How to use FortiClient to detect, mitigate and recover Black Basta Ransomware

This article describes how to configure FortiClient to detect, mitigate, and recover from Black Basta Ransomware.

Scope

Configuration of FortiClient EMS, how endpoints will see the detection, recovery, and logs.

Solution

On the EMS, go to Endpoint Profiles > Malware Protection profile, enable Anti-Ransomware, and also enable the 'Enable File Backup' option.

More information on the FortiClient EMS Malware Protection feature can be found in this related document: EMS Administration Guide

Anti-Ransomware on Endpoints

Once FortiClient is connected to EMS, endpoints receive the Anti-Ransomware configuration set up in the previous step.

The moment a suspicious ransomware activity is detected, FortiClient will show a pop-up window notification just like below.

This allows the user to terminate the suspicious ransomware process; upon process termination, the user sees the notification below in the FortiClient tray.

The FortiClient GUI shows the number of quarantined files under the Malware Protection section, as shown below.

FortiClient quarantines all files affected by the ransomware attack and terminates the ransomware. Selecting the number link shows the quarantined files.

FortiClient recovers the affected files to their original state. The list of 'Recovered files' can be seen in the FortiClient GUI as shown below.

The recovered files appear in the file browser as shown below:

FortiClient log for ransomware event

To get logs from FortiClient, go under Settings > Export logs.
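The exported log is where an administrator confirms the full sequence the GUI shows above: a detection, the terminated process, the quarantined files and which of them were actually recovered. The script below is an added example, not FortiClient's own tooling, and the sample lines it parses are constructed in an assumed key=value layout (the real export format may differ; adjust the field names and message strings to what your export contains). It extracts the anti-ransomware events and flags any quarantined file that has no matching recovery entry, which is the case that needs manual follow-up.

```python
import re
from collections import defaultdict

# Constructed sample export. The key=value layout and message strings are
# assumptions for this example, not FortiClient's documented log format.
SAMPLE_LOG = r"""
date=2024-03-01 time=10:01:05 level=warning type=antiransomware msg="suspicious ransomware activity detected" process="C:\Users\user\AppData\Local\Temp\enc.exe" pid=4120
date=2024-03-01 time=10:01:06 level=info type=antiransomware msg="file quarantined" file="C:\Users\user\Documents\report.docx" pid=4120
date=2024-03-01 time=10:01:06 level=info type=antiransomware msg="file quarantined" file="C:\Users\user\Documents\budget.xlsx" pid=4120
date=2024-03-01 time=10:01:09 level=info type=antiransomware msg="process terminated" process="C:\Users\user\AppData\Local\Temp\enc.exe" pid=4120
date=2024-03-01 time=10:01:12 level=info type=antiransomware msg="file recovered" file="C:\Users\user\Documents\report.docx" pid=4120
date=2024-03-01 time=10:02:00 level=info type=antivirus msg="signature update"
"""

# Matches key=value pairs where the value is either quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of fields for one log line, or None for blank lines."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(text):
    """Summarize anti-ransomware events from an exported log.

    Returns detection count, terminated PIDs, quarantined and recovered files,
    and the list of quarantined files with no matching recovery entry.
    """
    detections = 0
    terminated = set()
    quarantined = set()
    recovered = set()
    files_by_pid = defaultdict(set)  # which files each suspicious process touched

    for raw in text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("type") != "antiransomware":
            continue  # ignore blank lines and other modules (antivirus, webfilter, ...)
        msg = ev.get("msg", "")
        if msg == "suspicious ransomware activity detected":
            detections += 1
        elif msg == "process terminated":
            terminated.add(ev.get("pid"))
        elif msg == "file quarantined":
            quarantined.add(ev["file"])
            files_by_pid[ev.get("pid")].add(ev["file"])
        elif msg == "file recovered":
            recovered.add(ev["file"])

    return {
        "detections": detections,
        "terminated_pids": terminated,
        "quarantined": quarantined,
        "recovered": recovered,
        # Quarantined but never recovered: restore from backup or review by hand.
        "unrecovered": sorted(quarantined - recovered),
        "files_by_pid": dict(files_by_pid),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"detections: {result['detections']}, terminated PIDs: {sorted(result['terminated_pids'])}")
    print(f"quarantined: {len(result['quarantined'])}, recovered: {len(result['recovered'])}")
    for path in result["unrecovered"]:
        print(f"NEEDS REVIEW (quarantined, not recovered): {path}")
```

Run it against a real export by reading the file into `summarize()`; the `unrecovered` list is the one to act on, since the GUI's "Recovered files" view only shows what succeeded.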

How EMS Can See Detection

Once the ransomware file is detected by FortiClient, the event will be sent to EMS where the FortiClient is registered. The event can be seen on the EMS endpoints page as shown below.