RansomLord is a proof-of-concept anti-ransomware exploitation tool that automates the creation of PE files used to compromise ransomware pre-encryption.
The goal is to exploit vulnerabilities inherent in certain strains of ransomware by deploying exploits to defend the network!
The DLLs may also provide additional coverage against generic and info-stealer malware.
RansomLord and its exported DLLs are NOT malicious; see the -s flag for security info.
Updates and Features
- RansomLord now intercepts and terminates ransomware tested from 49 different threat groups.
- Adding StopCrypt, RisePro, RuRansom, MoneyMessage, CryptoFortress and Onyx to the victim list.
- The Windows event IOC log now includes the SHA256 hash plus the full path of the intercepted malware.
Generating exploits
The -g flag lists ransomware to exploit based on the selected ransomware group. It will output a 32 or 64-bit DLL appropriately named based on the family selected.
Strategy
The created DLL exploit file's logic is simple: it checks whether the current directory is C:\Windows\System32. If not, it grabs its own process ID (PID) and terminates itself, and with it the malware, pre-encryption, since at that point we control the code execution flow.
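The decision logic of such a DLL, as an added example that is not RansomLord's own source: the directory comparison is kept as a portable, testable function, and the Windows-only DllMain (which uses the GetCurrentProcess() pseudo-handle instead of looking up the PID) is compiled only under _WIN32.

```c
/* Added example (not RansomLord's own code): the decision logic of a "kill
 * switch" DLL as described in Strategy. If the loading process's current
 * directory is not C:\Windows\System32, we assume the DLL was loaded by the
 * malware from its own directory and terminate the host before encryption. */
#include <stddef.h>
#include <ctype.h>
#include <string.h>

#define TRUSTED_DIR "C:\\Windows\\System32"   /* only location left alone */

/* Case-insensitive path compare, tolerating a trailing backslash.
 * Returns 1 when cwd is exactly the trusted directory, else 0. */
int is_trusted_dir(const char *cwd)
{
    size_t n = strlen(cwd);
    if (n > 0 && cwd[n - 1] == '\\')
        n--;
    if (n != strlen(TRUSTED_DIR))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)cwd[i]) != tolower((unsigned char)TRUSTED_DIR[i]))
            return 0;
    return 1;
}

/* 1 = terminate the host process, 0 = leave it running. A NULL/empty cwd
 * (GetCurrentDirectory failed) is treated as untrusted. */
int should_terminate(const char *cwd)
{
    if (cwd == NULL || cwd[0] == '\0')
        return 1;
    return !is_trusted_dir(cwd);
}

#ifdef _WIN32   /* Windows-only part: runs when the malware loads the DLL */
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char cwd[MAX_PATH] = {0};
        DWORD len = GetCurrentDirectoryA(MAX_PATH, cwd);
        /* GetCurrentProcess() is a handle to ourselves, so no PID lookup needed */
        if (should_terminate(len ? cwd : NULL))
            TerminateProcess(GetCurrentProcess(), 1);
    }
    return TRUE;
}
#endif
```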
Event Log IOC
The -e flag sets up a custom Windows Event source in the Windows registry. Events are written to ‘Windows Logs\Application’ with source ‘RansomLord’ and event ID 1; the malware name and full process path are included in the general information. The event log feature (-e flag) now also logs the SHA256 hash of the ransomware.
DLL Map
The -m flag displays the ransomware groups, the DLL required, and the architecture (32 or 64-bit).
Trophy Room
The -t flag lists older ransomware advisories from 2022 with their malware vulnerability IDs.
Warning
The ransomware families and/or samples listed do NOT guarantee a successful outcome. Many factors can ruin success: different variants, OS versions, malware location, etc. Therefore, proceed with caution as mileage may vary; good luck.
Test Environment
Testing was done in a Windows 10 Virtual Machine and Win-7 embedded OS Thin-client.