can be performed by a FortiSandbox appliance or by FortiClient Cloud Sandbox. Select the option that applies.
- For Inspection mode, select High-Risk Files.
- Enable the option “Wait for FortiSandbox Results before Allowing File Access”. This option ensures that the scan is completed and a verdict is provided before the file can be executed.
- Under Remediation action, set the Action to Quarantine (recommended).
- Save the profile.
Endpoint Profile example using FortiSandbox Appliance:
Endpoint Profile example using FortiClient Cloud Sandbox:
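The following is an added illustrative model of the endpoint decision the profile settings above produce; it is not FortiClient or FortiSandbox code. It assumes a constructed list of high-risk extensions and a constructed verdict function standing in for the FortiSandbox scan, and it shows why "Wait for FortiSandbox Results before Allowing File Access" matters: without it, the file is released before the verdict arrives.

```python
from dataclasses import dataclass
from typing import Callable, Literal

Verdict = Literal["Clean", "Low-Risk", "Medium-Risk", "High-Risk"]

# Constructed approximation of the "High-Risk Files" inspection mode (assumption,
# not the vendor's actual file-type list): only these extensions are submitted.
HIGH_RISK_EXTENSIONS = {".exe", ".dll", ".js", ".ps1", ".docm", ".xlsm"}


@dataclass
class SandboxProfile:
    """The three profile settings the article configures (defaults as recommended)."""
    inspection_mode: Literal["All Files", "High-Risk Files"] = "High-Risk Files"
    wait_for_results: bool = True       # "Wait for FortiSandbox Results before Allowing File Access"
    remediation: str = "Quarantine"     # Remediation action


@dataclass
class Outcome:
    forwarded: bool            # was the file submitted to the sandbox at all?
    held_until_verdict: bool   # False means a window existed in which the file could run
    final_action: str          # what the endpoint does once the verdict is known


def evaluate(profile: SandboxProfile, filename: str,
             sandbox: Callable[[str], Verdict]) -> Outcome:
    """Model the endpoint decision for one file (illustrative, not FortiClient code)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    forwarded = profile.inspection_mode == "All Files" or ext in HIGH_RISK_EXTENSIONS
    if not forwarded:
        # Not in scope of the inspection mode: the file is never held or scanned.
        return Outcome(False, False, "Allowed (not submitted)")
    # With the wait option off, access is granted immediately and the remediation
    # action can only be applied after the fact; with it on, access is held.
    held = profile.wait_for_results
    verdict = sandbox(filename)
    action = profile.remediation if verdict == "High-Risk" else "Allowed"
    return Outcome(True, held, action)


def constructed_sandbox(filename: str) -> Verdict:
    """Constructed stand-in for the FortiSandbox verdict, keyed on the sample name."""
    return "High-Risk" if "ransomware" in filename.lower() else "Clean"


if __name__ == "__main__":
    for wait in (True, False):
        profile = SandboxProfile(wait_for_results=wait)
        print(wait, evaluate(profile, "sample_ransomware.exe", constructed_sandbox))
```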
To view results of the detection on FortiSandbox:
- On the FortiSandbox, go to Log & Report > File Scan.
- Locate the Scan Job associated with the malicious file.
- Under the Action column, click the pop-up icon to open the detail report in a new window. For convenience, click the download button on the top right to save a copy of the report.
- The report provides details of the scan job, including an Indicator Summary.
- The Indicator Summary will identify “Ransomware like behaviors were detected”.
- Furthermore, Suspicious Indicator Details will indicate the Rating for the infected file.