recovering-from-ransomware-attack

Featured

Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.

Category: AI & Automation. 12,642 stars, 1,468 forks, updated today. License: Apache-2.0.


Quality Score: 99/100

| Criterion     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Recovering from Ransomware Attack

## When to Use

- After ransomware has encrypted production systems and the decision has been made to recover from backups
- When building or validating a ransomware recovery runbook before an actual incident
- After receiving a decryption key (paid ransom or law enforcement provided) and needing to safely decrypt
- When partial recovery is needed alongside decryption of remaining systems
- Conducting a recovery drill to validate RTO commitments

**Do not use** before completing containment and forensic scoping. Premature recovery without understanding the attacker's access and persistence mechanisms risks re-infection.

## Prerequisites

- Incident declared and containment phase completed (all attacker access severed)
- Forensic evidence preserved (disk images, memory dumps, network captures)
- Backup integrity verified (immutable/air-gapped copies confirmed clean)
- Clean build media available (OS installation media, golden images)
- Recovery environment prepared (clean network segment isolated from compromised infrastructure)
- Recovery priority list documented (Tier 1/2/3 systems in dependency order)

## Workflow

### Step 1: Establish Clean Recovery Environment

Build recovery infrastructure isolated from the compromised network:

```bash
# Create isolated recovery VLAN
# No connectivity to compromised network segments
# Dedicated internet access for patch downloads only (via proxy)

# Recovery network architecture:
# VLAN 999 (Recove...
```
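The prerequisites above call for verified backups and a Tier 1/2/3 priority list in dependency order, and the skill description promises restoration of Active Directory, databases and the application stack in that order. The Python below is an added example for this page, not code from the skill or from the mukul975/Anthropic-Cybersecurity-Skills repository. It shows one way to turn that priority list into a gated restore plan: systems are ordered topologically by dependency (ties broken by tier), each staged backup image is checked against a SHA-256 manifest taken from the immutable copy, any snapshot taken at or after the first known compromise time is held (restoring it would restore the attacker's persistence, which is exactly the re-infection risk the skill warns about), and a hold propagates to every system downstream of it. All hostnames, timestamps, image bytes, the manifest and the compromise time are constructed for the example.

```python
"""Dependency-ordered restore planning gated on backup integrity.

Added example; not code from the skill or its repository. Every
hostname, timestamp and backup image below is constructed.
"""
import hashlib
import heapq
from datetime import datetime

# Constructed recovery priority list: tier plus the systems that must be
# restored first (AD before DNS, both before the database, database before
# the application stack).
PRIORITY_LIST = {
    "dc01":  {"tier": 1, "deps": []},
    "dns01": {"tier": 1, "deps": ["dc01"]},
    "sql01": {"tier": 2, "deps": ["dc01", "dns01"]},
    "app01": {"tier": 3, "deps": ["sql01", "dc01"]},
    "web01": {"tier": 3, "deps": ["app01"]},
}

# Constructed: earliest attacker activity found during forensic scoping.
# A snapshot taken at or after this instant may already carry persistence.
FIRST_COMPROMISE = "2024-05-03T14:00:00Z"

# Constructed known-good images, standing in for the immutable/air-gapped copy.
GOLDEN_IMAGES = {
    "dc01":  b"dc01 system-state backup",
    "dns01": b"dns01 zone backup",
    "sql01": b"sql01 full database backup",
    "app01": b"app01 application tier image",
    "web01": b"web01 web tier image",
}
# Manifest derived from the immutable copy: expected SHA-256 per image.
MANIFEST = {n: hashlib.sha256(img).hexdigest() for n, img in GOLDEN_IMAGES.items()}

# Constructed staging catalog on the recovery network: web01's image was
# altered in transit, and app01's snapshot postdates the compromise.
STAGED_BACKUPS = {
    "dc01":  {"taken": "2024-05-01T02:00:00Z", "image": GOLDEN_IMAGES["dc01"]},
    "dns01": {"taken": "2024-05-01T02:10:00Z", "image": GOLDEN_IMAGES["dns01"]},
    "sql01": {"taken": "2024-05-02T02:00:00Z", "image": GOLDEN_IMAGES["sql01"]},
    "app01": {"taken": "2024-05-04T02:00:00Z", "image": GOLDEN_IMAGES["app01"]},
    "web01": {"taken": "2024-05-02T02:30:00Z", "image": b"web01 web tier image (modified)"},
}


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def restore_order(priority_list):
    """Kahn's algorithm; ties broken by (tier, name) so the order is stable.

    Raises ValueError on an unknown dependency or a dependency cycle.
    """
    indegree = {name: 0 for name in priority_list}
    dependents = {name: [] for name in priority_list}
    for name, spec in priority_list.items():
        for dep in spec["deps"]:
            if dep not in priority_list:
                raise ValueError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    ready = [(s["tier"], n) for n, s in priority_list.items() if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (priority_list[child]["tier"], child))
    if len(order) != len(priority_list):
        raise ValueError(f"dependency cycle involving {sorted(set(priority_list) - set(order))}")
    return order


def backup_problems(name, staged, manifest, first_compromise):
    """Reasons a staged backup must not be restored; an empty list means clean."""
    problems = []
    if hashlib.sha256(staged["image"]).hexdigest() != manifest.get(name):
        problems.append("digest-mismatch")
    if parse_ts(staged["taken"]) >= parse_ts(first_compromise):
        problems.append("postdates-compromise")
    return problems


def build_restore_plan(priority_list, staged_backups, manifest, first_compromise):
    """Return {"restore": [names in order], "held": {name: [reasons]}}.

    A system is held if it has no staged backup, fails verification, or
    depends on a held system, so nothing is rebuilt on an unverified base.
    """
    plan = {"restore": [], "held": {}}
    for name in restore_order(priority_list):
        if name not in staged_backups:
            reasons = ["no-staged-backup"]
        else:
            reasons = backup_problems(name, staged_backups[name], manifest, first_compromise)
        reasons += [f"dependency-held:{d}" for d in priority_list[name]["deps"] if d in plan["held"]]
        if reasons:
            plan["held"][name] = reasons
        else:
            plan["restore"].append(name)
    return plan


if __name__ == "__main__":
    plan = build_restore_plan(PRIORITY_LIST, STAGED_BACKUPS, MANIFEST, FIRST_COMPROMISE)
    print("restore in order:", plan["restore"])
    for name, reasons in plan["held"].items():
        print(f"HOLD {name}: {', '.join(reasons)}")
```

With the constructed data the plan restores dc01, dns01 and sql01 and holds app01 (snapshot postdates the compromise) and web01 (digest mismatch, and its dependency app01 is held). In practice the manifest digests come from the air-gapped copy rather than from the staging share, and the compromise time comes from the forensic timeline; if scoping has not established that time, the plan cannot be built, which is the point of the skill's rule not to start recovery before containment and forensic scoping are complete.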

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

performing-ransomware-response (AI & Automation, Featured)
mukul975, 12,642 stars, updated today

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

implementing-ransomware-backup-strategy (AI & Automation, Featured)
mukul975, 12,642 stars, updated today

Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.

testing-ransomware-recovery-procedures (Testing & QA, Featured)
mukul975, 12,642 stars, updated today

Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.

building-ransomware-playbook-with-cisa-framework (AI & Automation, Featured)
mukul975, 12,642 stars, updated today

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.

investigating-ransomware-attack-artifacts (AI & Automation, Featured)
mukul975, 12,642 stars, updated today

Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.