Question
Within the Blue Team game play, how do I remove ransomware if it is already present and active? More importantly, how do I prevent it from being installed in the first place?
Versions:
- All Versions
Answer
Ransomware is malware usually designed to lock data using encryption techniques. In the game it works mostly like normal malware, but there are a few key differences:
- Cleaning an asset on which ransomware has been activated will not remove the ransomware infection. It will also not restore the Profit and Loss penalty for the data being locked.
- Ransomware, when activated, is designed to lock files in a manner that is impossible to reverse unless you pay the ransom or obtain the encryption key. Alternatively, you can restore the locked files from backups.
There are a few actions that you can use to remove active ransomware in the game, including:
- Restore From Backup – If you have created earlier backups on those specific assets, the most efficient way to remove the compromise and ransomware would be to restore them. This comes with a slight risk of restoring a state in which an asset has already been compromised. Restoring very old backups might also come with significant Profit and Loss meter cost.
- Replace Asset – Replacing an asset entirely is a 100% effective way to remove both the compromise and the ransomware. However, it comes with a direct cost to the cybersecurity budget and a slight Profit and Loss meter cost for every asset that is replaced.
- Crack Ransomware Key – This action requires the Blue Team to implement security skills training before it can be used. Chances for success are RARE; however, it might be worth using as a last resort. If the action succeeds, it will remove the ransomware attack, but it won’t remove the underlying compromise. You can use threat hunting or implement endpoint protection on the affected assets to try to detect the compromise and then remove it.
- Pay Ransom – While this action might seem like a quick fix, using it is NOT RECOMMENDED. It comes with a moderate Profit and Loss cost, and the Red Team will also receive one Red Team resource point, which boosts their capabilities for the rest of the game. Like the “Crack Ransomware Key” action, it also won’t remove the underlying compromise.
Ransomware Prevention
When it comes to ransomware prevention, it mostly comes down to compromise prevention: if the Red Team cannot compromise an asset, it cannot activate ransomware on it. Implementing the SIEM, IDS sensors and endpoint protection on assets that are susceptible to ransomware can help achieve that.
Copyright © 2025 by Derezzed Inc. D/B/A ThreatGEN. All rights reserved.