Agent skill

implementing-ransomware-kill-switch-detection

Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.

View SKILL.md on GitHub Repository
Stars 4,300
Forks 470

Install this agent skill to your Project

npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/implementing-ransomware-kill-switch-detection

SKILL.md

Implementing Ransomware Kill Switch Detection

When to Use

  • Analyzing a ransomware sample to determine if it contains a kill switch mechanism (mutex, domain, registry)
  • Deploying proactive mutex vaccination across endpoints to prevent known ransomware families from executing
  • Monitoring DNS for kill switch domain lookups that indicate ransomware attempting to check before encrypting
  • During incident response to quickly determine if a ransomware variant can be stopped by activating its kill switch
  • Building detection signatures for ransomware mutex creation events using Sysmon or EDR telemetry

Do not use kill switch vaccination as a primary defense. Not all ransomware families implement kill switches, and those that do may remove them in newer versions. This is a supplementary detection and prevention layer.

Prerequisites

  • Python 3.8+ with ctypes (Windows) for mutex creation and enumeration
  • Sysmon installed with Event ID 1 (process creation) and Event ID 17/18 (pipe/mutex events) configured
  • Access to malware analysis sandbox for identifying kill switch mechanisms in samples
  • DNS monitoring capability for detecting kill switch domain resolution attempts
  • Familiarity with Windows internals: mutexes (mutants), kernel objects, named pipes
  • Reference database of known ransomware mutexes (github.com/albertzsigovits/malware-mutex)

Workflow

Step 1: Identify Kill Switch Mechanisms in Ransomware

Analyze samples for common kill switch patterns:

Kill Switch Types Found in Ransomware:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. MUTEX-BASED (most common):
   - Ransomware creates a named mutex at startup
   - If mutex already exists → another instance is running → exit
   - Defense: Pre-create the mutex to prevent execution
   - Examples:
     WannaCry:     Global\MsWinZonesCacheCounterMutexA
     Conti:        kasKDJSAFJauisiudUASIIQWUA82
     REvil:        Global\{GUID-based-on-machine}
     Ryuk:         Global\YOURPRODUCT_MUTEX

2. DOMAIN-BASED:
   - Ransomware resolves a hardcoded domain before executing
   - If domain resolves → security sandbox detected → exit
   - Defense: Register/sinkhole the domain to activate kill switch
   - Examples:
     WannaCry v1:  iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
     WannaCry v1:  fferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

3. REGISTRY-BASED:
   - Check for specific registry key/value before executing
   - If key exists → exit (anti-analysis or kill switch)
   - Defense: Create the registry key proactively

4. FILE-BASED:
   - Check for existence of specific file or directory
   - If marker file exists → exit
   - Defense: Create the marker file on all endpoints

5. LANGUAGE-BASED:
   - Check system language/keyboard layout
   - Exit if Russian/CIS country keyboard detected
   - Common in Eastern European ransomware groups

Step 2: Deploy Mutex Vaccination

Pre-create known ransomware mutexes on endpoints to prevent execution:

python
# Windows mutex vaccination using ctypes
import ctypes
from ctypes import wintypes

kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

def create_mutex(name):
    """Create a named mutex to vaccinate against ransomware."""
    handle = kernel32.CreateMutexW(None, False, name)
    error = ctypes.get_last_error()
    if handle == 0:
        return False, f"Failed to create mutex: error {error}"
    if error == 183:  # ERROR_ALREADY_EXISTS
        return True, f"Mutex already exists (already vaccinated): {name}"
    return True, f"Mutex created successfully: {name}"

KNOWN_RANSOMWARE_MUTEXES = [
    "Global\\MsWinZonesCacheCounterMutexA",        # WannaCry
    "Global\\kasKDJSAFJauisiudUASIIQWUA82",        # Conti
    "Global\\YOURPRODUCT_MUTEX",                     # Ryuk variant
    "Global\\JhbGjhBsSQjz",                         # Maze
    "Global\\sdjfhksjdhfsd",                         # Generic ransomware
]

