Message-ID: <CAAHK0WQZHaFHxCs_VV-wJaahyP3YwQWC3XJ7EG1kGhLar9DSQg@mail.gmail.com>
Date: Thu, 19 Jun 2025 01:58:34 -0400
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] RansomLord (NG v1.0) anti-ransomware exploit tool

First official NG versioned release with significant updates, fixes
and new features
https://github.com/malvuln/RansomLord/releases/tag/v1.0

RansomLord (NG) v1.0 Anti-Ransomware exploit tool.
Proof-of-concept tool that automates the creation of PE files, used to
exploit ransomware pre-encryption.

Lang: C
SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A

Deweaponize feature PoC video:
https://www.youtube.com/watch?v=w5TKNvnE0_g

Exploit x32/x64 DLL MD5:
61126F5D55BA58398C317814389CF05C
3CB517B752D6668FDC06BE8F1664378A

RansomLordNG v1.0 DLLs intercept and terminate ransomware from
sixty-one threat groups, adding VanHelsing, Pe32Ransom, Makop,
Superblack, Mamona, Lynx and Fog to the pwned list. Note: if you plan
on testing Fog ransomware, you will have to bypass many malware
anti-analysis and anti-debugging techniques. Failure to do that will
result in 'Sandbox detected! Exiting process...'

[deweaponize]
The deweaponize feature (experimental/optional) attempts to render a
malware sample inoperable. This experimental option potentially works
for malware run with high integrity (Admin). The goal is to reduce the
risk of subsequent malware execution post exploitation, whether by
accident or from improper malware handling during DFIR or other
security response operations.

[SHA256 improved]
The NG v1.0 release also contains more reliable, stable SHA256 hash
generation for event logging. In prior versions, hashing was done by
creating a new process in memory that used the native Windows
certutil.exe to try and calculate a malware's SHA256 hash; this worked
intermittently at best. Now malware is hashed more reliably in C code,
using the public informational standard RFC 4634.

[Event Log IOC]
The -e flag sets up a custom Windows Event source in the Windows
registry. Events are written to 'Windows Logs\Application' as source
'RansomLord', event ID 1; the malware name, SHA256 hash and process
path are included in the general information. Additional logging now
includes the name of the DLL that intercepted the malware. In addition,
if deweaponize and/or MalDump is enabled, that is also logged to the
general information.
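A triage query a responder could run against the event source described above, as an added example that is not part of the RansomLord project. It assumes only the provider name 'RansomLord' and event ID 1 stated in this post; because the message layout is not documented here, the SHA256 and process path are pulled out with loose patterns and the full message text is kept alongside them.

```powershell
# Added example, not RansomLord project code. Collects RansomLord event ID 1
# entries from the Application log and shapes them into IOC records for an
# incident ticket. Provider name and event ID are taken from the announcement;
# the field patterns below are assumptions about the message text.

function Get-RansomLordEvents {
    param(
        [int]$MaxEvents = 100,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'RansomLord'   # custom source registered by the -e flag
        Id           = 1
        StartTime    = $Since
    }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result
        return @()
    }
    foreach ($e in $events) {
        $msg = $e.Message
        # SHA256 is logged in the general information; grab the first 64-hex token
        $sha = if ($msg -match '\b[0-9A-Fa-f]{64}\b') { $Matches[0].ToUpper() } else { $null }
        # Process path: first absolute Windows path ending in .exe (assumed layout)
        $path = if ($msg -match '[A-Za-z]:\\[^\r\n"]+?\.exe') { $Matches[0] } else { $null }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            SHA256      = $sha
            ProcessPath = $path
            Deweaponize = [bool]($msg -match 'deweaponize')   # -match is case-insensitive
            MalDump     = [bool]($msg -match 'MalDump')
            Message     = $msg
        }
    }
}

# Usage: export the last week of interceptions as a CSV of IOCs for the IR record
Get-RansomLordEvents | Export-Csv -Path .\ransomlord-events.csv -NoTypeInformation
```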

malvuln
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/