Range Scenario · operations · 50 min
The 3am Page: Ransomware in Production
This cybersecurity training scenario simulates a working incident. PagerDuty wakes you at 3:14am. Domain controllers are showing mass file rename activity, backup jobs are failing, and the on-call engineer is panicking. You have minutes to set the right tone, the right call tree, and the right first move. Run the incident.
Scenario briefing
You are the on-call IR lead for a 12,000-employee insurance firm. PagerDuty fires at 3:14am: file servers and at least two domain controllers are showing mass rename activity to a .lockedX extension. Backup jobs against the affected file shares are failing. The Tier 1 SOC analyst is on the bridge and has not yet started a formal incident.
You have authority to invoke the major-incident playbook, page the CISO, and coordinate with legal, comms, and the cyber insurance carrier. The clock is running. Every minute of additional encryption increases recovery scope.
This scenario simulates the first thirty minutes of an active ransomware incident. The Range will not run the full incident; it tests the decisions you make in the opening minutes that determine whether recovery is hours or weeks.
What you will practice
- Set the tone of an active major incident in the first five minutes
- Pick containment that does not destroy forensic evidence
- Coordinate the call tree to legal, insurance, and comms in the right order
- Recognize the difference between an encryption attack and a destructive attack early
How this scenario is scored
The scenario has 8 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a maximum score of 100 points. Hints deduct points, and the deduction is listed before you reveal each hint. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Elite) and your final score percentage.
Frequently asked questions
Why does the first half-hour matter so much in ransomware?
Modern ransomware operators move from initial access to encryption fast. By the time PagerDuty fires, the attacker is mid-encryption. Every minute of delayed containment adds servers and shares to the recovery scope. The first half-hour either contains the blast radius to one segment or hands the operator the entire estate.
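As an added example (not part of the Range scenario or its materials), the Python below turns the briefing's signal, mass renames to a .lockedX extension, into a per-host sliding-window burst detector, so the responder can see which hosts to network-isolate first. The audit-line format, hostnames, 60-second window and 20-rename threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Added example, not part of the Range scenario. The audit-line format is a
# constructed, hypothetical one:  "<UTC time> host=<h> op=RENAME old=<p> new=<p>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\S+) old=(?P<old>\S+) new=(?P<new>\S+)$")
FMT = "%Y-%m-%dT%H:%M:%SZ"
EXTENSION = ".lockedX"          # extension named in the scenario briefing
WINDOW = timedelta(seconds=60)  # assumption: sliding detection window
THRESHOLD = 20                  # assumption: renames per host per window

def _events(host, count, step_s, old_tpl, new_tpl):
    """Constructed audit lines for one host: `count` renames, `step_s` seconds apart."""
    t0 = datetime(2024, 5, 1, 3, 10, 0)
    return [f"{(t0 + timedelta(seconds=step_s * i)).strftime(FMT)} host={host} "
            f"op=RENAME old={old_tpl.format(i)} new={new_tpl.format(i)}" for i in range(count)]

def constructed_events():
    """Sample log: one encrypting file server, one slow DC, one host doing normal renames."""
    return (_events("fs01", 40, 1, "/claims/f{}.xlsx", "/claims/f{}.xlsx" + EXTENSION)
            + _events("dc02", 15, 20, "/sysvol/g{}.pol", "/sysvol/g{}.pol" + EXTENSION)
            + _events("fs03", 30, 1, "/tmp/draft{}.docx", "/tmp/final{}.docx"))

def rename_bursts(lines, extension=EXTENSION, threshold=THRESHOLD, window=WINDOW):
    """Return {host: burst start time} for hosts that renamed files to `extension`
    at least `threshold` times inside any sliding `window`. Those hosts are the
    first candidates for network isolation (not power-off, which destroys memory evidence)."""
    per_host = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["op"] != "RENAME":
            continue
        # Count only renames that add the extension; files already encrypted are noise.
        if m["new"].endswith(extension) and not m["old"].endswith(extension):
            per_host[m["host"]].append(datetime.strptime(m["ts"], FMT))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = times[start].strftime(FMT)
                break
    return flagged

if __name__ == "__main__":
    print(rename_bursts(constructed_events()))   # {'fs01': '2024-05-01T03:10:00Z'}
```

The slow host dc02 stays under the threshold in every 60-second window, which is the trade-off to tune: a lower threshold catches slower encryptors but also flags bulk user renames.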
Should the IR lead call legal, insurance, or both first?
Both, in parallel. Legal is the privileged channel and should drive who else gets pulled in. Cyber insurance carriers often have panel forensic and legal providers and may require notification within hours for coverage to apply. Most mature programs have a single major-incident hotline that pages both at once.
Why is paying the ransom not the IR lead's call?
Ransom decisions involve legal exposure (OFAC sanctions on certain operators), insurance coverage, board governance, and business impact economics. The IR lead's job is to give leadership clean options. The decision belongs to the CEO and board with counsel, not to the technical responder.