
RansomLord (NG) Anti-Ransomware exploit tool.

@malvuln malvuln released this 13 Dec 04:54
· 8 commits to main since this release
0c3a98a

This next generation version dumps the process memory of the targeted malware prior to termination. The process memory dump file, MalDump.dmp, varies in size and can be 50 MB or more. RansomLord now intercepts and terminates ransomware from 54 different threat groups, adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever-growing victim list.

Lang: C

SHA256: fcb259471a4a7afa938e3aa119bdff25620ae83f128c8c7d39266f410a7ec9aa

Video PoC (old v2):

https://www.youtube.com/watch?v=_Ho0bpeJWqI

The RansomLord NG version now has an option to dump the process memory of the targeted malware.

Why memory dump?
Performing static analysis on, e.g., the DarkRace ransomware sample (MD5: cfc7b4d9933483c25141ba49b4d5755e)
with a static analysis tool such as Detect It Easy (DIE) reveals no links or other interesting strings.

However, loading the MalDump.dmp file generated by RansomLordNG into DIE, we quickly find interesting strings like:

http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion
You can install qtox to contanct us online https://tox.chat/download.html
Tox ID Contact: 2793D009872AF80ED9B1A461F7B9BD6209744047DC1707A42CB622053716AD4BA624193606C9

Another sample, HydraCrypt (MD5: c2f30cd537c79b6bcd292e6824ea874e), reveals no interesting strings under basic static analysis. Again, using the RansomLordNG MalDump feature we quickly find interesting strings like "[email protected] - SUPPORT", etc.

RansomLordNG leverages code execution vulnerabilities and saves process memory to disk prior to terminating the malware, pre-encryption. This may be useful as we can possibly avoid unpacking, anti-debugging techniques or fully executing the malware.
The MalDump feature is optional and can be toggled: enabled=1 or disabled=0.
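As an added example, not code from the RansomLord project: a small Python triage script that does what the DIE step above does by hand, pulling printable ASCII and UTF-16LE strings out of a dump and classifying the contact/C2 indicators (onion URL, Tox ID, e-mail). The dump bytes and the e-mail address are constructed placeholders; the onion URL and Tox ID are the ones quoted above.

```python
import re
from typing import Dict, List

# Constructed stand-in for a MalDump.dmp region: binary filler around an ASCII
# .onion URL, an ASCII Tox contact line and a UTF-16LE support string, as they
# might sit in memory once the sample has unpacked itself.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\x03"
    b"http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion\x00"
    b"\xff\xfe\x7f"
    b"Tox ID Contact: 2793D009872AF80ED9B1A461F7B9BD6209744047DC1707A42CB622053716AD4BA624193606C9"
    b"\x00\x00\x00"
    + "support@example.invalid - SUPPORT".encode("utf-16-le")  # placeholder address
    + b"\x00\x00\x13\x37ab\x00"  # "ab" is too short to count as a string
)

# Indicator classes worth pulling out of a ransomware memory dump.
INDICATOR_PATTERNS = {
    "onion": re.compile(r"https?://[a-z2-7]{16,56}\.onion\b"),
    "tox_id": re.compile(r"\b[0-9A-F]{76}\b"),  # Tox IDs are 76 hex characters
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def extract_indicators(data: bytes, min_len: int = 6) -> Dict[str, List[str]]:
    """Classify the strings in a dump into contact/C2 indicators, de-duplicated."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATOR_PATTERNS}
    for s in extract_strings(data, min_len):
        for name, pat in INDICATOR_PATTERNS.items():
            for m in pat.finditer(s):
                if m.group() not in hits[name]:
                    hits[name].append(m.group())
    return hits


def scan_dump_file(path: str) -> Dict[str, List[str]]:
    """Run the extraction over a dump on disk, e.g. MalDump.dmp."""
    with open(path, "rb") as fh:
        return extract_indicators(fh.read())
```

Running `extract_indicators(SAMPLE_DUMP)` yields the onion URL, the Tox ID and the placeholder e-mail; `scan_dump_file("MalDump.dmp")` applies the same extraction to a real dump.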