Message-ID: <CAAHK0WQZHaFHxCs_VV-wJaahyP3YwQWC3XJ7EG1kGhLar9DSQg@mail.gmail.com>
Date: Thu, 19 Jun 2025 01:58:34 -0400
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] RansomLord (NG v1.0) anti-ransomware exploit tool
First official NG versioned release with significant updates, fixes
and new features.
https://github.com/malvuln/RansomLord/releases/tag/v1.0
RansomLord (NG) v1.0 Anti-Ransomware exploit tool.
Proof-of-concept tool that automates the creation of PE files, used to
exploit ransomware pre-encryption.
Lang: C
SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A
Deweaponize feature PoC video:
https://www.youtube.com/watch?v=w5TKNvnE0_g
Exploit x32/x64 DLL MD5:
61126F5D55BA58398C317814389CF05C
3CB517B752D6668FDC06BE8F1664378A
RansomLordNG v1.0 DLLs intercept and terminate ransomware from
sixty-one threat groups, adding VanHelsing, Pe32Ransom, Makop,
Superblack, Mamona, Lynx and Fog to the pwned list. Note: if you plan
on testing Fog ransomware, you will have to bypass many malware
anti-analysis and anti-debugging techniques. Failure to do that will
result in 'Sandbox detected! Exiting process...'
[deweaponize]
The deweaponize feature (experimental/optional) attempts to render
malware inoperable. This experimental option potentially works for
malware run with high integrity (Admin). The goal is to reduce the risk
of subsequent malware execution post-exploitation, whether by accident
or from improper malware handling during DFIR or other security
response operations.
[SHA256 improved]
The NG v1.0 release also contains more reliable, stable SHA256 hash
generation for event logging. In prior versions, hashing was done by
creating a new process in memory that used the native Windows
certutil.exe to try and calculate a malware's SHA256 hash; this worked
intermittently at best. Now malware is hashed more reliably in C code,
using the public informational standard RFC 4634.
[Event Log IOC]
The -e flag sets up a custom Windows Event source in the Windows
registry. Events are written to 'Windows Logs\Application' as
'RansomLord' event ID 1; the malware name, SHA256 hash and process path
are included in the general information. Additional logging now
includes the DLL name that intercepted the malware. In addition, if
deweaponize and/or MalDump is enabled, they are also logged to the
general information.
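The standard Windows mechanism behind an option like -e, as an added example (not RansomLord's own code): a registry key under EventLog\Application makes the Application log accept a custom source, and ReportEvent writes event ID 1 with the IOC fields as insertion strings. The field labels, their order, the TypesSupported value and the function names are this example's assumptions, not the tool's actual format; format_ioc() is portable so the record layout can be checked anywhere, and the Win32 calls are compiled only on Windows.

```c
/* Added example, not RansomLord code: writing a 'RansomLord' event ID 1
 * IOC record to the Application log from a custom event source. */
#include <stdio.h>
#include <string.h>

#define IOC_FIELDS 6

typedef struct {
    const char *malware_name;
    const char *sha256;
    const char *process_path;
    const char *dll_name;   /* DLL that intercepted the sample */
    int deweaponized;       /* deweaponize option was active */
    int maldump;            /* MalDump option was active */
} ioc_record;

/* Builds one "Label: value" insertion string per field (layout is assumed).
 * Returns the number of strings written. */
int format_ioc(const ioc_record *r, char strs[IOC_FIELDS][512]) {
    snprintf(strs[0], 512, "Malware: %s", r->malware_name);
    snprintf(strs[1], 512, "SHA256: %s", r->sha256);
    snprintf(strs[2], 512, "Process: %s", r->process_path);
    snprintf(strs[3], 512, "Intercepted by: %s", r->dll_name);
    snprintf(strs[4], 512, "Deweaponize: %s", r->deweaponized ? "yes" : "no");
    snprintf(strs[5], 512, "MalDump: %s", r->maldump ? "yes" : "no");
    return IOC_FIELDS;
}

#ifdef _WIN32
#include <windows.h>
#define SOURCE_NAME  "RansomLord"
#define EVENTLOG_KEY "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\" SOURCE_NAME

/* Creates HKLM\...\EventLog\Application\RansomLord (requires admin once).
 * No EventMessageFile is registered here, so Event Viewer prefixes the
 * event with "The description for Event ID 1 from source RansomLord cannot
 * be found" but still displays every insertion string in the General tab. */
int register_event_source(void) {
    HKEY key;
    DWORD types = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE;
    if (RegCreateKeyExA(HKEY_LOCAL_MACHINE, EVENTLOG_KEY, 0, NULL, 0,
                        KEY_SET_VALUE, NULL, &key, NULL) != ERROR_SUCCESS)
        return 0;
    RegSetValueExA(key, "TypesSupported", 0, REG_DWORD, (const BYTE *)&types, sizeof types);
    RegCloseKey(key);
    return 1;
}

/* Writes the record as event ID 1 (warning) under the RansomLord source. */
int log_ioc(const ioc_record *r) {
    char strs[IOC_FIELDS][512];
    LPCSTR ptrs[IOC_FIELDS];
    HANDLE h;
    BOOL ok;
    int i, n = format_ioc(r, strs);
    for (i = 0; i < n; i++) ptrs[i] = strs[i];
    h = RegisterEventSourceA(NULL, SOURCE_NAME);
    if (!h) return 0;
    ok = ReportEventA(h, EVENTLOG_WARNING_TYPE, 0, 1, NULL, (WORD)n, 0, ptrs, NULL);
    DeregisterEventSource(h);
    return ok ? 1 : 0;
}
#endif

int main(void) {
    /* Constructed sample record; hash and paths are placeholders, not a real IOC. */
    ioc_record r = { "SampleRansom", "0000000000000000000000000000000000000000000000000000000000000000",
                     "C:\\Users\\lab\\Desktop\\sample.exe", "version.dll", 1, 0 };
    char strs[IOC_FIELDS][512];
    int i, n = format_ioc(&r, strs);
    for (i = 0; i < n; i++) puts(strs[i]);
#ifdef _WIN32
    return (register_event_source() && log_ioc(&r)) ? 0 : 1;
#else
    return 0;
#endif
}
```

On the responder side the same events can be pulled with PowerShell's Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='RansomLord'; Id=1}, which makes the source name and event ID a convenient pair to alert on from a SIEM.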
malvuln
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/