REvil Ransomware
Targeting the Kaseya VSA Vulnerability
https://en.wikipedia.org/wiki/Revil
A recent high-profile exploit involving the Kaseya VSA product was linked to the REvil ransomware. This report summarizes the Fortinet Security Fabric coverage for the REvil ransomware itself. Refer to the separate report for more detail about the Kaseya vulnerability.
Background
The Kaseya incident is a high-profile outbreak, and information about the initial vulnerability that was exploited is still pending release. REvil is a known ransomware group/family that has been used in the past and is already covered by multiple Fortinet security products. Recently it has been used by attackers targeting the high-profile Kaseya VSA vulnerability to demand ransom from many global organizations, including MSPs that each represent many hundreds or thousands of customers underneath them. This report focuses specifically on REvil ransomware protection and IOC detection by the Security Fabric products.
Announced
July 5: REvil ransomware gang takes credit for the Kaseya attack
https://gizmodo.com/revil-gang-takes-credit-for-massive-kaseya-attack-and-a-1847232663

Latest Developments
Refer to the Kaseya timeline for the latest status of the on-premise patch and restoration of their SaaS service:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

Fortinet Products Summary

| Product | Services | Version | Other Info |
|---|---|---|---|
| FortiGate | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiClient | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiEDR | AV (Pre-filter) | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiEDR | EDR | v4+ | FortiEDR can be used to effectively detect and mitigate post-exploitation activity associated with this threat. |
| FortiSandbox | AV (Pre-filter) | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiSandbox | Behavior Detection | 3.2.2+ | FortiSandbox detects ransomware behaviors of the samples |
| FortiAI | AV (Pre-filter) | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiAI | ANN | 1.077 | Artificial Neural Networks (ANN) Engine detects the known hashes |
| FortiMail | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiCASB | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiCWP | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiADC | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiProxy | AV | 87.00359 | FortiGuard AV detects the REvil payloads and file extractor |
| FortiAnalyzer | IOC | 0.01915 | FortiGuard IOC detects past log-based events accessing known C&C IPs and domains |
| FortiAnalyzer | Event Handlers & Reports | 6.2+ | Detects indicators attributed to REvil from Fabric products. |
| FortiSIEM | IOC | 0.01915 | FortiGuard IOC detects past log-based events accessing known C&C IPs and domains |
| FortiSIEM | Rules & Reports | 6.2+ | Detects indicators attributed to REvil from Fabric products and 3rd party products. |
| FortiClient/EMS | ZTNA Auto Tagging | 6.4+ | Detects and tags endpoints that are suspected to be compromised by the REvil ransomware |
Cyber Kill Chain

Reconnaissance: no coverage listed
Weaponization: no coverage listed
Delivery:
  FortiGate
  FortiClient
  FortiEDR: AV (Pre-filter), Version Info: 87.00359, Link: https://www.fortiguard.com/encyclopedia/virus/10039110
  FortiSandbox: AV (Pre-filter), Version Info: 87.00359, Link: https://www.fortiguard.com/encyclopedia/virus/10039110
  FortiAI: AV (Pre-filter), Version Info: 87.00359, Link: https://www.fortiguard.com/encyclopedia/virus/10039110
  FortiMail
  FortiCASB
  FortiCWP
  FortiADC
  FortiProxy
Exploitation: no coverage listed
Installation:
  FortiEDR
C2: no coverage listed
Action: no coverage listed
Endpoint:
  FortiClient/EMS
Incident Response (Security Operations)

To help customers identify and protect vulnerable systems, FortiAnalyzer, FortiSIEM and FortiSOAR updates are available to raise alerts and escalate to incident response:

Analyzer / SIEM / SOAR Threat Hunting & Playbooks
  FortiAnalyzer: IOC, Version Info: 0.01915, Link: https://www.fortiguard.com/updates/ioc
  FortiSIEM: IOC, Version Info: 0.01915, Link: https://www.fortiguard.com/updates/ioc