You are the on-call IR lead for a 12,000-employee insurance firm. PagerDuty fires at 3:14am: file servers and at least two domain controllers are showing mass rename activity to a .lockedX extension. Backup jobs against the affected file shares are failing. The Tier 1 SOC analyst is on the bridge and has not yet started a formal incident.
You have authority to invoke the major-incident playbook, page the CISO, and coordinate with legal, comms, and the cyber insurance carrier. The clock is running. Every minute of additional encryption increases recovery scope.
This scenario simulates the first thirty minutes of an active ransomware incident. The Range will not run the full incident; it tests the decisions you make in the opening minutes that determine whether recovery is hours or weeks.
Multi-day campaign. Each day you read overnight events, choose actions across detection, containment, recovery, and communication, then submit.
Scored on four dimensions out of 100. Your score is compared with other Frontier subscribers. The credential issues at 75/100 by default.