Agent skill

performing-ransomware-incident-response

Execute a structured ransomware incident response including containment, decryption assessment, recovery from backups, and eradication of ransomware persistence mechanisms.

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/performing-ransomware-incident-response

SKILL.md

Performing Ransomware Incident Response

When to Use

  • Ransomware encryption detected on one or more endpoints
  • Ransom note files discovered on file shares or endpoints
  • File extensions changed to known ransomware variants (.locked, .encrypted, .ryuk, etc.)
  • Volume Shadow Copies deleted or backup systems targeted
  • EDR/AV alerts for known ransomware families (LockBit, BlackCat/ALPHV, Cl0p, Royal, Play)

Prerequisites

  • Incident Response Plan with ransomware-specific playbook
  • Offline/immutable backup infrastructure
  • EDR platform with ransomware rollback capability
  • No Ransom (nomoreransom.org) decryptor database access
  • Network segmentation capability for rapid isolation
  • Communication plan for stakeholders and potentially law enforcement

Workflow

Step 1: Detect and Confirm Ransomware

bash
# Check for ransom note files across file shares
find /mnt/shares -name "README*.txt" -o -name "DECRYPT*.txt" -o -name "HOW_TO_RECOVER*" \
  -o -name "RESTORE_FILES*" -newer /tmp/baseline_timestamp 2>/dev/null

# Check for mass file encryption indicators
find /mnt/shares -name "*.encrypted" -o -name "*.locked" -o -name "*.BlackCat" \
  -o -name "*.lockbit" -mmin -60 2>/dev/null | head -50

# Identify ransomware variant from ransom note
strings ransom_note.txt | grep -iE "(bitcoin|wallet|tor|onion|decrypt|payment)"

# Upload sample to ID Ransomware for variant identification
curl -X POST "https://id-ransomware.malwarehunterteam.com/api/upload" \
  -F "ransom_note=@ransom_note.txt" -F "encrypted_file=@sample.encrypted"

Step 2: Isolate Infected Systems Immediately

bash
# CrowdStrike Falcon - Mass contain infected hosts
for device_id in $(cat infected_device_ids.txt); do
  curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
    -H "Authorization: Bearer $FALCON_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"ids\": [\"$device_id\"]}"
done

# Block known ransomware C2 IPs at firewall
while read ip; do
  iptables -A INPUT -s "$ip" -j DROP
  iptables -A OUTPUT -d "$ip" -j DROP
done < ransomware_c2_ips.txt

# Disable SMB/lateral movement protocols between segments
# Palo Alto firewall
set rulebase security rules block-smb-lateral from internal to internal application ms-ds-smb action deny
commit force

Step 3: Assess Encryption Scope and Impact

bash
# Splunk query - identify affected hosts by file modification patterns
index=endpoint sourcetype=sysmon EventCode=11
| stats dc(TargetFilename) as files_created by Computer
| where files_created > 1000
| sort -files_created

# Check if Volume Shadow Copies were deleted
wevtutil qe Application /q:"*[System[Provider[@Name='VSS']]]" /f:text /c:20

# Check backup integrity
veeam-backup-check --repository "primary_backup" --verify-integrity
restic -r /backup/repo check --read-data-subset=1/10

Step 4: Check for Available Decryptors

bash
# Check No More Ransom project for free decryptors
# https://www.nomoreransom.org/en/decryption-tools.html

# Check Kaspersky decryptor database
# https://noransom.kaspersky.com/

# Check Emsisoft decryptor database
# https://www.emsisoft.com/en/ransomware-decryption/

# Test if files can be recovered from shadow copies (if not deleted)
vssadmin list shadows
mklink /D C:\ShadowCopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

# Check previous file versions
wmic shadowcopy list brief

Step 5: Eradicate Ransomware and Persistence

bash
# Scan all systems for ransomware artifacts
yara -r ransomware_rules.yar /mnt/infected_disk/

