keithli_FTNT (Staff)

Description

This article describes how FortiEDR natively blocks the DearCry ransomware attack.

DearCry, also known as DoejoCrypt, is deployed in human-operated attacks that use the Microsoft Exchange Server exploits.


Here are the stages of execution observed in FortiEDR.

Pre-execution:

Once the sample is executed, FortiEDR blocks it:
[Image: FortiEDR-DearCry-Pre-execution-block.png]
Rules triggered:
[Image: FortiEDR-DearCry-Pre-rules-triggered.png]
Process termination:
[Image: FortiEDR-DearCry-processtermination.png]


Post-execution:

When the sample is allowed to run (Execution policies set to Simulation), FortiEDR blocks the attempt to encrypt files, starting with desktop.ini, which the ransomware renames with the .CRYPT extension:

[Image: FortiEDR-DearCry-Post-execution.png]
Rules triggered:
[Image: FortiEDR-DearCry-Post-rules-triggered.png]

Service creation blocked:
[Image: FortiEDR-DearCry-servicecreation-block.png]
Rules triggered:
[Image: FortiEDR-DearCry-servicecreation-rules-triggered.png]

Additional Information:

An example SHA256 hash associated with DearCry:
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
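As an added triage example (not part of this article or of FortiEDR), the script below walks a directory tree and flags the two indicators the article names: files carrying the .CRYPT extension, which is the encryption stage the post-execution rules block starting with desktop.ini, and any file whose SHA256 matches the sample hash quoted above. The sample tree it builds is constructed for the demonstration; the `dropper.bin` hash added there is a constructed stand-in, not a real indicator.

```python
import hashlib
import os
import tempfile

# SHA256 quoted in the article for a DearCry sample.
DEARCRY_SHA256 = {"e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6"}
# Extension the article reports on encrypted files (desktop.ini is hit first).
ENCRYPTED_EXT = ".crypt"


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, iocs=DEARCRY_SHA256):
    """Return {'encrypted': [...], 'hash_match': [...]} for files under root."""
    findings = {"encrypted": [], "hash_match": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
            try:
                if sha256_of(path) in iocs:
                    findings["hash_match"].append(path)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
    return findings


def demo():
    """Constructed sample tree: one renamed desktop.ini, one clean file, one
    'dropper' whose hash is added to the IoC set only for this demonstration."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "desktop.ini.CRYPT"), "wb") as f:
        f.write(b"\x00" * 32)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("untouched")
    dropper = os.path.join(root, "dropper.bin")
    with open(dropper, "wb") as f:
        f.write(b"constructed sample, not real malware")
    return triage(root, iocs=DEARCRY_SHA256 | {sha256_of(dropper)})


if __name__ == "__main__":
    print(demo())
```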
 
For more information about this ransomware attack, see the following FortiGuard Threat Signal Report:

Campaigns Leveraging Recent Microsoft Exchange Vulnerabilities to Install DoejoCrypt/DearCry Ransomw...