implementing-ransomware-kill-switch-detection

Featured

Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Implementing Ransomware Kill Switch Detection

## When to Use

- Analyzing a ransomware sample to determine whether it contains a kill switch mechanism (mutex, domain, registry)
- Deploying proactive mutex vaccination across endpoints to prevent known ransomware families from executing
- Monitoring DNS for kill switch domain lookups, which indicate a sample checking whether it should run before it starts encrypting
- During incident response, quickly determining whether a ransomware variant can be stopped by activating its kill switch
- Building detection signatures for ransomware mutex creation from EDR telemetry, with Sysmon supplying the surrounding process and named-pipe context (Sysmon itself does not log mutex creation)

**Do not use** kill switch vaccination as a primary defense. Not all ransomware families implement kill switches, and those that do may remove them in newer versions. This is a supplementary detection and prevention layer.

## Prerequisites

- Python 3.8+ with `ctypes` (Windows) for mutex creation and enumeration
- Sysmon installed with Event ID 1 (process creation) and Event IDs 17/18 (named pipe created/connected) configured. Sysmon has no mutex-creation event: mutant (mutex) telemetry has to come from an EDR that records object creation, or from enumerating named objects under `\BaseNamedObjects` (for example with Sysinternals `handle.exe`)
- Access to a malware analysis sandbox for identifying kill switch mechanisms in samples
- DNS monitoring capability for detecting kill switch domain resolution attempts
- Familiarity with Windows internals: mutexes (mutants), kernel objects, named pipes
- Reference database of known ransomware mutexes (github.com/albertzsigovits/malware-mutex)

## Workflow

### Step 1: Identify Kill Switch Mechanisms in Ransomware

Analyze samples for common kill switch patterns:

`...
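The two prevention and detection layers the skill describes, mutex vaccination and kill switch domain monitoring, as an added worked example. This is example code written for this page, not code from the mukul975/Anthropic-Cybersecurity-Skills repository. It assumes Windows for the mutex part (via `CreateMutexW` through `ctypes`; elsewhere it reports `unsupported`), a simple JSON-lines DNS record format constructed for the example (not Zeek's `dns.log` layout), placeholder mutex names and a placeholder domain rather than real indicators, and WannaCry-style kill switch polarity (a resolvable domain makes the sample exit).

```python
"""Kill switch vaccination and monitoring helpers.

Added example for this page, not code from the
mukul975/Anthropic-Cybersecurity-Skills repository.  Mutex names, the
kill switch domain and the DNS records below are constructed placeholders.
"""
import ctypes
import json
import sys

ERROR_ALREADY_EXISTS = 183  # winerror.h: CreateMutexW succeeded but the name was already taken

# Vaccine handles are kept open on purpose: a vaccine mutex only protects
# while some process holds it, so a vaccination service must stay resident.
_held_mutexes = {}


def normalize_mutex_name(name):
    """Place the name in the Global\\ namespace unless a namespace is given.

    Ransomware typically creates Global\\<name> so that a second copy in any
    session sees ERROR_ALREADY_EXISTS; a vaccine created in Local\\ would be
    invisible to a sample running in another session.
    """
    if name.startswith(("Global\\", "Local\\")):
        return name
    return "Global\\" + name


def vaccinate_mutex(name):
    """Create the named mutex before the malware can.

    Returns "created" (vaccine now in place), "exists" (another process,
    possibly the ransomware itself, already owns the name) or "unsupported"
    when not running on Windows.
    """
    if sys.platform != "win32":
        return "unsupported"
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
    full = normalize_mutex_name(name)
    handle = kernel32.CreateMutexW(None, False, full)
    err = ctypes.get_last_error()
    if not handle:
        raise OSError(err, "CreateMutexW failed for %r" % full)
    _held_mutexes[full] = handle
    return "exists" if err == ERROR_ALREADY_EXISTS else "created"


def find_killswitch_lookups(log_lines, killswitch_domains):
    """Scan JSON-lines DNS query records (fields: ts, src, query, rcode) for
    lookups of known kill switch domains, matched exactly or as a subdomain.

    The verdict assumes WannaCry-style polarity: NOERROR means the domain
    resolved and the sample most likely exited ("suppressed"); any other
    rcode means the check passed and encryption could proceed ("armed").
    """
    wanted = sorted({d.lower().rstrip(".") for d in killswitch_domains})
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        query = rec.get("query", "").lower().rstrip(".")
        for domain in wanted:
            if query == domain or query.endswith("." + domain):
                verdict = "suppressed" if rec.get("rcode") == "NOERROR" else "armed"
                hits.append({"ts": rec["ts"], "src": rec["src"], "query": query,
                             "domain": domain, "rcode": rec.get("rcode"),
                             "verdict": verdict})
                break
    return hits


# Constructed sample data: placeholder mutex names, a placeholder kill switch
# domain and four DNS records in the JSON-lines form this example expects.
SAMPLE_MUTEXES = ["ExampleRansomMutexA", "Global\\ExampleRansomMutexB"]
KILLSWITCH_DOMAINS = ["killswitch-check.example.invalid"]
SAMPLE_DNS_LOG = """
{"ts": "2024-05-01T10:00:01Z", "src": "10.0.4.17", "query": "updates.example.net.", "rcode": "NOERROR"}
{"ts": "2024-05-01T10:00:03Z", "src": "10.0.4.17", "query": "killswitch-check.example.invalid", "rcode": "NXDOMAIN"}
{"ts": "2024-05-01T10:00:09Z", "src": "10.0.7.2", "query": "www.KILLSWITCH-check.example.invalid.", "rcode": "NOERROR"}
{"ts": "2024-05-01T10:00:12Z", "src": "10.0.7.2", "query": "www.example.org", "rcode": "NOERROR"}
"""

if __name__ == "__main__":
    for mutex in SAMPLE_MUTEXES:
        print(mutex, "->", vaccinate_mutex(mutex))
    for hit in find_killswitch_lookups(SAMPLE_DNS_LOG.splitlines(), KILLSWITCH_DOMAINS):
        print(hit["ts"], hit["src"], hit["query"], hit["rcode"], hit["verdict"])
```

Creating objects in the `Global\` namespace from an interactive session needs `SeCreateGlobalPrivilege`, so run the vaccination process as a service or with administrative rights, and keep it resident: the vaccine disappears the moment the last handle is closed. An `armed` verdict from the DNS scan (the host looked the domain up and got NXDOMAIN) is the one to page on, since in the assumed polarity it means the sample passed its check; a `suppressed` hit still names a host that executed the sample and should be isolated and imaged.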

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-ransomware-precursors-in-network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-ransomware-encryption-behavior

Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.

12,642 Updated today
mukul975
AI & Automation Featured

performing-ransomware-response

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-ransomware-network-indicators

Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-ransomware-encryption-mechanisms

Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.

12,642 Updated today
mukul975