# Check common persistence locations
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
schtasks /query /fo CSV /v | findstr /i "encrypt lock ransom"

# Check for ransomware loader in Group Policy
find /mnt/sysvol -name "*.exe" -o -name "*.dll" -o -name "*.bat" -newer /tmp/baseline

# Remove ransomware artifacts
# After forensic imaging is complete
Get-ChildItem -Path C:\ -Include *.encrypted,*.locked -Recurse | Remove-Item -Force
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "malicious_entry" /f

Step 6: Recover Systems from Clean Backups

bash
# Verify backup integrity before restoration
sha256sum backup_image_server01.vhdx
restic -r /backup/repo restore latest --target /mnt/restore --verify

# Restore from Veeam backup
# Veeam PowerShell
Start-VBRRestoreSession -BackupObject (Get-VBRBackup -Name "Server01_Backup") \
  -RestorePoint (Get-VBRRestorePoint -Backup "Server01_Backup" | Sort-Object -Property CreationTime -Descending | Select-Object -First 1)

# Rebuild from golden images if backups compromised
packer build -var "os_version=2022" golden_image.pkr.hcl
terraform apply -var="image_id=ami-golden-2024" -auto-approve

Step 7: Post-Recovery Validation

bash
# Verify no ransomware persistence remains
Get-CimInstance -ClassName Win32_StartupCommand | Select-Object Name, Command, Location
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Select-Object TaskName, TaskPath

# Verify file integrity post-restore
fciv -r C:\restored_data\ -sha256 > post_restore_hashes.txt
diff pre_infection_hashes.txt post_restore_hashes.txt

# Enhanced monitoring for re-infection
# Deploy canary files in sensitive directories
for dir in /mnt/shares/*/; do
  echo "CANARY_$(date +%s)" > "$dir/.canary_monitor.txt"
done

Key Concepts

Concept Description
Double Extortion Attacker encrypts data AND exfiltrates it, threatening public release
Triple Extortion Adding DDoS threats or contacting victims' customers to increase pressure
Ransomware-as-a-Service (RaaS) Criminal business model where affiliates pay operators for ransomware tools
Decryptor Availability Free decryptors may exist for some ransomware families via No More Ransom
Immutable Backups Backup copies that cannot be modified or deleted, critical for ransomware recovery
Dwell Time Time between initial compromise and ransomware deployment (often weeks)
IOC Sharing Sharing indicators with ISACs and law enforcement improves collective defense

Tools & Systems

Tool Purpose
ID Ransomware Identify ransomware variant from samples
No More Ransom Free decryptor database (nomoreransom.org)
CrowdStrike Falcon Endpoint containment and ransomware rollback
Veeam/Commvault Backup verification and restoration
YARA Ransomware artifact scanning
Volatility Memory forensics for ransomware analysis
Splunk/Elastic Log analysis for encryption scope assessment

Common Scenarios

  1. LockBit 3.0 Enterprise Attack: Attacker compromises VPN, deploys LockBit across domain via GPO. Isolate domain controllers first, verify backup integrity, restore from immutable backups.
  2. BlackCat/ALPHV Double Extortion: Data exfiltrated before encryption. Engage legal for breach notification, restore from backups, negotiate through authorized channels if needed.
  3. Cl0p MOVEit Exploitation: Mass exploitation of file transfer application. Patch vulnerability, identify exfiltrated data, rebuild affected systems.
  4. Targeted Healthcare Ransomware: Patient data encrypted. Activate emergency manual procedures, engage HHS, prioritize clinical system recovery.
  5. Ransomware via Compromised MSP: Attacker accesses multiple clients through MSP tools. Disconnect MSP access, contain per-client, coordinate multi-tenant response.

Output Format

  • Ransomware variant identification report
  • Encryption scope assessment with affected systems list
  • Backup integrity verification results
  • Recovery timeline and prioritized restoration plan
  • Eradication verification report
  • Lessons learned document with prevention recommendations

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results