npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Ransomware has been detected executing or file encryption is actively occurring
- Users report inability to open files with unfamiliar extensions appended
- A ransom note is discovered on one or more systems
- EDR detects mass file modification patterns consistent with encryption behavior
- Threat intelligence warns of an imminent ransomware campaign targeting the organization
Do not use for general malware incidents that do not involve file encryption or extortion; use malware incident response procedures instead.
Prerequisites
- Ransomware-specific incident response playbook reviewed and approved by executive leadership
- Tested and verified offline backup strategy with air-gapped or immutable copies
- Incident retainer with a specialized ransomware response firm (e.g., Mandiant, CrowdStrike Services, Kroll)
- Legal counsel pre-engaged for OFAC sanctions screening and regulatory notification
- Cyber insurance carrier contact information and policy coverage details
- Bitcoin/cryptocurrency analysis capability or third-party engagement for payment tracing
Workflow
Step 1: Detect and Confirm Ransomware
Validate that the incident is ransomware and determine the variant:
- Identify the ransomware by analyzing the ransom note filename, extension appended to encrypted files, and note content
- Upload the ransom note and a sample encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com)
- Check NoMoreRansom.org for available free decryptors
- Determine the ransomware deployment method from EDR/SIEM logs
- Identify the ransomware group (e.g., LockBit, BlackCat/ALPHV, Royal, Akira, Play)
Ransomware Identification:
━━━━━━━━━━━━━━━━━━━━━━━━━
Variant: LockBit 3.0 (Black)
Extension: .lockbit3
Ransom Note: README-LOCKBIT.txt
Tor Site: lockbit[redacted].onion
Deployment: Group Policy Object pushing ransomware.exe to all domain-joined systems
Initial Access: VPN credential compromise (no MFA)
Dwell Time: 12 days
Data Exfiltration: Yes - 47GB uploaded to MEGA via rclone prior to encryptionStep 2: Immediate Containment
Stop ransomware propagation before assessing damage:
- Priority 1: Disconnect affected network segments from core infrastructure (pull the network cable, not shutdown)
- Priority 2: Isolate all domain controllers immediately if GPO-based deployment is suspected
- Priority 3: Disable the compromised accounts used for deployment
- Priority 4: Block lateral movement protocols (SMB TCP/445, RDP TCP/3389, WinRM TCP/5985-5986)
- Priority 5: Preserve at least one encrypted system live (do not power off) for memory forensics
- Do NOT: Shut down encrypted systems; keep them powered on to preserve encryption keys in memory
Step 3: Assess Damage and Scope
Quantify the impact to inform recovery and business decisions:
- Count the number of encrypted systems (workstations, servers, domain controllers)
- Determine which business-critical systems and data are affected
- Verify backup integrity: check that backups were not encrypted, deleted, or corrupted
- Assess whether data exfiltration occurred (check for rclone, WinSCP, MEGA, cloud storage activity)
- Determine the ransom demand amount and payment deadline
- Check OFAC sanctions lists to verify the ransomware group is not a sanctioned entity (paying is legally risky)
Impact Assessment:
Encrypted Systems: 187 of 340 endpoints (55%)
Encrypted Servers: 12 of 28 (43%) - includes 2 file servers, 1 database server
Domain Controllers: 2 of 3 encrypted
Backup Status: Veeam repository intact (offline copy verified clean)
Data Exfiltration: Confirmed - 47GB to MEGA (file listing under analysis)
Ransom Demand: $2.5M in Bitcoin (72-hour deadline)
OFAC Screening: LockBit - not currently sanctioned entity (verify with counsel)Step 4: Recovery Decision Matrix
Evaluate recovery options in consultation with legal, executive leadership, and cyber insurance:
| Option | Pros | Cons | Recommended When |
|---|---|---|---|
| Restore from backup | No payment, no legal risk | Recovery time may be days | Clean backups available |
| Free decryptor | No payment, fast | Rare availability | Variant has published decryptor |
| Negotiate and pay | Potentially faster | No guarantee, legal risk, funds threat actors | No backups, business survival at stake |
| Rebuild from scratch | Clean environment | Longest timeline, data loss | Backups compromised, willing to accept data loss |
Step 5: Execute Recovery
Implement the chosen recovery strategy:
If restoring from backup:
- Build a clean isolated network segment for recovery operations
- Rebuild domain controllers first from clean media (do NOT restore DC backups older than the dwell time)
- Reset ALL user and service account passwords before joining any system to the new domain
- Restore servers in priority order: authentication, DNS, DHCP, then business-critical applications
- Restore workstations via reimaging, not file-level restore
