Walkthrough

Introduction

In this lab, analysts investigate a targeted ransomware intrusion that demonstrates a high degree of sophistication and stealth. The scenario unfolds in a Windows environment where a malicious RAR archive was downloaded through the Microsoft Edge browser, leading to the execution of ransomware from the Fog family. The attack chain showcases typical user-deception tactics, such as misleading file names and hidden PowerShell commands, and also highlights advanced post-exploitation techniques, including Bring Your Own Vulnerable Driver (BYOVD) and kernel-level privilege escalation through a known vulnerable Intel driver (CVE-2015-2291).

Learners will step through the forensic process using browser artifacts, PowerShell execution traces, Registry analysis, and NTFS metadata. They will uncover how the attacker maintained persistence through the Windows Startup folder, staged payloads over HTTP on a non-standard port, and encrypted files across the system, appending a custom .flocked extension. By examining Sysmon logs, file hashes, and extracted malware configurations, investigators will attribute the attack to the Fog ransomware strain and recover the .onion ransom communication channel left behind in the ransom notes.
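The artifact classes listed above (Startup folder, .flocked files and their NTFS timestamps, ransom notes with an .onion address, Sysmon process and driver events) map to a first triage pass that can be scripted. The following PowerShell is an added example for this walkthrough, not part of the lab's own material. It assumes the evidence is a live or mounted system reachable as C:\, that the ransom note file is named readme.txt (a hypothetical name; the page does not state it), and that Sysmon writes to its default Microsoft-Windows-Sysmon/Operational channel. Event fields are read by name from the Sysmon EventData XML rather than by positional index so the query does not depend on the Sysmon schema version.

```powershell
# Added triage script for this lab (example code, not the lab's own material).
# Assumptions not stated on the page: evidence is reachable as C:\, the ransom
# note is named readme.txt (hypothetical), and Sysmon logs to its default channel.

# Recursing C:\ on a real image hits many access-denied paths; do not stop on them.
$ErrorActionPreference = 'SilentlyContinue'

function Get-SysmonEventData {
    # Turn a Sysmon event into an object keyed by EventData field name,
    # so the script does not depend on positional Properties[] indexes.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]$data
}

# 1. Persistence: anything in the per-user or all-users Startup folders, hashed
#    so it can be matched against the malware samples recovered elsewhere.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$startupItems = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -File |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc,
            @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
}

# 2. Encryption scope: every file carrying the .flocked extension, with NTFS
#    timestamps so the encryption window can be bracketed.
$encrypted  = Get-ChildItem -Path 'C:\' -Recurse -Force -File -Filter '*.flocked' |
    Sort-Object LastWriteTimeUtc
$firstWrite = $encrypted | Select-Object -First 1 -ExpandProperty LastWriteTimeUtc
$lastWrite  = $encrypted | Select-Object -Last 1  -ExpandProperty LastWriteTimeUtc

# 3. Ransom notes: pull every .onion address out of each note found.
$onionRegex = '\b[a-z2-7]{16,56}\.onion\b'
$notes = Get-ChildItem -Path 'C:\' -Recurse -Force -File -Filter 'readme.txt' | ForEach-Object {
    $hits = Select-String -Path $_.FullName -Pattern $onionRegex -AllMatches
    [pscustomobject]@{
        Note  = $_.FullName
        Onion = (($hits.Matches.Value | Sort-Object -Unique) -join ', ')
    }
}

# 4. Sysmon: process creations (ID 1) and driver loads (ID 6) inside the
#    encryption window, widened by two hours before and one hour after.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 6 }
if ($firstWrite) { $filter['StartTime'] = $firstWrite.AddHours(-2) }
if ($lastWrite)  { $filter['EndTime']   = $lastWrite.AddHours(1) }
$events = Get-WinEvent -FilterHashtable $filter | ForEach-Object { Get-SysmonEventData -Event $_ }

# PowerShell launches carry the hidden command line from the lure; the parent
# image shows what opened the archive contents.
$psLaunches = $events | Where-Object { $_.EventId -eq 1 -and $_.Image -match 'powershell' } |
    Select-Object TimeCreated, Image, CommandLine, ParentImage

# Driver loads are where a BYOVD payload surfaces. A vulnerable driver is usually
# validly signed, so review signer and hash for every load in the window rather
# than filtering on SignatureStatus alone.
$driverLoads = $events | Where-Object { $_.EventId -eq 6 } |
    Select-Object TimeCreated, ImageLoaded, Signed, Signature, SignatureStatus, Hashes

$startupItems | Format-Table -AutoSize
"Encrypted files: $($encrypted.Count); window (UTC): $firstWrite .. $lastWrite"
$notes       | Format-Table -AutoSize
$psLaunches  | Format-Table -Wrap
$driverLoads | Format-Table -Wrap
```

Run it from an elevated prompt; reading the Sysmon channel requires administrator rights. The Startup folder check only covers the profile the script runs under, so on a multi-user host substitute each profile's AppData path for `$env:APPDATA`.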

This lab serves as a comprehensive walkthrough of modern ransomware tactics, techn
