RansomLord (NG) Anti-Ransomware Exploit Tool

2024.12.16
Credit: malvuln
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

https://github.com/malvuln/RansomLord/releases/tag/NG

This next generation version dumps process memory of the targeted malware prior to termination. The process memory dump file MalDump.dmp varies in size and can be 50 MB plus. RansomLord now intercepts and terminates ransomware from 54 different threat groups, adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever growing victim list.

Lang: C
SHA256: fcb259471a4a7afa938e3aa119bdff25620ae83f128c8c7d39266f410a7ec9aa
Video PoC (old v2): https://www.youtube.com/watch?v=_Ho0bpeJWqI

The RansomLord NG version now has an option to dump process memory of the targeted malware.

Why memory dump? Performing static analysis on, e.g., DarkRace ransomware (MD5: cfc7b4d9933483c25141ba49b4d5755e) using for example the Detect It Easy (DIE) static analysis tool reveals no links or other interesting strings. However, loading the MalDump.dmp file generated by RansomLordNG into DIE we may quickly find interesting strings like:

http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion
You can install qtox to contanct us online https://tox.chat/download.html
Tox ID Contact: 2793D009872AF80ED9B1A461F7B9BD6209744047DC1707A42CB622053716AD4BA624193606C9

Another sample, HydraCrypt (MD5: c2f30cd537c79b6bcd292e6824ea874e), reveals no interesting strings when doing basic static analysis. Again, using the RansomLordNG MalDump feature we quickly find interesting strings like "supl0@post.com - SUPPORT " etc.

RansomLordNG leverages code execution vulnerabilities and saves process memory to disk prior to termination of the malware, pre-encryption. This may be useful as we can possibly avoid unpacking, anti-debugging techniques or fully executing the malware. The MalDump feature is optional and can be toggled to enabled=1 or disabled=0.
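The triage step described above (pulling contact and infrastructure strings out of a MalDump.dmp file) can be automated instead of browsing the dump in DIE. The following is an added example written for this page, not code from RansomLord; the dump bytes it scans are constructed placeholders, not real indicators, and the `scan_dump` helper and the indicator patterns are this example's own choices.

```python
import mmap
import re

# Constructed sample bytes standing in for a slice of MalDump.dmp (not a real dump and
# not real indicators): an ASCII ransom-note fragment plus a UTF-16LE contact address.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00"
    b"http://exampleonionaddressexampleonionaddressexampleonionaddr.onion\x00"
    b"You can install qtox to contact us\x00"
    b"Tox ID Contact: " + b"AB" * 38 + b"\x00\x00"
    + "support@example.invalid".encode("utf-16-le") + b"\x00\x00\x01\x02\x03"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")           # printable ASCII runs
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # printable UTF-16LE runs

# Indicator shapes worth pulling out of a ransomware dump: Tor hidden-service
# hostnames, contact e-mail addresses and 76-hex-digit Tox IDs.
IOC_PATTERNS = {
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "tox_id": re.compile(r"\b[0-9A-Fa-f]{76}\b"),
}


def extract_strings(data) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of six or more characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def find_iocs(data) -> dict[str, list[str]]:
    """Bucket extracted strings by indicator type, de-duplicated, in order of appearance."""
    hits: dict[str, list[str]] = {name: [] for name in IOC_PATTERNS}
    for s in extract_strings(data):
        for name, pattern in IOC_PATTERNS.items():
            for match in pattern.findall(s):
                if match not in hits[name]:
                    hits[name].append(match)
    return hits


def scan_dump(path: str) -> dict[str, list[str]]:
    """Scan a dump file through mmap so a 50 MB+ MalDump.dmp is not copied into memory."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_iocs(mm)  # the re module searches the mmap buffer directly


if __name__ == "__main__":
    print(find_iocs(SAMPLE_DUMP))
```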

Copyright 2024, cxsecurity.com