- Restore data from verified clean backups to rebuilt file servers
- Reconnect to production network only after validation
If using a decryptor:
- Test the decryptor on a non-critical system first
- Decrypt in order of business priority
- Scan all decrypted systems for residual malware before reconnection
Step 6: Post-Ransomware Hardening
Implement controls to prevent recurrence:
- Enforce MFA on all remote access (VPN, RDP, cloud portals)
- Implement 3-2-1-1-0 backup strategy (3 copies, 2 media types, 1 offsite, 1 immutable, 0 errors)
- Deploy application whitelisting on servers
- Implement network segmentation between workstation and server VLANs
- Enable Protected Users security group for privileged accounts
- Disable NTLM authentication where possible
- Deploy LAPS (Local Administrator Password Solution) for local admin accounts
Key Concepts
| Term | Definition |
|---|---|
| Double Extortion | Ransomware tactic combining file encryption with data exfiltration and threat to publish stolen data |
| Immutable Backup | Backup storage that cannot be modified or deleted for a defined retention period, protecting against ransomware targeting backups |
| OFAC Sanctions | U.S. Office of Foreign Assets Control restrictions that may prohibit ransom payments to sanctioned entities or jurisdictions |
| Dwell Time | Days the attacker was present before deploying ransomware; critical for determining which backups are clean |
| Ransomware-as-a-Service (RaaS) | Criminal business model where ransomware developers lease their malware to affiliates who conduct attacks |
| Rclone | Legitimate cloud sync tool commonly abused by ransomware operators for data exfiltration before encryption |
| 3-2-1-1-0 Backup Rule | Backup strategy requiring 3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, and 0 errors in recovery testing |
Tools & Systems
- ID Ransomware: Online service to identify ransomware variant from ransom note or encrypted file sample
- NoMoreRansom.org: Europol-backed project providing free decryption tools for certain ransomware families
- Veeam / Commvault: Enterprise backup platforms with immutable repository and instant VM recovery capabilities
- KAPE: Rapid forensic triage collection from encrypted systems to determine initial access and dwell time
- Cado Response: Cloud-native forensics platform for investigating ransomware that affects cloud infrastructure
Common Scenarios
Scenario: LockBit 3.0 via Compromised VPN
Context: Attackers compromised VPN credentials (no MFA), spent 12 days performing reconnaissance, disabled antivirus via GPO, exfiltrated 47GB of data, and deployed LockBit 3.0 across the domain via GPO at 2:00 AM on a Sunday.
Approach:
- Disconnect all network segments at the core switch level
- Verify offline backup integrity (Veeam repository on immutable storage)
- Preserve two encrypted servers powered on for memory forensics
- Engage incident response retainer and cyber insurance carrier
- Begin recovery in isolated network: rebuild DCs, reset all passwords, restore in priority order
- Conduct forensic investigation in parallel to determine initial access and full adversary activity
Pitfalls:
- Restoring from backups that were created during the 12-day dwell time (may contain backdoors)
- Paying the ransom without OFAC screening and legal counsel review
- Reconnecting recovered systems to the production network before full password reset
- Not checking for data exfiltration, leaving the organization exposed to the extortion threat
Output Format
RANSOMWARE INCIDENT REPORT
===========================
Incident: INC-2025-1892
Ransomware Family: LockBit 3.0 (Black)
Date Detected: 2025-11-17T06:45:00Z
Initial Access: VPN credential compromise (no MFA)
Dwell Time: 12 days
IMPACT SUMMARY
Encrypted Systems: 187 endpoints, 12 servers
Business Impact: Full operations disruption
Data Exfiltrated: 47GB (finance, HR, legal documents)
Ransom Demand: $2.5M BTC (72-hour deadline)
Backup Status: Veeam immutable repository - CLEAN
RECOVERY APPROACH
Decision: Restore from backup (no ransom payment)
Recovery Start: 2025-11-17T10:00:00Z
DC Rebuild: Complete - 2025-11-17T18:00:00Z
Critical Systems: Restored - 2025-11-18T12:00:00Z
Full Recovery: Estimated 2025-11-21
CONTAINMENT TIMELINE
06:45 UTC - Ransomware detected by SOC analyst
07:00 UTC - Network segments disconnected
07:15 UTC - Incident commander activated IR plan
07:30 UTC - Backup integrity verification started
08:00 UTC - Memory forensics initiated on 2 live systems
10:00 UTC - Recovery operations commenced in clean room
POST-INCIDENT ACTIONS
1. MFA enforced on all VPN and remote access
2. 3-2-1-1-0 backup architecture implemented
3. Network segmentation between workstation/server VLANs
4. LAPS deployed for local administrator passwords
5. Regulatory notifications filed (GDPR 72-hour, state AG)References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.0 KB
API Reference: Ransomware Response
Ransomware Identification Services
| Service | URL | Purpose |
