Sec 302: Preparing, Detecting And Responding To Ransomware Attack


A comprehensive training on how to prepare your organization to deal with the effect of a ransomware attack.

About Course SEC302: Preparing, Detecting and Responding to Ransomware Attack (4 Days)

Ransomware is the single most serious cyber threat that organizations face today. The financial implications of these criminal acts are substantial. Ransomware groups are demanding and receiving millions of dollars in ransom payments. Organizations that are unable to pay the ransom are left in the dark, and even those that have paid may still have to cope with the consequences of a data breach.

Despite the hazards posed by the various threat actors, ransomware can be managed successfully, and the risk of a successful attack can be substantially reduced.

This four-day, jam-packed, hands-on technical training is intended to help professionals understand the problem of ransomware, what they can do to mitigate it, and how they can leverage current tools and resources to prepare for an attack.

Intellfence-Cybersecurity Awareness Training Module

The Training Expectations:

Participants will be able to assess the risk posed by ransomware threat actors to their company and establish an incident response strategy to reduce the impact of an attack. Each participant will understand which mitigations to implement and how to implement them. Furthermore, each participant will become very familiar with the toolkits used by attackers and will be able to identify and neutralize them, and will assemble their own tools to assess, monitor, respond to, and restore operations when attacked.

Day 1: Introduction to Ransomware

Day one is an introduction to ransomware and a thorough overview of the various ransomware groups and their tactics. We look at the tooling these groups use and how effective it is. This will help prepare the students for the various practical exercises that take place in the next three days.

On the last day of training, we will go through various ransomware scenarios and how to deal with them technically. We’ll also take a look at some common mistakes that lead to organizations’ data being encrypted by these malicious programs.

Learn about Human Operated Ransomware (HumOR) and why it is so effective. We will show you the entry points into your organization for ransomware. Learn about the various types of malware and tools used by ransomware threat actors and how to detect them. What are the different strategies for protecting your organization’s data from being exfiltrated by these malicious actors?

Attackers have many different tools that they use to gain access to and exfiltrate data from victims' networks. The most common types of attacks are phishing, malware (including ransomware), attacking a vulnerable system such as an unpatched system or one with open ports, social engineering, and brute-force login attempts.

Day 2: Preparing to Respond to Ransomware

We will explore an integrated solution that incorporates anti-malware, sandboxing, and other controls focused on containing ransomware and other malware. The students will learn how to:

  • Develop a ransomware mitigation plan.
  • Develop a holistic improvement of security using the tools you already have.
  • Secure all operating systems, networks, and end users.
  • Defend endpoint devices and users.
  • Use next-generation anti-virus/anti-malware.
  • Set up a backup and restore system that works.

Email Security

  • Reduce the risk of ransomware by improving the security of your email system.
  • Reduce the chance of email domain spoofing and prevent phishing attacks.
  • Implement email encryption/digital signatures to stop the impersonation of company staff.
  • Have solutions in place to detect and eliminate potential attacks via email.

Day 3: Monitor and Detect Ransomware Attacks

Threat actors using ransomware are not particularly covert in their activities. In a human-operated ransomware attack, a threat actor infiltrates the network and snoops around for weeks or months, learning everything they can about the organization and its network. They then begin exfiltrating data from the network before beginning data encryption. This type of behavior is highly noisy, and it can be identified with adequate network monitoring and appropriate remedial action.

This day is devoted to teaching students how to build system and network monitoring capabilities for detecting ransomware attacks in real time. The students will learn how to recognize attack signatures and how to respond while under attack.

Learn how to utilize network traffic capturing tools to collect and read network traffic and search for ransomware signatures.

Discover how to use SIEM, UEBA, and SOAR technologies to log, track, monitor, and respond to ransomware attacks.

Day 4: Respond, Clean Up and Restore after a Ransomware Attack

What should you do in the event of an attack? An attack consists of several phases. It is critical to take the appropriate action at any given stage to halt the intruder. The student will learn how to execute the response that was planned during the preparation phase. The main steps are as follows:

  • Respond to the attack and end it.
  • Restore or rebuild systems from their present configuration, depending on how far the infection process has progressed.
  • Repair the system by reinstalling it and replacing any damaged components.
  • Restore data from a previous point in time.

The Audience

This is a highly technical training for IT and security professionals:

  • IT engineers
  • Information Security engineers
  • Threat Hunters
  • System Administrators
  • Security Engineers
  • Incident Response Managers

How To Attend

This is a technical 4-day training dealing solely with ransomware.
From September 2021 we will start this training.
For more information or a quote, please contact us at:

SEC 201: Stop Ransomware and Phishing Attacks before they happen

SEC 201: Advanced Security: Stop Phishing & Ransomware Attack


Course Duration: 2 days

Learn How To Stop Phishing & Ransomware And Recover From Attack.

