---
name: investigating-ransomware-attack-artifacts
description: Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.
---
# Investigating Ransomware Attack Artifacts
## When to Use
- Immediately after discovering ransomware encryption on systems
- When performing forensic analysis to understand the full scope of a ransomware incident
- For identifying the ransomware variant and determining if decryption is possible
- When tracing the attack chain from initial access to encryption
- For documenting evidence to support law enforcement and insurance claims
## Prerequisites
- Forensic images of affected systems (preserve before remediation)
- Memory dumps captured before system shutdown (if available)
- Ransom notes and encrypted file samples
- Network traffic captures from the attack period
- Windows Event Logs, Prefetch files, and registry hives
- Access to ransomware identification tools (ID Ransomware, No More Ransom)
- Isolated sandbox environment for malware analysis
## Workflow
### Step 1: Preserve Evidence and Identify the Ransomware Variant
```bash
# CRITICAL: Do NOT restart or power off systems before memory is captured.
# Encryption keys, or the running payload itself, may still be in memory.
# Capture memory from running systems:
#   Windows: DumpIt.exe (writes memory.raw next to the binary)
#   Linux:   sudo insmod lime.ko "path=/evidence/memory.lime format=lime"
# Work out of a case directory (case-2024-001 is the example case ID used throughout)
mkdir -p /cases/case-2024-001/ransomware/{ransom_notes,samples}
# Collect ransom notes from user desktops. Names vary by family and Windows file names are
# case-insensitive, so search with -iname. Notes are often UTF-16 text, .hta or .html.
cp /mnt/evidence/Users/*/Desktop/README*.txt /cases/case-2024-001/ransomware/ransom_notes/ 2>/dev/null
cp /mnt/evidence/Users/*/Desktop/DECRYPT*.txt /cases/case-2024-001/ransomware/ransom_notes/ 2>/dev/null
cp /mnt/evidence/Users/*/Desktop/HOW_TO*.txt /cases/case-2024-001/ransomware/ransom_notes/ 2>/dev/null
find /mnt/evidence/ \( -iname "*.hta" -o -iname "*DECRYPT*" -o -iname "*RANSOM*" -o -iname "*README*" \) \
    -type f 2>/dev/null | head -20 > /cases/case-2024-001/ransomware/note_locations.txt
# Collect sample encrypted files for identification. The fixed extensions below are only a
# first pass: many families append a random or per-victim extension. Find the dominant
# extension among files modified in the attack window instead (the date is an example).
find /mnt/evidence/Users/ -type f -newermt "2024-03-01" -printf '%f\n' 2>/dev/null \
    | awk -F. 'NF>1{print tolower($NF)}' | sort | uniq -c | sort -rn | head -10
find /mnt/evidence/Users/ -type f \( -iname "*.encrypted" -o -iname "*.locked" -o -iname "*.crypted" \
    -o -iname "*.crypt" -o -iname "*.enc" \) 2>/dev/null | head -10 > /cases/case-2024-001/ransomware/encrypted_samples.txt
# Copy a few samples. Prefer small, non-sensitive files: ID Ransomware and No More Ransom need
# one encrypted file plus the note, and uploading business data to a third party needs sign-off.
head -5 /cases/case-2024-001/ransomware/encrypted_samples.txt | while IFS= read -r f; do
    cp "$f" /cases/case-2024-001/ransomware/samples/
done
# Identify ransomware variant using file extension and ransom note
python3 << 'PYEOF'
import os, re, hashlib

# Extension -> family heuristic. Only families with a fixed, documented extension are listed.
# LockBit 3.0, BlackCat/ALPHV, REvil/Sodinokibi, Maze and STOP/Djvu append random or
# per-victim extensions, so "Unknown" here is expected: identify those from the ransom note
# and by submitting note + sample to ID Ransomware, not from the extension.
ransomware_indicators = {
    '.lockbit': 'LockBit 2.0',
    '.royal': 'Royal',
    '.akira': 'Akira',
    '.cl0p': 'Cl0p',
    '.ciop': 'Cl0p',
    '.conti': 'Conti',
    '.ryk': 'Ryuk',
    '.phobos': 'Phobos',
    '.dharma': 'Dharma/CrySIS',
    '.hive': 'Hive',
    '.basta': 'Black Basta',
    '.play': 'Play',
}

# Check encrypted file extensions and hash the samples for the case record
samples_dir = '/cases/case-2024-001/ransomware/samples/'
for f in sorted(os.listdir(samples_dir)):
    path = os.path.join(samples_dir, f)
    ext = os.path.splitext(f)[1].lower()
    variant = ransomware_indicators.get(ext, 'Unknown')
    with open(path, 'rb') as fh:
        sha256 = hashlib.sha256(fh.read()).hexdigest()
    print(f"File: {f}")
    print(f"  Extension: {ext}")
    print(f"  Suspected Variant: {variant}")
    print(f"  SHA-256: {sha256}")
    print()

# Parse ransom notes for IoCs. Notes written by Windows tooling are often UTF-16 with a BOM;
# decoding them as UTF-8 interleaves NULs into the text and breaks every regex below.
def read_note(path):
    with open(path, 'rb') as fh:
        raw = fh.read()
    if raw.startswith((b'\xff\xfe', b'\xfe\xff')):
        return raw.decode('utf-16', errors='ignore')
    return raw.decode('utf-8', errors='ignore')

BTC_RE = re.compile(r'\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-zA-HJ-NP-Z0-9]{25,39})\b')
TOR_RE = re.compile(r'\b[a-z2-7]{56}\.onion\b')   # v3 onion services
EMAIL_RE = re.compile(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}')

note_dir = '/cases/case-2024-001/ransomware/ransom_notes/'
for note in sorted(os.listdir(note_dir)):
    note_path = os.path.join(note_dir, note)
    content = read_note(note_path)
    print(f"\n=== Ransom Note: {note} ===")
    btc = sorted(set(BTC_RE.findall(content)))
    tor = sorted(set(TOR_RE.findall(content)))
    emails = sorted(set(EMAIL_RE.findall(content)))
    if btc: print(f"  Bitcoin addresses: {btc}")
    if tor: print(f"  Tor addresses: {tor}")
    if emails: print(f"  Contact emails: {emails}")
    # The note body is itself a family/affiliate indicator, so record its hash too
    with open(note_path, 'rb') as fh:
        print(f"  SHA-256: {hashlib.sha256(fh.read()).hexdigest()}")
PYEOF
```
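Because many current families append a random or per-victim extension, an extension table misses them, and some families (LockBit 3.0 and BlackCat among them) use intermittent encryption, where only part of each file is encrypted. The following is an added example written for this page, not code from the original skill: it classifies files by per-chunk Shannon entropy instead of by name, separating plaintext, fully encrypted, partially encrypted, and intact compressed formats that are high-entropy by design. The chunk size, thresholds and magic-byte table are assumptions, and the sample inputs are constructed inline.

```python
import math
import os
import random
from collections import Counter

CHUNK = 4096          # entropy is measured per 4 KiB chunk (assumed size)
MIN_CHUNK = 1024      # shorter tails cannot reach a meaningful entropy and are skipped
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext scores ~7.95 per 4 KiB, text 4 to 5

# Formats that are high-entropy by design (assumed list; extend as needed). A file that still
# carries its header is most likely an intact compressed file, not ciphertext, because
# ransomware overwrites the header along with the body.
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip/office",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
}

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data, chunk=CHUNK, min_len=MIN_CHUNK):
    chunks = (data[i:i + chunk] for i in range(0, len(data), chunk))
    return [shannon_entropy(c) for c in chunks if len(c) >= min_len]

def classify(data, chunk=CHUNK):
    """Label a file body: plaintext, encrypted, partially-encrypted or compressed-format:<name>."""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "empty" if not data else "too-small"
    high_fraction = sum(e >= HIGH_ENTROPY for e in ents) / len(ents)
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic) and high_fraction >= 0.5:
            return f"compressed-format:{name}"
    if high_fraction >= 0.95:
        return "encrypted"
    if high_fraction >= 0.20:
        return "partially-encrypted"   # intermittent encryption: only some chunks are ciphertext
    return "plaintext"

def scan_tree(root, max_bytes=1 << 20):
    """Classify every regular file under root (reading at most max_bytes of each) -> {path: label}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fh.read(max_bytes))
            except OSError:
                results[path] = "unreadable"
    return results

def constructed_samples():
    """Synthetic inputs for a dry run (constructed, not evidence): text, ciphertext, intermittent, zip-like."""
    rng = random.Random(20240101)
    text = (b"Quarterly revenue report, confidential. " * 2048)[:16 * CHUNK]
    # Fixed first two bytes so the sample can never collide with a known header by chance
    cipher = b"\xab\xcd" + rng.randbytes(16 * CHUNK - 2)
    # Alternate plaintext and ciphertext chunks, the way intermittent encryption leaves files
    mixed = b"".join((cipher if i % 2 else text)[i * CHUNK:(i + 1) * CHUNK] for i in range(16))
    ziplike = b"PK\x03\x04" + rng.randbytes(16 * CHUNK)
    return {"text": text, "cipher": cipher, "mixed": mixed, "ziplike": ziplike}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:8s} -> {classify(data)}")
```

Run `scan_tree("/mnt/evidence/Users")` over the mounted image and count the labels: the `encrypted` and `partially-encrypted` sets give the encryption scope regardless of extension, and a `compressed-format` hit with an intact header is a file the payload did not touch.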
### Step 2: Determine the Attack Timeline
```bash
# Use the extension identified in Step 1 (example value shown)
EXT=".lockbit"
# The earliest and latest encrypted files bound the encryption window. The mtime of an
# encrypted file is when the payload wrote it unless timestamps were tampered with, so
# corroborate against $MFT ($STANDARD_INFORMATION vs $FILE_NAME) before relying on it.
find /mnt/evidence/ -type f -name "*${EXT}" -printf '%T+ %p\n' 2>/dev/null | sort | head -5 \
    > /cases/case-2024-001/ransomware/encryption_start.txt
find /mnt/evidence/ -type f -name "*${EXT}" -printf '%T+ %p\n' 2>/dev/null | sort -r | head -5 \
    > /cases/case-2024-001/ransomware/encryption_end.txt
# Prefetch file names for the payload. "lock" and "crypt" also match legitimate binaries,
# so review the hits; parse the .pf files separately for last-run times and loaded modules.
ls /mnt/evidence/Windows/Prefetch/ | grep -iE "(encrypt|ransom|lock|crypt)" \
    > /cases/case-2024-001/ransomware/prefetch_hits.txt
# Check Windows Event Logs for key events
python3 << 'PYEOF'
import json
from evtx import PyEvtxParser   # pip install evtx

def event_id(system):
    # EventID is a plain int for most Security events but a {'#text': ..., '#attributes': ...}
    # object when the record carries Qualifiers
    eid = system['EventID']
    return str(eid['#text'] if isinstance(eid, dict) else eid)

# Security log: logons, explicit credentials, privileges, service/task creation,
# process creation and log clearing
parser = PyEvtxParser("/cases/case-2024-001/evtx/Security.evtx")
attack_events = []
for record in parser.records_json():
    data = json.loads(record['data'])
    system = data['Event']['System']
    eid = event_id(system)
    timestamp = system['TimeCreated']['#attributes']['SystemTime']
    if eid in ('4624', '4625', '4648', '4672', '4697', '4698', '4688', '1102'):
        event_data = data['Event'].get('EventData') or {}
        attack_events.append({
            'time': timestamp,
            'event_id': eid,
            'data': json.dumps(event_data, default=str)[:200]
        })
attack_events.sort(key=lambda x: x['time'])
# Keep the full timeline for the case file; print only the tail here
with open('/cases/case-2024-001/ransomware/security_timeline.json', 'w') as out:
    json.dump(attack_events, out, indent=1)
print(f"=== RANSOMWARE ATTACK TIMELINE (last 50 of {len(attack_events)}) ===\n")
for event in attack_events[-50:]:
    print(f"  [{event['time']}] EventID {event['event_id']}: {event['data'][:150]}")
PYEOF
# Check for Volume Shadow Copy deletion and other recovery inhibition (vssadmin, wmic
# shadowcopy, bcdedit, wbadmin). .evtx is binary XML with UTF-16LE strings, so a plain grep
# finds nothing: extract 16-bit little-endian strings first. The authoritative source is the
# 4688 CommandLine field (only present when command-line auditing is enabled) or Sysmon Event ID 1.
for f in /cases/case-2024-001/evtx/*.evtx; do
    strings -el "$f" | grep -iE "vssadmin|shadowcopy|bcdedit|wbadmin" | sort -u | sed "s|^|$(basename "$f"): |"
done > /cases/case-2024-001/ransomware/recovery_inhibition_strings.txt
ls /mnt/evidence/Windows/Prefetch/ | grep -iE "vssadmin|wmic|bcdedit|wbadmin" \
    > /cases/case-2024-001/ransomware/recovery_inhibition_prefetch.txt
```
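A string match tells you the word `vssadmin` occurs somewhere in a log; what the timeline needs is which recovery-inhibition commands ran, by whom, from which parent, and when the first one fired, since encryption normally starts seconds after it. The following is an added example written for this page, not code from the original skill. It runs a small rule set over process-creation records shaped like the EventData of Security 4688 or Sysmon Event ID 1 (the fields the parser above exposes) and returns the hits in time order. The rule patterns and the sample records are constructed for the example.

```python
import re

# Command lines that delete shadow copies, disable Windows recovery or wipe backups.
# The rule set is an assumption for this example; extend it from your own case notes.
RECOVERY_INHIBITION_RULES = [
    ("vssadmin-delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin-resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic-shadowcopy", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit-recovery", re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin-delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("powershell-shadowcopy", re.compile(
        r"Win32_ShadowCopy.*(\.Delete\(\)|Remove-CimInstance|Remove-WmiObject)", re.I | re.S)),
]

def match_rules(cmdline):
    """Names of every rule the command line matches (empty list for benign commands)."""
    return [name for name, rx in RECOVERY_INHIBITION_RULES if rx.search(cmdline or "")]

def find_recovery_inhibition(events):
    """events: dicts shaped like the EventData of Security 4688 (or Sysmon 1) records, each
    with a 'time' (ISO 8601 UTC string) and a 'CommandLine'. Returns the hits sorted by time."""
    hits = []
    for ev in events:
        if str(ev.get("EventID")) not in ("4688", "1"):
            continue
        tags = match_rules(ev.get("CommandLine", ""))
        if tags:
            hits.append({
                "time": ev["time"],
                "user": ev.get("SubjectUserName", "?"),
                "parent": ev.get("ParentProcessName", "?"),
                "cmd": ev["CommandLine"],
                "tags": tags,
            })
    return sorted(hits, key=lambda h: h["time"])

def earliest_inhibition(events):
    """Time of the first recovery-inhibition command, a lower bound on encryption start."""
    hits = find_recovery_inhibition(events)
    return hits[0]["time"] if hits else None

def _ev(time, cmd, parent="C:\\Windows\\System32\\cmd.exe", user="svc_backup", eid="4688"):
    return {"EventID": eid, "time": time, "SubjectUserName": user,
            "ParentProcessName": parent, "CommandLine": cmd}

# Constructed sample records (not real evidence): one benign vssadmin query, then the
# inhibition burst a payload typically runs just before encryption, all spawned by an
# unknown binary in a temp directory.
DROPPER = "C:\\Windows\\Temp\\upd.exe"
SAMPLE_EVENTS = [
    _ev("2024-03-02T01:12:03Z", "vssadmin.exe list shadows"),
    _ev("2024-03-02T01:14:40Z", "vssadmin.exe delete shadows /all /quiet", parent=DROPPER),
    _ev("2024-03-02T01:14:41Z", "bcdedit /set {default} recoveryenabled No", parent=DROPPER),
    _ev("2024-03-02T01:14:42Z", "wbadmin delete catalog -quiet", parent=DROPPER),
    _ev("2024-03-02T01:14:43Z", "wmic.exe shadowcopy delete /nointeractive", parent=DROPPER),
    _ev("2024-03-02T01:14:45Z",
        'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
        parent=DROPPER),
    {"EventID": "4624", "time": "2024-03-02T01:15:00Z", "TargetUserName": "svc_backup"},
]

if __name__ == "__main__":
    for h in find_recovery_inhibition(SAMPLE_EVENTS):
        print(f"[{h['time']}] {h['user']} via {h['parent']}: {h['cmd']}  -> {h['tags']}")
    print("earliest recovery inhibition:", earliest_inhibition(SAMPLE_EVENTS))
```

The parent process of the hits is usually the payload or its loader; feed that path back into the Prefetch and $MFT checks. If 4688 records carry no `CommandLine`, command-line auditing was off, and the Prefetch names remain the only host-side evidence.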
### Step 3: Trace Initial Access and Lateral Movement
```bash
# Check for common ransomware initial access vectors
# RDP brute force. With Network Level Authentication the failed attempts are logged as
# 4625 with LogonType 3 (CredSSP), not 10, so count both types and keep the type visible.
python3 << 'PYEOF'
import json
from evtx import PyEvtxParser
from collections import defaultdict

NOISE = {'', '-', '127.0.0.1', '::1'}
parser = PyEvtxParser("/cases/case-2024-001/evtx/Security.evtx")
failed_by_ip = defaultdict(int)
failed_users = defaultdict(set)
successful = []
for record in parser.records_json():
    data = json.loads(record['data'])
    eid = data['Event']['System']['EventID']
    eid = str(eid['#text'] if isinstance(eid, dict) else eid)
    event_data = data['Event'].get('EventData') or {}
    timestamp = data['Event']['System']['TimeCreated']['#attributes']['SystemTime']
    logon_type = str(event_data.get('LogonType', ''))
    source_ip = str(event_data.get('IpAddress', '')).strip()
    if source_ip in NOISE or logon_type not in ('3', '10'):
        continue
    if eid == '4625':    # failed logon (type 3 = network, incl. NLA RDP; type 10 = RemoteInteractive)
        failed_by_ip[source_ip] += 1
        failed_users[source_ip].add(event_data.get('TargetUserName', '?'))
    elif eid == '4624':  # successful logon
        successful.append({'time': timestamp, 'user': event_data.get('TargetUserName', '?'),
                           'ip': source_ip, 'type': logon_type})

print("=== FAILED NETWORK/RDP LOGONS BY SOURCE ===")
for ip, count in sorted(failed_by_ip.items(), key=lambda x: x[1], reverse=True)[:10]:
    # many distinct usernames from one source is password spraying, not a single brute force
    print(f"  {ip}: {count} failed attempts, {len(failed_users[ip])} distinct usernames")
print("\n=== SUCCESSFUL NETWORK/RDP LOGONS (last 20) ===")
for logon in successful[-20:]:
    type_name = 'RDP' if logon['type'] == '10' else 'Network'
    flag = '  <-- source also has failures' if logon['ip'] in failed_by_ip else ''
    print(f"  [{logon['time']}] {logon['user']} from {logon['ip']} ({type_name}){flag}")
PYEOF
# Check for phishing-related artifacts: browser downloads, email attachments, Office macros.
# ISO/IMG and LNK droppers and macro-enabled Office files are as common as bare executables.
find /mnt/evidence/Users/*/Downloads/ -type f \( -iname "*.exe" -o -iname "*.dll" -o -iname "*.js" \
    -o -iname "*.vbs" -o -iname "*.hta" -o -iname "*.ps1" -o -iname "*.iso" -o -iname "*.img" \
    -o -iname "*.lnk" -o -iname "*.docm" -o -iname "*.xlsm" -o -iname "*.zip" \) 2>/dev/null \
    > /cases/case-2024-001/ransomware/suspicious_downloads.txt
# Check PowerShell execution: Prefetch shows that it ran; the PowerShell Operational log
# (Event ID 4104, if script block logging was enabled) shows what it ran.
ls /mnt/evidence/Windows/Prefetch/ | grep -i powershell
ls /mnt/evidence/Windows/System32/winevt/Logs/ | grep -i "PowerShell%4Operational"
```
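Counting failures per source shows who was knocking; what proves the initial access vector is a burst of failures from one source followed by a successful logon from the same source. The following is an added example written for this page, not code from the original skill. It correlates 4625 and 4624 records over a sliding window per source address and treats LogonType 3 failures as RDP-capable, because NLA logs failed RDP logons as type 3. The threshold and window are assumptions, the records are constructed for the example, and the addresses are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types an RDP session can produce. With Network Level Authentication a failed RDP
# logon is recorded as 4625 with LogonType 3 (CredSSP network logon), not 10, so a
# type-10-only filter hides most RDP brute force.
RDP_CAPABLE_TYPES = {"3", "10"}
NOISE_SOURCES = {"", "-", "127.0.0.1", "::1"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ts(s):
    return datetime.strptime(s, TS_FMT)

def find_bruteforce_then_success(events, threshold=20, window=timedelta(minutes=10)):
    """events: dicts with EventID, time (ISO 8601 UTC), LogonType, IpAddress, TargetUserName.
    Flags a 4624 from a source that produced >= threshold 4625s within `window` before it,
    i.e. a brute force or spray that ended in a valid credential. Returns the findings."""
    events = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(deque)   # source ip -> failure timestamps inside the window
    findings = []
    for ev in events:
        ip = str(ev.get("IpAddress", "")).strip()
        if ip in NOISE_SOURCES or str(ev.get("LogonType")) not in RDP_CAPABLE_TYPES:
            continue
        now = _ts(ev["time"])
        q = recent_failures[ip]
        while q and now - q[0] > window:    # slide the window forward
            q.popleft()
        eid = str(ev.get("EventID"))
        if eid == "4625":
            q.append(now)
        elif eid == "4624" and len(q) >= threshold:
            findings.append({"time": ev["time"], "ip": ip,
                             "user": ev.get("TargetUserName", "?"),
                             "logon_type": str(ev["LogonType"]),
                             "failures_before": len(q)})
            q.clear()                       # one finding per burst
    return findings

def failure_counts(events):
    """Failed RDP-capable logons per source, for the top-N view."""
    counts = defaultdict(int)
    for ev in events:
        ip = str(ev.get("IpAddress", "")).strip()
        if (str(ev.get("EventID")) == "4625" and ip not in NOISE_SOURCES
                and str(ev.get("LogonType")) in RDP_CAPABLE_TYPES):
            counts[ip] += 1
    return dict(counts)

def constructed_events():
    """Synthetic Security-log records (constructed, not evidence). 203.0.113.5 sprays four
    accounts for five minutes and then logs in as administrator; 198.51.100.7 is a user
    mistyping a password a few times."""
    base = datetime(2024, 3, 1, 22, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    users = ["administrator", "admin", "backup", "scanner"]
    evs = [{"EventID": "4625", "time": at(10 * i), "LogonType": "3",
            "IpAddress": "203.0.113.5", "TargetUserName": users[i % 4]} for i in range(30)]
    evs.append({"EventID": "4624", "time": at(330), "LogonType": "10",
                "IpAddress": "203.0.113.5", "TargetUserName": "administrator"})
    evs += [{"EventID": "4625", "time": at(100 + 60 * i), "LogonType": "10",
             "IpAddress": "198.51.100.7", "TargetUserName": "jsmith"} for i in range(3)]
    evs.append({"EventID": "4624", "time": at(400), "LogonType": "10",
                "IpAddress": "198.51.100.7", "TargetUserName": "jsmith"})
    evs.append({"EventID": "4624", "time": at(410), "LogonType": "3",
                "IpAddress": "-", "TargetUserName": "SYSTEM"})
    return evs

if __name__ == "__main__":
    evs = constructed_events()
    print("failures by source:", failure_counts(evs))
    for f in find_bruteforce_then_success(evs):
        print(f"[{f['time']}] {f['user']} from {f['ip']} (type {f['logon_type']}) "
              f"after {f['failures_before']} failures")
```

To run it against the case, build the event list from the `PyEvtxParser` loop above (EventID, SystemTime, LogonType, IpAddress, TargetUserName) and tune `threshold` to the environment; a dozen failures is noise on a jump host and a brute force on a server that should see none.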
### Step 4: Assess Encryption Scope and Recovery Options