|---|---|---|
| ID Ransomware | https://id-ransomware.malwarehunterteam.com/ | Upload ransom note or sample for identification |
| NoMoreRansom | https://www.nomoreransom.org/en/decryption-tools.html | Free decryption tools |
| CISA StopRansomware | https://www.cisa.gov/stopransomware | Federal guidance and resources |
OFAC Sanctions Screening
| Resource | URL | Purpose |
|---|---|---|
| OFAC SDN List | https://sanctionssearch.ofac.treas.gov/ | Check if ransomware group is sanctioned |
| OFAC Advisory | https://home.treasury.gov/policy-issues/financial-sanctions | Ransomware payment guidance |
Key Containment Commands
| Action | Command | Description |
|---|---|---|
| Block SMB | netsh advfirewall firewall add rule name="Block SMB" dir=in action=block protocol=TCP localport=445 |
Block lateral movement |
| Block RDP | netsh advfirewall firewall add rule name="Block RDP" dir=in action=block protocol=TCP localport=3389 |
Block RDP |
| Disable account | Disable-ADAccount -Identity <username> |
Disable compromised AD account |
Recovery Validation
| Check | Command | Description |
|---|---|---|
| Backup integrity | veeamcli verify |
Verify backup is not encrypted |
| Password reset | Set-ADAccountPassword |
Reset all domain passwords |
| DC health | dcdiag /v |
Validate rebuilt domain controller |
Python Libraries
| Library | Version | Purpose |
|---|---|---|
requests |
>=2.28 | Query ransomware identification APIs |
hashlib |
stdlib | Hash encrypted file samples |
json |
stdlib | Incident tracking and reporting |
References
- CISA Ransomware Guide: https://www.cisa.gov/stopransomware/ransomware-guide
- NIST SP 1800-26: https://www.nccoe.nist.gov/data-integrity-recovering-ransomware
- NoMoreRansom: https://www.nomoreransom.org/
- Veeam recovery: https://www.veeam.com/ransomware-recovery.html
Scripts 1
agent.py9.1 KB
#!/usr/bin/env python3
"""Agent for performing ransomware response.
Automates ransomware identification, impact assessment, backup
verification, IOC extraction, and recovery tracking during
ransomware incident response.
"""
import json
import sys
import hashlib
from pathlib import Path
from datetime import datetime
class RansomwareResponseAgent:
"""Assists with structured ransomware incident response."""
def __init__(self, case_id, output_dir):
self.case_id = case_id
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.incident = {
"case_id": case_id,
"status": "active",
"timeline": [],
}
def log_event(self, event_type, description, details=None):
"""Add a timestamped event to the incident timeline."""
event = {
"timestamp": datetime.utcnow().isoformat(),
"type": event_type,
"description": description,
}
if details:
event["details"] = details
self.incident["timeline"].append(event)
def identify_ransomware(self, ransom_note_path=None, encrypted_file_path=None,
extension=None):
"""Identify ransomware variant from note, file, or extension."""
identification = {
"method": "manual",
"extension": extension,
}
if ransom_note_path and Path(ransom_note_path).exists():
note_content = Path(ransom_note_path).read_text(errors="ignore")
identification["ransom_note"] = note_content[:2000]
known_patterns = {
"LockBit": ["lockbit", "LOCKBIT", "restore-my-files"],
"BlackCat/ALPHV": ["ALPHV", "BlackCat", "RECOVER-"],
"Royal": ["Royal", "royal_w"],
"Akira": ["akira", ".akira"],
"Play": [".play", "PLAY"],
"Cl0p": ["CL0P", "clop"],
"Rhysida": ["rhysida", "RHYSIDA"],
}
for family, patterns in known_patterns.items():
for pattern in patterns:
if pattern in note_content:
identification["family"] = family
break
if encrypted_file_path and Path(encrypted_file_path).exists():
file_hash = hashlib.sha256(
Path(encrypted_file_path).read_bytes()
).hexdigest()
identification["encrypted_sample_hash"] = file_hash
self.incident["identification"] = identification
self.log_event("identification", f"Ransomware identified: {identification.get('family', 'Unknown')}")
return identification
def check_decryptor_availability(self, family):
"""Check NoMoreRansom and known sources for free decryptors."""
known_decryptors = {
"GandCrab": "https://www.nomoreransom.org/en/decryption-tools.html",
"REvil": "https://www.nomoreransom.org/en/decryption-tools.html",
"Maze": "https://www.nomoreransom.org/en/decryption-tools.html",
"Shade": "https://www.nomoreransom.org/en/decryption-tools.html",
"Jigsaw": "https://www.nomoreransom.org/en/decryption-tools.html",
}
has_decryptor = family in known_decryptors
return {
"family": family,
"decryptor_available": has_decryptor,
"source": known_decryptors.get(family, "None known"),
"nomoreransom_url": "https://www.nomoreransom.org/en/decryption-tools.html",
"id_ransomware_url": "https://id-ransomware.malwarehunterteam.com/",
}
def assess_impact(self, encrypted_hosts=0, total_hosts=0,
encrypted_servers=0, total_servers=0,
dc_affected=0, total_dcs=0,
data_exfiltrated_gb=0, ransom_amount="",
backup_status="unknown"):
"""Assess the scope and impact of the ransomware incident."""
