Commit
Showing 1 changed file with 53 additions and 42 deletions.
@@ -1,10 +1,10 @@ | ||
# RansomLord Anti-Ransomware exploit tool. | ||
# RansomLord (NG) Anti-Ransomware exploit tool. | ||
Proof-of-concept tool that automates the creation of PE files, used to exploit ransomware pre-encryption. <br> | ||
|
||
Updated v3.1: https://github.com/malvuln/RansomLord/releases/tag/v3 | ||
Updated version NG: https://github.com/malvuln/RansomLord/releases/tag/NG | ||
|
||
Lang: C <br> | ||
SHA256: 647494bda466e645768d6f7d1cd051097aee319f88018d1a80547d8d538c98db | ||
SHA256: fcb259471a4a7afa938e3aa119bdff25620ae83f128c8c7d39266f410a7ec9aa | ||
|
||
Video PoC (old v2): <br > | ||
https://www.youtube.com/watch?v=_Ho0bpeJWqI | ||
|
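Review bot: the `SHA256:` line still does not say which artifact the hash covers, so a reader cannot verify `fcb259471a4a7afa938e3aa119bdff25620ae83f128c8c7d39266f410a7ec9aa` against the NG release; state the file name next to the hash. Two unchanged context lines in this hunk also no longer match the retitled "RansomLord (NG)" heading: `Video PoC (old v2): <br >` (stray space inside the tag, and the only demo referenced is two versions old), and the `Lang: C <br>` line could carry the build toolchain so the hash is reproducible.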
@@ -16,57 +16,68 @@ The DLLs may also provide additonal coverage against generic and info stealer ma | |
RansomLord and its exported DLLs are NOT malicious see -s flag for security info.<br> | ||
|
||
[Malvuln history] <br> | ||
In May 2022, I publicly disclosed a novel strategy to successfully defeat ransomware. | ||
Using a well known attacker technique (DLL hijack) to terminate malware pre-encryption. | ||
The first malware to be successfully exploited was from the group Lockbit MVID-2022-0572. | ||
Followed by Conti, REvil, BlackBasta and CryptoLocker proving many are vulnerable. | ||
RansomLord v1 intercepts and terminates malware tested from 33 different threat groups. | ||
Clop, Play, Royal, BlackCat (alphv), Yanluowang, DarkSide, Nokoyawa etc... | ||
|
||
[v3.1 Update] <br> | ||
RansomLord now intercepts and terminates ransomware tested from 49 different threat groups. <br> | ||
Adding StopCrypt, RisePro, RuRansom, MoneyMessage, CryptoFortress and Onyx to the victim list. <br> | ||
Windows event log feature -e flag will attempt to log the SHA256 hash of the ransomware. <br> | ||
Added -r flag to output a Sigma rule for detecting RansomLord activity using Windows event log. <br> | ||
|
||
[Generating exploits] <br> | ||
The -g flag lists ransomware to exploit based on the selected ransomware group. | ||
It will output a 32 or 64-bit DLL appropriately named based on the family selected. | ||
|
||
[Strategy] <br> | ||
The created DLL exploit file logic is simple, we check if the current directory | ||
is C:\Windows\System32. If not we grab our own process ID (PID) and terminate | ||
ourselves and the Malware pre-encryption as we now control code execution flow. | ||
|
||
[Event Log IOC] <br> | ||
The -e flag sets up a custom Windows Event source in the Windows registry. | ||
Events are written to 'Windows Logs\Application' as 'RansomLord' event ID 1 | ||
Malware name and full process path are also included in the general information. | ||
Windows event log feature -e flag will now log the SHA256 hash of the ransomware. | ||
May of 2022, I publicly disclosed a novel strategy to successfully defeat ransomware | ||
Using a well known attacker technique (DLL Hijack) to terminate Malware pre-encryption | ||
The first Malware to be successfully exploited was from Lockbit group MVID-2022-0572 | ||
Followed by Conti, REvil, BlackBasta and CryptoLocker proving many are vulnerable | ||
|
||
[NG Version] <br> | ||
Next gen version dumps process memory of the targeted Malware prior to termination <br> | ||
The process memory dump file MalDump.dmp varies in size and can be 50 MB plus <br> | ||
RansomLord now intercepts and terminates ransomware from 54 different threat groups <br> | ||
Adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever growing victim list <br> | ||
|
||
[DLL Exploit Generation] <br> | ||
The -g flag lists ransomware to exploit based on the selected ransomware group | ||
It will output a 32 or 64-bit DLL appropriately named based on the family selected | ||
|
||
[Strategy] <br> | ||
The created DLL exploit file logic is simple, we check if the current directory | ||
is C:\Windows\System32. If not we grab our own process ID (PID) and terminate | ||
ourselves and the Malware pre-encryption as we now control code execution flow | ||
|
||
[MalDump] <br> | ||
The -d flag creates a custom Windows registry key, that exploit DLLs will check | ||
to perform a process memory dump of Malware based on whether enabled=1 or disabled=0 | ||
Leveraging code execution vulnerabilities to dump cleartext strings etc from process | ||
memory to disk, may be useful as we may avoid PE unpacking, anti-debugging techniques | ||
or relying on fully executing the Malware | ||
|
||
[Event Log IOC] <br> | ||
The -e flag sets up a custom Windows Event source in the Windows registry | ||
Events are written to 'Windows Logs\Application' as 'RansomLord' event ID 1 | ||
Malware name, SHA256 hash and process path are included in the general information | ||
Due to potential errors, at times only the Malware path and name may get recorded | ||
|
||
[Sigma Rule Detection] <br> | ||
The -r flag saves the required Sigma rule RansomLord_Sigma.txt to disk | ||
The sigma rule is used along with the -e flag to enable endpoint detection capability | ||
Useful for IOC and alerting on potential Malware activity and may also help track down | ||
false positives E.g. programs run by end users that get terminated but are not malicious | ||
|
||
[DLL Map] <br> | ||
The -m flag displays ransomware groups, DLL required and architecture x32 or 64-bit. | ||
The -m flag displays ransomware groups, DLL required and architecture x32 or 64-bit | ||
|
||
[Trophy Room] <br> | ||
The -t flag lists old ransomware advisorys from 2022 with Malware vulnerability id. | ||
The -t flag lists old ransomware advisorys from 2022 with Malware vulnerability id | ||
|
||
[Warning] <br> | ||
The ransomware familys and or samples listed do NOT guarantee a successful outcome. | ||
Many factors can ruin success: different variants, OS versions, Malware location etc. | ||
Therefore, proceed with caution as mileage may vary, good luck. | ||
There is also the chance a vulnerable but legit program may be prevented from starting | ||
If ran from the same location exploit DLLs exists and the program is vulnerable to hijack | ||
Therefore, monitoring for RansomLord generated IOC alerts are helpful in such scenarios | ||
RansomLord proved a very high success rate within a virtual machine testing environment | ||
However, non vulnerable variants, OS version, environment or location etc. may ruin success | ||
|
||
[Test Environment] <br> | ||
Testing was done in a Windows 10 Virtual Machine and Win-7 embedded OS Thin-client. | ||
Primary testing was done in a Windows 10 Virtual Machine and Win-7 embedded OS Thin-client | ||
|
||
[About] <br> | ||
The -a flag general information, contact and disclaimer. | ||
Using this program and or its DLL files, you accept all risk and the full disclaimer. | ||
By John Page (aka Malvuln) Copyright (c) 2023 | ||
The -a flag general information, contact and disclaimer | ||
By using this software and or its DLL files, you accept all risk and the full disclaimer | ||
By John Page (aka malvuln) Copyright (c) 2024 - [email protected] | ||
|
||
<br> | ||
References: <br> | ||
https://web.archive.org/web/20220601204439/https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/ <br><br> | ||
https://web.archive.org/web/20220504180432/https://www.securityweek.com/vulnerabilities-allow-hijacking-most-ransomware-prevent-file-encryption/ <br><br> | ||
|
||
![RansomLord_v3 1_Victims](https://github.com/malvuln/RansomLord/assets/75002643/85d5fb8c-7dc5-4ca4-88c6-21c2d3401d51) | ||
|
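Review bot: the new [MalDump] block describes exploit DLLs reading `enabled=1` or `disabled=0` from a custom registry key, but neither the key path nor where `MalDump.dmp` is written is documented; since the dump is described as cleartext strings from process memory and can exceed 50 MB, the README should name the output location and note that the file holds sensitive memory and should be access-restricted. In [Event Log IOC], `Due to potential errors, at times only the Malware path and name may get recorded` should name the condition under which the SHA256 field is omitted so analysts reading event ID 1 know when to expect it. The [Strategy] lines hard-code `C:\Windows\System32` as the only directory from which the DLL does not terminate its host, so any legitimate program that loads a hijackable DLL from the staging location is killed; [Warning] acknowledges this, and the `-e`/`-r` alerting is the stated mitigation, so cross-reference it there. Spelling: `advisorys` on the [Trophy Room] line should read `advisories`, and `additonal` in the hunk header's context line should read `additional`.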