Chapter 23 Quiz: Ransomware Deep Dive

Test your knowledge of the ransomware ecosystem, kill chain, detection techniques, backup strategies, and incident response.


Questions

1. In the Ransomware-as-a-Service (RaaS) ecosystem, what is the specific role of an "Initial Access Broker" (IAB)?

  • A) The developer who writes and maintains the ransomware encryptor
  • B) A criminal specialist who compromises target organizations and sells authenticated network access (VPN credentials, RDP sessions, domain admin) to ransomware affiliates without deploying the payload themselves
  • C) The affiliate who deploys the ransomware and negotiates with victims
  • D) The hosting provider for the ransomware group's leak site
Answer

B — A criminal specialist who compromises target organizations and sells authenticated network access (VPN credentials, RDP sessions, domain admin) to ransomware affiliates without deploying the payload themselves

The IAB is a supply-chain role in the RaaS economy: they specialize in initial access (exploiting VPN vulnerabilities, phishing for credentials, brute-forcing RDP) and sell that access on criminal forums. Ransomware affiliates purchase this access and use it to deploy payloads, separating the intrusion skill set from the ransomware deployment skill set. This division of labor makes the ecosystem more efficient and harder to disrupt.


2. Threat intelligence reports indicate that ransomware actors typically have a "dwell time" of 5 to 21 days between initial access and ransomware detonation. What are attackers doing during this pre-encryption period?

  • A) Waiting for the victim's security team to detect and remediate the intrusion
  • B) Conducting reconnaissance, escalating privileges, moving laterally to maximize network spread, exfiltrating data for double extortion, and disabling backup systems — maximizing leverage before the destructive phase
  • C) Encrypting data slowly to avoid detection by file monitoring tools
  • D) Negotiating ransom amount with the victim before encryption
Answer

B — Conducting reconnaissance, escalating privileges, moving laterally to maximize network spread, exfiltrating data for double extortion, and disabling backup systems — maximizing leverage before the destructive phase

The pre-encryption dwell period is the defender's best detection window. Attackers use this time for domain reconnaissance (net group "domain admins"), credential dumping (Mimikatz/LSASS), lateral movement via PsExec or WMI, data staging and exfiltration, and backup destruction (VSS deletion, Veeam database wipes). Early detection during this phase can prevent encryption entirely.


3. A SOC analyst writes a KQL query to detect bulk file rename events. Which combination of telemetry and threshold makes this a useful ransomware precursor detection?

  • A) Any single file rename event on a domain controller
  • B) FileCreated events on workstations exceeding 10 files per minute regardless of extension
  • C) DeviceFileEvents where ActionType == "FileRenamed" and the file count per device exceeds a threshold (e.g., 100 renames in 60 seconds) with extension changes matching known ransomware patterns (e.g., .locked, .encrypted, random 6-8 char extensions)
  • D) Any process writing to the C:\Windows\System32 directory
Answer

C — DeviceFileEvents where ActionType == "FileRenamed" and the file count per device exceeds a threshold (e.g., 100 renames in 60 seconds) with extension changes matching known ransomware patterns (e.g., .locked, .encrypted, random 6-8 char extensions)

Bulk file rename detection is a high-fidelity ransomware indicator when properly tuned. The two key parameters are high velocity (normal users rarely rename 100+ files in a minute) and extension changes (encrypted files typically get a new ransomware-specific extension appended to or replacing the original). Tuning the threshold prevents false positives from legitimate mass-rename operations such as build systems.


4. Volume Shadow Copy deletion via vssadmin delete shadows /all /quiet or wmic shadowcopy delete is treated as a critical pre-ransomware signal. Why is shadow copy deletion executed BEFORE encryption rather than after?

  • A) Shadow copies consume disk space that the ransomware encryptor needs
  • B) Deleting shadow copies before encryption removes the victim's ability to recover files using Windows built-in restore points — maximizing the victim's dependence on paying the ransom
  • C) The encryption process automatically deletes shadow copies as a side effect
  • D) Shadow copies interfere with the ransomware's file enumeration speed
Answer

B — Deleting shadow copies before encryption removes the victim's ability to recover files using Windows built-in restore points — maximizing the victim's dependence on paying the ransom

VSS (Volume Shadow Copy Service) provides Windows users with previous versions of files without needing external backups. Ransomware actors delete shadow copies before or during encryption specifically to eliminate this recovery option. Detecting vssadmin or wmic shadowcopy deletion commands — especially when executed at scale across multiple hosts — is one of the highest-confidence pre-encryption indicators available.
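The two detections described in the explanations for questions 3 and 4 (bulk renames with ransomware-style extension changes, and shadow-copy deletion commands) can be prototyped offline over endpoint telemetry before being turned into a KQL query. The following is an added example, not part of the quiz or any vendor's detection content; it runs over constructed events shaped like Defender DeviceFileEvents/DeviceProcessEvents rows (the field names, the KNOWN_SUFFIXES and COMMON_EXTS lists, the host names and the timestamps are all assumptions made for the example). It applies the 100-renames-in-60-seconds threshold from the page with a sliding window per device, and shows why the extension check matters: a build server renaming 150 files to a normal extension is not flagged.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the quiz explanation: 100 renames per device in 60 seconds.
RENAME_THRESHOLD = 100
WINDOW = timedelta(seconds=60)

# Extension heuristics. KNOWN_SUFFIXES and COMMON_EXTS are constructed starter
# lists (assumptions for this example); tune them per environment.
KNOWN_SUFFIXES = {".locked", ".encrypted", ".crypt"}
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{6,8}$")  # "random 6-8 char extension"
COMMON_EXTS = {".backup", ".sqlite3", ".config"}       # legitimate 6-8 char extensions (allow-list)

# Shadow-copy deletion commands named on the page; "vssadmin list shadows" must not match.
VSS_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def suspicious_extension(prev_name, new_name):
    """True when a rename changes the extension to a ransomware-like one."""
    prev_ext = os.path.splitext(prev_name)[1].lower()
    new_ext = os.path.splitext(new_name)[1].lower()
    if not new_ext or new_ext == prev_ext:
        return False
    if new_ext in KNOWN_SUFFIXES:
        return True
    return bool(RANDOM_EXT_RE.match(new_ext)) and new_ext not in COMMON_EXTS


def detect_bulk_renames(events):
    """Per device, find the densest 60 s window of suspicious renames; alert at threshold."""
    by_device = defaultdict(list)
    for ev in events:
        if ev["ActionType"] != "FileRenamed":
            continue
        if suspicious_extension(ev["PreviousFileName"], ev["FileName"]):
            by_device[ev["DeviceName"]].append(datetime.fromisoformat(ev["Timestamp"]))
    alerts = []
    for device, times in by_device.items():
        times.sort()
        start, best, best_at = 0, 0, None
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_at = end - start + 1, times[start]
        if best >= RENAME_THRESHOLD:
            alerts.append({"device": device, "renames_in_window": best,
                           "window_start": best_at.isoformat()})
    return alerts


def detect_shadow_copy_deletion(events):
    """Map device -> command lines that delete shadow copies (vssadmin / wmic)."""
    hits = defaultdict(list)
    for ev in events:
        cmd = ev.get("ProcessCommandLine", "")
        if ev["ActionType"] == "ProcessCreated" and VSS_DELETE_RE.search(cmd):
            hits[ev["DeviceName"]].append(cmd)
    return dict(hits)


def build_sample_events():
    """Constructed telemetry (not real data): a workstation with an encryption burst,
    a build server doing a benign mass rename, and two hosts deleting shadow copies."""
    t0 = datetime(2024, 1, 15, 3, 12, 0)
    events = []
    for i in range(120):   # WS-042: 120 files gain ".locked" within ~48 seconds
        events.append({"DeviceName": "WS-042", "ActionType": "FileRenamed",
                       "Timestamp": (t0 + timedelta(seconds=0.4 * i)).isoformat(),
                       "PreviousFileName": f"report_{i}.docx", "FileName": f"report_{i}.docx.locked"})
    for i in range(150):   # BUILD-01: 150 renames .tmp -> .o in 30 seconds (benign extension)
        events.append({"DeviceName": "BUILD-01", "ActionType": "FileRenamed",
                       "Timestamp": (t0 + timedelta(seconds=0.2 * i)).isoformat(),
                       "PreviousFileName": f"mod_{i}.tmp", "FileName": f"mod_{i}.o"})
    proc = {"ActionType": "ProcessCreated", "Timestamp": t0.isoformat()}
    events.append({**proc, "DeviceName": "WS-042", "ProcessCommandLine": "vssadmin.exe delete shadows /all /quiet"})
    events.append({**proc, "DeviceName": "SRV-FS01", "ProcessCommandLine": "wmic shadowcopy delete"})
    events.append({**proc, "DeviceName": "ADMIN-07", "ProcessCommandLine": "vssadmin list shadows"})  # benign
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("bulk rename alerts:", detect_bulk_renames(sample))
    print("shadow copy deletion:", detect_shadow_copy_deletion(sample))
```

Correlating the two outputs per device (WS-042 appears in both) is what raises confidence: a shadow-copy deletion on a host that is also renaming files at encryption velocity is the pre-encryption pattern the explanations describe, and it is worth alerting on even if either signal alone would be tuned down.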


5. The double extortion model extends ransomware leverage beyond encryption. What is the specific mechanism of "triple extortion" that emerged in later ransomware evolutions?

  • A) Encrypting backups in addition to primary data
  • B) A third pressure layer targeting the victim's customers, partners, or regulators directly — threatening to notify them of the breach or sell their data unless the victim pays
  • C) Deploying three separate ransomware strains simultaneously
  • D) Adding a DDoS attack against the victim's website as a third pressure vector
Answer

D — Adding a DDoS attack against the victim's website as a third pressure vector

Triple extortion (pioneered by groups like Avaddon) adds a DDoS attack against the victim's public-facing infrastructure as a third simultaneous pressure channel, alongside encryption (preventing operations) and data leak threats (reputational/legal pressure). Some definitions also include directly contacting the victim's clients/partners, but DDoS as the third operational prong is the most commonly cited distinction.


6. The 3-2-1-1-0 backup rule is the recommended standard for ransomware-resilient backup architecture. What does each digit represent in order?

  • A) 3 backup types, 2 encryption layers, 1 offsite copy, 1 immutable copy, 0 unencrypted copies
  • B) 3 copies of data, on 2 different media types, with 1 offsite copy, 1 air-gapped or immutable copy, and 0 errors verified by tested restores
  • C) 3 daily backups, 2 weekly backups, 1 monthly backup, 1 yearly archive, 0 unverified backups
  • D) 3 geographic regions, 2 cloud providers, 1 on-premises copy, 1 tape backup, 0 internet-connected backups
Answer

B — 3 copies of data, on 2 different media types, with 1 offsite copy, 1 air-gapped or immutable copy, and 0 errors verified by tested restores

The 3-2-1-1-0 rule extends the classic 3-2-1 rule with two critical ransomware-era additions: the fourth "1" requires one backup to be air-gapped or immutable (physically or logically disconnected so ransomware cannot encrypt or delete it), and the "0" requires zero backup errors — verified through regular restore testing, not just write-completion confirmations.


7. AWS S3 Object Lock in WORM (Write Once Read Many) mode with "Compliance" retention is described as ransomware-resistant. What specifically prevents a compromised AWS account with full S3 permissions from deleting locked objects?

  • A) AWS KMS automatically re-encrypts locked objects with a new key
  • B) In Compliance mode, even the root AWS account and AWS itself cannot delete or modify locked objects until the retention period expires — the lock is enforced at the S3 service layer
  • C) Object Lock requires a physical hardware key to override
  • D) Locked objects are automatically replicated to a separate AWS region
Answer

B — In Compliance mode, even the root AWS account and AWS itself cannot delete or modify locked objects until the retention period expires — the lock is enforced at the S3 service layer

S3 Object Lock Compliance mode is the strongest WORM guarantee in AWS: unlike Governance mode (which can be overridden by privileged users), Compliance mode is absolute — no AWS user, including root, can delete or shorten the retention period of a locked object. This makes it genuinely ransomware-resistant for backup data, as even a fully compromised AWS account cannot delete the locked backups.


8. Before paying a ransomware demand, legal counsel recommends checking OFAC (Office of Foreign Assets Control) sanctions lists. What is the specific legal risk that makes this check necessary?

  • A) Paying ransom is illegal in all jurisdictions regardless of the recipient
  • B) Several ransomware groups (e.g., Evil Corp/DRIDEX operators) are designated on the OFAC SDN list — making ransom payments to them a potential federal sanctions violation that could expose the victim organization to significant fines
  • C) OFAC requires organizations to report all cybersecurity incidents over $1 million
  • D) Insurance companies require OFAC clearance before approving cyber insurance claims
Answer

B — Several ransomware groups (e.g., Evil Corp/DRIDEX operators) are designated on the OFAC SDN list — making ransom payments to them a potential federal sanctions violation that could expose the victim organization to significant fines

OFAC designated Evil Corp and its leaders in 2019, making payments to groups affiliated with them potential violations of the International Emergency Economic Powers Act. This created a legal minefield: a victim company paying ransom without OFAC screening could face civil or criminal penalties. This is why incident response retainers now routinely include sanctions lawyers who check threat actor attribution before any payment decision.


9. Following ransomware response where a domain controller was compromised, incident responders recommend a "dual krbtgt reset" procedure. What does this protect against and what is the correct sequence?

  • A) Resetting krbtgt prevents the attacker from using cached NTLM hashes; reset once during containment
  • B) Resetting krbtgt twice (with a 10-hour wait or forced replication between resets) invalidates all existing Kerberos tickets including any Golden Tickets the attacker may have forged — the double reset ensures the old hash is fully cycled out across all domain controllers
  • C) The krbtgt reset resets all domain user passwords simultaneously
  • D) Resetting krbtgt forces all workstations to re-join the domain
Answer

B — Resetting krbtgt twice (with a 10-hour wait or forced replication between resets) invalidates all existing Kerberos tickets including any Golden Tickets the attacker may have forged — the double reset ensures the old hash is fully cycled out across all domain controllers

A Golden Ticket attack (Mimikatz kerberos::golden) forges Kerberos tickets using the krbtgt account's NTLM hash, and the forged tickets can be given lifetimes of 10+ years regardless of user password resets. Resetting krbtgt once invalidates tickets issued under the current key, but Active Directory retains the previous krbtgt key and still accepts tickets encrypted with it. The second reset (after the first has replicated to every domain controller) cycles that previous key out as well, fully invalidating any forged tickets an attacker retained.


10. LockBit, ALPHV (BlackCat), and Cl0p represent different generations of ransomware groups. What technical characteristic distinguishes ALPHV/BlackCat from most other major ransomware families?

  • A) BlackCat uses symmetric encryption only, making decryption faster
  • B) BlackCat was written in Rust — a memory-safe language — allowing efficient cross-platform execution on Windows, Linux, and VMware ESXi without recompilation
  • C) BlackCat operates exclusively through RDP exploitation for initial access
  • D) BlackCat does not use a leak site and relies solely on encryption for leverage
Answer

B — BlackCat was written in Rust — a memory-safe language — allowing efficient cross-platform execution on Windows, Linux, and VMware ESXi without recompilation

ALPHV/BlackCat's use of Rust was notable when it emerged in 2021: Rust's cross-compilation capabilities allowed a single codebase to target Windows, Linux, and ESXi hypervisors (a particularly valuable target as ESXi hosts multiple VMs). The choice of Rust also made reverse engineering more difficult for analysts accustomed to C/C++ malware, and provided memory safety that reduced crashes during encryption operations.


Scoring

Score   Performance
9–10    Expert — Ransomware ecosystem and response concepts fully internalized
7–8     Proficient — Ready to lead ransomware incident response
5–6     Developing — Review Chapter 23 kill chain phases and backup resilience sections
<5      Foundational — Re-read Chapter 23 before proceeding