This next generation version dumps process memory of the targeted Malware prior to termination The process memory dump file MalDump.dmp varies in size and can be 50 MB plus RansomLord now intercepts and terminates ransomware from 54 different threat groups Adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever growing victim list
Lang: C
SHA256: fcb259471a4a7afa938e3aa119bdff25620ae83f128c8c7d39266f410a7ec9aa
Video PoC (old v2):
https://www.youtube.com/watch?v=_Ho0bpeJWqI
The RansomLord NG version now has option to dump process memory of the targeted Malware
Why memory dump?
Performing static analysis on E.g. DarkRace ransomware MD5: cfc7b4d9933483c25141ba49b4d5755e
using for example Detect It Easy (DIE) static analysis tool reveal no links or other interesting strings.
However, loading MalDump.dmp file generated by RansomLordNG into DIE we may quickly find interesting strings like:
http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion
You can install qtox to contanct us online https://tox.chat/download.html
Tox ID Contact: 2793D009872AF80ED9B1A461F7B9BD6209744047DC1707A42CB622053716AD4BA624193606C9
Another sample HydraCrypt MD5: c2f30cd537c79b6bcd292e6824ea874e reveals no interesting strings when doing basic static analysis. Again, using RansomLordNG MalDump feature we quickly find interesting strings like: "supl0@post.com - SUPPORT " etc
RansomLordNG leverages code execution vulnerabilities and saving process memory to disk prior to termination of the Malware pre-encryption. This may be useful as we can possibly avoid unpacking, anti-debugging techniques or fully executing the malware.
The MalDump feature is optional and can be toggled to enabled=1 or disabled=0