CTF: You've Got Ransomware — Can You Save the Business?

Difficulty: Intermediate | Time: 20–30 min | Linked product: IRP Template ($47)


The Setup

It's 2:17 AM on a Tuesday. Your phone lights up — three alerts from your monitoring tool in under four minutes. You're the IT manager for a 45-person Melbourne-based civil engineering consultancy. You roll out of bed and open your laptop.

The EDR dashboard shows lateral movement across your file server. Your NAS share, the one holding 11 years of project drawings, CAD files, and tender documents, is throwing thousands of file-rename events per second. The extensions are changing: .dwg files are becoming .dwg.locked3. You recognise the pattern. This is LockBit 3.0. The threat intel matches: a LockBit affiliate has been hitting professional services firms in Victoria and NSW for the past six weeks. The ACSC's LockBit 3.0 advisory is already in your bookmarks.

You've got remote access. Your backups ran last night — you think. Your CEO is asleep. Your cyber insurance broker is in Brisbane. You have no documented incident response plan.

The clock is ticking. What do you do?


The Challenge

Answer each of the following five questions as if you're making the call right now. Write down your answers before reading the hints.


Question 1 — Containment or investigation first?

Your EDR is still showing active encryption. The ransomware process is live on FILE-SRV-01 and has mapped drives to three workstations. You can:

  • (A) Immediately isolate FILE-SRV-01 from the network
  • (B) Let it run while you gather forensic evidence — process hashes, network connections, IOCs
  • (C) Pull the physical ethernet cable on the NAS
  • (D) Wake your CEO before doing anything

Which do you do, in what order, and why?


Question 2 — The backup question

Your backup tool reports the last successful job completed at 11:58 PM, a little over two hours ago. But you notice the backup destination is a mapped network drive (Z:\Backups) on the same NAS segment. Encrypted files have already appeared in Z:\Backups\2025-archive\.

  • What has almost certainly happened to your backups?
  • What backup architecture would have prevented this?
  • Is there any path to recovery without paying the ransom?

Question 3 — Who do you notify, and when?

Your consultancy handles contracts for two Victorian government agencies. A breach affecting their project data likely triggers:

  • The Privacy Act 1988 (Cth) Notifiable Data Breach scheme
  • Possible contractual notification clauses (check your MSAs)
  • The ACSC's ASD Cyber Incident Reporting portal

You have four stakeholder groups: your CEO, legal counsel, the two government clients, and your cyber insurer.

In what order do you notify them? Does the sequence matter legally? What's the 72-hour clock you need to be aware of?


Question 4 — Ransom negotiation or hard no?

The ransomware note demands AU$180,000 in Monero, with a 72-hour deadline before public data release on LockBit's leak site. You've confirmed that 6 GB of files were exfiltrated before encryption began (you can see the outbound spike in your firewall logs).

  • What are the legal considerations in Australia for paying a ransom to a sanctioned entity?
  • How do you verify whether the threat actor is on OFAC/DFAT sanctions lists before any payment discussion?
  • What does your insurer need to be told before you engage any third-party negotiator?

Question 5 — Post-incident: What goes in the report?

After 72 hours you've contained the incident, restored from a clean offline backup (found on a USB drive in the server room), and notified relevant parties. Your CEO asks you to draft an incident report for the board.

List the six mandatory sections an incident report to the board should contain, and identify which three are most commonly omitted by SMBs who've never had to write one before.


Hints

Hint 1 (Q1): The general rule in IR is contain first, investigate second, but the order of the first few actions matters enormously. Isolating the server stops the bleeding. Cutting the network does not erase RAM, but it can cut the management channel you needed to pull a memory image, and a host that gets powered off loses everything volatile: running processes, network connections, injected code and sometimes key material. The right answer is a short sequence that captures the volatile evidence and then isolates. Think about what you can only collect while the host is still reachable.

Hint 2 (Q2): The classic SMB backup failure mode is a backup destination that lives on the same network segment, and behind the same credentials, as the data it's protecting. LockBit enumerates and encrypts network shares, including mapped drives, from every host it runs on; that behaviour is part of the malware's configuration, not an accident. "Air-gap" is not just a physical term. Think about what makes a backup genuinely immutable, and about how you would verify that rather than trusting the job status.
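Verifying the backup is the part most teams skip. The following Python is an added example for this CTF, not code from the page or the IRP template: it walks a backup tree and flags files that carry the scenario's ransom suffix or whose contents have near-maximum byte entropy despite an uncompressed plaintext extension (a file encrypted in place keeps its name, so the extension check alone misses it). The tree it scans is constructed inside the script; the suffix list, extension set and entropy threshold are assumptions to tune for your own data.

```python
"""Scan a backup tree for files that ransomware has already touched.

Added example for this CTF, not code from the page or the IRP template.
Assumptions: the backup destination is a plain directory tree; the
ransomware suffix is the scenario's ".locked3" (extend RANSOM_SUFFIXES
with your own indicators); and the PLAINTEXT_EXT formats are uncompressed,
so near-8-bit entropy in them means encrypted content. Compressed formats
(.docx, .zip, modern .dwg) are legitimately high-entropy and are left out.
"""
from __future__ import annotations

import math
import os
import random
from collections import Counter
from pathlib import Path

PLAINTEXT_EXT = {".txt", ".csv", ".log", ".xml", ".json", ".dxf"}
RANSOM_SUFFIXES = (".locked3",)   # assumption: suffix from the scenario
ENTROPY_THRESHOLD = 7.5           # bits/byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_bytes: int = 65536) -> str | None:
    """Verdict for a suspect file, or None if it looks clean."""
    if path.name.lower().endswith(RANSOM_SUFFIXES):
        return "ransom-extension"
    if path.suffix.lower() in PLAINTEXT_EXT:
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) > ENTROPY_THRESHOLD:
            return "high-entropy"   # encrypted in place, name unchanged
    return None


def scan_backup(root: str | os.PathLike) -> dict[str, str]:
    """Walk the backup tree; map relative path -> verdict for suspect files."""
    root = Path(root)
    findings: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdict = classify(p)
            if verdict:
                findings[p.relative_to(root).as_posix()] = verdict
    return findings


def build_sample(root: str | os.PathLike) -> None:
    """Write a CONSTRUCTED backup tree: two clean files, two touched by ransomware."""
    archive = Path(root) / "2025-archive"
    archive.mkdir(parents=True, exist_ok=True)
    dxf = ("0\nSECTION\n2\nHEADER\n9\n$ACADVER\n1\nAC1027\n0\nENDSEC\n" * 50).encode()
    (archive / "site-plan.dxf").write_bytes(dxf)                # clean CAD export
    (archive / "tender.csv").write_bytes(b"item,qty,cost\nbeam,12,4400\n" * 100)
    rng = random.Random(7)                                      # deterministic "ciphertext"
    (archive / "site-plan.dxf.locked3").write_bytes(rng.randbytes(4096))
    (archive / "notes.txt").write_bytes(rng.randbytes(4096))    # encrypted in place


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, verdict in sorted(scan_backup(tmp).items()):
            print(f"{verdict:17} {rel}")
```

Run it against the backup copy, not production, and run it on a schedule so that "last job succeeded" is backed by "last scan found nothing". A high-entropy hit in a format that should be text is the cheapest signal you will get that the malware could reach the backup.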

Hint 3 (Q3): Under the Privacy Act NDB scheme the 30-day clock starts when you suspect an eligible data breach: from that point you have 30 days to complete a reasonable and expeditious assessment. Once you have reasonable grounds to believe an eligible breach has occurred, notification to the OAIC and affected individuals is due as soon as practicable, not at the end of the 30 days. Government contract clauses often have much shorter windows (sometimes 24 hours), so check the MSAs early. Legal counsel comes before client notification. Insurer comes before you talk to any media, and most policies also require you to notify before engaging any third party.

Hint 4 (Q4): Australia's Autonomous Sanctions Act 2011 and DFAT's Consolidated List are the relevant instruments, not just OFAC; dealing with a designated person or entity is an offence regardless of how the payment is routed. The ACSC strongly advises against paying ransoms and publishes guidance on the legal grey zone. Since 30 May 2025 the Cyber Security Act 2024 also requires businesses above the AU$3 million annual turnover threshold to report any ransomware payment to the Australian Government within 72 hours of making it. The key question isn't "can I pay", it's "who is on the other end and have I checked".
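"Have I checked" is a concrete step. The Python below is an added example for this CTF, not code from the page or the IRP template: it screens a name against a sanctions list with the forgiving matching that the real lists demand (aliases, transliterations, reordered name parts), because an exact-string check gives false comfort. The list embedded in the script is a constructed sample with assumed column names; in use you would load the DFAT Consolidated List (and the OFAC SDN list) in its place and keep the same matching logic. Any hit is a lead for counsel, and no hit is not clearance.

```python
"""Screen a counterparty name against a sanctions list before any payment talk.

Added example for this CTF, not code from the page or the IRP template.
SAMPLE_LIST_CSV is a CONSTRUCTED list with assumed column names; load the
DFAT Consolidated List (and OFAC SDN) in its place. Matching is deliberately
forgiving: listed groups appear under aliases, transliterations and
reordered names, so exact matching alone misses them.
"""
from __future__ import annotations

import csv
import io
import re
import unicodedata
from difflib import SequenceMatcher

SAMPLE_LIST_CSV = """reference,name,name_type,additional_information
AU0001,Example Crimeware Collective,Primary name,Ransomware-as-a-service operator (constructed entry)
AU0001,ECC Group,Also known as,Alias of AU0001 (constructed entry)
AU0002,Ivan Primerov,Primary name,Alleged affiliate of AU0001 (constructed entry)
AU0003,Harmless Trading Pty Ltd,Primary name,Unrelated listed entity (constructed entry)
"""


def normalise(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    return " ".join(text.split())


def token_sorted(norm: str) -> str:
    """Order-independent form so 'Primerov, Ivan' equals 'Ivan Primerov'."""
    return " ".join(sorted(norm.split()))


def load_list(csv_text: str) -> list[dict]:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["_norm"] = normalise(r["name"])
        r["_sorted"] = token_sorted(r["_norm"])
    return rows


def screen(candidate: str, rows: list[dict], fuzzy_threshold: float = 0.85) -> list[dict]:
    """Possible hits, best first. Every hit goes to counsel; none is not clearance."""
    cand = normalise(candidate)
    cand_sorted = token_sorted(cand)
    hits = []
    for r in rows:
        if cand == r["_norm"]:
            score, how = 1.0, "exact"
        elif cand_sorted == r["_sorted"]:
            score, how = 1.0, "token-reorder"
        else:
            score = max(SequenceMatcher(None, cand, r["_norm"]).ratio(),
                        SequenceMatcher(None, cand_sorted, r["_sorted"]).ratio())
            how = "fuzzy"
            if score < fuzzy_threshold:
                continue
        hits.append({"reference": r["reference"], "name": r["name"],
                     "name_type": r["name_type"], "score": round(score, 3), "match": how})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    rows = load_list(SAMPLE_LIST_CSV)
    for who in ["ECC GROUP", "Exampel Crimeware Collective",
                "Primerov, Ivan", "Some Unrelated Negotiator"]:
        print(who, "->", screen(who, rows) or "no hit")
```

Screen every name you are given (the gang brand, the leak-site name, any persona in the negotiation chat, the negotiator firm) and keep the output with the incident log, because the insurer and DFAT will both ask what you checked and when.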

Hint 5 (Q5): Think about timeline, scope of impact, root cause, remediation steps, and lessons learned; most SMBs get those five. The one almost universally missing is the evidence chain-of-custody log, which matters enormously if law enforcement gets involved or an insurance dispute arises.


Reveal: Full Answer to Question 1

The correct sequence for Q1:

  1. Before touching anything — open a fresh notepad (physical or digital) and timestamp every action from this point forward. This is your incident log. It will matter for insurance, for ACSC reporting, and potentially for litigation.

  2. Capture volatile evidence before isolation. If your EDR can trigger a memory image of FILE-SRV-01 remotely (many platforms can; confirm yours does before you need it), do that now, along with a snapshot of running processes and network connections. The image is mainly for the investigation: modern ransomware encrypts each file key with the attacker's public key, so key recovery from memory is the exception, not something to plan on. This is a two to three minute step that becomes impossible once the host is off.

  3. Isolate FILE-SRV-01 from the network. Prefer your EDR's host-isolation feature (it keeps the agent's own channel open) or shut the port at the switch or VLAN; physically unplug only if you have no remote option. Option C in the question is the same idea applied to the NAS, and it is reasonable if remote access is unavailable: better to lose volatile artefacts than to let encryption continue.

  4. Do not wake the CEO yet — assess the blast radius first. Waking your CEO with "we've been ransomwared" and no further information is counterproductive. Give yourself 15 minutes to understand scope before escalating.

  5. Check which other hosts have mapped drives to the NAS; these are your next isolation targets. LockBit encrypts every share it can reach from each host it is running on, so a workstation with a live process will keep encrypting the NAS after FILE-SRV-01 is isolated.

Why option B (let it run for forensics) is wrong: Every second of continued encryption is more data you will have to restore, and if the backups are exposed too (see Question 2) it is data you may never get back. The forensic value of watching live encryption does not outweigh the operational damage. Capture what you can via EDR telemetry, then contain.

Why option D (wake the CEO first) is wrong: You are the incident commander until you have something actionable to report. "I found ransomware and immediately called you instead of containing it" is not a good look in a post-incident review.
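Step 1 of the sequence, the incident log, is also the chain-of-custody record Hint 5 says SMBs leave out. The Python below is an added example for this CTF, not code from the page or the IRP template: an append-only JSON-lines log where each entry carries the SHA-256 of the previous one, so a later edit or a deleted line breaks the chain and is detectable, and where evidence files (the memory image, an EDR export) are recorded by their own hash. It assumes one analyst writing from one machine; the sample entries and the stand-in memory image are constructed.

```python
"""Append-only, hash-chained incident log (the "timestamp everything" step).

Added example for this CTF, not code from the page or the IRP template.
Assumptions: one analyst appends entries from one machine to a JSON-lines
file; each entry carries the SHA-256 of the previous entry, so an edited or
deleted line breaks the chain and verify() reports where. Evidence files
(memory image, EDR export) are logged with their own SHA-256 so a
chain-of-custody record exists for the insurer, ASD/ACSC or police.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64   # "previous hash" of the first entry


def sha256_file(path) -> str:
    """Stream-hash an evidence file so large memory images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest(entry: dict) -> str:
    """Hash of every field except 'hash' itself, serialised canonically."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    def __init__(self, path):
        self.path = Path(path)
        self.entries: list[dict] = []
        if self.path.exists():
            lines = self.path.read_text(encoding="utf-8").splitlines()
            self.entries = [json.loads(l) for l in lines if l.strip()]

    def record(self, actor: str, action: str, evidence_path=None,
               when: datetime | None = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        if evidence_path is not None:
            entry["evidence"] = {"file": str(evidence_path),
                                 "sha256": sha256_file(evidence_path)}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        with self.path.open("a", encoding="utf-8") as fh:   # append only
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self) -> tuple[bool, int]:
        """(True, count) if intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev") != prev or _digest(e) != e.get("hash"):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "FILE-SRV-01.mem"
        dump.write_bytes(b"\x00" * 1024)                # stands in for the memory image
        log = IncidentLog(Path(tmp) / "incident.jsonl")
        log.record("it-manager", "EDR alerts reviewed: active encryption on FILE-SRV-01")
        log.record("it-manager", "memory image of FILE-SRV-01 acquired via EDR", evidence_path=dump)
        log.record("it-manager", "FILE-SRV-01 isolated (EDR host isolation)")
        print("intact:", log.verify())
        log.entries[1]["action"] = "nothing to see"     # simulate a later edit
        print("after tamper:", log.verify())
```

Keep the log file on a machine the attacker does not control (the analyst laptop, not the file server), and copy the latest hash somewhere out of band at each milestone; the chain proves nothing was altered afterwards only if someone other than the author holds an earlier head.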


Get the Full Answer Key

You've seen one answer in detail. The remaining four questions — covering backup architecture, legal notification timelines, sanctions compliance for ransom payment, and board reporting structure — are covered in full in the Incident Response Plan Template for SMBs.

The template includes:

  • Step-by-step IR playbook with decision trees for ransomware, data breach, and insider threat scenarios
  • Notification checklists covering ACSC, Privacy Act NDB, and common government contract clauses
  • Board report template with all six mandatory sections
  • Backup verification checklist (so you never find out your backups were encrypted during an incident)
  • Sanctions screening guidance for ransom payment decisions

Built for Australian SMBs. No consultant jargon. You can fill it in and have a working plan in under two hours.

Get the IRP Template for $47 → lil.business/products/incident-response-plan-template

Or buy via Polar: https://buy.polar.sh/polar_cl_G95ZMX6xnZpa7JuXj1AROgffKr1aL0JDmJ2KU1rHJ84


Scenario based on composite real-world LockBit 3.0 incidents reported to the ACSC in 2024–2025. Company details are fictionalised.

ELI10: Ransomware Gangs Are Adapting — Here's Why Your Backup Isn't Enough Anymore

TL;DR

  • Ransomware is like someone locking your filing cabinets and demanding payment for the key.
  • Businesses got smart — they started making copies of everything first. So now attackers also steal the files before locking them.
  • The average ransom demand is now over $1 million. 86% of businesses don't pay.
  • The businesses that survive do three things: keep backups criminals can't reach, know exactly how to restore, and watch for suspicious copying before the lock-up happens.

Imagine your business is a restaurant. All your recipes, customer contacts, supplier contracts — everything that keeps the doors open — lives in filing cabinets in the back office.

A ransomware attack is like someone sneaking in overnight, locking every single cabinet with their own padlocks, and leaving a note: "Pay us $1 million and we'll give you the keys."

For years, smart businesses fought back by making copies. Keep a backup of every file somewhere else — your own fireproof safe, an offsite storage unit, a cloud system only you can access. Problem solved, right? If they lock the cabinets, you just use your copies.

Ransomware criminals noticed. And they adapted.

What "Dual Extortion" Means (and Why It Changes Everything)

Now, before attackers lock your filing cabinets, they quietly make their own copies first. Every customer record, every financial document, every private contract — they copy it all out the back door before they lock up.

Then they leave two notes. Note one: "Pay us to unlock your cabinets." Note two: "If you don't pay, we'll post all your private files on the internet for anyone to see."

This is called dual extortion (more often, double extortion), and it now accounts for 70% of ransomware attacks [1]. Even if you can restore from your backup, even if you never need to pay the ransom, your private data might still end up exposed.

The Real Numbers (Translated)

  • The average ransom demand in 2025 was over $1 million [1]. That went up 47% in a single year.
  • 86 out of 100 businesses that got hit refused to pay [1]. Good call.
  • For the 14% who did pay, negotiators helped get the demand reduced by about 65% — but they still paid an average of $355,000 [1].
  • Retailers saw a 58% jump in ransomware attacks in the middle of 2025. Manufacturers saw a 61% jump [2].

The good news: the amount of damage ransomware causes is actually going down — 19% lower on average than the year before [1]. That's because backup strategies are working. Businesses are recovering without paying. The criminals get nothing.

The 3 Things That Actually Protect You

Think of these as three locks on three different doors.

Lock 1: Backups Criminals Can't Reach

Your backup copy needs to live somewhere that an attacker, even one who has already taken over your entire computer system, simply cannot get to. That means separate login credentials, a separate system, and ideally write-once-read-many (WORM, or "immutable") storage where files can be added but never deleted or changed until a retention period has passed. It's like keeping a copy of your filing cabinet contents in a vault only you can open, with no connection to your main office.

Lock 2: A Tested Recovery Plan

Having a copy means nothing if you don't know how to use it under pressure. Write down, step by step, exactly how your business would get back online if every computer was suddenly unusable. Then practice it. The businesses that recover quickly have done this. The ones that struggle haven't.

Lock 3: Watching for the "Copy Before the Lock" Move

Because attackers now steal data before they encrypt it, you need to watch for unusual copying or large file transfers happening on your systems, especially outside business hours. Most business email and cloud storage tools have free alert settings for this. Turn them on.
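The "copy before the lock" is visible in the firewall logs, as it was in the CTF scenario above (6 GB leaving the network at 1 AM). The Python below is an added example for this article, not code from the page: it reads firewall flow records, gives each internal host a robust per-hour baseline (median plus median absolute deviation, so one burst does not drag the baseline up with it), and reports any hour far above that baseline, marking out-of-hours transfers. The flow records are a constructed sample in an assumed timestamp,src_ip,dst_ip,bytes_out layout; adapt the parser to your firewall's export, and tune the business hours and thresholds to your own traffic.

```python
"""Flag an outbound-transfer spike from firewall flow logs.

Added example for this article, not code from the page. SAMPLE_FLOWS is a
CONSTRUCTED export in an assumed 'timestamp,src_ip,dst_ip,bytes_out'
layout; adapt parse_flows() to your firewall's CSV. Each internal host gets
a robust per-hour baseline (median and median absolute deviation), and any
hour far above it is reported, with out-of-hours transfers marked because
that is when the "copy before the lock" usually happens.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_FLOWS = """timestamp,src_ip,dst_ip,bytes_out
2025-03-03T09:12:00,10.0.0.25,203.0.113.10,2100000
2025-03-03T10:40:00,10.0.0.25,203.0.113.10,2400000
2025-03-03T11:05:00,10.0.0.25,203.0.113.10,1900000
2025-03-03T13:20:00,10.0.0.25,203.0.113.10,2600000
2025-03-03T14:55:00,10.0.0.25,203.0.113.10,2200000
2025-03-03T16:10:00,10.0.0.25,203.0.113.10,2000000
2025-03-03T17:30:00,10.0.0.25,203.0.113.10,2300000
2025-03-04T01:15:00,10.0.0.25,198.51.100.7,4100000000
2025-03-04T01:42:00,10.0.0.25,198.51.100.7,2300000000
2025-03-03T09:30:00,10.0.0.31,203.0.113.10,900000
2025-03-03T12:00:00,10.0.0.31,203.0.113.10,1100000
2025-03-03T15:45:00,10.0.0.31,203.0.113.10,1000000
2025-03-04T01:20:00,10.0.0.31,203.0.113.10,950000
"""

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00 to 18:59 local time
MIN_BYTES = 100_000_000         # ignore "spikes" smaller than 100 MB
Z_THRESHOLD = 6.0               # robust z-score above which an hour is reported


def parse_flows(text: str) -> dict[str, dict[str, int]]:
    """host -> {'YYYY-MM-DDTHH': total bytes_out in that hour}."""
    hourly: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(text)):
        hour = datetime.fromisoformat(row["timestamp"]).strftime("%Y-%m-%dT%H")
        hourly[row["src_ip"]][hour] += int(row["bytes_out"])
    return {host: dict(buckets) for host, buckets in hourly.items()}


def robust_z(value: float, values: list[int]) -> float:
    """Distance from the median in MAD units (1.4826 scales MAD to a std dev)."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:   # every hour identical: anything above the median is anomalous
        return float("inf") if value > med else 0.0
    return (value - med) / (1.4826 * mad)


def detect_exfil(text: str) -> list[dict]:
    """Hours whose outbound volume is both large and far above the host's norm."""
    findings = []
    for host, buckets in parse_flows(text).items():
        values = list(buckets.values())
        for hour, total in sorted(buckets.items()):
            z = robust_z(total, values)
            if total >= MIN_BYTES and z > Z_THRESHOLD:
                findings.append({
                    "host": host, "hour": hour, "bytes": total,
                    "robust_z": round(z, 1),
                    "out_of_hours": int(hour[-2:]) not in BUSINESS_HOURS,
                })
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_FLOWS):
        print(f"{f['host']} {f['hour']}: {f['bytes'] / 1e9:.1f} GB out "
              f"(z={f['robust_z']}, out of hours={f['out_of_hours']})")
```

On the sample it reports the single 01:00 hour from 10.0.0.25 and nothing from the quiet host. The point of the robust baseline is that a site-plan upload to a client portal during the day does not hide a night-time dump; for a real deployment feed it a rolling week of flows per host and alert on the first flagged hour, which is before the encryption starts.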

The Other Big Threat: Business Email Scams

Ransomware gets the headlines, but Business Email Compromise is actually the most common cyber insurance claim — 31% of all incidents [1]. This is where someone gets into your email, or pretends to be your accountant or boss, and convinces someone in your business to transfer money somewhere fraudulent.

The average loss is $27,000 per incident [1]. The prevention is simple: for any payment change request that arrives by email, call the person directly to confirm. No exceptions. That one phone call prevents most of these attacks.

What to Do This Week

  1. Check your backup setup: Can a hacker who already has your passwords access your backups? If yes, fix that first.
  2. Write a recovery runbook: If everything broke today, how would you get back up? Write the steps down.
  3. Turn on file transfer alerts: In Microsoft 365 or Google Workspace, turn on alerts for large downloads or unusual sharing activity.
  4. Add a phone confirmation rule: Any payment change request by email must be confirmed by phone. No exceptions.

Your business is already more resilient than it was two years ago — the data proves it. These four steps make that resilience last.


FAQ

Both. The frequency of attacks is flat and the average damage is down 19% — which means backup strategies are working. But attackers have adapted by also stealing data before encrypting it (dual extortion), so the nature of the threat has changed even if the raw financial damage is dropping [1].

Cloud backup services start at under $20/month for small businesses. Microsoft 365 Business includes backup and retention options, but anything reachable with the same admin credentials an attacker would hold is not the isolated copy that Lock 1 calls for. The cost of doing nothing is $262,000 on average, and that's the better outcome [1]. This is one of the highest-ROI investments a small business can make.

No — 86% of businesses don't pay and most recover successfully [1]. The key is having backups in place before an attack. Without backups, you're in a much harder position. With them, you restore and move on.

BEC is when attackers either hack into a business email account or convincingly impersonate someone — usually a boss, vendor, or bank — to trick employees into making fraudulent payments. The single best prevention is a verbal confirmation policy: any payment instruction received by email must be confirmed by phone before action is taken [1].


References

[1] Coalition, "2025 Cyber Claims Report," Coalition, 2026. [Online]. Available: https://www.coalitioninc.com/blog/coalition-cyber-claims-report-2025

[2] CyberProof, "CyberProof 2026 Global Threat Intelligence Report," CyberProof, 2026. [Online]. Available: https://www.cyberproof.com/cyberproof-2026-global-threat-intelligence-report/

[3] Help Net Security, "Backup strategies are working, and ransomware gangs are responding with data theft," Help Net Security, March 6, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/

[4] Cybersecurity and Infrastructure Security Agency, "Malicious Domain Blocking and Reporting (MDBR)," CISA, 2026. [Online]. Available: https://www.cisa.gov/resources-tools/services/malicious-domain-blocking-and-reporting-mdbr

[5] eSecurity Planet, "CyberProof 2026 Report Warns of Rising Identity and AI Cyberattacks," eSecurity Planet, March 6, 2026. [Online]. Available: https://www.esecurityplanet.com/threats/cyberproof-2026-report-warns-of-rising-identity-and-ai-cyberattacks/


Want someone to check if your backup setup would actually survive a ransomware attack? That's exactly what lilMONSTER does. Book a free 30-minute consultation →

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation