detecting-ransomware-encryption-behavior

Featured

Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Ransomware Encryption Behavior

## When to Use

- Building or tuning a behavioral detection layer for ransomware that catches unknown/zero-day variants
- Monitoring file servers and endpoints for mass encryption activity that evades signature-based detection
- Implementing entropy-based detection to identify when files are being replaced with encrypted (high-entropy) content
- Analyzing suspicious process behavior patterns: rapid sequential file opens, writes, renames, and deletes
- Validating EDR detection rules against actual ransomware encryption patterns during red team exercises

**Do not use** entropy analysis alone as the only detection signal. Compressed files (ZIP, JPEG, MP4) naturally have high entropy and will cause false positives. Always combine entropy with behavioral signals like I/O rate and file rename patterns.

## Prerequisites

- Python 3.8+ with `watchdog` and `psutil` libraries
- Administrative access for process monitoring and file system event capture
- Understanding of Shannon entropy and its application to file content analysis
- Windows: Sysmon installed for detailed process and file system event logging
- Linux: auditd configured for file access monitoring, or inotify-based watchers
- Baseline entropy values for common file types in the monitored environment

## Workflow

### Step 1: Establish Entropy Baselines

Calculate normal entropy ranges for files in the environment:

```
Entropy Baselines by File Type:
━━━━━━━━━━━━━━━━━━━━━━━━━━━...
```
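The entropy-plus-behavior approach the skill describes, as an added stand-alone example that is not code from the skill or from the mukul975/Anthropic-Cybersecurity-Skills repository. It computes Shannon entropy, derives a Step 1 baseline from constructed samples of plain text, genuinely compressed data and ciphertext-like bytes, and then runs a per-process sliding-window detector over a constructed event stream in which an archiver writes a few ZIP files (high entropy, benign) and a second process rewrites and renames dozens of documents. The `FileEvent` schema, the threshold constants, the 10-second window and every sample event are assumptions made for the example; in a deployment the events would come from Sysmon, auditd or an inotify/watchdog watcher as listed in the prerequisites.

```python
"""Entropy-plus-behaviour ransomware detector (added example, stand-alone).

Assumptions not taken from the skill page: the FileEvent schema, the
threshold constants, the 10 s window and the sample events are all
illustrative. In production the events would come from Sysmon, auditd
or an inotify/watchdog watcher, as the prerequisites list.
"""
import math
import random
import string
import zlib
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

HIGH_ENTROPY = 7.2     # bits/byte; ZIP, JPEG, MP4 and ciphertext all land here
WINDOW_SECONDS = 10.0  # sliding window per process (assumed)
MIN_WRITES = 20        # mass-modification threshold inside the window (assumed)
MIN_HIGH_RATIO = 0.8   # share of writes that must be high entropy (assumed)
MIN_EXT_CHANGES = 10   # renames that change the extension, e.g. .docx -> .locked


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_baselines() -> dict:
    """Step 1 on constructed samples: plain text is low, but compressed data
    scores like ciphertext, which is why entropy alone cannot be the verdict."""
    rng = random.Random(1)
    plain = "".join(rng.choice(string.ascii_lowercase + " ") for _ in range(4000)).encode()
    return {
        "plain_text": shannon_entropy(plain),
        "compressed": shannon_entropy(zlib.compress(plain, 9)),
        "ciphertext_like": shannon_entropy(bytes(rng.getrandbits(8) for _ in range(4000))),
    }


@dataclass
class FileEvent:
    ts: float
    pid: int
    image: str
    op: str                # "write" or "rename"
    path: str
    payload: bytes = b""   # bytes written (write events)
    new_path: str = ""     # destination (rename events)


def extension_changed(old: str, new: str) -> bool:
    """True when a rename swaps the extension, e.g. doc.docx -> doc.docx.locked."""
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()


class RansomwareDetector:
    """Per-process sliding window combining entropy with I/O-rate and rename signals."""

    def __init__(self):
        self.windows = defaultdict(deque)  # pid -> events inside WINDOW_SECONDS
        self.alerts = []
        self._alerted = set()              # alert once per process

    def feed(self, ev: FileEvent):
        window = self.windows[ev.pid]
        window.append(ev)
        while ev.ts - window[0].ts > WINDOW_SECONDS:
            window.popleft()
        verdict = self._evaluate(window)
        if verdict and ev.pid not in self._alerted:
            self._alerted.add(ev.pid)
            self.alerts.append(verdict)
        return verdict

    @staticmethod
    def _evaluate(window):
        writes = [e for e in window if e.op == "write"]
        if len(writes) < MIN_WRITES:       # cheap volume gate before any entropy work
            return None
        ratio = sum(shannon_entropy(e.payload) >= HIGH_ENTROPY for e in writes) / len(writes)
        ext_changes = sum(e.op == "rename" and extension_changed(e.path, e.new_path)
                          for e in window)
        if ratio >= MIN_HIGH_RATIO and ext_changes >= MIN_EXT_CHANGES:
            last = window[-1]
            return {"pid": last.pid, "image": last.image, "writes": len(writes),
                    "high_entropy_ratio": round(ratio, 2), "ext_changes": ext_changes}
        return None


def sample_events():
    """Constructed event stream: two benign processes and one encryptor."""
    rng = random.Random(7)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = [
        # Benign: archiver writes three ZIPs. High entropy, but low volume and no renames.
        *(FileEvent(1.0 + i, 1001, "7z.exe", "write", f"/srv/share/backup{i}.zip", rand(2048))
          for i in range(3)),
        # Benign: editor saves one plain-text note.
        FileEvent(2.0, 1002, "notepad.exe", "write", "/srv/share/todo.txt",
                  b"call vendor about invoice\n" * 50),
    ]
    # Encryptor: 40 documents rewritten with ciphertext-like bytes, each then renamed.
    for i in range(40):
        t, path = 5.0 + i * 0.05, f"/srv/share/doc{i}.docx"
        events.append(FileEvent(t, 4242, "updater.exe", "write", path, rand(2048)))
        events.append(FileEvent(t + 0.01, 4242, "updater.exe", "rename", path,
                                new_path=path + ".locked"))
    return sorted(events, key=lambda e: e.ts)


def run_detector(events=None):
    det = RansomwareDetector()
    for ev in events if events is not None else sample_events():
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for name, h in entropy_baselines().items():
        print(f"{name:16s} {h:.2f} bits/byte")
    for alert in run_detector():
        print("ALERT", alert)
```

The archiver never trips the detector even though every byte it writes is as high-entropy as ciphertext, because it stays under the volume gate and performs no extension-changing renames; the encryptor is flagged on its twentieth write, with the rename count already well past the threshold. Tune the three constants against the baselines measured in your own environment rather than keeping the assumed values.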

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-ransomware-precursors-in-network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-ransomware-encryption-mechanisms

Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-ransomware-network-indicators

Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

deploying-decoy-files-for-ransomware-detection

Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, deception-based ransomware detection, or file integrity monitoring for encryption.

12,642 Updated today
mukul975
AI & Automation Featured

performing-ransomware-response

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

12,642 Updated today
mukul975