Download: https://github.com/malvuln/RansomLord
RansomLord is a proof-of-concept tool that automates the creation of PE files, used to compromise Ransomware pre-encryption.
Lang: C
SHA256: b0dfa2377d7100949de276660118bbf21fa4e56a4a196db15f5fb344a5da33ee
Video PoC:
https://www.youtube.com/watch?v=_Ho0bpeJWqI
RansomLord generated PE files are saved to disk in the x32 or x64 directorys where the program is run from.
Goal is to exploit code execution flaws inherent in certain strains of Ransomware
[Malvuln history]
In May 2022, I publicly disclosed a novel strategy to successfully defeat Ransomware. Using a well known attacker technique (DLL hijack) to terminate malware pre-encryption. The first malware to be successfully exploited was from the group Lockbit MVID-2022-0572. Followed by Conti, REvil, BlackBasta and CryptoLocker proving many are vulnerable. RansomLord v1 intercepts and terminates malware tested from 33 different threat groups. Clop, Play, Royal, BlackCat (alphv), Yanluowang, DarkSide, Nokoyawa etc...
[Generating exploits]
The -g flag lists Ransomware to exploit based on the selected Ransomware group. It will output a 32 or 64-bit DLL appropriately named based on the family selected.
[Strategy]
The created DLL exploit file logic is simple, we check if the current directory is C:\Windows\System32. If not we grab our own process ID (PID) and terminate ourselves and the Malware pre-encryption as we now control code execution flow.
[Event Log IOC]
The -e flag sets up a custom Windows Event source in the Windows registry. Events are written to 'Windows Logs\Application' as 'RansomLord' event ID 1 Malware name and full process path are also included in the general information.
[DLL Map]
The -m flag displays Ransomware groups, DLL required and architecture x32 or 64-bit.
[Trophy Room]
The -t flag lists old Ransomware advisorys from 2022 with Malware vulnerability id.