performing-ransomware-response
Installation
SKILL.md
Performing Ransomware Response
When to Use
- Ransomware has been detected executing or file encryption is actively occurring
- Users report inability to open files with unfamiliar extensions appended
- A ransom note is discovered on one or more systems
- EDR detects mass file modification patterns consistent with encryption behavior
- Threat intelligence warns of an imminent ransomware campaign targeting the organization
Do not use for general malware incidents that do not involve file encryption or extortion; use malware incident response procedures instead.