PASSED: security / ransomware_lateral_movement

Ransomware Lateral Movement via SMB

Ransomware (LockBit 3.0 variant) is detected spreading laterally via SMB (port 445) from a compromised workstation. The malware is encrypting shared drives and attempting to reach backup servers; 3 file servers are already affected. EDR alerts are firing, but automated containment is not configured.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric               | Expected     | Actual                                                              | Result
Pattern Recognition  | UNKNOWN      | UNKNOWN                                                             |
Severity Assessment  | CRITICAL     | CRITICAL                                                            |
Incident Correlation | Yes          | 57 linked                                                           |
Cascade Escalation   | Yes          | Yes                                                                 |
Remediation          | Remote Hands | Corax contacts on-site support via call, email, or API              |

Scenario Conditions

200-user network. Patient zero: workstation 10.10.20.115. SMB lateral movement to file servers. LockBit 3.0 encryption pattern. EDR (SentinelOne) detecting but not blocking. Backup server on same VLAN as file servers.

Injected Error Messages (4)

SentinelOne CRITICAL threat detected — LockBit 3.0 ransomware lateral movement, source: 10.10.20.115, SMB spreading to 10.10.100.50/51/52, threat classification: Ransomware, confidence: HIGH, automated containment: DISABLED, 3 endpoints actively encrypting, IOC: lockbit3.exe SHA256:a]b2c3...
FileServer-01 mass file encryption — 4,247 files renamed to .lockbit3 extension in 3 minutes, volume shadow copies deleted (vssadmin delete shadows /all), ransom note dropped: README-lockbit3.txt, SMB share '\\FS01\shared' compromised, encryption rate accelerating
FileServer-02 under active attack — ransomware payload delivered via SMB from 10.10.20.115, PsExec lateral movement detected, local admin credentials used, encryption starting on D:\ data volume, 12,000 files at risk, no network isolation in place
Backup server SMB access attempt from compromised host — unauthorized connection from 10.10.20.115 to Veeam backup repository share, attempting to delete backup files, backup chain at risk of destruction, no network segmentation between file servers and backup infrastructure

Neural Engine Root Cause Analysis

This is an active LockBit 3.0 ransomware attack, not a monitoring system failure. The EDR console at 10.10.100.90 is likely offline because it has been compromised or taken down by the ransomware. The attack originated from 10.10.20.115 and is actively spreading via SMB to multiple endpoints (10.10.100.50-52), with 3 systems currently encrypting files. The 18 correlated incidents indicate widespread system compromise across the infrastructure.

Remediation Plan

IMMEDIATE ACTIONS REQUIRED:
1) Activate incident response team and cybersecurity personnel
2) Isolate affected networks/VLANs containing 10.10.20.115 and 10.10.100.50-52
3) Disconnect internet access to prevent data exfiltration
4) Contact law enforcement and cyber insurance provider
5) Begin forensic imaging of affected systems
6) Restore EDR console from clean backup on isolated network
7) Deploy manual containment procedures since automated containment is disabled
8) Assess backup integrity and initiate recovery procedures for encrypted systems
Tested: 2026-03-30 | Monitors: 4 | Incidents: 4 | Test ID: cmncjnnis02z1obqe086wbf73