The development of a multi-ransomware killswitch!
I am Harish SG, a security researcher studying for a Master's in Cybersecurity at UT Dallas and an AI security intern at Cisco; I previously hunted on the Microsoft Bug Bounty Program and Google VRP.
I am sharing this article for security awareness and educational purposes only; I am sharing only personal opinions, and none of these are related to my work at Cisco.
In this article I am going to share how I developed a multiple-ransomware killswitch, i.e. a tool that can be used against multiple ransomware samples such as LockBit, Black Basta, etc. to kill those processes before they start encrypting files.
The following ransomware can be killed using my killswitch tool.
- Akira Ransomware
- Lockbit Ransomware
- Black Basta Ransomware
- 8Base Ransomware
- Clop Ransomware
- Play Ransomware
- BianLian Ransomware
- ALPHV Ransomware
- and more undocumented ransomware as well.
Why did I develop a killswitch tool against these ransomware?

These are the total numbers of attacks by known ransomware in July 2023 according to Malwarebytes. Most of these gangs are from Russia or former Soviet Union countries, and they operate as organised criminals. They attack all kinds of organisations across the world, but when the Hive gang attacked a US hospital a year ago it made me feel really bad, and I started to wonder whether there was a way I could develop a tool that could protect against these ransomware.
The Patterns
Most of these ransomware samples use living-off-the-land binaries (LOLBins) such as cmd.exe, powershell.exe, vssadmin.exe, rundll32.exe, etc.; most of these ransomware processes launch those binaries to delete backup volumes (shadow copies) and the like.


From the above two screenshots you can observe that the ransomware samples launch cmd.exe, vssadmin.exe and bcdedit.exe in common; likewise, I found that most of these ransomware samples run these processes before they start encrypting files on the machine. We also know that most of these processes are not normally run by users. For example, nobody is going to execute cmd.exe on a machine owned by people in C-suite roles, the support team, non-executive roles, etc.
Development of tool
I developed a tool that can be deployed to Windows machines used by non-technical people in the corporate network. The tool is written in C++ for fast execution; it watches for a binary that, as a parent process, launches LOLBin binaries in a suspicious pattern, and it kills that parent process immediately. I am currently working on a v2 version of this tool, which will have advanced features such as whitelisting and blacklisting certain binaries, and prompting users with an allow/disallow popup for certain unsafe processes.
Note: the v1 version of this tool also has certain false positives.
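To make the pattern from the two sections above concrete, here is an added C++ example of the decision logic such a killswitch needs: process-creation events are scored by which LOLBin was spawned and with what command line, the score is attributed to the nearest ancestor that is not itself a LOLBin, and launchers that reach a threshold are returned for termination. This is my illustrative code, not the RansomKillSwitch source; the weights, threshold, the `ProcEvent` shape and the sample events are all assumptions, and the example does not perform any actual process termination.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// One process-creation event (pid, parent pid, lowercased image name and command line),
// as a kernel process-notify callback or Sysmon Event ID 1 would report it. Assumed shape.
struct ProcEvent { int pid; int ppid; std::string image; std::string cmdline; };

// LOLBins the post names; an intermediate one (e.g. cmd.exe) is not the culprit itself.
static bool isLolbin(const std::string& image) {
    static const std::set<std::string> k = {"cmd.exe", "powershell.exe", "vssadmin.exe", "bcdedit.exe", "rundll32.exe"};
    return k.count(image) > 0;
}

// Hypothetical weights: backup-destroying invocations weigh more than a plain shell launch.
static int suspicionScore(const ProcEvent& e) {
    if (e.image == "vssadmin.exe" && e.cmdline.find("delete shadows") != std::string::npos) return 3;
    if (e.image == "bcdedit.exe" && e.cmdline.find("recoveryenabled") != std::string::npos) return 3;
    return isLolbin(e.image) ? 1 : 0;
}

// Sums child scores per launcher (the nearest ancestor that is not itself a LOLBin, so
// invoice.exe -> cmd.exe -> vssadmin.exe blames invoice.exe) and returns pids at the kill threshold.
std::set<int> parentsToKill(const std::vector<ProcEvent>& events, int threshold) {
    std::map<int, ProcEvent> byPid;
    for (const auto& e : events) byPid[e.pid] = e;
    std::map<int, int> score;
    for (const auto& e : events) {
        int s = suspicionScore(e);
        if (s == 0) continue;
        int culprit = e.ppid;
        while (byPid.count(culprit) && isLolbin(byPid.at(culprit).image) && byPid.count(byPid.at(culprit).ppid))
            culprit = byPid.at(culprit).ppid;
        score[culprit] += s;
    }
    std::set<int> out;
    for (const auto& kv : score) if (kv.second >= threshold) out.insert(kv.first);
    return out;
}

// Constructed sample: "invoice.exe" (pid 400) spawns cmd.exe, which runs vssadmin, and then
// runs bcdedit directly; explorer.exe (pid 100) launches one ordinary cmd.exe (a false-positive check).
const std::vector<ProcEvent> kSample = {
    {100, 1, "explorer.exe", "explorer.exe"},
    {400, 100, "invoice.exe", "invoice.exe"},
    {410, 400, "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {411, 410, "vssadmin.exe", "vssadmin delete shadows /all /quiet"},
    {412, 400, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"},
    {500, 100, "cmd.exe", "cmd.exe"},
};
```

With threshold 3 only pid 400 is flagged; lowering the threshold to 1 also flags explorer.exe for its single cmd.exe launch, which is exactly the kind of false positive the note above refers to.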
Impact of this tool against Ransomware



From the above screenshot, RansomKillSwitch kills the ransomware process before the encryption phase.
Note: rename this binary to some random Windows process name (I know this is not an efficient idea).
Conclusion:
Even though this tool is not 100% effective against ransomware, it can stop malware before it downloads or installs its second payload, encrypts files, etc., if the malware uses living-off-the-land binaries.
You can download the beta version of this tool from my website: harishsg.com
Try hacking an LLM: https://github.com/harishsg993010/DamnVulnerableLLMProject
Hacking into Bard: https://infosecwriteups.com/hacking-google-bard-24f9dfa7b455
Hacking into a facial recognition system: https://medium.com/bugbountywriteup/hacking-into-facial-recognition-system-using-generative-ai-69a741077f0e
Follow me on Twitter: https://twitter.com/CoderHarish
Follow me on LinkedIn: https://www.linkedin.com/in/harish-santhanalakshmi-ganesan-31ba96171/