Course Introduction

Ransomware is no longer a distant threat, but rather a clear and present risk to businesses of all sizes. Ransomware attacks have increased in the last two years, and the ransoms demanded have risen as well. Many major organizations with sophisticated IT infrastructure and a significant number of skilled security personnel have also been infiltrated and forced to pay millions of dollars in ransom.

This demonstrates that, regardless of how robust your IT infrastructure is, ransomware can be directed at anybody or any organization. The major reasons for this are that most attacks employ phishing to get the payload inside organizations, and every organization uses email.

This two-day in-depth course is intended to provide organizations with information on ransomware and to assist them in preparing for a ransomware attack. It will help organizations know what to do when they are attacked and respond correctly and quickly.

This course goes beyond the standard advice given to organizations; it is intended to teach administrators and security engineers how to build stronger protection by examining the many attack routes and learning how to reduce the risk posed by each.

Training Content

Ransomware Infection Vectors

  • What are the most frequent infection vectors utilized by attackers, and how can you counter them?
  • The Most Common Exploit Kits Used by Attackers and Why They Work
  • What can you do about these tools, and how can you prevent them from entering your network?
  • Command and Control (C&C) traffic and indicators of compromise
  • How to Detect a Ransomware Infection on Your Network

Ransomware Incident Response Plan:

  • The Lifecycle of an Incident Response
  • Making a strategy for incident response in the event of a ransomware attack.
  • Creating a ransomware response policy – pay or not pay the ransom
  • What are the first crucial measures you must take if you are attacked?
  • Understanding indicators of compromise during incident response: detection and containment
  • How to Spot an Attack in Its Early Stages
  • Learn how to stop a ransomware assault.
  • Eradication and Recovery of Incidents
  • How to Recover from a Ransomware Infected Computer
  • Recovering Local and Network Files
  • Tools and resources for combating ransomware

Email Security

  • Improve the security of your email system to reduce the danger of ransomware.
  • Reduce the possibility of email domain spoofing and phishing attempts.
  • Implement email encryption and digital signatures to prevent impersonation of business employees.
  • Have systems in place to identify and remove possible email-based threats.

Developing Ransomware Countermeasures

  • Finally, we will look at some of the finest anti-ransomware techniques.
  • What risk-mitigation measures do you have in place?
  • What role do insurance companies play in the fight against ransomware?
  • Learn to implement the best strategies for safeguarding your company against ransomware.

Who Should Attend?

This course is intended for professionals who are responsible for planning, protecting, and responding to ransomware events inside their organization. It is intended for anybody interested in learning more about ransomware and how to mitigate it in the organization, as well as those who are responsible and accountable for the security of information systems:

  • IT managers
  • Chief Information Security Officers (CISO)
  • Information Security professionals
  • System Administrators
  • Security Engineers
  • Incident Response Managers
  • Operational Managers
  • Risk Managers

How To Attend

This is a 2-day training. To attend, please contact us at:

How dark is the DarkSide Ransomware Group

In the last decade, there has been an exponential increase in cyberattacks on companies all around the world. To date, no other security attack has been as serious as a ransomware attack, because it denies the owner the ability to make further use of their computer systems. In some cases, it has resulted in the loss of life because critical medical systems were attacked and could not be brought back online in time. One of the most potent ransomware groups is DarkSide. In this blog post, I will explore this group and its mode of operation.

What is the “Darkside” Hackers group?

The group has been called “one of the largest and most notorious” ransomware groups. Like other forms of cybercrime, its activities are fuelled by money. Its members, they claim, are not directly affiliated with any government or intelligence agency and rely solely on ransom payments to fund their operations.

They use a sophisticated business model known as Ransomware-as-a-Service (RaaS). This enables them to recruit other hackers to help them carry out many attacks. The DarkSide team also has an extensive network of affiliates who can distribute its malware globally through spam campaigns or targeted spear-phishing attacks.

The Ransomware-as-a-Service (RaaS) Model

Interested parties who are not necessarily hackers are recruited and given access to the hacking tools via simple, yet powerful web services to carry out their attacks in almost a point-and-click system. These new recruits are called affiliates and work for the main group. When an attack is successful and the payment is made, the loot will be shared based on the group’s revenue-sharing model.

This is a very effective business model, as they even offer a “free trial” of their malware to encourage easy adoption. They also provide tutorials on how people can create and deploy ransomware themselves using the same tools they make available.

In just one month this year over $17.5 million worth of Bitcoin was deposited in a Crypto wallet linked to the hackers.

According to the group, they have the following revenue-sharing model:

    • Dynamic rate of 75% to 90%.
    • A stable rate of 80%.

They also have a trial and a more attractive offer for new affiliates:

    • 90% for the first two payouts when you switch to us from any other affiliate program, if you had three ransom payments in the last month; each of them needs to be over 2M (and each needs to be verified).
    • 90% for the first two payouts when you switch to us from any other affiliate program.

