recovering-from-ransomware-attack
Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.
What this skill does
# Recovering from Ransomware Attack
## When to Use
- After ransomware has encrypted production systems and the decision has been made to recover from backups
- When building or validating a ransomware recovery runbook before an actual incident
- After receiving a decryption key (paid ransom or law enforcement provided) and needing to safely decrypt
- When partial recovery is needed alongside decryption of remaining systems
- Conducting a recovery drill to validate RTO commitments
**Do not use** before completing containment and forensic scoping. Premature recovery without understanding the attacker's access and persistence mechanisms risks re-infection.
## Prerequisites
- Incident declared and containment phase completed (all attacker access severed)
- Forensic evidence preserved (disk images, memory dumps, network captures)
- Backup integrity verified (immutable/air-gapped copies confirmed clean)
- Clean build media available (OS installation media, golden images)
- Recovery environment prepared (clean network segment isolated from compromised infrastructure)
- Recovery priority list documented (Tier 1/2/3 systems in dependency order)
## Workflow
### Step 1: Establish Clean Recovery Environment
Build recovery infrastructure isolated from the compromised network:
```bash
# Create isolated recovery VLAN
# No connectivity to compromised network segments
# Dedicated internet access for patch downloads only (via proxy)
# Recovery network architecture:
# VLAN 999 (Recovery) - 10.99.0.0/24
# - Recovery workstations (10.99.0.10-20)
# - Recovered DCs (10.99.0.50-55)
# - Recovered servers (10.99.0.100+)
# - Proxy for internet (10.99.0.1) - patches and updates only
# Firewall rules: DENY all from recovery VLAN to production VLANs
# Allow: Recovery VLAN -> Internet (HTTPS only, via proxy)
# Allow: Recovery VLAN -> Backup infrastructure (restore traffic only)
```
### Step 2: Recover Identity Infrastructure First
Active Directory must be recovered before any domain-joined systems:
```powershell
# AD Recovery Procedure
# Step 2a: Restore AD from known-good backup
# Use DSRM (Directory Services Restore Mode) boot
# 1. Build clean Windows Server from ISO
# 2. Promote as DC using AD restore
# 3. Restore System State from immutable backup
# Verify AD backup is pre-compromise
# Check backup timestamp against earliest known compromise date
wbadmin get versions -backuptarget:E: -machine:DC01
# Restore system state in DSRM
wbadmin start systemstaterecovery -version:02/15/2026-04:00 -backuptarget:E: -machine:DC01 -quiet
# After restore, reset critical accounts
# Reset krbtgt password TWICE (invalidates all Kerberos tickets)
# This prevents Golden Ticket persistence
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "NewKrbtgt2026!Complex#1" -AsPlainText -Force)
# Wait for replication (minimum 12 hours), then reset again
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "NewKrbtgt2026!Complex#2" -AsPlainText -Force)
# Reset all privileged account passwords
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
foreach ($group in $privilegedGroups) {
Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
Set-ADAccountPassword -Identity $_.SamAccountName -Reset `
-NewPassword (ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force)
Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
}
}
# Validate AD health
dcdiag /v /c /d /e /s:DC01
repadmin /showrepl
```
### Step 3: Validate Backup Integrity Before Restoration
```bash
# Scan backup files for ransomware artifacts before restoring
# Use offline antivirus scanning on backup mount
# Mount backup as read-only
mount -o ro,noexec /dev/backup_lv /mnt/backup_verify
# Scan with ClamAV
clamscan -r --infected --log=/var/log/backup_scan.log /mnt/backup_verify
# Check for known ransomware indicators
find /mnt/backup_verify -name "*.encrypted" -o -name "*.locked" \
-o -name "*.lockbit" -o -name "DECRYPT_*" -o -name "readme.txt" \
-o -name "RECOVER-*" -o -name "HOW_TO_*" | tee /var/log/ransomware_check.log
# Verify database consistency (SQL Server example)
# Restore database to temporary instance for validation
RESTORE VERIFYONLY FROM DISK = '/mnt/backup_verify/databases/erp_db.bak'
WITH CHECKSUM
```
### Step 4: Restore Systems in Priority Order
Follow dependency-based recovery sequence:
```
Recovery Order:
Phase 1 (Hours 0-4): Identity & Infrastructure
1. Domain Controllers (AD, DNS, DHCP)
2. Certificate Authority (if applicable)
3. Core network services (DHCP, NTP)
Phase 2 (Hours 4-12): Critical Business Systems
4. Database servers (SQL, Oracle, PostgreSQL)
5. Core business applications (ERP, CRM)
6. Email (Exchange, M365 hybrid)
Phase 3 (Hours 12-24): Important Systems
7. File servers
8. Web applications
9. Monitoring and security tools (SIEM, EDR)
Phase 4 (Hours 24-48): Remaining Systems
10. Development environments
11. Archive systems
12. Non-critical applications
```
```powershell
# Veeam Instant Recovery - fastest restore for VMware/Hyper-V
# Boots VM directly from backup file, then migrates to production storage
# Instant recovery for Tier 1 system
Start-VBRInstantRecovery -RestorePoint (Get-VBRRestorePoint -Name "DC01" |
Sort-Object CreationTime -Descending | Select-Object -First 1) `
-VMName "DC01-Recovered" `
-Server (Get-VBRServer -Name "esxi01.recovery.local") `
-Datastore "recovery-datastore"
# After validation, migrate to production storage
Start-VBRQuickMigration -VM "DC01-Recovered" `
-Server (Get-VBRServer -Name "esxi01.prod.local") `
-Datastore "production-datastore"
```
### Step 5: Validate Recovered Systems and Harden
Before connecting recovered systems to production:
```powershell
# Check for persistence mechanisms
# Scheduled Tasks
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} |
Select-Object TaskName, TaskPath, State, Author |
Export-Csv C:\recovery\scheduled_tasks.csv
# Services
Get-Service | Where-Object {$_.StartType -eq "Automatic"} |
Select-Object Name, DisplayName, StartType, Status |
Export-Csv C:\recovery\auto_services.csv
# Startup items
Get-CimInstance Win32_StartupCommand |
Select-Object Name, Command, Location, User |
Export-Csv C:\recovery\startup_items.csv
# WMI event subscriptions (common persistence)
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class __EventConsumer
# Registry run keys
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
# Verify no unauthorized admin accounts
Get-LocalGroupMember -Group "Administrators"
Get-ADGroupMember -Identity "Domain Admins"
# Apply latest patches before connecting to production
Install-WindowsUpdate -AcceptAll -AutoReboot
```
### Step 6: Phased Network Reconnection
```
Phase 1: Reconnect identity infrastructure
- DCs online in production VLAN
- Validate replication and authentication
- Monitor for suspicious authentication patterns
Phase 2: Reconnect Tier 1 systems
- One system at a time
- Monitor EDR for 1 hour before proceeding to next
- Validate application functionality
Phase 3: Reconnect remaining systems
- Groups of 5-10 systems
- Continue monitoring for re-infection indicators
Throughout: SOC monitoring on high alert
- EDR in aggressive blocking mode
- All previous IOCs loaded in detection rules
- Canary files deployed on recovered systems
```
## Key Concepts
| Term | Definition |
|------|------------|
| **DSRM** | Directory Services Restore Mode: special boot mode for domain controllers that allows AD database restoration |
| **krbtgt Reset** | Resetting tRelated in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.