Ransomware Simulation: What to Expect from a Risk Assessment

Ransomware Simulation: What to Expect
Think of a ransomware simulation as a fire drill with smoke and sirens, not just a checklist. The goal is to watch how your people, tools, and processes react when an intruder moves from a single compromised account toward your most valuable data.
Setting the stage
Start by agreeing on how the story begins: maybe a phishing email, a vulnerable external service, or a compromised supplier. Decide how encryption will be simulated - decoy file shares, selective encryption, and a clear kill switch that anyone can pull. Choose which teams stay blind for realism and which get to monitor every move for learning.
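The "selective encryption with a kill switch" rule above is easy to state and easy to get wrong in a script. Here is one way to build it, as an added example that is not part of the original page: the simulator only touches a directory tree that carries an explicit opt-in marker, re-checks a kill-switch file before every file it rewrites, and is fully reversible with the exercise key. The marker name, the kill-switch path, the ".simlocked" suffix and the sample decoy files are all constructed for this example.

```python
"""Simulated encryption for a ransomware exercise: only opted-in decoy trees are
touched, every file write is preceded by a kill-switch check, and the effect is
fully reversible with the exercise key. Added example, not from the original page."""
import hashlib
import hmac
import pathlib
import tempfile

# Assumptions (constructed for this example): a decoy tree is opted in by a
# marker file in its root, and a kill switch is any file present at the
# agreed path. All four names are hypothetical.
DECOY_MARKER = ".decoy_opt_in"
DEFAULT_KILL_SWITCH = pathlib.Path(tempfile.gettempdir()) / "ransim_kill_switch"
LOCKED_SUFFIX = ".simlocked"
RANSOM_NOTE = "README_SIMULATION.txt"


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream. Applying it twice with
    the same key restores the plaintext. Simulation grade only: it makes decoys
    unreadable for the exercise, it is not a substitute for a real cipher."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def simulate_encryption(target: pathlib.Path, key: bytes,
                        kill_switch: pathlib.Path = DEFAULT_KILL_SWITCH) -> dict:
    """Scramble and rename every regular file under an opted-in decoy tree.
    Refuses non-decoy directories outright and stops at the first kill-switch
    check that trips, so the blast radius is bounded by what the owners marked."""
    if not (target / DECOY_MARKER).is_file():
        raise PermissionError(f"{target} carries no {DECOY_MARKER}; refusing to touch it")
    summary = {"encrypted": 0, "skipped": 0, "aborted": False}
    files = sorted(p for p in target.rglob("*") if p.is_file())
    for path in files:
        if kill_switch.exists():          # checked before every file, not once at start
            summary["aborted"] = True
            break
        if path.name in (DECOY_MARKER, RANSOM_NOTE) or path.suffix == LOCKED_SUFFIX:
            summary["skipped"] += 1
            continue
        locked = path.with_name(path.name + LOCKED_SUFFIX)
        locked.write_bytes(keystream_xor(path.read_bytes(), key))
        path.unlink()
        summary["encrypted"] += 1
    if not summary["aborted"]:
        (target / RANSOM_NOTE).write_text("SIMULATION ONLY - files recover with the exercise key\n")
    return summary


def restore(target: pathlib.Path, key: bytes) -> int:
    """Undo simulate_encryption under target; returns the number of files restored."""
    restored = 0
    for locked in sorted(p for p in target.rglob("*" + LOCKED_SUFFIX) if p.is_file()):
        original = locked.with_name(locked.name[:-len(LOCKED_SUFFIX)])
        original.write_bytes(keystream_xor(locked.read_bytes(), key))
        locked.unlink()
        restored += 1
    note = target / RANSOM_NOTE
    if note.exists():
        note.unlink()
    return restored


def run_demo() -> dict:
    """Build a constructed decoy tree in a temp dir, run the simulator, try a
    non-decoy share, pull the kill switch, and restore. Returns the observations."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="ransim_"))
    decoy, real, kill = root / "decoy_share", root / "real_share", root / "STOP"
    for d in (decoy / "finance", decoy / "hr", real):
        d.mkdir(parents=True)
    (decoy / DECOY_MARKER).write_text("owner: blue team\n")
    samples = {decoy / "finance" / "q3.xlsx": b"quarterly numbers",   # constructed
               decoy / "hr" / "salaries.csv": b"name,salary",
               decoy / "notes.txt": b"decoy notes",
               real / "prod.db": b"must never be touched"}
    for path, content in samples.items():
        path.write_bytes(content)

    first = simulate_encryption(decoy, b"exercise-key", kill_switch=kill)
    try:
        simulate_encryption(real, b"exercise-key", kill_switch=kill)
        refused = False
    except PermissionError:
        refused = True
    kill.write_text("pull\n")
    second = simulate_encryption(decoy, b"exercise-key", kill_switch=kill)
    restored = restore(decoy, b"exercise-key")
    return {
        "first": first, "second": second, "refused_real_share": refused,
        "restored": restored,
        "q3_intact": (decoy / "finance" / "q3.xlsx").read_bytes() == b"quarterly numbers",
        "real_untouched": (real / "prod.db").read_bytes() == b"must never be touched",
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design choices matter more than the scrambling itself: the opt-in marker means a mistyped path fails closed rather than encrypting a real share, and the kill switch is polled per file, so whoever pulls it stops the run within one file rather than after the whole tree.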
Initial foothold and staging
With rules in place, attempt entry. Phishing payloads should exercise AMSI and EDR, while you watch for MFA gaps and token theft from cookies or refresh tokens. If you probe exposed services, you look for credential reuse, brittle middleware, and weak session handling. Payloads live in user space first to see how long they survive and whether persistence tricks - run keys, scheduled tasks, WMI, startup folders - are noticed.
Climbing the ladder
Privilege escalation is where the plot thickens. In Active Directory, Kerberoasting, AS-REP roasting, shadow credentials (msDS-KeyCredentialLink abuse), gMSA password reads, and ADCS template misconfigurations are the classic moves. On endpoints, vulnerable drivers, token impersonation, UAC bypasses, and DPAPI or LSA secrets become the stepping stones. If your estate touches the cloud, stolen tokens get replayed against Entra ID, and Conditional Access policies prove whether they are gatekeepers or paper walls.
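Kerberoasting is the one move in this list that leaves a clean, countable trail: every service ticket request is a security event 4769 on the domain controller, and a roasting tool requests RC4 tickets (TicketEncryptionType 0x17) for many service accounts in a burst. The detection below is an added example, not code from the original page: it runs a per-account sliding window over constructed 4769 records and alerts when enough distinct non-computer service accounts are requested within the window. The sample records, the account names and the threshold are all constructed; the field names follow the 4769 event XML.

```python
"""Kerberoasting detection over Windows security event 4769 (TGS request) records.
Flags an account that requests RC4 (etype 0x17) service tickets for many distinct
service accounts within a short window. Added example, not from the original page."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType value for RC4-HMAC in event 4769
THRESHOLD = 5                  # distinct service accounts per window (tune to your baseline)
WINDOW = timedelta(minutes=5)


def _rec(time, user, service, etype, ip):
    """One 4769 record: TargetUserName is the requesting account, ServiceName the
    account the ticket is for, TicketEncryptionType the etype."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


SERVICES = ["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_exchange", "svc_ci"]

# Constructed sample telemetry (not real events):
#  - jdoe pulls RC4 tickets for six service accounts in under a minute (roasting)
#    plus one for a computer account, which is excluded from the count
#  - alice does the same but with AES tickets (0x12), which are not roastable
#  - svc_scanner makes six RC4 requests but for only three distinct services
SAMPLE_4769 = (
    [_rec(f"2024-05-01T09:00:{s:02d}", "jdoe@CORP.LOCAL", svc, "0x17", "10.0.5.23")
     for s, svc in zip(range(1, 60, 10), SERVICES)]
    + [_rec("2024-05-01T09:01:10", "jdoe@CORP.LOCAL", "WS01$", "0x17", "10.0.5.23")]
    + [_rec(f"2024-05-01T10:00:{s:02d}", "alice@CORP.LOCAL", svc, "0x12", "10.0.7.4")
       for s, svc in zip(range(1, 60, 10), SERVICES)]
    + [_rec(f"2024-05-01T11:00:{s:02d}", "svc_scanner@CORP.LOCAL", svc, "0x17", "10.0.9.9")
       for s, svc in zip(range(1, 60, 10), SERVICES[:3] * 2)]
)


def detect_kerberoasting(records, threshold=THRESHOLD, window=WINDOW):
    """Per requesting account, slide a window over its RC4 ticket requests and
    alert once when `threshold` distinct service accounts fall inside `window`.
    Computer accounts (name ends in $) and krbtgt are ignored: they are not what
    a roasting tool targets and they inflate the count."""
    per_account = defaultdict(list)
    for r in sorted(records, key=lambda r: r["TimeCreated"]):
        if r["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = r["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[r["TargetUserName"]].append(
            (datetime.fromisoformat(r["TimeCreated"]), svc, r["IpAddress"]))

    alerts = []
    for account, reqs in per_account.items():
        for i, (start, _, ip) in enumerate(reqs):
            in_window = {svc for t, svc, _ in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts.append({"account": account, "source_ip": ip,
                               "window_start": start.isoformat(),
                               "services": sorted(in_window)})
                break          # one alert per account, on the first window that trips
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

Counting distinct service accounts rather than raw requests is what separates the roast from a busy scanner that hammers one SPN; the threshold still has to be tuned against your own baseline, and any account that is legitimately RC4-only should be on a short allowlist rather than silently ignored.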
Moving sideways
Lateral movement over SMB, WinRM/PowerShell Remoting, RDP, and WMI tests segmentation in real time. Do jump hosts and NSG rules hold? Does EDR spot LOLBins and signed-binary proxy execution? On Linux, SSH agent hijacking or sudo token abuse reveals the same truths. Each pivot tells you whether your network is a maze or a hallway.
Data theft and impact without the pain
Once inside, the exercise targets business-critical shares, databases, and SaaS stores seeded with decoy data to measure DLP and egress alerts. Encryption is simulated on decoy shares only, and attempts to delete volume shadow copies or tamper with backup catalogs expose how resilient your recovery really is. Double-extortion staging directories and outbound channels test whether you notice exfiltration as readily as disruption.
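The shadow-copy and backup-catalog tampering mentioned above is the part of the impact phase that should be loudest in telemetry, because it happens through a handful of well-known commands before any file is encrypted. The detection below is an added example, not code from the original page: it matches process-creation command lines (the fields mirror a Sysmon event 1 or security event 4688) against those commands, flags parents launched from user-writable paths, and escalates a host where several distinct tampering techniques fire together into a "pre-encryption burst". The sample events, hostnames and rule names are constructed.

```python
"""Detect shadow-copy deletion and backup-catalog tampering in process-creation
telemetry, and escalate hosts where several techniques fire together.
Added example, not from the original page."""
import re
from collections import defaultdict

# Each rule names a known pre-encryption command. Command lines are matched with
# quotes stripped so '"C:\\...\\vssadmin.exe" delete shadows' still hits.
IMPACT_RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I)),
    ("wmic_shadowcopy", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_recovery", re.compile(r"bcdedit(\.exe)?\b.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wmi_shadowcopy_ps", re.compile(r"Win32_ShadowCopy.*?\.Delete\(\)", re.I)),
]
# A parent living under a user-writable directory is far more suspicious than
# an admin's cmd.exe; this is a heuristic, not proof.
USER_WRITABLE_PARENT = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

# Constructed sample events (not real telemetry). FS01 shows the classic burst from
# a dropped binary; WS05 is an admin merely listing shadows; WS07 and WS09 each
# show a single technique.
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS05", "user": "CORP\\backupadmin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS07", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS09", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
]


def detect_backup_tampering(events, burst_threshold=2):
    """Return {'hits': [...], 'bursts': [...]}. A hit is one matching command line,
    tagged with the rule and whether the parent came from a user-writable path.
    A burst is a host on which at least `burst_threshold` distinct rules fired."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].replace('"', "")
        for rule, pattern in IMPACT_RULES:
            if pattern.search(cmd):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                             "suspicious_parent": bool(USER_WRITABLE_PARENT.search(ev["parent"])),
                             "cmdline": ev["cmdline"]})
                break                      # one rule per event is enough
    rules_by_host = defaultdict(set)
    for hit in hits:
        rules_by_host[hit["host"]].add(hit["rule"])
    bursts = sorted(h for h, rules in rules_by_host.items() if len(rules) >= burst_threshold)
    return {"hits": hits, "bursts": bursts}


if __name__ == "__main__":
    result = detect_backup_tampering(SAMPLE_PROCESS_EVENTS)
    for hit in result["hits"]:
        print(hit["host"], hit["rule"], "suspicious_parent=%s" % hit["suspicious_parent"])
    print("bursts:", result["bursts"])
```

In an exercise, the point of running this over the decoy-share activity is to confirm the alert arrives while the simulated encryption is still in progress, not in the next morning's report; if it only fires on the burst and not on the single wmic or PowerShell deletion, that gap belongs in the backlog too.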
Measuring the response
Track how long it takes to detect (MTTD), to contain (MTTC), and to recover (MTTR). Note which controls fired - EDR rules, SIEM alerts, UEBA, network IDS, honeypots - and how teams communicated under pressure. Forensics should leave a clean trail: logs, memory captures, and timelines that make sense after the fact.
Recovery and the next chapter
End by restoring from immutable or air-gapped backups with a stopwatch running, then reset passwords, revoke tokens, and rotate keys. Remove reused local admin credentials, tighten GPOs, and deploy privileged access workstations if needed. A good simulation leaves you with a prioritized backlog across identity hygiene, segmentation, EDR tuning, and backup isolation - and a replay script you can rerun until the fire drill feels routine.
