implementing-ransomware-kill-switch-detection

Implementing Ransomware Kill Switch Detection

When to Use

  • Analyzing a ransomware sample to determine if it contains a kill switch mechanism (mutex, domain, registry)
  • Deploying proactive mutex vaccination across endpoints to prevent known ransomware families from executing
  • Monitoring DNS for kill switch domain lookups, which indicate ransomware checking its kill switch before it begins encrypting
  • Determining quickly during incident response whether a ransomware variant can be stopped by activating its kill switch
  • Building detection signatures for ransomware mutex creation events using Sysmon or EDR telemetry

Do not use kill switch vaccination as a primary defense. Not all ransomware families implement kill switches, and those that do may remove them in newer versions. This is a supplementary detection and prevention layer.

Prerequisites

First Seen
Mar 29, 2026
implementing-ransomware-kill-switch-detection — mukul975/anthropic-cybersecurity-skills