RansomLord (NG v1.0) anti-ransomware exploit tool
RansomLord NG v1.0 released, adding automated PE file generation, a deweaponize feature and improved SHA256 hashing; it intercepts and terminates ransomware from 61 threat groups. 2025-6-24 03:12:26 Author: seclists.org


Full Disclosure mailing list archives


From: malvuln <malvuln13 () gmail com>
Date: Thu, 19 Jun 2025 01:58:34 -0400

First official NG versioned release with significant updates, fixes
and new features
https://github.com/malvuln/RansomLord/releases/tag/v1.0

RansomLord (NG) v1.0 Anti-Ransomware exploit tool.
Proof-of-concept tool that automates the creation of PE files, used to
exploit ransomware pre-encryption.

Lang: C
SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A

Deweaponize feature PoC video:
https://www.youtube.com/watch?v=w5TKNvnE0_g

Exploit x32/x64 DLL MD5:
61126F5D55BA58398C317814389CF05C
3CB517B752D6668FDC06BE8F1664378A

RansomLordNG v1.0 DLLs intercept and terminate ransomware from
sixty-one threat groups, adding VanHelsing, Pe32Ransom, Makop,
Superblack, Mamona, Lynx and Fog to the pwned list. Note: if you plan
on testing Fog ransomware, you will have to bypass many malware
anti-analysis and debugging techniques. Failure to do that will result
in 'Sandbox detected! Exiting process...'

[deweaponize]
The deweaponize feature (experimental/optional) attempts to render a
malware inoperable. This experimental option potentially works for
malware run with high integrity (Admin). The goal is to reduce the risk of
subsequent malware execution post exploitation by accident or from
improper malware handling during DFIR or other security response
operations.

[SHA256 improved]
The NG v1.0 release also contains more reliable, stable SHA256 hash
generation for event logging. In prior versions, hashing was done by
creating a new process in memory that used native Windows certutil.exe
to try and calculate a malware's SHA256 hash; this worked intermittently
at best. Now malware is hashed more reliably in C code, using the
public informational standard RFC4634.
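As an added illustration of the in-process hashing described above (example code written for this page, not RansomLord's own implementation), here is a self-contained SHA-256 in C that follows the algorithm in RFC 4634 / FIPS 180-4, with a helper that emits the uppercase hex form used for the hashes quoted in this post. The file-hashing main() and the sha256_hex_matches() self-check helper are assumptions added for demonstration; the values checked are the standard "abc", empty-string and 56-byte test vectors, the last of which exercises the two-block padding case.

```c
/* Added example, not RansomLord's own code: one-shot SHA-256 over a
 * buffer per RFC 4634 (FIPS 180-4), as an in-process alternative to
 * shelling out to certutil.exe.  Build: cc -std=c99 -o sha256 sha256.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROTR(x, n)   (((x) >> (n)) | ((x) << (32 - (n))))
#define CH(x, y, z)  (((x) & (y)) ^ (~(x) & (z)))
#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define BSIG0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define BSIG1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define SSIG0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
#define SSIG1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))

/* Round constants (RFC 4634 section 5.1). */
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };

/* Compress one 64-byte block into the running state h[8]. */
static void sha256_block(uint32_t h[8], const uint8_t blk[64])
{
    uint32_t w[64], a, b, c, d, e, f, g, hh;
    int t;
    for (t = 0; t < 16; t++)                 /* big-endian message words */
        w[t] = (uint32_t)blk[4*t] << 24 | (uint32_t)blk[4*t+1] << 16 |
               (uint32_t)blk[4*t+2] << 8 | (uint32_t)blk[4*t+3];
    for (t = 16; t < 64; t++)                /* message schedule */
        w[t] = SSIG1(w[t-2]) + w[t-7] + SSIG0(w[t-15]) + w[t-16];
    a = h[0]; b = h[1]; c = h[2]; d = h[3];
    e = h[4]; f = h[5]; g = h[6]; hh = h[7];
    for (t = 0; t < 64; t++) {
        uint32_t t1 = hh + BSIG1(e) + CH(e, f, g) + K[t] + w[t];
        uint32_t t2 = BSIG0(a) + MAJ(a, b, c);
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

/* Hash len bytes of data; writes the 32-byte digest to out. */
void sha256(const uint8_t *data, size_t len, uint8_t out[32])
{
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint8_t pad[128];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem, padlen;
    int k;
    for (i = 0; i + 64 <= len; i += 64)      /* all full blocks */
        sha256_block(h, data + i);
    /* Padding: 0x80, zeros, then the 64-bit big-endian bit length; if
     * fewer than 8 bytes are left after 0x80, a second block is needed. */
    rem = len - i;
    memset(pad, 0, sizeof pad);
    memcpy(pad, data + i, rem);
    pad[rem] = 0x80;
    padlen = (rem < 56) ? 64 : 128;
    for (k = 0; k < 8; k++)
        pad[padlen - 1 - k] = (uint8_t)(bits >> (8 * k));
    sha256_block(h, pad);
    if (padlen == 128)
        sha256_block(h, pad + 64);
    for (k = 0; k < 8; k++) {                /* big-endian digest bytes */
        out[4*k] = (uint8_t)(h[k] >> 24); out[4*k+1] = (uint8_t)(h[k] >> 16);
        out[4*k+2] = (uint8_t)(h[k] >> 8); out[4*k+3] = (uint8_t)h[k];
    }
}

/* Uppercase hex digest (64 chars + NUL), the form quoted in the post. */
void sha256_hex(const uint8_t *data, size_t len, char hex[65])
{
    static const char hx[] = "0123456789ABCDEF";
    uint8_t d[32];
    int k;
    sha256(data, len, d);
    for (k = 0; k < 32; k++) { hex[2*k] = hx[d[k] >> 4]; hex[2*k+1] = hx[d[k] & 0x0f]; }
    hex[64] = '\0';
}

/* Self-check helper (assumed, for testing): 1 if SHA-256(msg) == expected. */
int sha256_hex_matches(const char *msg, const char *expected)
{
    char hex[65];
    sha256_hex((const uint8_t *)msg, strlen(msg), hex);
    return strcmp(hex, expected) == 0;
}

/* Usage: ./sha256 <file>  -- hashes a sample the way an event logger would. */
int main(int argc, char **argv)
{
    FILE *fp; long n; uint8_t *buf; char hex[65];
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    if (!(fp = fopen(argv[1], "rb"))) { perror("fopen"); return 1; }
    fseek(fp, 0, SEEK_END); n = ftell(fp); rewind(fp);
    buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf || (n > 0 && fread(buf, 1, (size_t)n, fp) != (size_t)n)) {
        perror("read"); fclose(fp); free(buf); return 1;
    }
    fclose(fp);
    sha256_hex(buf, (size_t)n, hex);
    printf("SHA256: %s  %s\n", hex, argv[1]);
    free(buf);
    return 0;
}
```

Hashing in-process this way removes the dependency on spawning certutil.exe and on parsing its output, which is the intermittency the post describes; for an event-log IOC, the sample can then be read once and the digest written directly into the event's general information alongside the malware name and process path.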

[Event Log IOC]
The -e flag sets up a custom Windows Event source in the Windows
registry. Events are written to 'Windows Logs\Application' as
'RansomLord' event ID 1; the malware name, SHA256 hash and process path are
included in the general information. Additional logging now includes
the DLL name that intercepted the malware. In addition, if deweaponize
and/or MalDump is enabled, they are also logged to the general
information.

malvuln
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Article source: https://seclists.org/fulldisclosure/2025/Jun/21