Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionbuilding-ransomware-playbook-with-cisa-frameworkExecute the skills CLI command in your project's root directory to begin installation:
Fetches building-ransomware-playbook-with-cisa-framework from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate building-ransomware-playbook-with-cisa-framework. Access via /building-ransomware-playbook-with-cisa-framework in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | building-ransomware-playbook-with-cisa-framework |
| description | 'Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment. ' |
| domain | cybersecurity |
| subdomain | ransomware-defense |
| tags | - ransomware - incident-response - CISA - playbook - compliance - NIST |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.DS-11 - RS.MA-01 - RC.RP-01 - PR.IR-01 |
Do not use as a substitute for legal counsel regarding ransom payment decisions, breach notification timelines, or regulatory obligations specific to your jurisdiction.
Establish ransomware-specific defenses before an incident:
CISA Preparation Checklist:
━━━━━━━━━━━━━━━━━━━━━━━━━━
[ ] Maintain offline, encrypted backups tested for restoration
[ ] Create and exercise a cyber incident response plan (IRP)
[ ] Implement network segmentation between IT and OT networks
[ ] Enable MFA on all remote access and privileged accounts
[ ] Deploy endpoint detection and response (EDR) on all endpoints
[ ] Disable or restrict RDP; require VPN for remote access
[ ] Maintain a software/hardware asset inventory
[ ] Apply patches within 48 hours for internet-facing systems
[ ] Configure email filtering and disable macro execution by default
[ ] Conduct regular phishing awareness training
[ ] Implement application allowlisting (AppLocker/WDAC)
[ ] Test backup restoration quarterly and document RTO/RPO
Identify ransomware indicators and assess scope:
Detection Indicators:
━━━━━━━━━━━━━━━━━━━━
- Mass file rename operations with new extensions (.locked, .encrypted)
- Ransom notes appearing in directories (README.txt, DECRYPT.html)
- Volume Shadow Copy deletion (vssadmin delete shadows)
- Abnormal CPU usage from encryption processes
- EDR/AV alerts for known ransomware signatures
- Network connections to known C2 infrastructure
- Unusual lateral movement via SMB or PsExec
- Sysmon Event ID 11 (file creation) spikes
Initial Analysis Steps (CISA):
1. Take system images and memory captures of affected devices
2. Identify patient zero and initial access vector
3. Determine the ransomware family (ID Ransomware, ransom note analysis)
4. Assess encryption scope: which systems, shares, and data are affected
5. Check if data exfiltration occurred (double extortion indicator)
Stop the spread and preserve evidence:
Immediate Containment (First 1-4 hours):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Isolate affected systems from the network (disable NICs, VLAN quarantine)
2. If unable to disconnect, power down affected systems
3. Disable shared drives to prevent encryption spread
4. Reset credentials for compromised accounts (especially admin/service accounts)
5. Block known ransomware IOCs at firewall/proxy (C2 domains, IPs)
6. Preserve forensic evidence (memory dumps, disk images, logs)
7. Engage legal counsel and prepare breach notification if data exfiltrated
Extended Containment:
- Identify and patch the initial access vector (phishing, RDP, VPN vuln)
- Audit all Active Directory accounts for persistence (scheduled tasks, services)
- Check for backdoors or additional malware beyond the ransomware payload
Remove the threat and restore operations:
CISA Recovery Steps:
━━━━━━━━━━━━━━━━━━━
1. Rebuild affected systems from known-clean images (do NOT decrypt in place)
2. Restore data from offline backups (verify backup integrity first)
3. Reset ALL passwords including service accounts, krbtgt (twice, 12h apart)
4. Scan restored systems with updated AV/EDR before reconnecting to network
5. Re-enable services in priority order based on business criticality
6. Monitor restored systems intensively for 72 hours for reinfection
Recovery Priority Matrix:
P1 (0-4h): Domain controllers, DNS, authentication infrastructure
P2 (4-24h): Email, critical business applications, databases
P3 (1-3d): File servers, departmental applications
P4 (3-7d): Non-critical systems, development environments
Document lessons learned and improve defenses:
Post-Incident Report Template:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Executive summary: What happened, impact, resolution
2. Timeline: Detection to full recovery with timestamps
3. Root cause analysis: Initial access vector and propagation path
4. Scope: Number of systems, data volumes, business impact in hours/dollars
5. Response effectiveness: What worked, what failed, what was missing
6. Recommendations: Specific technical and procedural improvements
7. Compliance actions: Notification timeline, regulatory obligations met
8. Updated playbook: Revisions based on lessons learned
| Term | Definition |
|---|---|
| CISA StopRansomware Guide | Joint CISA/MS-ISAC/NSA/FBI guide providing ransomware prevention best practices and response checklists |
| RTO/RPO | Recovery Time Objective (max downtime) and Recovery Point Objective (max data loss); critical metrics for backup planning |
| Double Extortion | Ransomware tactic where attackers both encrypt data and threaten to publish stolen data unless paid |
| Patient Zero | The first system compromised in an incident; identifying it reveals the initial access vector |
| Tabletop Exercise | Simulated incident scenario walked through by the response team to validate the playbook without live systems |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Solid pick for teams standardizing on skills: building-ransomware-playbook-with-cisa-framework is focused, and the summary matches what you get after install.
building-ransomware-playbook-with-cisa-framework reduced setup friction for our internal harness; good balance of opinion and flexibility.
Registry listing for building-ransomware-playbook-with-cisa-framework matched our evaluation — installs cleanly and behaves as described in the markdown.
building-ransomware-playbook-with-cisa-framework has been reliable in day-to-day use. Documentation quality is above average for community skills.
Useful defaults in building-ransomware-playbook-with-cisa-framework — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added building-ransomware-playbook-with-cisa-framework from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: building-ransomware-playbook-with-cisa-framework is the kind of skill you can hand to a new teammate without a long onboarding doc.
building-ransomware-playbook-with-cisa-framework has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for building-ransomware-playbook-with-cisa-framework matched our evaluation — installs cleanly and behaves as described in the markdown.
building-ransomware-playbook-with-cisa-framework reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 74