Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training, Courses, and Resources
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

FOR528: Ransomware and Cyber Extortion

FOR528Digital Forensics and Incident Response
  • 4 Days (Instructor-Led)
  • 24 Hours (Self-Paced)
Course authored by:
Ryan Chapman
Ryan Chapman
Register NowCourse Preview
FOR528: Ransomware and Cyber Extortion
Course authored by:
Ryan Chapman
Ryan Chapman
Register NowCourse Preview
  • 24 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 13 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Analyze real-world attacks and gain the hands-on training you need to respond to ransomware or cyber extortion incidents.

Featured Quote

Ryan makes sure the course content is up-to-date and gives us extra tools that are really helpful. Also, he keeps the class energetic and easy to follow, he's a great instructor.
Sofia FernandezFluidra

Course Overview

FOR528: Ransomware and Cyber Extortion isn’t just hands-on — it’s frontline. Built entirely from real ransomware and extortion cases, this course prepares responders to face the attacks organizations fear most. You won’t just study ransomware in theory — you’ll investigate it the way it actually happens, using authentic artifacts and adversary tradecraft pulled from live incidents. You’ll even build and run live ransomware in a controlled lab to see how it behaves and examine leaked source code to understand how encryption really works. From initial intrusion through exfiltration and encryption, you’ll practice the full response lifecycle and tie technical findings into organizational recovery and communication.

What You’ll Learn

  • Investigate ransomware and cyber extortion attacks using real-world cases and forensic artifacts.
  • Identify the blind spots most IR playbooks miss: persistence, exfiltration, and extortion without encryption.
  • Distinguish between ransomware encryption events and extortion-only attacks to adapt your response.
  • Decode attacker tools and scripts in hands-on labs — including obfuscated PowerShell and malware triage.
  • Practice the full ransomware/extortion lifecycle, from intrusion to organizational recovery, in labs and a full-day CTF.
  • Strengthen organizational readiness by connecting technical findings to leadership communication, legal needs, and recovery coordination.
  • Recognize available telemetry depending on the maturity of your organization or that of your clients. The course includes two different scenarios: One replicating within a default Windows environment with little visibility, and one replicating a well-tooled environment that provides greater visibility.
  • Leave with the confidence to handle ransomware and extortion incidents under pressure, using the same methods frontline responders rely on.

Business Takeaways

  • Close the blind spots general IR training leaves behind — from hidden persistence to data exfiltration and extortion.
  • Recognize and investigate ransomware activity fast, via review of the same tools adversaries deploy in the wild.
  • Understand the full ransomware and extortion lifecycle to build a complete, actionable response plan.
  • Strengthen organizational readiness by practicing both technical containment and business-critical coordination during recovery.
  • Validate recovery with confidence — ensuring persistence is removed, backups are trustworthy, and systems are safe to restore.
  • Differentiate ransomware-related activity from other intrusions to focus efforts on the highest-impact threats.
  • Identify what data was accessed or stolen to accurately assess business impact and support regulatory or legal response.

Meet Your Author

Ryan Chapman
Ryan Chapman

Ryan Chapman

Certified Instructor

Ryan Chapman has redefined ransomware defense through hands-on leadership in major incidents like Kaseya and by arming thousands with proactive threat hunting tactics now standard across the industry.

Read more about Ryan Chapman

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR528: Ransomware and Cyber Extortion.

Section 1Ransomware Incident Response Fundamentals

Section 1 begins with a review of ransomware’s history, as we deep-dive into the roles, processes, communication methods, and activities related to these threats. After learning how we can apply incident response practices, we begin our deep-dive into the Windows-based forensic artifacts best suited to ransomware campaign analysis.

Topics covered

  • Ransomware Evolution and History
  • Forensic Artifact Collection
  • Incident Response Processes and Application to Ransomware
  • Windows Forensic Artifacts
  • Analysis At-Scale via TimeSketch

Labs

  • Generate a Ransomware Encryptor Payload
  • Review Forensic Artifacts and Parse Data
  • Hunt Data Within TimeSketch Interface

Section 2Ransomware Modus Operandi

Ransomware incidents often follow familiar patterns. In Section 2, you'll learn to detect these recurring tactics, techniques, and procedures (TTPs) through hands-on labs and analysis.

