FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
keithli_FTNT
Staff
Description
This article describes how FortiEDR natively blocks the DearCry ransomware attack.

DearCry, also known as DoejoCrypt, is installed in human-operated attacks that use the Microsoft Exchange Server exploits.

Here are the stages of execution observed in FortiEDR.

Pre-execution:
Once executed, FortiEDR blocks the process:
[Screenshot: FortiEDR-DearCry-Pre-execution-block.png]
Rules Triggered:
[Screenshot: FortiEDR-DearCry-Pre-rules-triggered.png]
Process Termination:
[Screenshot: FortiEDR-DearCry-processtermination.png]

Post-execution:
Once executed with the Execution policies set to Simulation, FortiEDR blocks the attempt to encrypt files, starting with desktop.ini, which receives the .CRYPT extension:
[Screenshot: FortiEDR-DearCry-Post-execution.png]
Rules Triggered:
[Screenshot: FortiEDR-DearCry-Post-rules-triggered.png]
Service creation blocked:
[Screenshot: FortiEDR-DearCry-servicecreation-block.png]
Rules Triggered:
[Screenshot: FortiEDR-DearCry-servicecreation-rules-triggered.png]
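The three stages shown above (known sample executed, desktop.ini renamed to .CRYPT, service creation by the same process) can be expressed as a small triage rule over endpoint telemetry. This is an added example, not Fortinet's or FortiEDR's code; the event schema, field names and sample events are assumptions constructed for illustration, and only the SHA256 comes from this article.

```python
# Added example (not FortiEDR code): map constructed endpoint telemetry onto
# the pre- and post-execution stages the article shows FortiEDR blocking.
# The event schema (type / pid / sha256 / src / dst / name) is an assumption.
from pathlib import PureWindowsPath

# SHA256 quoted in the article as an example DearCry sample hash.
DEARCRY_SHA256 = "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6"
RANSOM_EXT = ".crypt"  # DearCry appends .CRYPT to encrypted files


def classify(events):
    """Return (stage, finding) tuples for a sequence of telemetry events.

    'process_start' events whose hash matches the known sample are flagged as
    pre-execution. 'file_rename' events whose destination ends in .CRYPT, and
    'service_create' events from a process already flagged, are post-execution.
    """
    flagged_pids = set()
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_start" and ev["sha256"].lower() == DEARCRY_SHA256:
            flagged_pids.add(ev["pid"])
            findings.append(("pre-execution", f"known DearCry hash, pid {ev['pid']}"))
        elif kind == "file_rename" and PureWindowsPath(ev["dst"]).suffix.lower() == RANSOM_EXT:
            flagged_pids.add(ev["pid"])
            findings.append(("post-execution", f"encryption attempt: {ev['src']} -> {ev['dst']}"))
        elif kind == "service_create" and ev["pid"] in flagged_pids:
            findings.append(("post-execution", f"service creation by flagged pid {ev['pid']}: {ev['name']}"))
    return findings


# Constructed sample telemetry (not real logs) mirroring the article's stages.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4242, "sha256": DEARCRY_SHA256},
    {"type": "file_rename", "pid": 4242,
     "src": r"C:\Users\Public\Desktop\desktop.ini",
     "dst": r"C:\Users\Public\Desktop\desktop.ini.CRYPT"},
    {"type": "service_create", "pid": 4242, "name": "constructed-service"},
    {"type": "service_create", "pid": 100, "name": "benign-service"},  # not flagged
]

if __name__ == "__main__":
    for stage, finding in classify(SAMPLE_EVENTS):
        print(f"[{stage}] {finding}")
```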

Additional Information:

An example SHA256 hash associated with DearCry:
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6

For more information about this ransomware attack, see the following FortiGuard Threat Signal Report:
Campaigns Leveraging Recent Microsoft Exchange Vulnerabilities to Install DoejoCrypt/DearCry Ransomw...
