Skip to content
All Skills

Implementing Ransomware Kill Switch Detection

Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "implementing-ransomware-kill-switch-detection-ff9a321d" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Implementing Ransomware Kill Switch Detection

## When to Use

- Analyzing a ransomware sample to determine if it contains a kill switch mechanism (mutex, domain, registry)
- Deploying proactive mutex vaccination across endpoints to prevent known ransomware families from executing
- Monitoring DNS for kill switch domain lookups that indicate ransomware attempting to check before encrypting
- During incident response to quickly determine if a ransomware variant can be stopped by activating its kill switch
- Building detection signatures for ransomware mutex creation events using Sysmon or EDR telemetry

**Do not use** kill switch vaccination as a primary defense. Not all ransomware families implement kill switches, and those that do may remove them in newer versions. This is a supplementary detection and prevention layer.

## Prerequisites

- Python 3.8+ with `ctypes` (Windows) for mutex creation and enumeration
- Sysmon installed with Event ID 1 (process creation) and Event ID 17/18 (pipe/mutex events) configured
- Access to malware analysis sandbox for identifying kill switch mechanisms in samples
- DNS monitoring capability for detecting kill switch domain resolution attempts
- Familiarity with Windows internals: mutexes (mutants), kernel objects, named pipes
- Reference database of known ransomware mutexes (github.com/albertzsigovits/malware-mutex)

## Workflow

### Step 1: Identify Kill Switch Mechanisms in Ransomware

Analyze samples for common kill switch patterns:

```
Kill Switch Types Found in Ransomware:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. MUTEX-BASED (most common):
   - Ransomware creates a named mutex at startup
   - If mutex already exists → another instance is running → exit
   - Defense: Pre-create the mutex to prevent execution
   - Examples:
     WannaCry:     Global\MsWinZonesCacheCounterMutexA
     Conti:        kasKDJSAFJauisiudUASIIQWUA82
     REvil:        Global\{GUID-based-on-machine}
     Ryuk:         Global\YOURPRODUCT_MUTEX

2. DOMAIN-BASED:
   - Ransomware resolves a hardcoded domain before executing
   - If domain resolves → security sandbox detected → exit
   - Defense: Register/sinkhole the domain to activate kill switch
   - Examples:
     WannaCry v1:  iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
     WannaCry v1:  fferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

3. REGISTRY-BASED:
   - Check for specific registry key/value before executing

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#incident#responsepythonsysmonwindowsdns-monitoringmalware-sandbox
Implementing Ransomware Kill Switch Detection - AgentArmory Skill — AgentArmory