cybersecuritySkill
Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges, and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence gathering.
Ransomware Defense
bitcoinblockchaincryptocurrencyforensics+2
ATT&CK2, 2 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.
Ransomware Defense
cisacomplianceincident-responsenist+2
ATT&CK7, 7 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, deception-based ransomware detection, or file integrity monitoring for encryption.
Ransomware Defense
canary-filesdeceptiondetectionfile-integrity+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploys and monitors ransomware canary files across critical directories using Python's watchdog library for real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records, credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename, or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction is detected, providing early warning before full encryption begins.
Ransomware Defense
canary-filesdeceptiondefensedetection+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.
Ransomware Defense
behavioral-analysisdetectionentropyfile-monitoring+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.
Ransomware Defense
defensedetectionincident-responsenetwork-security+1
ATT&CK22, 22 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled Folder Access setup, or endpoint protection via Group Policy.
Ransomware Defense
applockergroup-policyhardeningprevention+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or early ransomware alerting.
Ransomware Defense
canarydeceptiondefensedetection+2
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Implements immutable backup strategy using restic with S3-compatible storage and object lock for ransomware-resistant data protection. Automates backup creation, integrity verification via restic check --read-data, snapshot retention policy enforcement, and restore testing. Integrates with AWS S3 Object Lock, MinIO, and Backblaze B2 for WORM (Write Once Read Many) storage that prevents backup deletion or encryption by ransomware actors.
Ransomware Defense
backupimmutableobject-lockransomware+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
Ransomware Defense
backupdefenseimmutable-storageincident-response+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF5, 5 mappings
cybersecuritySkill
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
Ransomware Defense
detectionkill-switchmalware-analysismutex+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response exercise, or ransomware readiness drill.
Ransomware Defense
defenseincident-responsepreparednessransomware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.
Ransomware Defense
backupdefenseincident-responseransomware+1
ATT&CK10, 10 mappingsNIST CSF4, 4 mappings