investigating-ransomware-attack-artifacts

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The playbook explicitly searches memory for AES key schedules and "RSA PRIVATE KEY" material and writes/searches those values into output files and reports, which would require handling and potentially outputting sensitive key material verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly queries public malware services and URLs (e.g., VirusTotal via check_hash_virustotal in scripts/agent.py and ID Ransomware / No More Ransom references in SKILL.md and references/api-reference.md), ingesting untrusted, user-submitted indicators that the agent parses and uses to identify variants and guide investigation actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs use of sudo to insmod a kernel module and contains multiple privileged/system-modifying operations (vssadmin, copying to root paths, creating directories under /cases), which require elevated privileges and modify the host state.