Topics covered

  • Analysis At-Scale via Kibana
  • Malware Infection vs. Credential Harvesting
  • Malicious Attachments and Links
  • Identifying Malicious RDP Activity
  • Scripting

Labs

  • Identify Successful Phishing Attacks
  • Analyze Encoded PowerShell Payloads
  • Decode and Analyze CS Payloads
  • Hunt Malicious RDP Activity

Section 3Advanced Ransomware Concepts

Section 3 covers Privilege Escalation, Credential Access, and Lateral Movement, detailing tools ransomware actors use to escalate privileges, access credentials, and dump processes. You’ll explore lateral movement methods like RDP, SMB (PsExec), and WinRM.

Topics covered

  • Privilege Escalation and Credential Access
  • Lateral Movement Techniques
  • Exploiting Active Directory (AD)
  • Data Access and Exfiltration Methods
  • Hunting Ransomware Operators

Labs

  • Identify Lateral Movement via RDP and PsExec
  • Hunt and Identify Data Access and Potential Exfiltration
  • Use PSTools and Renamed Executables
  • Identify Additional Lateral Movement

Section 4Ransomware Incident Response Challenge

Our CTF challenge consists of 50 questions pertaining to a specially crafted attack scenario against our victim organization.

Topics covered

  • Digital Forensics Capture the Flag Event
  • Review Parsed Artifact and Log Data
  • Identify Tools and Processes in Scenario

Labs

  • Full Day of Analyzing Forensic Artifacts
  • Use SANS ranges.io Platform

Things You Need To Know

Relevant Job Roles

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.

Explore learning path

Insider Threat Analysis

NICE: Protection and Defense

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Explore learning path

Digital Forensics (OPM 212)

NICE: Protection and Defense

Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.

Explore learning path

Cybercrime Investigation (OPM 221)

NICE: Investigation

Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.

Explore learning path

Military Operations / Law Enforcement Agents

Digital Forensics and Incident Response

Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.

Explore learning path

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.

Explore learning path

Incident Response

SCyWF: Protection And Defense

This role investigates, analyzes and responds to cyber incidents. Find the SANS courses that map to the Incident Response SCyWF Work Role.

Explore learning path

Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.

Explore learning path

Cybersecurity Analyst/Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.

Explore learning path

Digital Forensics Investigator

European Cybersecurity Skills Framework

Ensure the cybercriminal investigation reveals all digital evidence to prove the malicious activity.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchasing Options?Contact Us

OnDemand Bundle

When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.

SANS Skills Quest by NetWars Core Edition

Add 6 months of hands-on skills practice.  Add to your cart when purchasing your course.

Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by
    Ryan Chapman
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $5,250 USD*Prices exclude applicable local taxes
    Registration Options
    Self-Paced
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by
    Mari DeGrazia
    Date & Time
    Fetching schedule..View event details
    Course price
    $5,250 USD*Prices exclude applicable local taxes
    Registration Options
    Virtual
  • Location & instructor

    Virtual (live)

    Instructed by
    Terrance Maguire
    Date & Time
    Fetching schedule..View event details
    Course price
    €4,935 EUR*Prices exclude applicable local taxes
    Registration Options
    Virtual
Showing 3 of 3

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 3
    The course presented real-life scenarios and detection mechanisms to enhance your organization's security posture to detect and prevent ransomware before it can cause damage to your operations.
    Eric B.Fluidra
  • Slide 2 of 3
    The course is pack filled with highly valuable information that will take your company to the next level of being prepared for ransomware.
    Nicolas B.Publix
  • Slide 3 of 3
    The content is engaging, and has shown me plenty of new open-source tools.
    Jason T.Triskele Labs
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources