incident-response-trainer
Mock scenarios · Rule-based grading
Cybersecurity · extremely-hard · Multi-Stage Ransomware (Double Extortion) · Critical asset
Scenario

Staged exfiltration for days, then a partial encryption trigger and a leak-threat note — backups may be tampered, scope still unknown

An extremely-hard Cybersecurity scenario on Multi-Stage Ransomware (Double Extortion).

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 5 templates in this Track + Difficulty pool.

catalog id · ransomware-double-extortion-exfil-first

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Double-extortion containment ordering
  • Backup-integrity-aware recovery decisioning
MITRE ATT&CK · mitre-attack
  • Data Encrypted for Impact · Impact · T1486 · TA0040
    Mapped · High confidence

    Trains response to the encryption stage of a double-extortion incident.

  • Exfiltration Over Web Service · Exfiltration · T1567 · TA0010
    Mapped · High confidence

    Trains scoping of staged exfiltration that preceded encryption.

MITRE D3FEND · mitre-d3fend
  • File Analysis · D3-FA
    Mapped · High confidence

    Trains evidence handling for encrypted files and the ransom note.

  • Network Traffic Analysis · D3-NTA
    Mapped · Medium confidence

    Trains egress analysis that reveals the pre-encryption exfil.

NIST CSF 2.0 · nist-csf-2
  • Recovery Planning · Recover · RC.RP · RC
    Mapped · High confidence

    Trains restore-from-verified-backup decisioning under tamper risk.

  • Mitigation · Respond · RS.MI · RS
    Mapped · High confidence

    Trains containment of ongoing encryption plus exfil.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains the evidence-before-restore ordering this incident centers on.

  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains scoping of exactly what was exfiltrated for notification.

CISA Cybersecurity Performance Goals · cisa-cpg
  • System Backups · 2.O
    Mapped · High confidence

    Trains the immutable-backup baseline that makes safe recovery possible.

  • Incident Response Plans · 2.P
    Mapped · High confidence

    Trains the IR-plan baseline for double-extortion handling.

CIS Controls v8 · cis-controls
  • Data Recovery · Control 11
    Mapped · High confidence

    Trains integrity-verified recovery from a possibly-tampered backup set.

  • Data Protection · Control 3
    Mapped · High confidence

    Trains the data-protection lens on the confirmed exfiltration.