assessment = {
"encrypted_hosts": encrypted_hosts,
"total_hosts": total_hosts,
"host_impact_pct": round(encrypted_hosts / max(total_hosts, 1) * 100, 1),
"encrypted_servers": encrypted_servers,
"total_servers": total_servers,
"dc_affected": dc_affected,
"total_dcs": total_dcs,
"data_exfiltrated_gb": data_exfiltrated_gb,
"double_extortion": data_exfiltrated_gb > 0,
"ransom_amount": ransom_amount,
"backup_status": backup_status,
}
if backup_status == "clean":
assessment["recommended_recovery"] = "Restore from backup"
elif backup_status == "compromised":
assessment["recommended_recovery"] = "Rebuild from scratch"
else:
assessment["recommended_recovery"] = "Verify backup integrity first"
self.incident["impact_assessment"] = assessment
self.log_event("impact_assessment", f"{encrypted_hosts}/{total_hosts} hosts encrypted")
return assessment
def generate_containment_checklist(self):
"""Generate prioritized containment checklist."""
checklist = [
{"priority": 1, "action": "Disconnect affected network segments from core infrastructure",
"status": "pending", "note": "Pull network cable, do NOT power off"},
{"priority": 2, "action": "Isolate all domain controllers immediately",
"status": "pending", "note": "If GPO-based deployment suspected"},
{"priority": 3, "action": "Disable compromised accounts used for deployment",
"status": "pending"},
{"priority": 4, "action": "Block lateral movement protocols (SMB 445, RDP 3389, WinRM 5985-5986)",
"status": "pending"},
{"priority": 5, "action": "Preserve at least one encrypted system powered on for memory forensics",
"status": "pending", "note": "Encryption keys may be in memory"},
{"priority": 6, "action": "Verify offline backup integrity",
"status": "pending"},
{"priority": 7, "action": "Engage incident response retainer and cyber insurance",
"status": "pending"},
{"priority": 8, "action": "Notify legal counsel for OFAC screening and regulatory assessment",
"status": "pending"},
]
self.incident["containment_checklist"] = checklist
return checklist
def generate_recovery_plan(self):
"""Generate recovery plan based on impact assessment."""
assessment = self.incident.get("impact_assessment", {})
backup_status = assessment.get("backup_status", "unknown")
steps = []
if backup_status == "clean":
steps = [
"Build clean isolated network segment for recovery",
"Rebuild domain controllers from clean media",
"Reset ALL user and service account passwords",
"Restore servers in priority: auth > DNS > DHCP > business apps",
"Reimage workstations (do not file-level restore)",
"Restore data from verified clean backups",
"Validate and reconnect to production network",
]
else:
steps = [
"Verify backup integrity before proceeding",
"If no clean backups, evaluate rebuild from scratch",
"Check NoMoreRansom.org for available decryptors",
"Consult with IR retainer on recovery options",
]
plan = {
"strategy": assessment.get("recommended_recovery", "TBD"),
"steps": steps,
"post_recovery_hardening": [
"Enforce MFA on all remote access",
"Implement 3-2-1-1-0 backup strategy",
"Deploy application whitelisting on servers",
"Implement network segmentation",
"Deploy LAPS for local admin passwords",
"Disable NTLM where possible",
],
}
self.incident["recovery_plan"] = plan
return plan
def generate_report(self):
"""Generate comprehensive ransomware incident report."""
self.generate_containment_checklist()
self.generate_recovery_plan()
report = self.incident.copy()
report["report_date"] = datetime.utcnow().isoformat()
report_path = self.output_dir / f"{self.case_id}_ransomware_report.json"
with open(report_path, "w") as f:
json.dump(report, f, indent=2)
print(json.dumps(report, indent=2))
return report
def main():
if len(sys.argv) < 2:
print("Usage: agent.py <case_id> [output_dir] [ransom_note_path]")
sys.exit(1)
case_id = sys.argv[1]
output_dir = sys.argv[2] if len(sys.argv) > 2 else "./ransomware_response"
agent = RansomwareResponseAgent(case_id, output_dir)
if len(sys.argv) > 3:
agent.identify_ransomware(ransom_note_path=sys.argv[3])
agent.assess_impact(
encrypted_hosts=0, total_hosts=0,
backup_status="unknown"
)
agent.generate_report()
if __name__ == "__main__":
main()