FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 197052
This article describes how to use custom Rules and Report in FortiSIEM to detect activities that are related to the DearCry ransomware attack.

DearCry uses recent MS.Exchange server vulnerabilities to exploit its targets. For more information about this ransomware attack, see the Fortinet blog post:
New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities

These include the following virus signatures:
  •     W32/DearCry.OGE!tr
  •     W32/DearCry.OGE!tr.ransom
  •     W32/Filecoder.OGE!tr
  •     PossibleThreat.ARN.H
  •     W32/Encoder.OGE!tr.ransom
  •     W32/Encoder!tr

The report summarizes findings on DearCry attacks from FortiGate, FortiClient and FortiSandbox logs.

What is included in

1. DEARCRY_Report_v1.xml
The reports can be ran on historical data looking for indicators associated with DEARCRY.

2. DEARCRY_Rule_v2.xml
The Rules will detect indicators relating to the DEARCRY malware.

See the Solution section for instruction on how to load these into a FortiSIEM

The custom Rules and Reports can be loaded into FortiSIEM 5.x and 6.x versions.

All screen shots provided below for illustration purposes are taken from FortiSIEM 6.x

1. Download the file (contains 2 file)

2. Unzip

3. Use DEARCRY_Report_v1.xml as the file to import the Reports
    a. Navigate to Resource / Reports
    b. It is recommended that a new group under Resource / Reports / Security is created called “DEARCRY” and reports are imported to this group.
    c. Select the Import option under "More"
    d. Select DEARCRY _Report_v1.xml and import.

4. Use DEARCRY _Rule_v1.xml as the file to import the Rules
    a. Navigate to Resource / rules
    b. It is recommended that a new group under Resource / Rules / Security / Threat Hunting is created called “DEARCRY” and rules are imported to this group.
    c. Click the Import
    d. Select DEARCRY _Rules_v1.xml and import.
    e. Filter the rules on DEARCRY and ensure that they are Enabled.

Imported and enabled Rules:

Imported Reports: