detecting-ransomware-encryption-behavior


Detecting Ransomware Encryption Behavior

When to Use

  • Building or tuning a behavioral detection layer for ransomware that catches unknown/zero-day variants
  • Monitoring file servers and endpoints for mass encryption activity that evades signature-based detection
  • Implementing entropy-based detection to identify when files are being replaced with encrypted (high-entropy) content
  • Analyzing suspicious process behavior patterns: rapid sequential file opens, writes, renames, and deletes
  • Validating EDR detection rules against actual ransomware encryption patterns during red team exercises

Do not rely on entropy analysis as the sole detection signal. Compressed and already-encrypted files (ZIP, JPEG, MP4, PDF with compressed streams, backup archives) naturally sit near 8 bits per byte, so a plain "high entropy write" rule will fire on archivers, media encoders and backup jobs. Always correlate entropy with behavioral signals from the same process inside a short time window: the entropy jump between the previous and new content of the same file, the rate of writes, renames to a new extension, and deletion of originals.
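The following is an added illustration of the combined approach described in this skill; it is not code from the skill or its repository. It scores file events per process in a sliding window and alerts only when high-entropy overwrites and rename/delete churn occur together, so a backup job writing six archives (statistically indistinguishable from ciphertext at the byte level) is not flagged while an in-place encrypt-and-rename loop is. The event schema, the in-memory "disk" used to recover a file's pre-write content, the thresholds, and the sample events are all constructed assumptions for the example; a real deployment would feed it from EDR, auditd or ETW file telemetry.

```python
"""Behavioral ransomware detector: entropy delta + I/O rate + rename/delete churn.

Illustrative example only. FileEvent, the in-memory file store and all
thresholds are assumptions made for this demo, not an EDR's real schema.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass

HIGH_ENTROPY = 7.2            # bits/byte; ciphertext and compressed data sit near 8.0
LOW_ENTROPY = 6.0             # documents, source code and logs are usually well below this
WINDOW_SECONDS = 10.0         # sliding window per process
MIN_HIGH_ENTROPY_WRITES = 5   # illustrative thresholds, tune against your own baseline
MIN_RENAMES_OR_DELETES = 3


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class FileEvent:
    ts: float            # seconds
    pid: int
    op: str              # "write" | "rename" | "delete"
    path: str
    data: bytes = b""    # new content for writes
    new_path: str = ""   # destination for renames


class RansomwareDetector:
    """Alert when one process, inside WINDOW_SECONDS, both replaces low-entropy (or new)
    files with high-entropy content MIN_HIGH_ENTROPY_WRITES times AND renames files to a
    different extension or deletes them MIN_RENAMES_OR_DELETES times. Either signal alone
    is deliberately insufficient, which is what keeps archivers and encoders quiet."""

    def __init__(self, disk: dict):
        self.disk = disk                      # simulated file store: path -> current bytes
        self.window = defaultdict(deque)      # pid -> deque of (ts, signal_kind)
        self.entropy_only_hits = defaultdict(int)  # what a naive entropy-only rule would count

    def _expire(self, pid: int, now: float) -> None:
        q = self.window[pid]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def observe(self, ev: FileEvent):
        self._expire(ev.pid, ev.ts)
        q = self.window[ev.pid]
        if ev.op == "write":
            before = self.disk.get(ev.path)
            if shannon_entropy(ev.data) >= HIGH_ENTROPY:
                self.entropy_only_hits[ev.pid] += 1
                # Entropy *delta*: a readable file became ciphertext-like, or a new
                # high-entropy file appeared (encrypt-to-copy pattern).
                if before is None or shannon_entropy(before) <= LOW_ENTROPY:
                    q.append((ev.ts, "hi_write"))
            self.disk[ev.path] = ev.data
        elif ev.op == "rename":
            old_ext = os.path.splitext(ev.path)[1].lower()
            new_ext = os.path.splitext(ev.new_path)[1].lower()
            if old_ext != new_ext:            # e.g. report.docx -> report.docx.locked
                q.append((ev.ts, "ext_change"))
            if ev.path in self.disk:
                self.disk[ev.new_path] = self.disk.pop(ev.path)
        elif ev.op == "delete":
            q.append((ev.ts, "delete"))
            self.disk.pop(ev.path, None)

        hi = sum(1 for _, k in q if k == "hi_write")
        churn = sum(1 for _, k in q if k in ("ext_change", "delete"))
        if hi >= MIN_HIGH_ENTROPY_WRITES and churn >= MIN_RENAMES_OR_DELETES:
            q.clear()  # one alert per episode
            return f"pid {ev.pid}: {hi} high-entropy overwrites + {churn} renames/deletes in {WINDOW_SECONDS:.0f}s"
        return None


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for encrypted or compressed bytes (constructed test data)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def run_scenario():
    """Constructed telemetry: one ransomware-like process, one backup-like process."""
    docs = {f"/srv/share/report_{i}.docx": f"Quarterly revenue report, section {i}. ".encode() * 100
            for i in range(6)}
    det = RansomwareDetector(dict(docs))
    alerts, t = [], 0.0
    for path in docs:   # pid 4242: overwrite in place, then rename to .locked
        alerts.append(det.observe(FileEvent(t, 4242, "write", path, data=pseudo_ciphertext(path.encode(), 4096))))
        t += 0.05
        alerts.append(det.observe(FileEvent(t, 4242, "rename", path, new_path=path + ".locked")))
        t += 0.05
    for i in range(6):  # pid 1337: six new high-entropy archives, no rename/delete churn
        alerts.append(det.observe(FileEvent(t, 1337, "write", f"/backup/set_{i}.zip",
                                            data=pseudo_ciphertext(f"zip{i}".encode(), 4096))))
        t += 0.05
    return [a for a in alerts if a], dict(det.entropy_only_hits)


if __name__ == "__main__":
    fired, naive = run_scenario()
    print("behavioral alerts:", fired)
    print("entropy-only hits per pid (would be false positives for 1337):", naive)
```

In the scenario both processes produce six high-entropy writes, so an entropy-only rule cannot tell them apart; only the rename churn separates the encryptor from the backup job. Tune the thresholds against a baseline of your own file servers, and treat the window reset after an alert as a design choice: it keeps one encryption episode from generating one alert per file.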

Prerequisites

Installs: 33 · GitHub Stars: 24.2K · First Seen: Mar 29, 2026
detecting-ransomware-encryption-behavior — mukul975/anthropic-cybersecurity-skills