⚠ Lab Safety & Ethics
✔ No real ransomware is used in this lab.
✔ All encryption, malware, and attacks are simulated.
✔ This lab teaches detection, response, and prevention.
✔ Never deploy ransomware or test malware on real systems.
Lab 1: Initial Infection Vector
Objective: Identify how ransomware initially enters an environment.
Scenario
An employee reports their computer behaving slowly after opening an email attachment
titled Invoice_2026.pdf.exe.
Email Gateway Log:
Attachment: Invoice_2026.pdf.exe
Sender: billing@external-payments.com
SPF: FAIL
User opened attachment
Exercises
- Identify suspicious indicators in the attachment name.
- Explain how file extensions are abused.
- What security controls could have blocked this?
CTF Question:
What attack vector was used?
Flag: CTF{ATTACK_VECTOR}
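Added example, not part of the lab worksheet: a small Python triage routine that reads the gateway record shown above and automates the checks the exercises ask for (double extension, executable extension, SPF result, whether the user opened the file). The extension lists are my assumption, kept short for the exercise, and the log text is a constructed copy of the lab's four lines.

```python
"""Triage of the Lab 1 email-gateway record.

Added example, not part of the lab: parses the 'Key: value' lines shown in
the lab, then applies the checks a mail-security engineer would automate.
"""
from pathlib import PurePosixPath

# Extensions that run code when a user double-clicks them on Windows.
# Assumption: a short list for the exercise, not an exhaustive catalogue.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".ps1", ".lnk"}
# Extensions a user expects to be inert documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png"}

# Constructed copy of the gateway log from the lab.
GATEWAY_LOG = """\
Attachment: Invoice_2026.pdf.exe
Sender: billing@external-payments.com
SPF: FAIL
User opened attachment
"""


def parse_gateway_log(text):
    """'Key: value' lines become dict entries; bare lines become events."""
    record = {"events": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            record[key.strip().lower()] = value.strip()
        else:
            record["events"].append(line.lower())
    return record


def attachment_indicators(filename):
    """Return the suspicious traits of an attachment name (empty list = clean)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    findings = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension {suffixes[-1]}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension: {suffixes[-2]} document name hides an executable")
    if "\u202e" in filename:
        # A right-to-left override reverses how the tail of the name is
        # displayed, so the extension the user sees is not the real one.
        findings.append("right-to-left override character in name")
    return findings


def triage(log_text):
    """Combine attachment, sender-authentication and user-action checks into a verdict."""
    record = parse_gateway_log(log_text)
    findings = [f"attachment: {f}" for f in attachment_indicators(record.get("attachment", ""))]
    if record.get("spf", "").upper() == "FAIL":
        findings.append("spf: sending server is not authorised for the sender domain")
    if "user opened attachment" in record["events"]:
        findings.append("user action: attachment was executed, treat the host as suspect")
    # Attachment and SPF findings are enough to quarantine before delivery;
    # the user-action finding only exists after delivery and makes it an incident.
    if any(f.startswith("user action") for f in findings):
        verdict = "incident"
    elif findings:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(GATEWAY_LOG)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the lab's record, the routine reports four findings and the verdict "incident"; the same name without the trailing .exe, or a record with SPF: PASS and no executable, passes through as "deliver". The point of splitting the verdicts is that the first two indicators are available at the gateway, before any user sees the message, which is where the control the third exercise asks about belongs.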
Lab 2: Payload Execution (Simulation)
Objective: Understand ransomware execution behavior.
Simulated Process Activity
Process Monitor Output:
spawned process: invoice_2026.exe
created file: encryptor.tmp
modified registry: HKCU\Software\Microsoft\Windows\Run
network connection: 185.222.81.55:443
Exercises
- Why does ransomware modify startup registry keys?
- What does outbound encrypted traffic indicate?
- Which event should trigger an alert?
CTF Question:
What persistence technique is being used?
Flag: CTF{PERSISTENCE_METHOD}
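Added example, not part of the lab worksheet: a Python correlation rule that turns the four Process Monitor lines above into one alert with a severity, which answers the "which event should trigger an alert" exercise in code. The event list is a constructed copy of the lab's output. One caveat a practitioner would raise: the well-known Run keys live under ...\Windows\CurrentVersion\Run, while the lab prints a shorter path; the matcher below accepts both rather than guessing which the lab intended.

```python
"""Correlating the Lab 2 process-monitor lines into one alert.

Added example, not part of the lab. It assumes the 'kind: value' line
format shown in the lab and that all four lines concern the same process.
"""
import ipaddress
import re

# Constructed copy of the Process Monitor output from the lab.
PROCMON_OUTPUT = [
    "spawned process: invoice_2026.exe",
    "created file: encryptor.tmp",
    r"modified registry: HKCU\Software\Microsoft\Windows\Run",
    "network connection: 185.222.81.55:443",
]

# Autostart key names that make a binary run at every logon. The standard
# locations sit under ...\Windows\CurrentVersion\Run; the pattern also accepts
# the shorter path the lab prints.
AUTOSTART_KEY = re.compile(r"\\windows\\(currentversion\\)?(run|runonce|runservices)$", re.I)


def parse_events(lines):
    """Return (kind, value) pairs from 'kind: value' lines; other lines are skipped."""
    events = []
    for line in lines:
        if ": " not in line:
            continue
        kind, value = line.split(": ", 1)
        events.append((kind.strip().lower(), value.strip()))
    return events


def is_public_host(host):
    """True for a routable IP address (not RFC 1918, loopback, link-local, ...)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostnames would need resolution first; not judged here


def correlate(lines):
    """Reduce a burst of events for one process to an alert with a severity."""
    alert = {"process": None, "persistence": False, "staging_file": None,
             "c2_candidate": None, "severity": "low", "alert_on": []}
    for kind, value in parse_events(lines):
        if kind == "spawned process":
            alert["process"] = value
        elif kind == "created file" and value.lower().endswith(".tmp"):
            alert["staging_file"] = value
        elif kind == "modified registry" and AUTOSTART_KEY.search(value):
            alert["persistence"] = True
            alert["alert_on"].append(f"autostart key written: {value}")
        elif kind == "network connection":
            host, _, port = value.rpartition(":")
            if is_public_host(host):
                alert["c2_candidate"] = value
                alert["alert_on"].append(
                    f"outbound connection to public address {host} on port {port}")
    # An autostart write alone is medium; an autostart write plus an outbound
    # connection to the internet from a freshly spawned binary is the
    # high-confidence combination worth paging on.
    if alert["persistence"] and alert["c2_candidate"]:
        alert["severity"] = "high"
    elif alert["persistence"] or alert["c2_candidate"]:
        alert["severity"] = "medium"
    return alert


if __name__ == "__main__":
    result = correlate(PROCMON_OUTPUT)
    print(result["severity"], result["process"])
    for reason in result["alert_on"]:
        print(" -", reason)
```

The temp file is recorded but does not raise severity on its own: legitimate installers create .tmp files constantly, and a rule that fires on that alone would drown the analyst. The registry write is the event that should fire by itself, because a user-mode binary has no routine reason to add itself to a Run key, and port 443 to a public address only looks benign because it blends in with ordinary browsing.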
Lab 3: Encryption Phase (Simulated)
Objective: Learn how ransomware impacts data availability.
File System Simulation
Before:
report.docx
budget.xlsx
clients.db
After:
report.docx.locked
budget.xlsx.locked
clients.db.locked
Exercises
- Why is encryption fast and automated?
- What file types are usually targeted first?
- Why are backups often deleted?
CTF Question:
What CIA triad principle is violated?
Flag: CTF{CIA_PROPERTY}
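Added example, not part of the lab worksheet: a Python snapshot comparison that detects the mass rename shown in the before/after listing above, and a byte-entropy check that tests whether file content looks encrypted. The listings are the lab's; the file contents are constructed here (a plaintext document and a SHA-256 chain standing in for encryptor output), since the lab shows only names. The example also records originals that vanish between snapshots, which is the signal behind the "why are backups deleted" exercise.

```python
"""Spotting the Lab 3 mass rename and testing whether content looks encrypted.

Added example, not part of the lab. The before/after listings are the lab's;
the file contents are constructed, since the lab shows only file names.
"""
import hashlib
import math
from collections import Counter

BEFORE = ["report.docx", "budget.xlsx", "clients.db"]
AFTER = ["report.docx.locked", "budget.xlsx.locked", "clients.db.locked"]

# Constructed contents: a plaintext document and a pseudo-random byte stream
# (SHA-256 chain) standing in for the output of a file encryptor.
PLAINTEXT = b"Quarterly budget report for fiscal 2026. Revenue, costs, headcount.\n" * 60
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rename_states(before, after):
    """Classify each original name as unchanged, renamed (with the appended suffix) or missing."""
    after_set = set(after)
    states = {}
    for name in before:
        if name in after_set:
            states[name] = ("unchanged", "")
            continue
        appended = [a[len(name):] for a in after if a.startswith(name + ".")]
        states[name] = ("renamed", appended[0]) if appended else ("missing", "")
    return states


def assess(before, after, min_fraction=0.5):
    """Alert when most files gained the same new suffix within one snapshot interval."""
    states = rename_states(before, after)
    renamed = [ext for state, ext in states.values() if state == "renamed"]
    missing = [name for name, (state, _) in states.items() if state == "missing"]
    fraction = len(renamed) / len(before) if before else 0.0
    dominant = Counter(renamed).most_common(1)[0][0] if renamed else None
    suspicious = dominant is not None and fraction >= min_fraction
    return {
        "renamed_fraction": fraction,
        "dominant_extension": dominant,
        "missing": missing,  # originals that disappeared, e.g. deleted backups
        "verdict": "mass rename: availability at risk" if suspicious else "normal",
    }


def looks_encrypted(data, threshold=7.5):
    """Whole-file entropy near 8 bits/byte is consistent with encryption.

    Caveat: docx and xlsx are zip containers and already score high, so use
    this together with the rename rate, never as the only signal.
    """
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    print(assess(BEFORE, AFTER))
    print("plaintext entropy  %.2f" % shannon_entropy(PLAINTEXT))
    print("random-like entropy %.2f" % shannon_entropy(RANDOM_LIKE))
```

For the lab's listing every original is renamed with the same .locked suffix, so the renamed fraction is 1.0 and the verdict flags an availability loss; a listing where one file merely disappears reports it under "missing" without raising the verdict. On a real host the same logic runs over a short time window of file-system events rather than two directory listings, which is what makes a rename burst stand out from a user renaming one file.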
Lab 4: Ransom Note & Extortion
Objective: Analyze ransomware extortion techniques.
YOUR FILES HAVE BEEN ENCRYPTED
Send 2 BTC to the address below.
If payment is not received within 72 hours,
your files will be permanently destroyed.
Exercises
- Why is cryptocurrency used?
- What psychological pressure is applied?
- Should victims pay? Why or why not?
CTF Question:
What attack strategy is this?
Flag: CTF{EXTORTION_TYPE}
Lab 5: Incident Response
Objective: Respond effectively to a ransomware incident.
SOC Alert:
Multiple systems encrypting files
Outbound C2 traffic detected
Admin credentials compromised
Exercises
- What is the first containment step?
- Which systems must be isolated?
- Who must be notified internally?
CTF Question:
What response phase is this?
Flag: CTF{IR_PHASE}
Lab 6: Prevention & Hardening
Objective: Stop ransomware before it happens.
Exercises
- Explain the role of offline backups.
- How does application whitelisting help?
- Why is least privilege critical?
- What user training reduces infections?
Final Flag:
CTF{PREVENTION_BEATS_RECOVERY}