How to do it: Ransomware

Code-first incident cards showing warning signs, containment actions, backup recovery, and the tools defenders use during response.

Safe learning mode: this page avoids harmful ransomware steps and focuses on response, isolation, recovery, and resilience planning.

Card 1 — early warning signs

Show the first clues: strange file renames, encryption notices, and endpoint alerts.

Preview + Code
endpoint alert console
[alert] many files renamed in seconds
[alert] suspicious encryption activity
[info] ransom note detected on desktop
lesson: respond immediately

Detection rule example

Use the code pane to show how defenders spot mass-change behavior.

# Python sketch of the suspicious-file-activity rule (500 renames/minute is an illustrative threshold)
trigger_alert = print  # stand-in for the SIEM / EDR alerting call

def should_isolate(renamed_files_per_minute, threshold=500):
    if renamed_files_per_minute > threshold:
        trigger_alert("possible ransomware activity")
        return True   # isolate_host
    return False

# Goal: stop spread early.
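As an added example (not code from the original page), here is the rename-rate rule above run as a sliding window over a stream of constructed endpoint events, with a second trigger for a ransom note appearing on disk; the event line format, host names and note-filename hints are assumptions.

```python
# Added example: the "renamed_files_per_minute > 500" rule applied as a
# sliding window over endpoint events. Event format, host names and the
# ransom-note hints are assumptions, not taken from any real EDR product.
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 500                 # renames per host inside the window
WINDOW = timedelta(seconds=60)
NOTE_HINTS = ("decrypt", "ransom", "restore_files")   # assumed note-name fragments; noisy on their own

def parse_event(line):
    """Parse a constructed line: '<iso-timestamp> <host> <action> <path>'."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path

def detect(lines, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {host: reason} for hosts the rule would isolate (first reason wins)."""
    recent = defaultdict(deque)        # host -> rename timestamps still inside the window
    verdicts = {}
    for ts, host, action, path in sorted(map(parse_event, lines)):   # chronological order
        if action == "rename":
            q = recent[host]
            q.append(ts)
            while ts - q[0] > window:  # drop renames older than the window
                q.popleft()
            if len(q) > threshold:
                verdicts.setdefault(host, f"{len(q)} renames within {window.seconds}s")
        elif action == "create" and any(h in path.lower() for h in NOTE_HINTS):
            verdicts.setdefault(host, f"possible ransom note written: {path}")
    return verdicts

def constructed_events():
    """Constructed sample: one host renames 600 files in 30s, another renames 20 in 20s."""
    t0 = datetime(2026, 4, 10, 9, 0, 0)
    stamp = lambda delta: (t0 + delta).isoformat()
    events = [f"{stamp(timedelta(milliseconds=50 * i))} workstation-14 rename /srv/share/doc{i}.xlsx.locked"
              for i in range(600)]
    events += [f"{stamp(timedelta(seconds=i))} workstation-07 rename /home/u/tmp{i}.txt"
               for i in range(20)]
    events.append(f"{stamp(timedelta(seconds=31))} workstation-14 create /home/u/Desktop/README_DECRYPT.txt")
    return events

if __name__ == "__main__":
    for host, why in detect(constructed_events()).items():
        print(f"[alert] isolate {host}: {why}")
```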

Card 2 — isolate and contain

The first operational move is containment: cut network paths, freeze shares, and protect clean backups.

response shell
$ isolate-host workstation-14
network disconnected
$ disable-shares --critical
containment completed

Safe response commands

These are defensive actions teams can automate during an incident.

# Linux examples for containment
# Taking the whole network down also cuts EDR/management telemetry; where the EDR offers
# network isolation that keeps its management channel open, prefer that over a full disconnect.
sudo nmcli networking off   # drop all NetworkManager-managed connections on the host
sudo systemctl stop smb     # stop the Samba file server (the unit is named smbd on Debian/Ubuntu)

# Windows examples
# Disable network adapter and isolate the endpoint in EDR

# Rule: preserve evidence while stopping spread.

Card 3 — recovery tools and backup restore

Teach the tools defenders rely on after containment: immutable backups, snapshots, and rebuild workflows.

Offline backup: disconnected copies that cannot be encrypted from the infected host.
Snapshot restore: rapid rollback to a known-good state.
EDR / SIEM tools help trace where the incident spread.
restore from clean backups

Backup verification example

Keep the lesson centered on recovery readiness.

# Backup health checklist
backup_last_tested = "2026-04-10"      # date of the last full restore test
backup_type = "offline + immutable"
restore_time_objective = 4             # RTO; hours assumed as the unit
restore_point_objective = 1            # RPO; hours assumed as the unit

# If backups are not tested, they are only a hope.

Card 4 — the tools that reduce leverage

Finish with the prevention stack: patching, EDR, segmentation, MFA, and least privilege.

EDR: detects suspicious encryption and isolates endpoints.
Patch management: closes common initial access paths.
Immutable backup: removes attacker leverage during recovery.
Unpatched systems: remain the easiest doorway.

Defense checklist

Close the page with the settings and practices that actually matter.

# Recommended security posture
edr = "enabled"
network_segmentation = "strict"
mfa = "required"
least_privilege = "enforced"
offline_backups = "tested regularly"
patch_window_days = 7

# Best outcome: contain fast, restore clean, learn, and harden.