Update README.md
malvuln authored Dec 13, 2024
1 parent f22f12c commit 0c3a98a
Showing 1 changed file with 53 additions and 42 deletions.
@@ -1,10 +1,10 @@
# RansomLord Anti-Ransomware exploit tool.
# RansomLord (NG) Anti-Ransomware exploit tool.
Proof-of-concept tool that automates the creation of PE files, used to exploit ransomware pre-encryption. <br>

Updated v3.1: https://github.com/malvuln/RansomLord/releases/tag/v3
Updated version NG: https://github.com/malvuln/RansomLord/releases/tag/NG

Lang: C <br>
SHA256: 647494bda466e645768d6f7d1cd051097aee319f88018d1a80547d8d538c98db
SHA256: fcb259471a4a7afa938e3aa119bdff25620ae83f128c8c7d39266f410a7ec9aa

Video PoC (old v2): <br >
https://www.youtube.com/watch?v=_Ho0bpeJWqI
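Review bot: the replaced SHA256 line still does not say which file the hash belongs to; tie it to the artifact (the NG release archive or the RansomLord binary inside it) so a reader can actually verify a download against it, and consider keeping the previous v3 hash next to the old release link instead of dropping it, since that release is still published. Minor style point on the same hunk: `<br >` on the "Video PoC (old v2)" line has a stray space, `<br>` is the form used everywhere else in the file.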
Expand All @@ -16,57 +16,68 @@ The DLLs may also provide additonal coverage against generic and info stealer ma
RansomLord and its exported DLLs are NOT malicious see -s flag for security info.<br>

[Malvuln history] <br>
In May 2022, I publicly disclosed a novel strategy to successfully defeat ransomware.
Using a well known attacker technique (DLL hijack) to terminate malware pre-encryption.
The first malware to be successfully exploited was from the group Lockbit MVID-2022-0572.
Followed by Conti, REvil, BlackBasta and CryptoLocker proving many are vulnerable.
RansomLord v1 intercepts and terminates malware tested from 33 different threat groups.
Clop, Play, Royal, BlackCat (alphv), Yanluowang, DarkSide, Nokoyawa etc...

[v3.1 Update] <br>
RansomLord now intercepts and terminates ransomware tested from 49 different threat groups. <br>
Adding StopCrypt, RisePro, RuRansom, MoneyMessage, CryptoFortress and Onyx to the victim list. <br>
Windows event log feature -e flag will attempt to log the SHA256 hash of the ransomware. <br>
Added -r flag to output a Sigma rule for detecting RansomLord activity using Windows event log. <br>

[Generating exploits] <br>
The -g flag lists ransomware to exploit based on the selected ransomware group.
It will output a 32 or 64-bit DLL appropriately named based on the family selected.

[Strategy] <br>
The created DLL exploit file logic is simple, we check if the current directory
is C:\Windows\System32. If not we grab our own process ID (PID) and terminate
ourselves and the Malware pre-encryption as we now control code execution flow.

[Event Log IOC] <br>
The -e flag sets up a custom Windows Event source in the Windows registry.
Events are written to 'Windows Logs\Application' as 'RansomLord' event ID 1
Malware name and full process path are also included in the general information.
Windows event log feature -e flag will now log the SHA256 hash of the ransomware.
May of 2022, I publicly disclosed a novel strategy to successfully defeat ransomware
Using a well known attacker technique (DLL Hijack) to terminate Malware pre-encryption
The first Malware to be successfully exploited was from Lockbit group MVID-2022-0572
Followed by Conti, REvil, BlackBasta and CryptoLocker proving many are vulnerable

[NG Version] <br>
Next gen version dumps process memory of the targeted Malware prior to termination <br>
The process memory dump file MalDump.dmp varies in size and can be 50 MB plus <br>
RansomLord now intercepts and terminates ransomware from 54 different threat groups <br>
Adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever growing victim list <br>

[DLL Exploit Generation] <br>
The -g flag lists ransomware to exploit based on the selected ransomware group
It will output a 32 or 64-bit DLL appropriately named based on the family selected

[Strategy] <br>
The created DLL exploit file logic is simple, we check if the current directory
is C:\Windows\System32. If not we grab our own process ID (PID) and terminate
ourselves and the Malware pre-encryption as we now control code execution flow

[MalDump] <br>
The -d flag creates a custom Windows registry key, that exploit DLLs will check
to perform a process memory dump of Malware based on whether enabled=1 or disabled=0
Leveraging code execution vulnerabilities to dump cleartext strings etc from process
memory to disk, may be useful as we may avoid PE unpacking, anti-debugging techniques
or relying on fully executing the Malware

[Event Log IOC] <br>
The -e flag sets up a custom Windows Event source in the Windows registry
Events are written to 'Windows Logs\Application' as 'RansomLord' event ID 1
Malware name, SHA256 hash and process path are included in the general information
Due to potential errors, at times only the Malware path and name may get recorded

[Sigma Rule Detection] <br>
The -r flag saves the required Sigma rule RansomLord_Sigma.txt to disk
The sigma rule is used along with the -e flag to enable endpoint detection capability
Useful for IOC and alerting on potential Malware activity and may also help track down
false positives E.g. programs run by end users that get terminated but are not malicious

[DLL Map] <br>
The -m flag displays ransomware groups, DLL required and architecture x32 or 64-bit.
The -m flag displays ransomware groups, DLL required and architecture x32 or 64-bit

[Trophy Room] <br>
The -t flag lists old ransomware advisorys from 2022 with Malware vulnerability id.
The -t flag lists old ransomware advisorys from 2022 with Malware vulnerability id

[Warning] <br>
The ransomware familys and or samples listed do NOT guarantee a successful outcome.
Many factors can ruin success: different variants, OS versions, Malware location etc.
Therefore, proceed with caution as mileage may vary, good luck.
There is also the chance a vulnerable but legit program may be prevented from starting
If ran from the same location exploit DLLs exists and the program is vulnerable to hijack
Therefore, monitoring for RansomLord generated IOC alerts are helpful in such scenarios
RansomLord proved a very high success rate within a virtual machine testing environment
However, non vulnerable variants, OS version, environment or location etc. may ruin success

[Test Environment] <br>
Testing was done in a Windows 10 Virtual Machine and Win-7 embedded OS Thin-client.
Primary testing was done in a Windows 10 Virtual Machine and Win-7 embedded OS Thin-client

[About] <br>
The -a flag general information, contact and disclaimer.
Using this program and or its DLL files, you accept all risk and the full disclaimer.
By John Page (aka Malvuln) Copyright (c) 2023
The -a flag general information, contact and disclaimer
By using this software and or its DLL files, you accept all risk and the full disclaimer
By John Page (aka malvuln) Copyright (c) 2024 - [email protected]

<br>
References: <br>
https://web.archive.org/web/20220601204439/https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/ <br><br>
https://web.archive.org/web/20220504180432/https://www.securityweek.com/vulnerabilities-allow-hijacking-most-ransomware-prevent-file-encryption/ <br><br>

![RansomLord_v3 1_Victims](https://github.com/malvuln/RansomLord/assets/75002643/85d5fb8c-7dc5-4ca4-88c6-21c2d3401d51)
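Review bot: the [Strategy] paragraph carried over into this hunk describes the kill condition as "the current directory is C:\Windows\System32", which is ambiguous: a process's working directory and the directory the DLL was loaded from are different things, and the README should state which one the DLL actually tests, because that check is what separates a benign load from a termination (and it is also what the [Warning] section's "legit program ... prevented from starting" case hinges on). In the new [MalDump] section, name the registry key and value that -d creates and say where MalDump.dmp is written; the IOC and Sigma guidance in [Event Log IOC] and [Sigma Rule Detection] only helps defenders who know both, and the dump holds live memory of a malware process, so it should be handled as a malicious sample rather than an ordinary log file. Spelling in the changed lines: "advisorys" should be "advisories", "familys" should be "families", "additonal" in the hunk header context should be "additional", and the rewritten history lines ("May of 2022, I publicly disclosed ...") dropped their sentence-ending periods while the rest of the file keeps them.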
