Description
This article describes configuring FortiClient to detect, mitigate, and recover from Akira Ransomware.
Scope
Solution
On FortiClient Endpoint Management Server (EMS), enable Anti-Ransomware under Endpoint Profiles > Malware Protection profile, and also enable the “Enable File Backup” option.
More information on the FortiClient Endpoint Management Server (EMS) > Malware Protection feature can be found in the EMS Administration Guide.
Anti-Ransomware on Endpoints
FortiClient on the endpoints will then receive the configuration. Once suspicious ransomware activity is detected, FortiClient shows a pop-up notification window like the one below.
FortiClient allows the user to terminate the suspicious ransomware process; after the process is terminated, the user sees the notification below in the FortiClient tray.
The FortiClient GUI shows the total number of quarantined files and their details under the Malware Protection section, as shown below.
FortiClient quarantines all the files affected by the Akira ransomware attack and terminates the ransomware process. Clicking the number link shows the quarantined files.
FortiClient then restores the affected files to their original state. The list of recovered files can be seen in the FortiClient GUI, as shown below.
Below, the recovered files can be seen in the file browser.
FortiClient log for Ransomware Event:
To get logs from FortiClient, go to FortiClient GUI -> Settings -> Export logs.
5/6/2024 5:44:06 PM warning antiransomware date=2024-05-06 time=17:44:05 logver=1 id=98000 type=securityevent subtype=antiransomware eventtype=status level=warning uid=9638815F17974A38A1A9165059C658BF devid=FCT8001244636066 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.25 devicemac=02-00-45-99-04-45 site=default fctver=7.2.5.0993 fgtserial=N/A emsserial=FCTEMS8824090428 os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=Admin msg="AntiRansomware has found a suspicious process" file=C:\Users\Admin\Desktop\1650201791.exe action=kill default_used=1 checksum=131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 PID=1736
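As an added example that is not part of the Fortinet article, the following Python parses the key=value format of the FortiClient log line above and reduces antiransomware events with action=kill to the fields an analyst would forward for incident follow-up (host, user, file path, PID, checksum, EMS serial). The first log line is copied from the article; the second is a constructed sample used only to show that the filter ignores other event subtypes. The function names `parse_forticlient_log`, `is_ransomware_kill` and `triage` are my own, not part of FortiClient or EMS.

```python
import re
from typing import Dict, Iterable, List

# FortiClient antiransomware log line copied verbatim from the article.
ARTICLE_LOG_LINE = (
    "5/6/2024 5:44:06 PM warning antiransomware date=2024-05-06 time=17:44:05 logver=1 "
    "id=98000 type=securityevent subtype=antiransomware eventtype=status level=warning "
    "uid=9638815F17974A38A1A9165059C658BF devid=FCT8001244636066 hostname=AV-TEST-WIN10X6 "
    "pcdomain=N/A deviceip=192.168.1.25 devicemac=02-00-45-99-04-45 site=default "
    "fctver=7.2.5.0993 fgtserial=N/A emsserial=FCTEMS8824090428 "
    'os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=Admin '
    'msg="AntiRansomware has found a suspicious process" '
    "file=C:\\Users\\Admin\\Desktop\\1650201791.exe action=kill default_used=1 "
    "checksum=131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 PID=1736"
)

# Constructed sample (not from the article) with a different securityevent
# subtype, used only to show that the triage filter skips non-antiransomware events.
CONSTRUCTED_OTHER_LINE = (
    "5/6/2024 5:50:00 PM info antivirus date=2024-05-06 time=17:50:00 logver=1 "
    "id=0 type=securityevent subtype=antivirus eventtype=status level=info "
    "hostname=CONSTRUCTED-HOST user=Admin "
    'msg="constructed sample event, not a real FortiClient log" file=C:\\constructed\\sample.txt'
)

# key=value tokens: either a double-quoted value (may contain spaces) or a run
# of non-space characters (covers Windows paths with backslashes).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The article's checksum is 64 hex characters, i.e. SHA-256 length.
SHA256_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_forticlient_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiClient log line as a dict.

    The free-text prefix before the first key=value pair (local timestamp,
    level, component) is ignored; the structured date/time fields are used.
    """
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_ransomware_kill(event: Dict[str, str]) -> bool:
    """True for an antiransomware security event where the process was killed."""
    return (
        event.get("type") == "securityevent"
        and event.get("subtype") == "antiransomware"
        and event.get("action") == "kill"
    )


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Reduce raw log lines to the fields an analyst forwards for IR follow-up."""
    rows: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_forticlient_log(line)
        if not is_ransomware_kill(ev):
            continue
        checksum = ev.get("checksum", "")
        rows.append({
            "when": f'{ev.get("date", "?")} {ev.get("time", "?")}',
            "hostname": ev.get("hostname", "?"),
            "user": ev.get("user", "?"),
            "file": ev.get("file", "?"),
            "pid": ev.get("PID", "?"),
            # Keep the checksum only if it is a well-formed 64-hex digest, so a
            # truncated value never ends up in a blocklist or hunt query.
            "checksum": checksum if SHA256_HEX_RE.match(checksum) else "",
            "ems": ev.get("emsserial", "?"),
        })
    return rows


if __name__ == "__main__":
    for row in triage([ARTICLE_LOG_LINE, CONSTRUCTED_OTHER_LINE]):
        print(row)
```

The parser deliberately treats the leading "5/6/2024 5:44:06 PM warning antiransomware" text as an opaque prefix and relies on the structured `date`/`time` fields, which is the form you get from the exported log regardless of the endpoint's locale settings.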
How FortiClient Endpoint Management Server (EMS) Can See Detection:
When FortiClient detects and quarantines the ransomware file, the event is sent to the EMS with which the FortiClient is registered. The event can be seen on the EMS endpoint summary page, as shown below.