Help
FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
keithli_FTNT
Staff
Staff

Created on ‎03-16-2021 04:55 PM Edited on ‎08-29-2022 06:31 AM By Community Manager

Article Id 190099

Threat Coverage: How FortiEDR blocks DearCry ransomware attacks

Description


This article describes how FortiEDR natively blocks the DearCry ransomware attack.

DearCry, or DoejoCrypt, is installed in human-operated attacks using the MS.Exchange server exploits.

 

Here are the stages of execution observed in FortiEDR.
 
Pre-execution:
 
Once executed FortiEDR blocks:
FortiEDR-DearCry-Pre-execution-block.png
Rules Triggered:
FortiEDR-DearCry-Pre-rules-triggered.png
Process Termination:

FortiEDR-DearCry-processtermination.png

 
Post-execution:
Once executed with Execution policies set to simulation, FortiEDR blocks the attempt of encrypting the files – starting with desktop.ini with the extension of .CRYPT:
 
FortiEDR-DearCry-Post-execution.png
Rules Triggered:

FortiEDR-DearCry-Post-rules-triggered.png

Service creation blocked:

FortiEDR-DearCry-servicecreation-block.png

 
 

FortiEDR-DearCry-servicecreation-rules-triggered.png

Additional Information:

An example SHA256 hash associated with DearCry:
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
 
For more information about this ransomware attack, see the following FortiGuard Threat Signal Report:

Campaigns Leveraging Recent Microsoft Exchange Vulnerabilities to Install DoejoCrypt/DearCry Ransomw...

1517
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.