Staff
July 6, 2021
Technical Tip: How to use FortiAnalyzer to detect activities related to REvil Ransomware targeting Kaseya VSA vulnerability
Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect REvil ransomware activity that targets the Kaseya VSA vulnerability.
Scope
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.4+.
Solution
All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC-REvil-Detection-v3.zip file (contains 2 files)
2) Unzip Fortinet_SOC-REvil-Detection-v3.zip
3) Import REvil Ransomware Detection-v3.json into Event Handlers
a. Choose an ADOM (if ADOMs are enabled)
b. Choose the FortiSOC module
c. Select Event Handler List
d. Select the Import option under "More"
e. Select REvil Ransomware Detection-v3.json

Result: the REvil Ransomware Detection-v3 event handler is enabled and is triggered by matching logs that are received after the event handler was imported.
4) Import REvil_ransomware_detection_report-v3.dat into Reports
a. Choose a Fabric ADOM (if ADOMs are enabled)
b. Choose the Report module
c. Select the Import option under "More"
d. Select REvil_ransomware_detection_report-v3.dat
Result: the 'REvil_ransomware_detection_report-v3' report can be run at any time by an admin user.
For more information on the threat, see the FortiGuard Labs Threat Signal Report.
What is included in Fortinet_SOC-REvil-Detection-v3.zip?
1) REvil Ransomware Detection-v3.json
This event handler identifies exploit attempts detected by the AV signatures on FortiGate and FortiClient. The logs that trigger it are generated by FortiGate and FortiClient, so keep the AV signatures on those devices up to date so that the exploit attempts are both blocked and logged.
2) REvil_ransomware_detection_report-v3.dat
A report summarizing REvil ransomware exploit attempts detected by the AV engine on FortiGate and FortiClient devices.
See the Solution section for instructions on how to load the event handler and report into a FortiAnalyzer unit.
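The article does not publish the filter inside the event handler, so the following script is an added example (not Fortinet's code and not the contents of the .zip): it parses constructed FortiGate AV log lines in key=value syslog format, applies an assumed rule (a UTM virus log whose virus name mentions REvil or its alias Sodinokibi), and summarizes the matches per device and per action the way the report does. The device names, IPs and "W32/...EXAMPLE" virus names are placeholders, and the rule itself is an assumption. It also lists detections whose action was not "blocked", which is the check a SOC analyst wants after confirming the handler fires: a signature that only monitored the file means the AV profile let it through.

```python
import re
from collections import Counter

# Constructed sample logs in FortiGate key=value syslog format (not taken from the
# article). Device names, IPs and virus names are placeholders.
SAMPLE_LOGS = [
    'date=2021-07-06 time=10:15:22 devname="FGT-EDGE-1" devid="FGVMEXAMPLE0001" logid="0211008192" '
    'type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" action="blocked" '
    'service="HTTP" srcip=10.0.1.25 dstip=203.0.113.10 srcport=51234 dstport=80 direction="incoming" '
    'filename="agent.crt" virus="W32/Sodinokibi.EXAMPLE!tr.ransom" dtype="Virus" profile="default"',
    'date=2021-07-06 time=10:17:03 devname="FGT-EDGE-1" devid="FGVMEXAMPLE0001" logid="0211008192" '
    'type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" action="monitored" '
    'service="HTTP" srcip=10.0.1.40 dstip=203.0.113.10 srcport=51301 dstport=80 direction="incoming" '
    'filename="mpsvc.dll" virus="W32/REvil.EXAMPLE!tr.ransom" dtype="Virus" profile="default"',
    'date=2021-07-06 time=10:20:41 devname="FGT-BRANCH" devid="FGVMEXAMPLE0002" logid="0211008192" '
    'type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" action="blocked" '
    'service="SMTP" srcip=10.0.2.9 dstip=198.51.100.7 srcport=49222 dstport=25 direction="outgoing" '
    'filename="invoice.zip" virus="W32/Generic.EXAMPLE!tr" dtype="Virus" profile="default"',
    'date=2021-07-06 time=10:21:00 devname="FGT-BRANCH" devid="FGVMEXAMPLE0002" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" action="accept" '
    'srcip=10.0.2.9 dstip=198.51.100.7 srcport=49300 dstport=443 service="HTTPS"',
]

# key=value pairs; the value is either a double-quoted string (with \" escapes) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


# Assumed matching rule (the article does not publish the handler's filter): a UTM virus
# log whose virus name mentions REvil or its alias Sodinokibi.
REVIL_NAME_RE = re.compile(r"revil|sodinokibi", re.IGNORECASE)


def matches_revil_handler(fields: dict) -> bool:
    """Return True if a parsed log would trigger the assumed REvil event-handler rule."""
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "virus"
        and REVIL_NAME_RE.search(fields.get("virus", "")) is not None
    )


def summarize(lines) -> dict:
    """Mimic the report: count matching events per device and per action, and list
    detections that were not blocked (action other than "blocked")."""
    hits = [f for f in map(parse_fortigate_log, lines) if matches_revil_handler(f)]
    return {
        "total": len(hits),
        "by_device": Counter(h.get("devname", "?") for h in hits),
        "by_action": Counter(h.get("action", "?") for h in hits),
        "not_blocked": [
            (h.get("devname"), h.get("srcip"), h.get("virus"))
            for h in hits
            if h.get("action") != "blocked"
        ],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    print(f"REvil-related AV events: {result['total']}")
    for device, count in result["by_device"].items():
        print(f"  {device}: {count}")
    for action, count in result["by_action"].items():
        print(f"  action={action}: {count}")
    for device, srcip, virus in result["not_blocked"]:
        print(f"  NOT BLOCKED on {device}: {srcip} -> {virus}")
```

Run it as-is to see the two matching events; the generic-malware and traffic lines are ignored. To tune the rule to whatever virus names your signature database actually reports, change `REVIL_NAME_RE` after inspecting real `virus=` values in the FortiAnalyzer log view.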