investigating-ransomware-attack-artifacts

Featured

Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · License: Apache-2.0


Quality Score: 99/100

| Factor        | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Investigating Ransomware Attack Artifacts

## When to Use

- Immediately after discovering ransomware encryption on systems
- When performing forensic analysis to understand the full scope of a ransomware incident
- For identifying the ransomware variant and determining if decryption is possible
- When tracing the attack chain from initial access to encryption
- For documenting evidence to support law enforcement and insurance claims

## Prerequisites

- Forensic images of affected systems (preserve before remediation)
- Memory dumps captured before system shutdown (if available)
- Ransom notes and encrypted file samples
- Network traffic captures from the attack period
- Windows Event Logs, Prefetch files, and registry hives
- Access to ransomware identification tools (ID Ransomware, No More Ransom)
- Isolated sandbox environment for malware analysis

## Workflow

### Step 1: Preserve Evidence and Identify the Ransomware Variant

```bash
# CRITICAL: Do NOT restart systems. Preserve memory first if possible.
# Encryption keys may still be in memory.

# Capture memory from running systems
# Windows: DumpIt.exe (generates memory.raw)
# Linux:   sudo insmod lime.ko "path=/evidence/memory.lime format=lime"

# Collect ransom notes. -p keeps the original timestamps and mode so the copies
# still fit the timeline; hash every copy before analysis.
cp -p /mnt/evidence/Users/*/Desktop/README*.txt /cases/case-2024-001/ransomware/ransom_notes/
cp -p /mnt/evidence/Users/*/Desktop/DECRYPT*.txt /cases/case-2024-001/ransomware/ransom_notes/
cp -p /mnt/evidence/Users/*/Desktop/HOW_TO*.txt /cases/case-2024-001/ransomwa...
```
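Step 1 ends at collecting the ransom notes and encrypted samples. The script below, added here as an example and not code from the skill or from the mukul975/Anthropic-Cybersecurity-Skills repository, shows the offline triage that follows: it hashes every artifact for chain of custody, pulls the contact, payment and victim-ID indicators out of the ransom note (the inputs ID Ransomware and No More Ransom ask for), and checks whether a sample is actually encrypted by combining byte entropy with a file-header check, so that a high-entropy but intact ZIP or OOXML document is not misreported as ciphertext. The ransom note, the pseudo-random "ciphertext", the file names and the case paths are all constructed for illustration.

```python
"""Offline triage of ransomware artifacts collected in Step 1 (added example).
All sample inputs are constructed; none comes from a real incident."""
import hashlib
import math
import re
from collections import Counter

# Constructed ransom note. Contacts and the onion host are placeholders; the
# BTC string is the BIP-173 reference example address, not a real wallet.
SAMPLE_NOTE = b"""YOUR FILES HAVE BEEN ENCRYPTED
All documents, photos and databases were encrypted with AES-256 + RSA-2048.
Contact us: restore-help@example.onion or support.example@protonmail.example
Portal: http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/login
Pay 1.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
Your personal ID: 5F3A-9C21-77B0
"""

# Deterministic pseudo-random bytes stand in for ciphertext so runs are repeatable.
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
PLAINTEXT = b"Quarterly revenue report. Region: EMEA. Status: draft.\n" * 70
ZIP_LIKE = b"PK\x03\x04" + CIPHERTEXT[:2000]  # compressed data: high entropy, known header

ARTIFACTS = {  # constructed collection; paths mirror the case layout used in Step 1
    "ransom_notes/README_TO_RESTORE.txt": SAMPLE_NOTE,
    "samples/Q3_report.docx.locked": CIPHERTEXT,
    "samples/notes.txt": PLAINTEXT,
    "samples/archive.zip": ZIP_LIKE,
}

MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/ooxml", b"\x89PNG": "png",
         b"\xff\xd8\xff": "jpeg", b"MZ": "pe", b"\x7fELF": "elf"}

PATTERNS = {
    "onion_hosts": re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b"),  # v2 or v3
    "emails": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "btc_addresses": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "victim_ids": re.compile(r"(?i)\bID\s*:\s*([A-Z0-9-]{6,})"),
    "claimed_crypto": re.compile(r"\b(?:AES-?\d{3}|RSA-?\d{4}|ChaCha20|Salsa20|Curve25519)\b", re.I),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_indicators(note: bytes) -> dict:
    """Return the note's contact/payment indicators, deduplicated and sorted."""
    text = note.decode("utf-8", errors="replace")
    return {name: sorted(set(rx.findall(text))) for name, rx in PATTERNS.items()}


def classify_sample(name: str, data: bytes) -> dict:
    """Entropy alone misfires on archives, so require both high entropy and a
    missing magic header before calling a file encrypted."""
    header = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    parts = name.rsplit("/", 1)[-1].split(".")
    appended = parts[-1] if len(parts) >= 3 else None  # e.g. report.docx.locked
    original = parts[-2] if len(parts) >= 3 else (parts[-1] if len(parts) == 2 else None)
    ent = shannon_entropy(data)
    return {
        "sha256": sha256_hex(data),
        "entropy": round(ent, 2),
        "header": header,
        "appended_extension": appended,
        "original_extension": original,
        # Families that encrypt intermittently can leave the header readable, so
        # treat this as an indicator to confirm on a second sample, not as proof.
        "likely_encrypted": ent > 7.5 and header is None,
    }


def triage(artifacts: dict) -> dict:
    """Build the per-artifact report: indicators for notes, classification for samples."""
    report = {"notes": {}, "samples": {}}
    for path, data in artifacts.items():
        if path.startswith("ransom_notes/"):
            report["notes"][path] = {"sha256": sha256_hex(data), **extract_indicators(data)}
        else:
            report["samples"][path] = classify_sample(path, data)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ARTIFACTS), indent=2))
```

Running the script prints the report as JSON. In the constructed data the `.docx.locked` sample is flagged as encrypted, the plaintext is not, and `archive.zip` is rejected despite its entropy because its `PK` header is intact; that last case is why the entropy threshold is never used on its own. The extracted e-mail, onion and wallet indicators are what you submit, together with a note and an encrypted sample, to ID Ransomware or No More Ransom; the script does not identify the family by itself.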

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content, not just the same category.

recovering-from-ransomware-attack (AI & Automation, Featured; mukul975; 12,642 stars; updated today)

Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.

analyzing-linux-system-artifacts (AI & Automation, Featured; mukul975; 12,642 stars; updated today)

Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.

performing-ransomware-response (AI & Automation, Featured; mukul975; 12,642 stars; updated today)

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

analyzing-ransomware-encryption-mechanisms (AI & Automation, Featured; mukul975; 12,642 stars; updated today)

Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.

detecting-ransomware-precursors-in-network (AI & Automation, Featured; mukul975; 12,642 stars; updated today)

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.