All SkillsGet Started Free
Implementing Ransomware Kill Switch Detection
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
MCP get_skill({ skillId: "implementing-ransomware-kill-switch-detection-ff9a321d" })Use this skill with your agent
Create a free account and connect via MCP
# Implementing Ransomware Kill Switch Detection
## When to Use
- Analyzing a ransomware sample to determine if it contains a kill switch mechanism (mutex, domain, registry)
- Deploying proactive mutex vaccination across endpoints to prevent known ransomware families from executing
- Monitoring DNS for kill switch domain lookups that indicate ransomware attempting to check before encrypting
- During incident response to quickly determine if a ransomware variant can be stopped by activating its kill switch
- Building detection signatures for ransomware mutex creation events using Sysmon or EDR telemetry
**Do not use** kill switch vaccination as a primary defense. Not all ransomware families implement kill switches, and those that do may remove them in newer versions. This is a supplementary detection and prevention layer.
## Prerequisites
- Python 3.8+ with `ctypes` (Windows) for mutex creation and enumeration
- Sysmon installed with Event ID 1 (process creation) and Event ID 17/18 (pipe/mutex events) configured
- Access to malware analysis sandbox for identifying kill switch mechanisms in samples
- DNS monitoring capability for detecting kill switch domain resolution attempts
- Familiarity with Windows internals: mutexes (mutants), kernel objects, named pipes
- Reference database of known ransomware mutexes (github.com/albertzsigovits/malware-mutex)
## Workflow
### Step 1: Identify Kill Switch Mechanisms in Ransomware
Analyze samples for common kill switch patterns:
```
Kill Switch Types Found in Ransomware:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. MUTEX-BASED (most common):
- Ransomware creates a named mutex at startup
- If mutex already exists → another instance is running → exit
- Defense: Pre-create the mutex to prevent execution
- Examples:
WannaCry: Global\MsWinZonesCacheCounterMutexA
Conti: kasKDJSAFJauisiudUASIIQWUA82
REvil: Global\{GUID-based-on-machine}
Ryuk: Global\YOURPRODUCT_MUTEX
2. DOMAIN-BASED:
- Ransomware resolves a hardcoded domain before executing
- If domain resolves → security sandbox detected → exit
- Defense: Register/sinkhole the domain to activate kill switch
- Examples:
WannaCry v1: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
WannaCry v1: fferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
3. REGISTRY-BASED:
- Check for specific registry key/value before executing#mukul-cybersecurity-skills#security#cybersecurity#incident#responsepythonsysmonwindowsdns-monitoringmalware-sandbox