[+] Credits: malvuln (aka hyp3rlinx)
[+] RansomLord v3.1 - Anti-Ransomware exploit tool
[+] RansomLord is a proof-of-concept tool that automates the creation of PE files used to compromise ransomware pre-encryption, leveraging DLL hijack vulnerabilities in many types of malware.
[+] Lang: C
[+] SHA256: 647494bda466e645768d6f7d1cd051097aee319f88018d1a80547d8d538c98db
[+] Downloads: https://github.com/malvuln/RansomLord/releases/tag/v3
[+] Video PoC: https://www.youtube.com/watch?v=_Ho0bpeJWqI

This version now intercepts and terminates malware tested from 49 different threat groups and relies on only 12 exploit DLLs. These 12 DLLs are actually only two DLLs that get renamed depending on the target ransomware we wish to compromise.

Adding: StopCrypt, RisePro, RuRansom, MoneyMessage, CryptoFortress and Onyx

Feature update: the Windows event IOC log now includes the SHA256 hash plus the full path of the intercepted malware.

Added -r flag to output a Sigma rule for detecting RansomLord activity using the Windows event log.

Lamer Security engines may incorrectly flag RansomLord DLLs as malicious. They are NOT! They export Win32 API function stubs, provide functionality to generate Windows IOC event logs and eventually call exit().

[+] Generated exploit DLL MD5 file hashes:
[+] x32: 37b9ebad522e0744aa8daa0bf5b2a58b
[+] x64: 7807454015bb44161ccf593e2fe5334b

References:
https://hyp3rlinx.altervista.org/advisories/RansomLord_v2_Anti-Ransomware_Exploit_Tool.txt
https://hyp3rlinx.altervista.org/advisories/RansomLord_v1_Anti-Ransomware_Exploit_Tool.txt
https://web.archive.org/web/20220601204439/https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/
https://web.archive.org/web/20220504180432/https://www.securityweek.com/vulnerabilities-allow-hijacking-most-ransomware-prevent-file-encryption/

malvuln circa 2024