Ransomlord – Anti-Ransomware Exploitation Tool


RansomLord is a proof-of-concept anti-ransomware exploitation tool that automates the creation of PE files (DLLs) used to compromise ransomware before it reaches the encryption stage.

The goal is to exploit vulnerabilities inherent in certain strains of ransomware, deploying exploits to defend the network.

The DLLs may also provide additional coverage against generic and info-stealer malware.
RansomLord and its exported DLLs are NOT malicious; see the -s flag for security info.

Updates and Features

  • RansomLord now intercepts and terminates ransomware tested from 49 different threat groups.
  • Adding StopCrypt, RisePro, RuRansom, MoneyMessage, CryptoFortress and Onyx to the victim list.
  • The Windows event IOC log now includes the SHA256 hash plus the full path of the intercepted malware.

Generating exploits

The -g flag lists the ransomware that can be exploited for the selected ransomware group. It outputs a 32- or 64-bit DLL, named appropriately for the family selected.

Strategy

The logic of the created DLL exploit file is simple: we check whether the current directory is C:\Windows\System32. If it is not, we grab our own process ID (PID) and terminate ourselves, and with us the malware that loaded the DLL, before encryption begins, since at that point we control the code execution flow.

Event Log IOC

The -e flag sets up a custom Windows Event source in the Windows registry. Events are written to ‘Windows Logs\Application’ under the source ‘RansomLord’ with event ID 1; the malware name and full process path are included in the general information. The -e flag now also logs the SHA256 hash of the ransomware.
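As an added example (not RansomLord's own code), the PowerShell below recreates the IOC event layout described above: a ‘RansomLord’ source in the Application log, event ID 1, and a message carrying the malware name, full path and SHA256. It also shows the defender's side, pulling those events back out for hunting. The field labels inside the message and the sample path are my own assumptions, not values taken from the tool.

```powershell
# Added example, not part of RansomLord. Mirrors the IOC layout the -e flag describes:
# source 'RansomLord' in the Application log, Event ID 1, message with malware name,
# full process path and SHA256. The "Malware/Path/SHA256" labels are assumed, not the tool's.

$Source  = 'RansomLord'
$LogName = 'Application'

function Register-RansomLordSource {
    # Creating an event source writes under
    # HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\<Source> and needs admin rights.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Write-RansomLordIoc {
    param(
        [Parameter(Mandatory)] [string] $MalwarePath,
        [string] $MalwareName = 'unknown'
    )
    # Hash the intercepted binary now, before it is deleted or moved by cleanup.
    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $MalwarePath).Hash
    $message = @"
RansomLord intercepted ransomware pre-encryption.
Malware : $MalwareName
Path    : $MalwarePath
SHA256  : $sha256
"@
    Write-EventLog -LogName $LogName -Source $Source -EventId 1 -EntryType Warning -Message $message
    return $sha256
}

function Get-RansomLordIoc {
    # Hunting side: every ID 1 event from the source, with the three fields parsed back out.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = 1 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Malware = [regex]::Match($m, 'Malware\s*:\s*(.+)').Groups[1].Value.Trim()
                Path    = [regex]::Match($m, 'Path\s*:\s*(.+)').Groups[1].Value.Trim()
                SHA256  = [regex]::Match($m, 'SHA256\s*:\s*(.+)').Groups[1].Value.Trim()
            }
        }
}

# Usage (run elevated); the sample path is constructed for illustration:
# Register-RansomLordSource
# Write-RansomLordIoc -MalwarePath 'C:\Users\Public\sample_ransomware.exe' -MalwareName 'StopCrypt'
# Get-RansomLordIoc | Format-Table -AutoSize
```

The SHA256 is computed before the event is written so the record survives even if the sample is later removed from disk; the `Get-RansomLordIoc` filter can be pointed at remote hosts with `Get-WinEvent -ComputerName` to sweep a fleet for interceptions.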

DLL Map

The -m flag displays the ransomware groups, the DLL each requires, and the architecture (32- or 64-bit).

Trophy Room

The -t flag lists older ransomware advisories from 2022 along with their malware vulnerability IDs.

Warning

The ransomware families and/or samples listed do NOT guarantee a successful outcome. Many factors can ruin success: different variants, OS versions, malware location, etc. Therefore proceed with caution, as mileage may vary; good luck.

Test Environment

Testing was done in a Windows 10 virtual machine and on a Windows 7 Embedded thin client.

Download Ransomlord
