A ransomware attack is actively encrypting files on the primary file server. Hundreds of files are being renamed with a .encrypted extension. Multiple users report locked files. The attack originated from a phished employee workstation.
Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands
Test Results

Metric               | Expected | Actual                                                                | Result
Pattern Recognition  | UNKNOWN  | UNKNOWN                                                               |
Severity Assessment  | CRITICAL | CRITICAL                                                              |
Incident Correlation | Yes      | 13 linked                                                             |
Cascade Escalation   | N/A      | No                                                                    |
Remediation          | —        | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
Windows Server 2022 file server. 2TB of shared files. Employee clicked phishing link 20 minutes ago. Ransomware spreading via SMB. No endpoint detection active on the file server.
Injected Error Messages (2)
1. Anomalous file operations on FileServer-Corp — 1,247 files renamed to .encrypted in 5 minutes, mass file encryption detected, ransomware behavior pattern, immediate containment required
2. Backup server access attempt from compromised host — unauthorized SMB connection from 10.10.20.115 to backup storage, potential ransomware lateral movement to backup infrastructure
Neural Engine Root Cause Analysis
FileServer-Corp has been compromised by ransomware that has encrypted 1,247 files in 5 minutes, as evidenced by mass file renaming to the .encrypted extension and characteristic behavioral patterns. This is an active security incident requiring immediate containment to prevent lateral movement and further data encryption. The SMB service at 10.10.100.50:445 is likely unavailable, either because the ransomware is disrupting normal operations or because emergency isolation procedures have already been applied.
Remediation Plan
1. IMMEDIATE: Isolate FileServer-Corp from the network to prevent lateral movement and further encryption.
2. Activate the incident response team and follow ransomware response procedures.
3. Preserve forensic evidence and identify patient zero and the attack vector.
4. Assess backup integrity and initiate restoration from clean backups if available.
5. Scan all connected systems for indicators of compromise.
6. Only reconnect to the network after a complete system rebuild/restoration and security validation.