CTF: You've Got Ransomware — Can You Save the Business?
Difficulty: Intermediate | Time: 20–30 min | Linked product: IRP Template ($47)
The Setup
It's 2:17 AM on a Tuesday. Your phone lights up — three alerts from your monitoring tool in under four minutes. You're the IT manager for a 45-person Melbourne-based civil engineering consultancy. You roll out of bed and open your laptop.
The EDR dashboard shows lateral movement across your file server. Your NAS share — the one holding 11 years of project drawings, CAD files, and tender documents — is throwing thousands of file-rename events per second. The extensions are changing: .dwg → .dwg.locked3. You recognise the pattern. This is LockBit 3.0. The threat intel matches: LockBit's AU affiliate group has been hitting professional services firms in Victoria and NSW for the past six weeks. ACSC Advisory ASD-2024-007 is already in your bookmarks.
You've got remote access. Your backups ran last night — you think. Your CEO is asleep. Your cyber insurance broker is in Brisbane. You have no documented incident response plan.
The clock is ticking. What do you do?
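The signal in the setup above (thousands of renames per second, each file keeping its name and gaining the same new extension) can be caught from file-audit or EDR rename telemetry before anyone looks at a dashboard. The following Python is an added example, not code from the original post: it runs that rule over a constructed event stream, and the event format, hostnames, paths and the per-second threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed event format (constructed for this example, not a real EDR or NAS audit schema):
#   <ISO timestamp> <host> RENAME <old path> -> <new path>
EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def appended_suffix(old, new):
    """Return the extension bolted onto the unchanged name (e.g. '.locked3'), else None."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


def detect_encryption_bursts(lines, per_second_threshold=50):
    """Flag (host, second) buckets where many files gain the same appended suffix.

    The signal is 'same name plus a new extension, in bulk, across several original
    file types' (the .dwg -> .dwg.locked3 pattern), not renames in general."""
    buckets = defaultdict(Counter)  # (host, second, suffix) -> Counter of original extensions
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, host, old, new = m.groups()
        suffix = appended_suffix(old, new)
        if suffix is None:
            continue  # ordinary rename (draft -> final), not the encryption pattern
        name = old.rsplit("\\", 1)[-1]
        orig_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        buckets[(host, ts[:19], suffix)][orig_ext] += 1
    alerts = []
    for (host, second, suffix), exts in buckets.items():
        count = sum(exts.values())
        if count >= per_second_threshold:
            alerts.append({"host": host, "second": second, "suffix": suffix,
                           "count": count, "extensions": sorted(exts)})
    return sorted(alerts, key=lambda a: a["second"])


def constructed_sample():
    """Synthetic stream: two benign renames, then a one-second burst on FILE-SRV-01."""
    lines = [
        "2025-03-04T02:15:40 WS-07 RENAME \\\\NAS01\\projects\\tender-draft.docx -> \\\\NAS01\\projects\\tender-final.docx",
        "2025-03-04T02:16:02 WS-07 RENAME \\\\NAS01\\projects\\old.dwg -> \\\\NAS01\\projects\\old.dwg.bak",
    ]
    for i in range(120):
        old = f"\\\\NAS01\\projects\\2019\\job{i}.{('dwg', 'pdf', 'xlsx')[i % 3]}"
        lines.append(f"2025-03-04T02:17:03 FILE-SRV-01 RENAME {old} -> {old}.locked3")
    return lines
```

A single `.bak` rename stays below the threshold; the burst is reported once per host and second with the suffix and the set of original extensions it hit, which is what an on-call responder needs to decide on isolation.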
The Challenge
Answer each of the following five questions as if you're making the call right now. Write down your answers before reading the hints.
Question 1 — Containment or investigation first?
Your EDR is still showing active encryption. The ransomware process is live on FILE-SRV-01 and has mapped drives to three workstations. You can:
- (A) Immediately isolate FILE-SRV-01 from the network
- (B) Let it run while you gather forensic evidence — process hashes, network connections, IOCs
- (C) Pull the physical ethernet cable on the NAS
- (D) Wake your CEO before doing anything
Which do you do, in what order, and why?
Question 2 — The backup question
Your backup destination is a mapped drive (Z:\Backups) on the same NAS segment. Encrypted files have already appeared in Z:\Backups\2025-archive\.
- What has almost certainly happened to your backups?
- What backup architecture would have prevented this?
- Is there any path to recovery without paying the ransom?
Question 3 — Who do you notify, and when?
Your consultancy handles contracts for two Victorian government agencies. A breach affecting their project data likely triggers:
- The Privacy Act 1988 (Cth) Notifiable Data Breach scheme
- Possible contractual notification clauses (check your MSAs)
- The ACSC's ASD Cyber Incident Reporting portal
You have four stakeholders: CEO, legal counsel, the two government clients, and your cyber insurer.
In what order do you notify them? Does the sequence matter legally? What's the 72-hour clock you need to be aware of?
Question 4 — Ransom negotiation or hard no?
The ransomware note demands AU$180,000 in Monero, with a 72-hour deadline before public data release on LockBit's leak site. You've confirmed that 6 GB of files were exfiltrated before encryption began (you can see the outbound spike in your firewall logs).
- What are the legal considerations in Australia for paying a ransom to a sanctioned entity?
- How do you verify whether the threat actor is on OFAC/DFAT sanctions lists before any payment discussion?
- What does your insurer need to be told before you engage any third-party negotiator?
Question 5 — Post-incident: What goes in the report?
After 72 hours you've contained the incident, restored from a clean offline backup (found on a USB drive in the server room), and notified relevant parties. Your CEO asks you to draft an incident report for the board.
List the six mandatory sections an incident report to the board should contain, and identify which three are most commonly omitted by SMBs who've never had to write one before.
Hints
Hint 1 (Q1): The general rule in IR is contain first, investigate second — but the order matters enormously. Isolating the server stops the bleeding but may destroy volatile forensic artefacts in memory. The right answer involves a specific sequence that preserves both. Think about what lives in RAM that disappears the moment you yank a cable.
Hint 2 (Q2): The classic SMB backup failure mode is a backup destination that lives on the same network segment as the data it's protecting. LockBit specifically targets mapped drives — it's in the malware's configuration. "Air-gap" is not just a physical term. Think about what makes a backup genuinely immutable.
Hint 3 (Q3): The Privacy Act NDB scheme has a 30-day clock once you have "reasonable grounds to believe" a breach has occurred — not from confirmation, from reasonable belief. But government contract clauses often have shorter notification windows (sometimes 24 hours). Legal counsel comes before client notification. Insurer comes before you talk to any media.
Hint 4 (Q4): Australia's Autonomous Sanctions Act 2011 and DFAT's sanctions list are the relevant instruments, not just OFAC. As of 2025, the ACSC strongly advises against paying ransoms and has guidance on the legal grey zone. The key question isn't "can I pay" — it's "who is on the other end and have I checked."
Hint 5 (Q5): Think about timeline, scope of impact, root cause, remediation steps, and lessons learned — those five most SMBs get. The one almost universally missing is the evidence chain of custody log, which matters enormously if law enforcement gets involved or insurance disputes arise.
Reveal: Full Answer to Question 1
The correct sequence for Q1:
- Before touching anything — open a fresh notepad (physical or digital) and timestamp every action from this point forward. This is your incident log. It will matter for insurance, for ACSC reporting, and potentially for litigation.
- Take memory snapshots if you can — if your EDR supports live memory acquisition (CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint all do), trigger a memory dump of FILE-SRV-01 before isolation. Ransomware encryption keys sometimes live in memory and are recoverable. This is a 2–3 minute step that can save tens of thousands of dollars.
- Isolate FILE-SRV-01 from the network — disable its NIC via your management interface or VLAN; do not physically unplug unless you have no remote option. Pulling the cable is option C in the question, and it's actually reasonable if remote access is unavailable — better to lose volatile artefacts than to let encryption continue.
- Do not wake the CEO yet — assess the blast radius first. Waking your CEO with "we've been ransomwared" and no further information is counterproductive. Give yourself 15 minutes to understand scope before escalating.
- Check which other hosts have mapped drives to the NAS — these are your next isolation targets. LockBit will spread via mapped drives if processes are still running on workstations.
Why option B (let it run for forensics) is wrong: Every second of continued encryption is unrecoverable data loss. The forensic value of watching live encryption does not outweigh the operational damage. Capture what you can via EDR telemetry, then contain.
Why option D (wake the CEO first) is wrong: You are the incident commander until you have something actionable to report. "I found ransomware and immediately called you instead of containing it" is not a good look in a post-incident review.
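The first step of the sequence above (timestamp every action) and the chain-of-custody log from Hint 5 can be the same artefact. The following Python is an added example, not code from the original post or from the IRP template: an append-only, hash-chained log whose entries also record the SHA-256 of any collected evidence, so a later edit, a deleted line, or a memory image that no longer matches what was logged is detectable. The actor name, timestamps and evidence bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


class IncidentLog:
    """Append-only, hash-chained incident timeline; an edited or deleted entry breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, evidence=None, when=None):
        """Append one timestamped action; evidence is the raw bytes of a collected artefact."""
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,  # chain to previous entry
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; returns (True, None) or (False, seq of the first bad entry)."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None


def scenario_log():
    """Constructed walk-through of the Q1 sequence; the memory image bytes are a stand-in."""
    log = IncidentLog()
    t0 = datetime(2025, 3, 4, 2, 17, tzinfo=timezone.utc)
    log.record("it-manager", "Log opened; EDR shows live encryption on FILE-SRV-01", when=t0)
    log.record("it-manager", "Memory image of FILE-SRV-01 captured via EDR before isolation",
               evidence=b"constructed stand-in for the memory image", when=t0 + timedelta(minutes=3))
    log.record("it-manager", "FILE-SRV-01 NIC disabled via management interface", when=t0 + timedelta(minutes=4))
    return log
```

Hand the insurer or law enforcement the entries plus the evidence files; anyone can recompute the chain and the artefact hashes without trusting the person who kept the log.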
Get the Full Answer Key
You've seen one answer in detail. The remaining four questions — covering backup architecture, legal notification timelines, sanctions compliance for ransom payment, and board reporting structure — are covered in full in the Incident Response Plan Template for SMBs.
The template includes:
- Step-by-step IR playbook with decision trees for ransomware, data breach, and insider threat scenarios
- Notification checklists covering ACSC, Privacy Act NDB, and common government contract clauses
- Board report template with all six mandatory sections
- Backup verification checklist (so you never find out your backups were encrypted during an incident)
- Sanctions screening guidance for ransom payment decisions
Built for Australian SMBs. No consultant jargon. You can fill it in and have a working plan in under two hours.
Get the IRP Template for $47 → lil.business/products/incident-response-plan-template
Or buy via Polar: https://buy.polar.sh/polar_cl_G95ZMX6xnZpa7JuXj1AROgffKr1aL0JDmJ2KU1rHJ84
Scenario based on composite real-world LockBit 3.0 incidents reported to the ACSC in 2024–2025. Company details are fictionalised.