analyzing-ransomware-encryption-mechanisms

Featured

Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.

Category: AI & Automation | 12,642 stars | 1468 forks | Updated today | License: Apache-2.0

Quality Score: 99/100 (weighted components)

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Analyzing Ransomware Encryption Mechanisms

## When to Use

- A ransomware infection has occurred and recovery requires understanding the encryption scheme used
- Assessing whether decryption is possible without paying the ransom (implementation flaws, known decryptors)
- Reverse engineering ransomware to identify the encryption algorithm, key derivation, and key storage mechanism
- Developing a decryptor tool when a weakness in the ransomware's cryptographic implementation is identified
- Classifying a ransomware sample by its encryption approach to attribute it to a known family

**Do not use** for production data recovery operations without first verifying the decryption method on test copies of encrypted files.

## Prerequisites

- Ghidra or IDA Pro for reverse engineering the ransomware binary
- Python 3.8+ with the `pycryptodome` library for testing encryption/decryption routines
- Sample encrypted files and their corresponding plaintext originals (known-plaintext pairs)
- Access to the ransomware binary (unpacked if applicable)
- Familiarity with symmetric (AES, ChaCha20) and asymmetric (RSA) cryptographic algorithms
- NoMoreRansom.org database for checking existing free decryptors

## Workflow

### Step 1: Identify the Encryption Algorithm

Determine which cryptographic algorithm the ransomware uses:

```python
# Check for Windows Crypto API usage in imports
import pefile

pe = pefile.PE("ransomware.exe")
crypto_apis = {
    "CryptAcquireContextA": "Windows CryptoAPI",
    ...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

reverse-engineering-ransomware-encryption-routine (AI & Automation, Featured, by mukul975)

Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and potential decryption opportunities using static and dynamic analysis.

detecting-ransomware-encryption-behavior (AI & Automation, Featured, by mukul975)

Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.

investigating-ransomware-attack-artifacts (AI & Automation, Featured, by mukul975)

Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.

analyzing-ransomware-network-indicators (AI & Automation, Solid, by mukul975)

Identifies ransomware network indicators, including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange, via Zeek conn.log and NetFlow analysis.

performing-ransomware-response (AI & Automation, Featured, by mukul975)

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.