Step 3: Monitor for Mutex Creation Events

Use Sysmon to detect when ransomware creates its characteristic mutexes:

xml
<!-- Sysmon configuration for mutex monitoring -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event ID 1: Process creation with mutex indicators -->
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">mutex</CommandLine>
      <CommandLine condition="contains">CreateMutex</CommandLine>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

Detection via Event Logs:
━━━━━━━━━━━━━━━━━━━━━━━━
Windows Security Log:
  Event ID 4688: Process creation (enable command line logging)

Sysmon:
  Event ID 1:  Process create (includes command line and hashes)
  Event ID 17: Pipe created (named pipes, similar to mutexes)

PowerShell detection:
  Event ID 4104: Script block logging (detect mutex creation in scripts)

Velociraptor artifact:
  Windows.Detection.Mutants - Enumerates all named mutant objects

Step 4: Monitor DNS for Kill Switch Domains

Detect ransomware domain-based kill switch resolution attempts:

DNS Monitoring for Kill Switch Domains:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Monitor DNS queries for known kill switch domains
2. High-entropy domain names (>4.0 entropy in domain label) may indicate
   ransomware kill switch domains or DGA-generated C2 domains
3. Queries to newly registered domains from endpoints that typically
   only access well-established domains

Indicators:
  - Domain with no prior resolution history
  - Domain registered in last 24-72 hours
  - High character entropy in domain name
  - Resolution attempt followed by either mass encryption (kill switch failed)
    or process termination (kill switch activated)

Step 5: Enumerate Active Mutexes for Incident Response

During an active incident, scan endpoints for ransomware-associated mutexes:

powershell
# PowerShell: List all named mutant objects using Sysinternals Handle
# handle.exe -a -p <PID> | findstr "Mutant"

# Velociraptor query for mutex hunting:
# SELECT * FROM glob(globs="\\BaseNamedObjects\\*") WHERE Name =~ "mutex_pattern"

# Python-based enumeration (requires pywin32):
# import win32event
# handle = win32event.OpenMutex(0x00100000, False, "Global\\MutexName")

Verification

  • Verify mutex vaccination by attempting to create the same mutex (should get ERROR_ALREADY_EXISTS)
  • Test that vaccinated mutexes survive system reboot (they do not; re-apply at startup via scheduled task)
  • Confirm DNS monitoring detects test queries for known kill switch domains
  • Validate Sysmon event generation for mutex creation by running a test script
  • Check that vaccination does not interfere with legitimate applications using similar mutex names
  • Test against actual ransomware samples in an isolated sandbox to confirm kill switch activation

Key Concepts

Term Definition
Mutex (Mutant) A Windows kernel synchronization object used to ensure only one instance of a program runs; ransomware uses named mutexes to prevent re-infection
Kill Switch A mechanism in ransomware that causes it to terminate without encrypting if a specific condition is met (mutex exists, domain resolves, file present)
Mutex Vaccination Proactively creating named mutexes on endpoints that match known ransomware mutex names, preventing the ransomware from executing
Domain Sinkhole Registering or redirecting a malicious domain to a controlled server; used to activate domain-based kill switches
DGA (Domain Generation Algorithm) Algorithm used by malware to generate pseudo-random domain names for C2 communication, sometimes incorporating kill switch checks

Tools & Systems

  • Sysmon: Microsoft system monitor providing Event ID 17/18 for named pipe and mutex creation monitoring
  • Velociraptor: Endpoint visibility tool with built-in artifacts for enumerating mutant (mutex) objects on Windows
  • Sysinternals Handle: Command-line tool for listing open handles including named mutexes per process
  • malware-mutex (GitHub): Community-maintained database of mutexes used by known malware families
  • ANY.RUN: Interactive malware sandbox that reports mutex creation during dynamic analysis
  • PassiveDNS: DNS monitoring infrastructure for detecting kill switch domain resolution attempts

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

mukul975/Anthropic-Cybersecurity-Skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

4,300 470
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results