performing-ransomware-response

Featured

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Performing Ransomware Response ## When to Use - Ransomware has been detected executing or file encryption is actively occurring - Users report inability to open files with unfamiliar extensions appended - A ransom note is discovered on one or more systems - EDR detects mass file modification patterns consistent with encryption behavior - Threat intelligence warns of an imminent ransomware campaign targeting the organization **Do not use** for general malware incidents that do not involve file encryption or extortion; use malware incident response procedures instead. ## Prerequisites - Ransomware-specific incident response playbook reviewed and approved by executive leadership - Tested and verified offline backup strategy with air-gapped or immutable copies - Incident retainer with a specialized ransomware response firm (e.g., Mandiant, CrowdStrike Services, Kroll) - Legal counsel pre-engaged for OFAC sanctions screening and regulatory notification - Cyber insurance carrier contact information and policy coverage details - Bitcoin/cryptocurrency analysis capability or third-party engagement for payment tracing ## Workflow ### Step 1: Detect and Confirm Ransomware Validate that the incident is ransomware and determine the variant: - Identify the ransomware by analyzing the ransom note filename, extension appended to encrypted files, and note content - Upload the ransom note and a sample encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com) - Check NoM...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-ransomware-tabletop-exercise

Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response exercise, or ransomware readiness drill.

12,642 Updated today
mukul975
AI & Automation Featured

building-soc-playbook-for-ransomware

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

12,642 Updated today
mukul975
AI & Automation Featured

recovering-from-ransomware-attack

Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.

12,642 Updated today
mukul975
AI & Automation Featured

building-ransomware-playbook-with-cisa-framework

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-ransomware-precursors-in-network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

12,642 Updated today
mukul975