Anthropic-Cybersecurity-Skills/skills/performing-ransomware-incident-response/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# Ransomware Incident Response - API Reference

## File System Scanning

### Ransomware Extensions

Common encrypted file extensions: `.encrypted`, `.locked`, `.crypt`, `.locky`, `.cerber`, `.zepto`, `.wncry`, `.wnry`, `.wcry`, `.onion`, `.micro`, `.r5a`

### Ransom Note Filenames

Common patterns: `readme.txt`, `how_to_decrypt.txt`, `decrypt_instructions.html`, `restore_files.txt`, `_readme.txt`, `how_to_recover.txt`

## IOC Collection

### hashlib (Python stdlib)

```python
import hashlib

def sha256_file(path):
    # Hash in 8 KiB chunks so large encrypted files are not read into memory at once
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            sha.update(chunk)
    return sha.hexdigest()
```

## ID Ransomware Identification

Upload ransom note or encrypted file sample to id-ransomware.malwarehunterteam.com for variant identification.

## Shadow Copy Detection (Windows)

```
vssadmin list shadows
```

Ransomware commonly deletes shadow copies via:

```
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
```
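The two commands above are the ones a responder both checks for (in process-creation telemetry) and runs the read-only counterpart of (`vssadmin list shadows`) to fill the `shadow_copy_status` field of the report. The following is an added example, not code from the skill's `agent.py`: it parses a constructed sample of `vssadmin list shadows` output by counting `Shadow Copy ID:` lines, and flags the two deletion commands in constructed process-log lines whose `cmd="..."` field format is an assumption of this example, not a real log schema.

```python
import re

# The two shadow-copy deletion commands listed above. The optional ".exe", \s+ and
# re.I keep the match robust to the spacing and casing variations seen in command lines.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Constructed sample output of `vssadmin list shadows` with two shadow copies present.
VSSADMIN_WITH_COPIES = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 2 shadow copies at creation time: 3/9/2026 2:00:05 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""

# Constructed sample output after the copies have been deleted.
VSSADMIN_EMPTY = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

# Constructed process-creation log lines (hypothetical key=value format, not a real product schema).
SAMPLE_PROCESS_LOG = [
    '2026-03-10T13:01:58Z host=FS01 user=CORP\\jdoe cmd="vssadmin list shadows"',
    '2026-03-10T13:02:03Z host=FS01 user=CORP\\jdoe cmd="VSSADMIN.EXE Delete Shadows /All /Quiet"',
    '2026-03-10T13:02:04Z host=FS01 user=CORP\\jdoe cmd="wmic shadowcopy delete"',
    '2026-03-10T13:05:11Z host=FS01 user=NT AUTHORITY\\SYSTEM cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
]


def parse_vssadmin_list(output):
    """Turn `vssadmin list shadows` output into the report's shadow_copy_status object."""
    count = len(re.findall(r"^\s*Shadow Copy ID:", output, re.M))
    return {"intact": count > 0, "shadow_copies": count}


def find_shadow_deletion(log_lines):
    """Return the log lines whose command line matches a shadow-copy deletion command."""
    hits = []
    for line in log_lines:
        m = re.search(r'cmd="([^"]*)"', line)
        if not m:
            continue  # no command-line field in this record
        cmd = m.group(1)
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append({"line": line, "cmd": cmd})
    return hits


if __name__ == "__main__":
    print(parse_vssadmin_list(VSSADMIN_WITH_COPIES))
    print(parse_vssadmin_list(VSSADMIN_EMPTY))
    for hit in find_shadow_deletion(SAMPLE_PROCESS_LOG):
        print("shadow deletion:", hit["cmd"])
```

In a real engagement the `cmd` field would come from Security event 4688 or Sysmon event 1; the matcher works on the extracted command line, so only the field extraction changes. Note that `vssadmin list shadows` itself is benign and does not match.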

## Containment Checklist

1. Network isolation - Disable NICs or move to quarantine VLAN
2. Evidence preservation - Disk image before remediation
3. Credential reset - krbtgt (twice), DA accounts, service accounts
4. Scope assessment - Enumerate affected hosts and shares
5. Variant identification - Submit IOCs to threat intel platforms
6. Recovery - Restore from clean backups after root cause confirmed

## Output Schema

```json
{
  "report": "ransomware_incident_response",
  "encrypted_files_found": 342,
  "ransom_notes_found": 5,
  "shadow_copy_status": {"intact": false, "shadow_copies": 0},
  "containment_actions": [{"priority": 1, "action": "Isolate affected hosts"}],
  "file_hashes": [{"path": "/data/file.encrypted", "sha256": "abc123..."}]
}
```

## CLI Usage

```
python agent.py --target /mnt/affected_share --max-files 5000 --output report.json
```
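The pieces of this reference (extension list, ransom-note names, chunked SHA-256, the containment checklist, the output schema and the CLI flags) fit together as one read-only scanner. The following is an added example written for this page; it is not the skill's own `agent.py`. It walks a share, classifies files by extension and name, hashes the hits, and emits the Output Schema. `files_scanned` and `truncated` are fields this example adds beyond the schema above, and `build_sample_share` creates a constructed throwaway directory so the block runs offline without real evidence.

```python
import argparse
import hashlib
import json
import os
import tempfile

# Extension and ransom-note lists from this reference, lower-case for matching.
RANSOMWARE_EXTENSIONS = {
    ".encrypted", ".locked", ".crypt", ".locky", ".cerber", ".zepto",
    ".wncry", ".wnry", ".wcry", ".onion", ".micro", ".r5a",
}
RANSOM_NOTE_NAMES = {
    "readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html",
    "restore_files.txt", "_readme.txt", "how_to_recover.txt",
}
# The containment checklist in the schema's {priority, action} shape.
CONTAINMENT_ACTIONS = [
    {"priority": 1, "action": "Isolate affected hosts (disable NICs or quarantine VLAN)"},
    {"priority": 2, "action": "Disk-image affected hosts before any remediation"},
    {"priority": 3, "action": "Reset krbtgt (twice), DA and service account credentials"},
    {"priority": 4, "action": "Enumerate affected hosts and shares"},
    {"priority": 5, "action": "Submit IOCs to threat intel platforms for variant identification"},
    {"priority": 6, "action": "Restore from clean backups after root cause is confirmed"},
]


def sha256_file(path, chunk_size=8192):
    """Stream-hash a file so large encrypted files are not read into memory at once."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            sha.update(chunk)
    return sha.hexdigest()


def scan_directory(target, max_files=5000):
    """Walk `target` read-only and build a report in the Output Schema shape.

    The share is evidence: files are only ever opened for reading, and hashes are
    taken before any remediation so the IOC list stays usable for variant lookup.
    """
    encrypted, notes, scanned, skipped = [], [], 0, 0
    for root, _dirs, files in os.walk(target):
        for name in sorted(files):
            if scanned >= max_files:
                skipped += 1  # honour --max-files but record that the scan was partial
                continue
            scanned += 1
            path = os.path.join(root, name)
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(path)
            elif os.path.splitext(lower)[1] in RANSOMWARE_EXTENSIONS:
                encrypted.append(path)
    return {
        "report": "ransomware_incident_response",
        "files_scanned": scanned,
        "truncated": skipped > 0,
        "encrypted_files_found": len(encrypted),
        "ransom_notes_found": len(notes),
        # Filled in on Windows from `vssadmin list shadows`; unknown from a Linux collector.
        "shadow_copy_status": None,
        "containment_actions": CONTAINMENT_ACTIONS,
        # Notes first: their content repeats across victims, so they are the better IOC.
        "file_hashes": [{"path": p, "sha256": sha256_file(p)} for p in notes + encrypted],
    }


def build_sample_share():
    """Constructed sample share for a dry run; contains no real evidence."""
    base = tempfile.mkdtemp(prefix="ir_sample_")
    os.makedirs(os.path.join(base, "finance"))
    for rel, content in [
        ("notes.docx", b"untouched document"),
        ("finance/q1.xlsx.locky", b"\x00\xffgarbled ciphertext"),
        ("finance/q2.xlsx.locky", b"\x01\xfegarbled ciphertext"),
        ("finance/_readme.txt", b"sample ransom note text"),
    ]:
        with open(os.path.join(base, rel), "wb") as f:
            f.write(content)
    return base


if __name__ == "__main__":
    # Same flags as the CLI usage above; without --target the constructed sample is scanned.
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", default=None)
    parser.add_argument("--max-files", type=int, default=5000)
    parser.add_argument("--output", default=None)
    args = parser.parse_args()
    report = scan_directory(args.target or build_sample_share(), args.max_files)
    text = json.dumps(report, indent=2)
    if args.output:
        with open(args.output, "w") as f:
            f.write(text)
    else:
        print(text)
```

Matching is by final extension and exact note filename only, so double extensions such as `q1.xlsx.locky` are caught but a variant that renames files without a known suffix is not; that gap is why the schema also carries the ransom-note count and hashes for ID Ransomware lookup.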