Targeting the MS Exchange Exploit
Following initial compromise of the MS Exchange system, the attacker can execute the primary
objective. From monitoring these incidents, a new family of ransomware has been
detected. The threat is known as DoejoCrypt or DearCry.
https://twitter.com/MsftSecIntel/status/1370236539427459076
DearCry Ransomware
Fortinet Products Summary
FortiGate NGFW
FortiClient
FortiEDR
FortiAnalyzer
Threat Hunting Report
Anti-Virus
Anti-Virus
EDR
Event Handler
NGAV Detects & Blocks malware file transfers
84.00634
84.00634
SaaS
6.2, 6.4
Services
Version
Other info
FortiClient AV real-time protection blocks ransomware file
Existing behaviour detection & blocking of DoejoCrypt/DearCry ransomware activity out of the box.
January 6, 2021
Earliest Vulnerability Detection
Earliest detection of the MS Exchange vulnerability is covered in the Outbreak report:
On March 11, Microsoft released the following announcement referring to the ransomware:
https://twitter.com/MsftSecIntel/status/1370236539427459076
March 11, 2021
MSFT Annoucement
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C2
Action
FortiGate
FortiClient
FortiEDR
FortiMail
FortiSandbox
FortiAI
FortiCASB
FortiCWP
Version Info: 84.00634
Link: https://www.fortiguard.com/encyclopedia/virus/10009650/w32-dearcry-oge-tr-ransom
FortiClient
FortiEDR
FortiMail
FortiSandbox
FortiAI
FortiCASB
FortiCWP
Version Info: 84.00634
Link: https://www.fortiguard.com/encyclopedia/virus/10009650/w32-dearcry-oge-tr-ransom
FortiGuard Anti-Malware Protection
FortiAnalyzer Event Hanlders & Reports
Version Info: 6.2, 6.4
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51762
Other Info: Detects indicators attributed to DearCry from across the Security Fabric products.
Version Info: 6.2, 6.4
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51762
Other Info: Detects indicators attributed to DearCry from across the Security Fabric products.
SIEM Rules & Reports
Version Info: 5.x, 6.x
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51777
Other Info: Detects indicators attributed to DearCry from across the Security Fabric products and 3rd party.
Version Info: 5.x, 6.x
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51777
Other Info: Detects indicators attributed to DearCry from across the Security Fabric products and 3rd party.
FortiAnalyzer Event Handlers & Reports
FortiSIEM Rules & Reports
Analyzer / SIEM / SOAR Threat Hunting & Playbooks
Incident Response (Security Operations)
To help customers identify and protect vulnerable, FortiAnalyzer, FortiSIEM and FortiSOAR updates are
available to raise alerts and escalate to incident response:
Cyber Kill Chain
FortiSIEM
Rules & Threat Hunting Report
5.x, 6.x
FortiGuard Labs released the Threat Signal report:
https://www.fortiguard.com/threat-signal-report/3885/observed-in-the-wild-campaigns-leveraging-recent-microsoft-exchange-server-vulnerabilities-to-install-doejocrypt-dearcry-ransomware
March 12, 2021
Latest Developments
https://fndn.fortinet.net/FortiGuard-Alert-Outbreaks/Hafnium-full/
Anti-Ransomware
6.4
Detects & defuses the ransomware based on suspicious process behaviour.
FortiMail
FortiCASB
FortiCWP
FortiCASB
FortiCWP
Anti-Virus
84.00634
Detected by pre-filter or scan engines, as this is a known ransomware.
Behavior Detection
Version Info: SaaS
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51764
Other Info: Default FortiEDR and FortiXDR deployments detect and block DoejoCrypt/DearCry ransomware activity out of the box.
Version Info: SaaS
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51764
Other Info: Default FortiEDR and FortiXDR deployments detect and block DoejoCrypt/DearCry ransomware activity out of the box.
FortiEDR
Anti-Ransomware
Version Info: 6.4.3
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51766
Other Info: FortiClient Anti-ransomware engine identifies and defuses DearCry ransomware.
Version Info: 6.4.3
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51766
Other Info: FortiClient Anti-ransomware engine identifies and defuses DearCry ransomware.
FortiClient
FortiSandbox
Sandboxing
3.x
Existing behaviour detection of the ransomware (launching files, visible windows, etc.).
Behavior Detection
Version Info: 3.2
Link: https://filestore.fortinet.com/fortiguard/downloads/FortiSandbox_DearCry_Behaviour_Report.pdf
Other Info: FortiSandbox detects the ransomware behaviours of this malware, including (1) The file tries to launch the original file, and (2) The executable had visible window(s).
Version Info: 3.2
Link: https://filestore.fortinet.com/fortiguard/downloads/FortiSandbox_DearCry_Behaviour_Report.pdf
Other Info: FortiSandbox detects the ransomware behaviours of this malware, including (1) The file tries to launch the original file, and (2) The executable had visible window(s).
FortiSandbox
Detects indicators attributed to DearCry from Fabric products and 3rd parties.
Detects indicators attributed to DearCry from Fabric products.
Pre-filter
84.00634
Detected by pre-filter or scan engines, as this is a known ransomware.
FortiDeceptor
Decoy
3.x
A Deception Decoy that acts as a file server will detect the ransomware while encrypting the fake network
drive share on the infected endpoint.
Deception Lure (SMB) + Deception Decoy (file server)
Version Info: 3.x
Link: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD52010
Other Info: A Deception Decoy that acts as a file server will detect the ransomware while encrypting the fake network drive share on the infected endpoint.
Version Info: 3.x
Link: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD52010
Other Info: A Deception Decoy that acts as a file server will detect the ransomware while encrypting the fake network drive share on the infected endpoint.
FortiDeceptor
Artificial Neural Networks (ANN)
Version Info: 1.066
Link: https://filestore.fortinet.com/fortiguard/downloads/FortiAI_dearCry_c6eeb14485d93f4e30fb79f3a57518fc.pdf
Other Info: FortiAI detects as Ransomware, please see FortiAI VSA.
Version Info: 1.066
Link: https://filestore.fortinet.com/fortiguard/downloads/FortiAI_dearCry_c6eeb14485d93f4e30fb79f3a57518fc.pdf
Other Info: FortiAI detects as Ransomware, please see FortiAI VSA.
FortiAI
FortiAI
ANN
1.066
FortiAI detects the sample as Ransomware, please see FortiAI VSA.