FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
Article Id 189624

This article describes how to use FortiDeceptor and SMB Deception Lure to detect activities that are related to the DearCry ransomware and any Ransomware malware attack.

DearCry uses recent MS. Exchange server vulnerabilities to exploit its targets. For more information about this ransomware attack, see the Fortinet blog post:

New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities

Cyber Deception Against Any Ransomware:

1. FortiDeceptor starts by deploying a fake network shared across every endpoint/server in your network. This pseudo network is hidden from legitimate users to avoid clicking on decoy systems and generating false alerts.

2. This fake network drive also contains fake files and workflows that are sacrificed to expose an attacker and/or malicious ransomware.

3. The fake network is mapped using a network decoy that acts as a fake file server, complete with fake traffic and files.

4. The FortiDeceptor tool that creates and manages this fake network can be fully integrated into your third-party security tools, such as your Firewall, Network Access Control, and Next-Gen AV, so that malicious activity can be identified and mitigated.

5. Once the ransomware compromises an endpoint and starts to encrypt the fake files on the fake network drive, the decoy (fake file server) detects this malicious network activity and uses one of your existing security tools to automatically isolate the infected endpoint, protecting the rest of the network.

The File Server Decoy and SMB Deception Lure against Ransomware malware can be used in FortiDeceptor V.3.3 and above

Please follow the steps below for Deception Protection against Ransomware malware:

1. Deploy windows Decoy with SMB enabled

2. Download the Deception lure package from the Decoy configuration section

3. Deploy the Deception lure package across your endpoint using the A/D Logon script. Keep in mind that the Deception lure package is an “Agent-Less” technology. (see FortiDeceptor Admin guide)

4. To verify the Deception lure package deployment, please run the command “net use” on any endpoint that is part of the domain, and you should see the network drive map configuration in place.

5. Once Ransomware malware penetrated the network and infected the endpoint, an encryption process started against the local & network drives. 

6. FortiDeceptor technology will detect the encryption process and will raise a real-time alert.

Ransomware encryption.jpg

FDC Detect Ransomware.png

7. FortiDeceptor will leverage the Fortinet Fabric to execute a threat mitigation response to isolated the threat.