CTF Challenge #1: Can You Stop This Ransomware Attack Before It's Too Late?

Difficulty: Beginner–Intermediate | Reading time: 10 minutes | Product tie-in: Incident Response Plan Template ($47)


TL;DR

  • A realistic ransomware scenario plays out step by step — your job is to identify what went wrong at each decision point
  • Each stage has a multiple-choice question; the answers are at the bottom
  • Getting these wrong in a real attack costs Australian SMBs an average of $71,600 in downtime alone [1]
  • The correct response process is baked into lil.business's Incident Response Plan Template

The Scenario: Friday 4:47 PM at Meridian Accounting

It's a Friday afternoon. The team at Meridian Accounting — eight staff, one IT contractor on retainer — are wrapping up the week. Their Office Manager, Sandra, opens what looks like an ATO notification email: "Action required: Updated tax portal credentials."

She clicks. Nothing happens. She closes it and goes back to work.

By 5:12 PM, three workstations are encrypting. By 5:30 PM, the file server is gone.

The ransom note says: $45,000 AUD or lose everything.

You are the IT contractor. You get the call at 5:33 PM.


Stage 1: First Contact

Your phone rings. Sandra is panicking. She says: "Something's wrong with the computers. Files have weird extensions. I think we got a virus."

Challenge Question 1

What is your FIRST action?

A) Tell Sandra to restart all the affected computers to clear the infection
B) Tell Sandra to immediately unplug all affected machines from the network
C) Log in remotely to investigate before doing anything
D) Call the backup vendor to start a restore

[Answer at bottom — don't scroll yet!]


Stage 2: Containment Assessment

You remotely confirm ransomware. The variant is LockBit 3.0. Three workstations are fully encrypted. The file server shows active encryption in progress. The backup NAS is mounted as a network drive on the file server.

Challenge Question 2

Which systems do you isolate FIRST and WHY?

A) The three workstations — they are already fully encrypted
B) The file server — active encryption is still happening, and it has the backup NAS mounted
C) All systems simultaneously — the longer you wait the worse it gets
D) The backup NAS only — protect the backups above everything else

[Answer at bottom]


Stage 3: The Backup Problem

You discover the backup NAS was mounted as a network share on the file server. The ransomware has begun encrypting the backup share. You estimate 30% of backups are already gone.

Meridian's last confirmed-clean backup was taken on Sunday night (5 days ago).

Challenge Question 3

What do you do RIGHT NOW with the remaining 70% of backups?

A) Leave the NAS connected — disconnecting might corrupt the remaining files
B) Immediately physically disconnect the NAS from the network and power
C) Start restoring from the 70% that remains while the encryption continues
D) Call the ransom negotiator first — backups may be recoverable through decryption

[Answer at bottom]


Stage 4: Communication Decisions

It's now 6:15 PM. You have contained the spread. The Directors of Meridian are on the phone. One says: "Should we tell our clients? Should we tell the ATO? What do we do?"

Under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth), an organisation covered by the Act that holds personal information has a mandatory notification obligation when a data breach is likely to result in serious harm to the individuals concerned [2].

Challenge Question 4

What notification steps apply here?

A) Tell no one — resolving quietly protects the business reputation
B) Notify the OAIC (Office of the Australian Information Commissioner) within 30 days if client data was accessed
C) Assess the breach (within 30 days at most) and notify the OAIC and affected individuals as soon as practicable IF the breach is likely to result in serious harm to individuals whose data was affected
D) Only notify if clients actually complain

[Answer at bottom]


Stage 5: The Ransom Decision

The attackers have offered a "goodwill decryption" — one file decrypted for free to prove they have the key. The remaining 70% of backups cover most but not all client records. Paying the ransom would cost $45,000 AUD.

Challenge Question 5

What does the Australian Signals Directorate recommend about paying ransoms?

A) Pay if the cost of downtime exceeds the ransom
B) Never pay — there is no guarantee of recovery and payment funds future attacks
C) Pay only if you can verify the attacker's decryption key works first
D) Payment decisions are left entirely to the business — ASD takes no position

[Answer at bottom]


The Answers

Answer 1: B — Isolate from the network FIRST

Restarting does not clear the infection: most ransomware persists across a reboot and simply resumes, and the reboot destroys the volatile evidence (running processes, network connections, and in some families the encryption keys still sitting in memory) that an investigator or a decryptor may later need. Logging in remotely to investigate first lets the encryption run while you look, and if you do it with a domain admin account on a compromised host you hand the attacker another credential to harvest. Restoring before containment means restoring into an active infection. Pulling the network cable (or disabling Wi-Fi) stops the spread to shares and other hosts and is the single most important first action in any ransomware event; it is measured in minutes, and every minute costs files. Leave the machines powered on but isolated for forensics.

Key principle: Contain before you investigate.

Answer 2: B — The file server FIRST

The file server has active encryption in progress AND the backup NAS mounted. Isolating it stops the active spread AND protects the remaining backups. The three workstations have the least left to lose — stopping new encryption on the server saves the most data. They are next, not never: a ransomware process on a "fully encrypted" workstation is still running and can keep writing to any share it can reach, so if you can talk Sandra through pulling the workstation cables while you isolate the server, do both at once.

Key principle: Prioritise active over already-compromised.
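The judgement call in Stages 1 and 2 comes down to one question: which hosts are still encrypting, and are any of them writing to the backup share? The script below is an added example written for this page (not the page's own tooling) that answers it from a file-server rename audit log. The log lines are a constructed, simplified format, and the host names, the share names and the extension allow-list are assumptions for the Meridian scenario. It ranks hosts for isolation: still active and touching the backup share first, then still active, then finished hosts by damage done. It uses an allow-list of expected extensions rather than a fixed ransomware signature because LockBit 3.0 appends a random per-victim extension.

```python
"""Triage a file-server audit log to decide which hosts to isolate first.

Added example for this page. The log format is a constructed, simplified
rename-audit record (one event per line); it is not real Windows or Samba
output, and the host and share names are assumptions for the scenario.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Allow-list of extensions a normal office workload renames to. Anything else
# is suspect: LockBit 3.0 appends a random per-victim extension, so a fixed
# signature would miss it while an allow-list still catches it.
BENIGN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "tmp", "bak", "zip"}

# Share roots that hold backups (assumed names). Suspect renames landing here
# are the most urgent signal of all.
BACKUP_SHARES = {r"\\nas01\backups"}

# A host counts as still active if it produced a suspect rename within this
# window of the newest event in the log.
ACTIVE_WINDOW = timedelta(seconds=120)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=RENAME "
    r"path=(?P<old>\S+) -> (?P<new>\S+)$"
)

# Constructed sample: three workstations finished encrypting earlier, one
# benign rename on WS-04, and the file server (FS01) still renaming files on
# the backup share at the end of the log. ".lockbit" is a placeholder.
SAMPLE_LOG = r"""
2025-06-13T17:10:02 host=WS-01 user=sandra action=RENAME path=\\fs01\clients\acme\2024_BAS.xlsx -> \\fs01\clients\acme\2024_BAS.xlsx.lockbit
2025-06-13T17:15:00 host=WS-01 user=sandra action=RENAME path=\\fs01\clients\acme\ledger.docx -> \\fs01\clients\acme\ledger.docx.lockbit
2025-06-13T17:12:45 host=WS-02 user=peter action=RENAME path=\\fs01\clients\bravo\payroll.csv -> \\fs01\clients\bravo\payroll.csv.lockbit
2025-06-13T17:18:30 host=WS-02 user=peter action=RENAME path=\\fs01\clients\bravo\notes.txt -> \\fs01\clients\bravo\notes.txt.lockbit
2025-06-13T17:14:05 host=WS-03 user=mei action=RENAME path=\\fs01\clients\charlie\a.pdf -> \\fs01\clients\charlie\a.pdf.lockbit
2025-06-13T17:17:50 host=WS-03 user=mei action=RENAME path=\\fs01\clients\charlie\b.pdf -> \\fs01\clients\charlie\b.pdf.lockbit
2025-06-13T17:21:10 host=WS-03 user=mei action=RENAME path=\\fs01\clients\charlie\c.pdf -> \\fs01\clients\charlie\c.pdf.lockbit
2025-06-13T17:20:00 host=WS-04 user=bob action=RENAME path=\\fs01\shared\draft.tmp -> \\fs01\shared\draft.docx
2025-06-13T17:25:00 host=FS01 user=svc-backup action=OPEN path=\\nas01\backups\sunday\clients.vhdx
2025-06-13T17:29:12 host=FS01 user=svc-backup action=RENAME path=\\fs01\clients\delta\tax.xlsx -> \\fs01\clients\delta\tax.xlsx.lockbit
2025-06-13T17:30:40 host=FS01 user=svc-backup action=RENAME path=\\nas01\backups\sunday\clients.vhdx -> \\nas01\backups\sunday\clients.vhdx.lockbit
2025-06-13T17:31:40 host=FS01 user=svc-backup action=RENAME path=\\nas01\backups\monday\clients.vhdx -> \\nas01\backups\monday\clients.vhdx.lockbit
"""


def share_root(path):
    # \\server\share\dir\file -> \\server\share (lower-cased)
    parts = path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]).lower()


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(lines):
    """Return hosts ordered by isolation priority, most urgent first."""
    per_host = defaultdict(lambda: {"suspect": 0, "last": None, "shares": set(), "ext": set()})
    latest = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rename record; ignored
        ts = datetime.fromisoformat(m["ts"])
        latest = ts if latest is None or ts > latest else latest
        new_ext = extension(m["new"])
        if new_ext in BENIGN_EXTENSIONS or new_ext == extension(m["old"]):
            continue  # ordinary rename
        h = per_host[m["host"]]
        h["suspect"] += 1
        h["last"] = ts if h["last"] is None or ts > h["last"] else h["last"]
        h["shares"].add(share_root(m["new"]))
        h["ext"].add(new_ext)

    report = []
    for host, h in per_host.items():
        report.append({
            "host": host,
            "suspect_renames": h["suspect"],
            "active": latest - h["last"] <= ACTIVE_WINDOW,
            "touches_backup_share": bool(h["shares"] & BACKUP_SHARES),
            "shares": sorted(h["shares"]),
            "extensions": sorted(h["ext"]),
        })
    # Still active and hitting the backup share first, then anything still
    # active, then finished hosts by volume of damage.
    report.sort(key=lambda r: (not r["active"], not r["touches_backup_share"], -r["suspect_renames"]))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(row)
```

On the sample log, FS01 comes out first (still renaming, and on the backup share), then WS-03, WS-01 and WS-02, which all stopped more than two minutes before the last event. The `user=svc-backup` field on the server's events is worth noticing in a real log: it tells you which account the encryption is running as, and therefore which credential to disable next.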

Answer 3: B — Physically disconnect the NAS immediately

Every second the NAS stays on the network, more backup files are encrypted. Ransomware works file by file, so interrupting it loses only the files it is in the middle of; everything it has not reached is untouched. That is why an interrupted backup set beats one you let it finish. The network cable is the essential step: the encryption is running on the file server, and once the NAS is unreachable nothing can write to it. Pull the power as well only if you cannot get to the network port or you suspect the NAS itself is running attacker code, because a hard power-off mid-write can damage its filesystem or RAID. Keep it offline until you know what survived and have a clean host to mount it from. Afterwards, fix the design flaw that caused this: a backup share that production hosts can write to is not a backup against ransomware. Have the NAS pull from the server with its own credentials, use immutable snapshots, or keep an offline copy.

Key principle: An imperfect backup now beats a perfect backup you no longer have.
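Once the NAS is offline, the next question is which snapshots are still usable and, for a partly encrypted set like Meridian's, whether intact client folders can be salvaged from later snapshots rather than falling back wholesale to Sunday's. The script below is an added example written for this page (not the page's or any product's code). The snapshot listings are constructed stand-ins for a directory listing of each nightly snapshot folder on the NAS (Sunday to Thursday is an assumption; Friday's job had not run yet), and the folder layout, extension allow-list and ransom-note pattern are assumptions too. It finds the newest indicator-free snapshot and then builds a per-client restore plan from the newest snapshot in which each client folder is intact.

```python
"""Pick restore points from backup snapshots that ransomware partly encrypted.

Added example for this page. The snapshot listings are constructed stand-ins
for a directory listing of each nightly snapshot folder on the NAS (Sunday to
Thursday, an assumption; Friday's job had not run yet). Client folder layout,
the extension allow-list and the note-file pattern are assumptions too.
"""
from collections import defaultdict

# File types the backup job is expected to contain. Anything else is treated
# as damage, because LockBit 3.0 and similar crews use a random extension.
EXPECTED_EXTENSIONS = {"xlsx", "docx", "pdf", "csv", "txt", "vhdx", "zip"}

# Ransomware drops a note into every folder it touches. LockBit 3.0 names it
# <random-ext>.README.txt, so match on the suffix rather than a fixed name.
NOTE_SUFFIX = ".readme.txt"

BASE = [
    "clients/acme/2024_BAS.xlsx", "clients/acme/ledger.docx",
    "clients/bravo/payroll.csv", "clients/charlie/a.pdf",
    "clients/delta/tax.xlsx",
]
# Constructed sample: snapshot names start with an ISO date so lexical order
# is date order. Wednesday carries a ransom note in one client folder;
# Thursday has encrypted files as well (the "30% already gone").
SNAPSHOTS = {
    "2025-06-08_sun": list(BASE),
    "2025-06-09_mon": list(BASE),
    "2025-06-10_tue": BASE + ["clients/bravo/notes.txt"],
    "2025-06-11_wed": BASE + ["clients/bravo/notes.txt",
                              "clients/delta/k7Hq2xPzL.README.txt"],
    "2025-06-12_thu": [
        "clients/acme/2024_BAS.xlsx.k7Hq2xPzL", "clients/acme/ledger.docx",
        "clients/bravo/payroll.csv", "clients/bravo/notes.txt",
        "clients/charlie/a.pdf",
        "clients/delta/tax.xlsx.k7Hq2xPzL", "clients/delta/k7Hq2xPzL.README.txt",
    ],
}


def is_indicator(path):
    """True if the file looks like ransomware output or a ransom note."""
    name = path.rsplit("/", 1)[-1].lower()
    if name.endswith(NOTE_SUFFIX):
        return True
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext not in EXPECTED_EXTENSIONS


def client_of(path):
    # clients/<client>/... -> <client>; anything outside clients/ is ignored
    parts = path.split("/")
    return parts[1] if len(parts) > 2 and parts[0] == "clients" else None


def snapshot_is_clean(paths):
    return not any(is_indicator(p) for p in paths)


def last_clean_snapshot(snapshots):
    """Newest snapshot with no indicators at all, or None."""
    for snap in sorted(snapshots, reverse=True):
        if snapshot_is_clean(snapshots[snap]):
            return snap
    return None


def restore_plan(snapshots):
    """For each client folder, the newest snapshot in which it is intact.

    Intact means no indicator file in the folder and every file the last
    clean snapshot had for that client is still present (ransomware may
    delete or rename originals, so a missing file counts as damage)."""
    clean = last_clean_snapshot(snapshots)
    if clean is None:
        return {}
    expected = defaultdict(set)
    for p in snapshots[clean]:
        if client_of(p):
            expected[client_of(p)].add(p)
    plan = {}
    for snap in sorted(snapshots, reverse=True):
        present, damaged = defaultdict(set), set()
        for p in snapshots[snap]:
            c = client_of(p)
            if c is None:
                continue
            if is_indicator(p):
                damaged.add(c)
            else:
                present[c].add(p)
        for c in expected:
            if c not in plan and c not in damaged and expected[c] <= present[c]:
                plan[c] = snap
    return plan


if __name__ == "__main__":
    print("last indicator-free snapshot:", last_clean_snapshot(SNAPSHOTS))
    for client, snap in sorted(restore_plan(SNAPSHOTS).items()):
        print(f"{client}: restore from {snap}")
```

On the sample data Tuesday is the last indicator-free snapshot, but bravo and charlie can still be restored from Thursday and acme from Wednesday; only delta has to go back to Tuesday. One caveat: "no indicators" is not the same as "confirmed clean". The crew was almost certainly inside the network before Friday, so even a clean-looking snapshot may carry their tooling. Restore data from the plan, but rebuild the hosts from known-good media and rotate every credential before reconnecting anything.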

Answer 4: C — Assess, then notify the OAIC and affected individuals IF serious harm is likely

Australia's Notifiable Data Breaches (NDB) scheme under the Privacy Act requires notification to both the OAIC and the affected individuals when a data breach involving personal information is "likely to result in serious harm" [2]. The 30 days is the outer limit for the assessment; once you conclude it is an eligible data breach, you must notify as soon as practicable, not wait out the clock. Two points trip up firms like Meridian. First, the small business exemption does not help: the scheme applies to tax file number recipients for breaches involving TFN information, and an accounting firm holds a TFN for every client. Second, encryption alone does not prove the data was read or taken, but unless your logs can show that it was not, treat the records as accessed; LockBit and similar crews copy data out before they encrypt. This is not optional, and "hoping it stays quiet" is not a legal defence. Separately, report the incident to ASD through ReportCyber, and notify your cyber insurer if you have one, since most policies require prompt notice.

Key principle: Know your mandatory notification obligations before an incident happens.

Answer 5: B — ASD recommends not paying

The Australian Signals Directorate's ransomware guidance is explicit that paying is not recommended [4]: there is no guarantee of recovery, 17% of businesses that pay never receive a working decryption key [3], and payment directly funds the criminal ecosystem. The "goodwill decryption" only proves the attackers hold a key for one file; it proves nothing about whether the full decryptor is reliable, how long it will take to run across a file server, or whether the data they copied out will still be leaked. A business that decides to pay anyway should also know that, since 30 May 2025, the Cyber Security Act 2024 requires businesses above its turnover threshold to report a ransomware payment to the Australian Government within 72 hours, so the decision cannot be kept quiet either.

Key principle: Decide your ransom policy NOW, in a written document, before you're in the heat of an incident.


How Did You Score?

5/5 — You're ready. Your business probably has a documented IR plan already. If not, you're relying on memory under pressure.

3–4/5 — You understand the principles, but a few gaps will show under real pressure. Worth formalising.

0–2/5 — This is the gap attackers exploit. Not a knowledge problem — it's a documentation and preparation problem.


Why Getting This Right Requires a Written Plan

Every single answer above should already be written down, approved by management, and tested before an incident happens. The reason most SMBs get this wrong isn't because they lack the knowledge — it's because nobody wrote it down, nobody trained on it, and nobody tested it.

The lil.business Incident Response Plan Template for SMBs gives you the exact structure: pre-built response playbooks for ransomware, data breach, and account compromise, with checklists for containment, notification, and recovery. Built specifically for Australian businesses, with NDB scheme compliance and ASD guidance baked in.

$47 — Get the Incident Response Plan Template


FAQ

What is the most common first mistake in a ransomware attack?

The most common first mistake is restarting infected machines or logging in remotely to investigate before isolating them. A reboot does not remove the ransomware, which usually resumes on start-up, and it destroys volatile evidence; investigating first lets the encryption run while you look. The correct first step is always network isolation: physically unplug affected machines from the network (or disable Wi-Fi) before doing anything else, and leave them powered on.

Do I have to tell the OAIC about a ransomware attack?

Under Australia's Notifiable Data Breaches (NDB) scheme, you must notify the OAIC and affected individuals if the breach involves personal information and is likely to result in serious harm. You have at most 30 days to assess, and must notify as soon as practicable once you conclude it is an eligible breach. Ransomware attacks that encrypt or exfiltrate client records typically trigger this obligation, and the small business exemption does not cover breaches involving tax file numbers, which an accounting firm will hold. Failure to notify when required carries civil penalties.

Should I pay the ransom?

The Australian Signals Directorate recommends against paying ransoms in all cases. Payment does not guarantee recovery — and roughly 17% of paying victims receive no working decryption key. The better long-term investment is an incident response plan and tested offline backups.

How long does it take to put an incident response plan in place?

A purpose-built IR template adapted to Australian regulatory requirements can be implemented in a day. Starting from scratch typically takes 2–4 weeks. The lil.business Incident Response Plan Template is designed to be customised in a few hours.


References

[1] CyberCX, "Australia's Cyber Security Landscape 2025," CyberCX, 2025. [Online]. Available: https://www.cybercx.com.au/research

[2] Office of the Australian Information Commissioner, "Notifiable Data Breaches Scheme," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiable-data-breaches

[3] Sophos, "The State of Ransomware 2025," Sophos, 2025. [Online]. Available: https://www.sophos.com/en-us/content/state-of-ransomware

[4] Australian Signals Directorate, "Ransomware: What You Need to Know," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/acs/ransomware

[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach


Ready to have this plan documented and ready to go? The lil.business Incident Response Plan Template for SMBs gives you the exact playbook — $47, instant download.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation