lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAHK0WSktQNXuk-+m8DxpH7m1GKvVdarnW3oJ5gvXui=cSC3EA@mail.gmail.com> Date: Tue, 1 Aug 2023 20:31:02 -0400 From: malvuln <malvuln13@...il.com> To: fulldisclosure@...lists.org Subject: [FD] RansomLord v1 / Anti-Ransomware Exploit Tool RansomLord is a proof-of-concept tool that automates the creation of PE files, used to compromise Ransomware pre-encryption. Lang: C SHA256: b0dfa2377d7100949de276660118bbf21fa4e56a4a196db15f5fb344a5da33ee Video PoC: https://www.youtube.com/watch?v=_Ho0bpeJWqI Download: https://github.com/malvuln/RansomLord RansomLord generated PE files are saved to disk in the x32 or x64 directorys where the program is run from. Goal is to exploit code execution flaws inherent in certain strains of Ransomware [Malvuln history] In May 2022, I publicly disclosed a novel strategy to successfully defeat Ransomware. Using a well known attacker technique (DLL hijack) to terminate malware pre-encryption. The first malware to be successfully exploited was from the group Lockbit MVID-2022-0572. Followed by Conti, REvil, BlackBasta and CryptoLocker proving many are vulnerable. RansomLord v1 intercepts and terminates malware tested from 33 different threat groups. Clop, Play, Royal, BlackCat (alphv), Yanluowang, DarkSide, Nokoyawa etc... [Generating exploits] The -g flag lists Ransomware to exploit based on the selected Ransomware group. It will output a 32 or 64-bit DLL appropriately named based on the family selected. [Strategy] The created DLL exploit file logic is simple, we check if the current directory is C:\Windows\System32. If not we grab our own process ID (PID) and terminate ourselves and the Malware pre-encryption as we now control code execution flow. [Event Log IOC] The -e flag sets up a custom Windows Event source in the Windows registry. Events are written to 'Windows Logs\Application' as 'RansomLord' event ID 1 Malware name and full process path are also included in the general information. [DLL Map] The -m flag displays Ransomware groups, DLL required and architecture x32 or 64-bit. [Trophy Room] The -t flag lists old Ransomware advisorys from 2022 with Malware vulnerability id. [Warning] The Ransomware familys and or samples listed do NOT guarantee a successful outcome. Many factors can ruin success: different variants, OS versions, Malware location etc. Therefore, proceed with caution as mileage may vary, good luck. [Test Environment] Testing was done in a Windows 10 Virtual Machine and Win-7 embedded OS Thin-client. [About] The -a flag general information, contact and disclaimer. Using this program and or its DLL files, you accept all risk and the full disclaimer. By John Page (aka Malvuln) Copyright (c) 2023 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists