Ransomware Readiness

Ransomware is responsible for 88% of all breaches at small and midsize organizations. This training prepares you to recognize how ransomware arrives, what to do in the first critical minutes, and how to protect systems before an attack happens.

  • 88% of SMB breaches involve ransomware
  • $5.08M average cost of a ransomware breach in 2025
  • 5 days median time from intrusion to encryption

Government and small business are primary targets

In the first half of 2025, ransomware incidents affecting government bodies increased 65%. The city of St. Paul, Minnesota was hit by the Interlock ransomware gang, which stole 43 GB of data and disabled water bill payments. School districts, water utilities, county courts, and sheriff's offices have all been attacked.

Training time: Approximately 20–25 minutes
Includes: Attack simulations, incident response timeline, and scored assessment

What Is Ransomware?

Ransomware is malicious software that encrypts your files and systems, making them unusable until a ransom is paid—usually in cryptocurrency. Modern ransomware groups also steal your data first and threaten to publish it publicly if you don't pay (double extortion).

What a ransomware attack looks like

Simulated ransom note (training illustration):

  YOUR FILES HAVE BEEN ENCRYPTED

  ALL YOUR FILES ARE ENCRYPTED
  All of your files have been encrypted with military-grade encryption. Your documents, databases, backups, and network shares are no longer accessible. Do not attempt to recover files yourself or they will be permanently destroyed.
  To decrypt your files, you must purchase our decryption tool. The price will double after the timer expires.
  Timer: 71:48:23
  Send 3.5 BTC to the following address:
  bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

Double extortion is now the standard

Attackers don't just encrypt your data—they steal it first. Even if you have backups, they threaten to publish sensitive constituent records, employee data, or financial information unless you pay. This makes recovery more complex than simply restoring from backup.

What ransomware targets

File servers and databases

Shared drives, financial records, permit systems, case management databases, and document repositories.

Email and communication

Email servers, calendaring systems, and messaging platforms. When these go down, operations halt.

Operational systems

Payment portals, water treatment controls, public safety dispatch, court systems, and citizen-facing services.

Backups

Sophisticated attackers specifically target backup systems to prevent recovery. If backups are connected to the network, they get encrypted too.

How Ransomware Reaches You

Understanding the entry points is your first line of defense. These are the four most common ways ransomware gets into an organization:

1. Phishing emails (18% of attacks)

An email with a malicious attachment or link. The attachment may look like a PDF invoice, a Word document, or a zip file. When opened, it executes code that downloads the ransomware payload.

Simulated phishing email (training illustration):

  From: County Clerk Office <clerk@county-records-portal.net>
  Subject: RE: Updated permit application - please review

  Hi,

  Please review the attached updated permit application. Changes are highlighted in yellow. Let me know if you have questions.

  Attachment: Permit_Application_REVISED.docm (142 KB)

2. Compromised credentials and VPN access (48% of attacks)

Attackers buy stolen usernames and passwords on the dark web or harvest them through phishing. They log in through your VPN, remote desktop, or web portal as if they were a legitimate employee. In Q3 2025, compromised VPN credentials accounted for nearly half of all ransomware attacks.

3. Exploited vulnerabilities (32% of attacks)

Unpatched software—especially VPNs, firewalls, email servers, and web applications—can be exploited remotely. Attackers scan the internet for known vulnerabilities and exploit them within hours of public disclosure.

4. Exposed Remote Desktop (RDP)

Remote Desktop Protocol left open to the internet is like leaving a door unlocked. Attackers brute-force weak passwords or use stolen credentials to gain direct access to servers and workstations.

The Ransomware Attack Chain

A ransomware attack unfolds over days. Understanding each stage helps you recognize and interrupt the attack before encryption begins.

1. Initial Access (Day 0)

The attacker gets in through a phishing email, stolen credentials, or an exploited vulnerability. They establish a foothold on one machine.

2. Discovery (Days 1–2)

The attacker maps your network, identifies servers, locates databases, and finds backup systems. They harvest additional credentials and test their access.

3. Privilege Escalation (Days 2–3)

They escalate from a regular user to a domain administrator, giving them control over the entire network, including servers, domain controllers, and security tools.

4. Data Exfiltration (Days 3–4)

Before encrypting anything, they steal sensitive data—financial records, employee PII, constituent information, legal documents—for double extortion leverage.

5. Encryption and Ransom (Day 5)

The attacker disables security tools, deletes accessible backups, and deploys ransomware across every system they can reach. The ransom note appears. Operations stop.

The median time from intrusion to encryption dropped to 5 days in 2025

Some groups move even faster—within hours. This means that early detection of unusual activity is critical. Signs like unexpected admin account creation, large file transfers at odd hours, or disabled security tools should trigger an immediate investigation.

Recognize the Warning Signs

Ransomware attacks leave traces before encryption begins. Here is what to watch for and what to do if you see these signs.

Signs something is wrong

  • Files won't open or have strange new extensions (.locked, .encrypted, .ryuk)
  • Programs crash repeatedly or run abnormally slowly
  • A ransom note appears on your desktop or as a text/HTML file in your folders
  • You can't access shared drives or network resources that were working before
  • Your antivirus is disabled and you didn't disable it
  • Unusual pop-ups or error messages that you've never seen before
  • Your password stops working on systems you normally access
  • Colleagues report the same problems simultaneously

Pre-encryption warning signs (for IT-aware staff)

  • New administrator accounts appearing that nobody created
  • Large volumes of data being transferred to external locations at odd hours
  • Security software or logging tools being disabled
  • Unfamiliar remote access tools (AnyDesk, TeamViewer) or attack frameworks such as Cobalt Strike installed without IT's knowledge
  • PowerShell or command-line activity on machines that don't normally use it
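The two lists above, turned into detection logic as an added example (not code from the training page): it checks constructed Windows-style security events and a share listing for the signs named on this page. The record layout, the sample records, the ransom-note file names, the remote-tool names and the thresholds are assumptions made for this example.

```python
# Added example, not code from the training page: applies the warning signs above to
# constructed sample telemetry. Event IDs 4720 (account created), 4732 (member added to a
# local group) and 1102 (audit log cleared) are standard Windows Security log IDs; the
# record layout, sample values and thresholds are assumptions made for this example.
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_EXTS = {".locked", ".encrypted", ".ryuk"}     # extensions named on the page
NOTE_NAMES = {"readme.txt", "how_to_decrypt.html"}  # constructed ransom-note names
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}    # not approved on these hosts
ODD_HOURS = range(0, 6)                             # assumed "odd hours": 00:00-05:59
TRANSFER_LIMIT = 500_000_000                        # assumed: 500 MB outbound per flow

def check_events(events):
    findings, created = [], {}
    for e in sorted(events, key=lambda ev: ev["time"]):   # ISO timestamps sort as text
        t = datetime.fromisoformat(e["time"])
        if e.get("id") == 4720:                      # account created: remember when
            created[e["target"]] = t
        elif e.get("id") == 4732 and e.get("group") == "Administrators":
            born = created.get(e["target"])          # brand-new account made admin?
            if born and t - born < timedelta(hours=1):
                findings.append(f"new account {e['target']} made admin by {e['actor']}")
        elif e.get("id") == 1102:                    # logging disabled or wiped
            findings.append(f"security log cleared by {e['actor']}")
        elif e.get("kind") == "process" and PureWindowsPath(e["image"]).name.lower() in REMOTE_TOOLS:
            findings.append(f"remote access tool {PureWindowsPath(e['image']).name} on {e['host']}")
        elif e.get("kind") == "transfer" and e["bytes_out"] >= TRANSFER_LIMIT and t.hour in ODD_HOURS:
            findings.append(f"{e['bytes_out'] // 10**6} MB sent to {e['dest']} at {t:%H:%M}")
    return findings

def check_files(paths, min_hits=5):
    # Flag a share listing that holds ransom notes or a burst of renamed files.
    hits = Counter()
    for p in map(PureWindowsPath, paths):
        if p.name.lower() in NOTE_NAMES:
            hits["ransom note"] += 1
        elif p.suffix.lower() in RANSOM_EXTS:
            hits["encrypted extension"] += 1
    return [f"{k}: {n}" for k, n in hits.items() if k == "ransom note" or n >= min_hits]

SAMPLE_EVENTS = [  # constructed; 203.0.113.7 is a documentation-range address
    {"time": "2025-03-02T02:10:00", "id": 4720, "actor": "jsmith", "target": "svc_backup2"},
    {"time": "2025-03-02T02:12:30", "id": 4732, "actor": "jsmith", "target": "svc_backup2", "group": "Administrators"},
    {"time": "2025-03-02T03:05:00", "kind": "transfer", "bytes_out": 2_300_000_000, "dest": "203.0.113.7"},
    {"time": "2025-03-02T03:40:00", "kind": "process", "host": "FS01", "image": r"C:\Users\jsmith\AnyDesk.exe"},
    {"time": "2025-03-03T04:55:00", "id": 1102, "actor": "svc_backup2"},
]
SAMPLE_FILES = [rf"\\FS01\permits\app_{i}.pdf.locked" for i in range(6)] + [r"\\FS01\permits\README.txt"]
```

Running check_events(SAMPLE_EVENTS) and check_files(SAMPLE_FILES) on the constructed data yields four event findings and two file findings; a single renamed file below min_hits is ignored, while any ransom-note name is reported on its own.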
Simulated crash screen (training illustration): ":(  Your device ran into a problem"

If you see a blue screen, ransom note, or your files suddenly have new extensions—do not ignore it, do not restart, and do not try to fix it yourself. Follow the response steps in the next module.

The First 60 Minutes

What you do in the first hour of a ransomware incident determines whether the damage stays contained or spreads across your entire organization.

Your job is to contain and report. Not to fix.

You do not need to be a technical expert. You need to act quickly, follow these steps, and get the right people involved.

0–5 min

Disconnect immediately

Unplug your Ethernet cable. Turn off Wi-Fi. If you are on VPN, disconnect. Do not shut down or restart—this may destroy forensic evidence needed for recovery. Disconnecting stops the ransomware from spreading to other machines.

5–10 min

Call IT / Security

Call your IT department or security team by phone—do not email, as email servers may be compromised. If you cannot reach IT, call your supervisor. Report exactly what you saw: ransom note, file changes, error messages, and the time you first noticed.

10–15 min

Alert nearby colleagues

Verbally alert people near you. If they see the same symptoms, they should also disconnect immediately. The faster affected machines are isolated, the less the ransomware spreads.

15–30 min

Document everything

If safe to do so, take photos of ransom notes or error messages with your phone. Write down the exact time you first noticed the problem, what you were doing, and any emails or files you opened recently.

30–60 min

Follow IT instructions

Your IT team will begin containment procedures. Follow their instructions exactly. Do not attempt to decrypt files, run antivirus scans, or restore from backups on your own—these actions can make recovery harder.

What NOT to do

  • Do not pay the ransom—there is no guarantee you will get your data back, and payment funds future attacks
  • Do not shut down or restart—this destroys memory evidence needed for investigation
  • Do not try to negotiate with the attackers on your own
  • Do not connect USB drives to the affected machine—they may become encrypted too
  • Do not delete the ransom note—it contains information needed for investigation

Prevention: What You Can Do

Every employee's role in prevention

  • Don't open unexpected attachments—verify with the sender before opening .docm, .xlsm, .zip, or .exe files
  • Report suspicious emails to IT immediately—you may be the first person to see a new attack
  • Use strong, unique passwords for every system—and enable multi-factor authentication (MFA) wherever available
  • Lock your workstation when you leave your desk (Win+L on Windows, Ctrl+Cmd+Q on Mac)
  • Keep software updated—install updates when prompted; don't postpone them for weeks
  • Don't use personal USB drives on work computers without IT approval
  • Know your backup procedures—save critical work to approved locations (network drives, approved cloud storage)
  • Don't install unauthorized software—free tools from the internet can carry ransomware

For IT administrators and managers

Backup strategy

Follow the 3-2-1-1-0 rule: 3 copies, 2 media types, 1 offsite, 1 offline/immutable, 0 errors in recovery testing. Test restores quarterly.

Patch management

Prioritize patching VPNs, firewalls, and email servers. Monitor the CISA Known Exploited Vulnerabilities catalog and patch within 48 hours.

MFA everywhere

Enable phishing-resistant MFA on all external-facing services, VPN, email, and privileged accounts. With MFA in place, compromised credentials are 99% less effective.

Segment the network

Isolate critical systems so that if one segment is compromised, the ransomware cannot reach everything. Separate IT from OT networks.

Test Your Knowledge

Answer all 8 questions. You need at least 6 correct (75%) to pass.

1. What is the most common way ransomware enters an organization in 2025?

  A. Through USB drives left in parking lots
  B. Through compromised VPN credentials and exploited vulnerabilities
  C. Through physical break-ins to server rooms
  D. Through social media messages

2. You see a ransom note on your desktop. What should you do first?

  A. Shut down your computer immediately
  B. Disconnect from the network and call IT by phone
  C. Try to delete the ransom note and run antivirus
  D. Reply to the ransom note to negotiate

3. Why should you NOT shut down your computer during a ransomware attack?

  A. Because the ransom increases if you restart
  B. Because shutting down destroys forensic evidence in memory needed for investigation
  C. Because the encryption will get worse after reboot
  D. Because the attacker will know you found the ransomware

4. What is "double extortion" in ransomware attacks?

  A. The ransom amount doubles every hour
  B. Two different ransomware groups attack simultaneously
  C. Attackers both encrypt your data and threaten to publish stolen data if you don't pay
  D. The attacker encrypts your data twice with different keys

5. You receive an email with an unexpected .docm attachment from a known contact. What should you do?

  A. Open it since you know the sender
  B. Verify with the sender through a separate channel before opening
  C. Forward it to a colleague to open first
  D. Save it to your desktop and scan it later

6. Should you pay the ransom?

  A. Yes, if the amount is less than the cost of recovery
  B. Yes, it guarantees you get your data back
  C. No. Payment does not guarantee recovery and funds future criminal activity
  D. Only if your cyber insurance covers it

7. What is the best way to protect against ransomware encrypting your backups?

  A. Store backups on the same server as the original data
  B. Back up to a USB drive connected to your workstation
  C. Maintain offline or immutable backups that cannot be modified by an attacker on the network
  D. Backups are unnecessary if you have antivirus software

8. Which single measure would prevent the most ransomware attacks?

  A. Installing a more expensive firewall
  B. Enabling multi-factor authentication on all remote access and email
  C. Blocking all email attachments
  D. Disconnecting from the internet entirely

Quick Reference Card

FIRST 5 MINUTES: Disconnect from the network (unplug Ethernet, disable Wi-Fi). Do NOT shut down. Call IT by phone immediately.
SIGNS OF ATTACK: Files won't open or have new extensions. Ransom note on screen. Shared drives unavailable. Antivirus disabled. Password stops working.
DO NOT: Pay the ransom. Shut down the computer. Try to fix it yourself. Connect USB drives. Delete the ransom note.
PREVENT IT: Don't open unexpected attachments. Use MFA. Keep software updated. Report suspicious emails. Save work to approved backup locations.
REPORT TO: IT department (by phone) • CISA: report@cisa.gov • FBI IC3: ic3.gov • Your organization's incident response team

Developed using threat intelligence from CISA, Sophos, Fortinet, BlackFog, and the FBI IC3.

© 2026 Circle 6 Systems. All rights reserved.  |  contact@circle6systems.com