by mukul975
analyzing-ransomware-network-indicators helps analyze Zeek conn.log and NetFlow to spot C2 beaconing, TOR exits, exfiltration, and suspicious DNS for Security Audit and incident response.
by mukul975
analyzing-ransomware-payment-wallets is a read-only blockchain-forensics skill for tracing ransomware payment wallets, following fund movement, and clustering related addresses for Security Audit and incident response. Use it when you have a BTC address, tx hash, or suspected wallet and need evidence-backed attribution support.
by mukul975
analyzing-ransomware-encryption-mechanisms is a malware-analysis skill focused on identifying ransomware encryption, key handling, and decryption feasibility. Use it to inspect AES, RSA, ChaCha20, hybrid schemes, and implementation flaws that may support recovery.
by mukul975
analyzing-ransomware-leak-site-intelligence helps monitor ransomware data leak sites, extract victim and group signals, and produce structured threat intelligence for incident response, sector risk review, and adversary tracking.
by mukul975
detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.
by mukul975
The deploying-ransomware-canary-files skill helps security teams deploy decoy files in critical directories and monitor read, modify, rename, or delete events for early ransomware warning. Use it for Security Audit workflows, lightweight detection, and alerting via Slack, email, or syslog without replacing EDR or backups.
by mukul975
building-soc-playbook-for-ransomware is a skill for SOC teams that need a structured ransomware response playbook. It covers detection triggers, containment, eradication, recovery, and audit-ready procedures aligned to NIST SP 800-61 and MITRE ATT&CK. Use it for practical playbook creation, tabletop exercises, and Security Audit support.