The group has publicly stated that they prefer to target organizations that can afford large ransoms instead of hospitals, schools, non-profits, and governments. Ransoms demanded by the group have ranged from US$200K to US$20M. DarkSide appears to specialize in hacking oil pipelines and is able to bypass security measures with ransomware to extort large sums of money.

How the “Darkside” Group Works

DarkSide is believed to be based in Russia, but it is not sponsored by the government. They claimed on their website that members are not allowed to attack the computers of people in Russia, Ukraine, Georgia, or Belarus. Other organizations that are off limits are those in:

    • Healthcare (only: clinics, hospitals, and palliative care organizations, retirement homes, companies that develop COVID-19 vaccines or take part (to a significant extent, as a part of the supply chain) in supplying them).
    • Funeral services (morgues, crematoria, and funeral parlors).
    • Education (universities, schools).
    • Public sector (municipal services, any public agencies).
    • Non-profit organizations (charitable foundations and associations)

Experts state that the group is one of the many for-profit ransomware groups that have proliferated and thrived in Russia.

DarkSide was first noticed in August 2020. They have a professional-looking website and try to cultivate a Robin Hood image. The group claims that they donated some ransom money to charity, and that they only target organizations that can afford large ransoms.

The Colonial Pipeline Hack

DarkSide seems to be fond of hacking oil pipelines and is able to bypass security measures with ease due to their expertise, making them a big threat for authorities worldwide. They have hit large oil pipelines at least four times from December 2020 to date. They make use of one of their most potent weapons: Ryuk.

Ryuk is one of the most recent types of ransomware, and it has proved effective in locking down computers across the world. With Ryuk they can target large organizations with the ability to pay large sums of ransom.

Successful Activities of the “Darkside”

August 2020:

DarkSide introduces its ransomware.

October 2020:

DarkSide donates US$20,000 stolen from victims to charity.

November 2020:

DarkSide establishes its RaaS model.

November 2020:

DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.

March 2021:

DarkSide releases version 2.0 of their ransomware with several important updates to make it more sophisticated.

March 2021:

They hit the IT managed services provider CompuCom.

May 2021:

DarkSide launched an attack on the Colonial Pipeline. After the attack, DarkSide said that they were not a political organization and would start to check where their targets are.

Attack Method

DarkSide follows a method of quick escalation: the longer it takes a victim to comply with the demand, the more trouble they get.

Step One: The Ransom Phase

This is the initial delivery phase. In this phase, the ransomware encrypts the files and leaves a ransom note behind, while the attackers sit back and wait for payment.

Step two: The Double Extortion Phase.

This is the step in which the attackers start threatening to release the stolen data to the public if the money is not paid on time. In some cases, additional money is demanded to prevent the public distribution of the stolen data.

This is what happened in the case of Toshiba Tec Corp., a unit of Toshiba Corp: more than 740 gigabytes of information were compromised, including personal data of personnel such as copies of passports.

The group also likes to hedge their bets by shorting the shares of the companies they hack on the stock market and profiting from the temporary fall in the value of the shares.

The first published case of double extortion happened in November 2019. Allied Universal, a large American security company, was the victim. When Allied refused to pay the demand of 300 Bitcoins the attackers upped the game and threatened to release sensitive information exfiltrated from the company.

To prove they were not kidding, the attackers published some of the files they stole which included contracts, medical records, and encryption certificates.

Step Three: Triple Extortion Phase

In this phase, the victims are threatened with a Distributed Denial of Service (DDoS) attack if they do not pay the ransom. A victim who pays up the first time is likely to be targeted by the hackers again and extorted for more money to keep their data safe.

This happened to the German company Brenntag in May 2021, when their systems were hit by ransomware. A DDoS attack took down their IT infrastructure, and their data was encrypted. They ended up paying a $4.4 million ransom in Bitcoin to DarkSide and still suffered significant downtime.

Step Four: The Final Extortion Phase

If the victim still has not paid then they will get a further escalation. This time they will start getting calls to comply. Sometimes, the clients of the victim will be included at this point to turn up the heat.

Step Five: The Release Phase

After getting paid, the hackers release the data they encrypted by providing the victim with the decryption key to unlock the files. This stage also includes publicizing that the victim has been hacked, so victims cannot deny what happened, and everyone knows how much money was extorted from them.

Ransomware is one of the most potent security attacks in history. It could result in a loss of life if it takes down critical medical systems. There have been over 2 million ransomware incidents, which means that this attack can happen to anyone!  Therefore, it’s important for every company to take steps towards preventing and mitigating these types of cyberattacks as soon as possible.

If you want help with training your staff and creating awareness of these types of cyberattacks, please contact us via email at