This workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response.
How it works
- File System Monitoring - Continuously monitors file operations (create, modify, rename, delete) across critical directories
- Behavior Pattern Collection - Aggregates file operation metrics in 30-second windows (entropy changes, extension changes, I/O velocity)
- AI Threat Analysis - Claude AI analyzes patterns against known ransomware behaviors (mass encryption, shadow copy deletion, etc.)
- Threat Scoring & Classification - Assigns threat scores (0-100) and classifies attack types (crypto-locker, wiper, etc.)
- Auto-Isolation Decision - Determines if immediate network isolation is required based on confidence thresholds
- System Quarantine - Executes automated isolation: disable network adapters, block shares, kill suspicious processes
- Forensic Snapshot - Captures system state, process tree, network connections, and file operation logs
- Incident Response Alert - Notifies SOC team with detailed threat intelligence and recommended actions
- Evidence Preservation - Stores forensic data and AI analysis in SIEM for investigation
Detection Capabilities
- Entropy Analysis: Detects high-entropy file creation (encrypted data signature)
- Extension Scanning: Identifies suspicious extension changes (.docx → .locked, .encrypted, .crypted)
- I/O Velocity: Flags abnormal file modification rates (>100 files/min)
- Shadow Copy Deletion: Detects vssadmin.exe / wmic.exe shadow copy deletion attempts
- Ransom Note Detection: Identifies README.txt, HOW_TO_DECRYPT.html creation patterns
- Lateral Movement: Monitors SMB/RDP connection spikes from infected hosts
- Process Behavior: Analyzes suspicious parent-child process relationships
Setup Steps
- Import workflow into n8n
- Configure credentials:
  - Anthropic API - Claude AI for threat analysis
  - Windows Event Collector / Sysmon - File system event source
  - EDR API (CrowdStrike/Defender/SentinelOne) - For isolation commands
  - SIEM API (Splunk/Elastic) - For log forwarding
  - Slack/PagerDuty - For SOC alerts
- Install file system watcher on monitored endpoints (sysmon, osquery, or auditd)
- Configure isolation thresholds (default: threat_score >= 75)
- Test isolation procedure in sandbox environment
- Activate workflow
Sample Detection Event
{
  "hostname": "DESKTOP-WKS-042",
  "username": "jdoe",
  "timestamp": "2025-02-25T14:23:17Z",
  "detection_window_seconds": 30,
  "file_operations": {
    "files_modified": 247,
    "files_renamed": 189,
    "files_created": 58,
    "files_deleted": 31,
    "avg_entropy_increase": 7.89,
    "suspicious_extensions": [".locked", ".crypted", ".encrypted"],
    "ransom_notes_created": ["README_DECRYPT.txt", "HOW_TO_RECOVER.html"]
  },
  "process_activity": {
    "high_io_processes": [
      {"name": "explorer.exe", "pid": 4782, "io_rate": "523 ops/sec"},
      {"name": "svchost.exe", "pid": 2194, "io_rate": "412 ops/sec"}
    ],
    "suspicious_commands": [
      "vssadmin.exe delete shadows /all /quiet",
      "wmic shadowcopy delete",
      "bcdedit /set {default} recoveryenabled no"
    ]
  },
  "network_activity": {
    "c2_connections": [
      {"ip": "185.220.101.32", "port": 443, "country": "RU"},
      {"ip": "194.165.16.85", "port": 8443, "country": "NL"}
    ],
    "lateral_movement": [
      {"target": "FILE-SERVER-01", "protocol": "SMB", "status": "success"},
      {"target": "DB-SERVER-03", "protocol": "RDP", "status": "failed"}
    ]
  }
}
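As an added example, not part of the workflow template, the following stand-alone Python pre-scorer takes one 30-second window in the shape of the event above and applies the page's own heuristics (I/O velocity over 100 files/min, high-entropy writes, suspicious extension changes, ransom note creation, shadow copy deletion, lateral movement) to produce a 0-100 threat score and the isolation decision at the default threshold of 75. In the workflow this scoring is done by Claude; here it is a deterministic stage that could run before or beside the AI call. The per-signal weights, the 7.0 bits/byte entropy cut-off and the two constructed windows are assumptions.

```python
import math
from collections import Counter

ISOLATION_THRESHOLD = 75         # default from the setup steps (threat_score >= 75)
IO_VELOCITY_LIMIT_PER_MIN = 100  # ">100 files/min" rule from Detection Capabilities
RANSOM_NOTE_HINTS = ("DECRYPT", "RECOVER", "HOW_TO", "README")
RECOVERY_TAMPER_CMDS = ("vssadmin", "shadowcopy delete", "bcdedit")  # T1490 patterns

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 is uniform (ciphertext-like), plain text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_window(event: dict) -> dict:
    """Rule-based pre-score (0-100) for one 30-second window plus the isolation decision."""
    ops, procs = event["file_operations"], event["process_activity"]
    net = event["network_activity"]
    score, findings = 0, []
    per_min = ops["files_modified"] * 60 / event["detection_window_seconds"]
    if per_min > IO_VELOCITY_LIMIT_PER_MIN:
        score += 25; findings.append(f"io_velocity {per_min:.0f} files/min")
    if ops["avg_entropy_increase"] >= 7.0:          # assumed cut-off for ciphertext-like writes
        score += 25; findings.append("high-entropy writes")
    if ops["suspicious_extensions"]:
        score += 20; findings.append("extension change " + ",".join(ops["suspicious_extensions"]))
    if any(h in name.upper() for name in ops["ransom_notes_created"] for h in RANSOM_NOTE_HINTS):
        score += 15; findings.append("ransom note created")
    if any(p in cmd.lower() for cmd in procs["suspicious_commands"] for p in RECOVERY_TAMPER_CMDS):
        score += 20; findings.append("T1490 recovery inhibition")
    if any(hop["status"] == "success" for hop in net["lateral_movement"]):
        score += 10; findings.append("successful lateral movement")
    score = min(score, 100)
    return {"threat_score": score, "isolate": score >= ISOLATION_THRESHOLD, "findings": findings}

RANSOMWARE_WINDOW = {  # constructed, mirrors the sample event above (not captured data)
    "detection_window_seconds": 30,
    "file_operations": {"files_modified": 247, "avg_entropy_increase": 7.89,
                        "suspicious_extensions": [".locked"], "ransom_notes_created": ["README_DECRYPT.txt"]},
    "process_activity": {"suspicious_commands": ["vssadmin.exe delete shadows /all /quiet"]},
    "network_activity": {"lateral_movement": [{"target": "FILE-SERVER-01", "status": "success"}]},
}
BENIGN_WINDOW = {  # constructed: an ordinary user session
    "detection_window_seconds": 30,
    "file_operations": {"files_modified": 12, "avg_entropy_increase": 0.4,
                        "suspicious_extensions": [], "ransom_notes_created": []},
    "process_activity": {"suspicious_commands": []}, "network_activity": {"lateral_movement": []},
}
```

Running `score_window(RANSOMWARE_WINDOW)` yields a score of 100 with `isolate` set, while `BENIGN_WINDOW` scores 0; a window that only trips velocity and entropy lands at 50 and stays below the isolation threshold.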
Threat Intelligence Sources
- MITRE ATT&CK Framework (T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery)
- Known ransomware families: LockBit, BlackCat/ALPHV, Royal, Play, Cl0p
- File extension IOCs from ransomware tracking feeds
- Behavioral signatures from recent campaigns
Compliance & Forensics
- Chain of Custody: All isolation actions logged with timestamps and justifications
- NIST CSF Alignment: DE.CM-7 (Monitoring for unauthorized activity), RS.MI-3 (Incident containment)
- Evidence Integrity: Forensic snapshots include cryptographic hashes for court admissibility
- Post-Incident Review: AI analysis archived for threat hunting and pattern improvement