Technical Tip: Akira Ransomware Detection using FortiClient

Introduction

The Akira ransomware is a type of malicious software designed to encrypt files on a victim's computer, rendering them inaccessible. This ransomware variant demands payment from the victim, usually in cryptocurrency, in exchange for a decryption key that will unlock the encrypted files. The Akira ransomware group, which is responsible for deploying this ransomware, has been active since at least March 2023 and has targeted numerous organizations across various sectors worldwide.

How FortiClient Can Detect Akira

FortiClient offers two methods for combatting Akira ransomware: Real-time Protection (RTP) and Anti-Ransomware. It's crucial to utilize both methods simultaneously as they leverage distinct detection mechanisms:

1. Real-time Protection (RTP): This feature is designed to immediately stop known ransomware from executing.
2. Anti-ransomware: This functionality operates on a behavioral basis, capable of thwarting new, previously unseen variants of ransomware by observing their actions on the endpoint. However, it's important to note that before FortiClient identifies ransomware, it's possible that the ransomware may have already encrypted or damaged files. To address this, FortiClient backs up metadata of selected user folders and files, enabling the restoration of 'ransomed' files once the ransomware is disabled.

By leveraging both RTP and Anti-ransomware features, FortiClient ensures comprehensive protection against Akira and its variants, safeguarding a system from both known and emerging threats.

Using Anti-Ransomware

Ransomware attacks have increased recently. In response, FortiClient has introduced new behavior-based ransomware protection, which can roll back changes made by malicious programs, putting the endpoint back to a preinfection state. When the Anti-Ransomware feature and 'Enable File Backup' are enabled in EMS, FortiClient creates backups of the metadata for files specified in the 'Protected Folders' section. Using these backups, FortiClient can restore encrypted files to their original state, providing robust protection against ransomware attacks. On EMS, enable Anti-Ransomware under Endpoint Profiles >Malware Protection profile and also enable the 'Enable File Backup' option.

More information on the FortiClient EMS Malware Protection feature can be found in the 'EMS Administration Guide'.

Anti-Ransomware on Endpoints.

FortiClient on endpoints will then receive this configuration. Once a suspicious ransomware activity is detected, the FortiClient tray will show a notification just like below.

FortiClient GUI will show the number of quarantined files details under malware protection section as shown below.

FortiClient quarantines all the files affected by the ransomware attack and terminates the ransomware. Clicking the number link will show the quarantined files.

FortiClient then recovers the affected files back to their original state. A list of 'Recovered files' can be seen from the FortiClient GUI as shown below.

The recovered files from the file browser are shown below:

FortiClient log for ransomware event.

To get logs from FortiClient, navigate to FortiClient GUI -> Settings -> Export logs.

5/6/2024 5:44:06 PM     warning                antiransomware               date=2024-05-06 time=17:44:05 logver=1 id=98000 type=securityevent subtype=antiransomware eventtype=status level=warning uid=9638815F17974A38A1A9165059C658BF devid=FCT8001244636066 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.25 devicemac=02-00-45-99-04-45 site=default fctver=7.2.5.0993 fgtserial=N/A emsserial=FCTEMS8824090428 os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=Admin msg="AntiRansomware has found a suspicious process" file=C:\Users\Admin\Desktop\1650201791.exe action=kill default_used=1 checksum=131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 PID=1736

Detection using Real-Time Protection.

FortiClient can detect this ransomware through its real-time protection too.

On EMS, enable Real-Time Protection under Endpoint Profiles -> Malware Protection profile.

How EMS Can See Detection.

Once FortiClient detects the ransomware file, the event will be sent to EMS where the FortiClient is registered. The event can be seen on the EMS endpoints page as shown below.

Also under the Quarantine Management page, users should be able to see quarantined files.

EMS users can also see these alerts on the EMS Dashboard page. To see the alerts, enable the Antivirus Detection widget.

How Endpoints Can See Detection.

This particular strain of ransomware exhibits versatility in its methods of deployment. It possesses the capability to infiltrate systems through various channels, including but not limited to downloading from the internet, dissemination via email, or propagation through the copying of files. Upon the unwitting execution of the ransomware file by an endpoint user, FortiClient swiftly detects and intercepts the malicious activity, promptly quarantining the offending sample to prevent further harm to the system.

Summary.

FortiClient uses both technologies to maximize malware detection. Both Ransomware Protection and, Malware and Exploit Prevention are effective ways to mitigate these kind of attacks. The attacks malicious capabilities are effectively neutralized, rendering it impotent in its attempts to infect and encrypt the system.