SEC536: Adversarial AI - Penetration Testing AI Systems
SEC536Offensive Operations, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
FOR528: Ransomware and Cyber Extortion
FOR528Digital Forensics and Incident Response
- 3 Days (Instructor-Led)
- 27.5 Hours
Course authored by:
Ryan Chapman
Course authored by:Ryan Chapman
- 27.5 CPEs
Apply your credits to renew your certifications
- In-Person or Virtual
Attend a live, instructor-led class from a location near you or virtually from anywhere
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 12 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn how to prevent, detect, and respond to ransomware and cyber extortion attacks via the only dedicated course crafted 100% from real-world ransomware actor tactics, techniques, and behaviors.
Featured Quote
Ryan makes sure the course content is up-to-date and gives us extra tools that are really helpful. Also, he keeps the class energetic and easy to follow, he's a great instructor.
Course Overview
Year after year, the number of reported ransomware and cyber extortion attacks continues to rise. These attacks can shut down operations, expose sensitive data, and force organizations to make critical decisions while systems are still offline. Security teams are expected to quickly determine how attackers gained access, which systems were affected, whether data was stolen, and if the environment is truly safe to restore.
FOR528: Ransomware and Cyber Extortion was redesigned to help responders handle these situations with confidence. This streamlined three-day course gives students practical hands-on experience investigating realistic ransomware and cyber extortion cases using the same attacker techniques, forensic artifacts, and investigative workflows seen in real-world incidents.
What You’ll Learn
- Investigate ransomware and cyber extortion attacks using current real-world cases and forensic artifacts.
- Distinguish between ransomware encryption events and extortion-only attacks to adapt your response.
- Decode attacker tools and scripts in hands-on labs, including obfuscated PowerShell, malware triage, and AI-enabled actor tradecraft.
- Practice the ransomware/extortion lifecycle in labs and an included extended-access CTF.
- Strengthen organizational readiness by connecting technical findings to leadership communication, legal needs, and recovery coordination.
- Recognize available telemetry depending on the maturity of your organization or that of your clients. The course includes two different scenarios: One replicating a default Windows environment with little visibility, and one replicating a well-tooled environment that provides greater visibility.
- Leave with practical ransomware response confidence after 3 focused days of live instruction plus extended CTF access.
Business Takeaways
- Bolster ransomware security defenses through prevention and detection tips tailored to both first party and consultant scenarios.
- Close the blind spots general IR training leaves behind, from hidden persistence to data exfiltration, extortion, and recovery validation.
- Recognize and investigate ransomware activity faster using the same tools and tradecraft adversaries deploy in the wild.
- Understand the full ransomware and extortion lifecycle to build a complete, actionable response plan in less time away from work.
- Validate recovery with confidence—ensuring persistence is removed, backups are trustworthy, and systems are safe to restore.
- Differentiate ransomware-related activity from other intrusions to focus efforts on the highest-impact threats.
- Identify what data was accessed or stolen to accurately assess business impact and support regulatory or legal response.
Meet Your Author
Ryan Chapman
Certified InstructorRyan Chapman has redefined ransomware defense through hands-on leadership in major incidents like Kaseya and by arming thousands with proactive threat hunting tactics now standard across the industry.
Read more about Ryan ChapmanCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR528: Ransomware and Cyber Extortion.
Section 1Ransomware Incident Response Fundamentals
Section 1 begins with a review of ransomware’s history, as we deep-dive into the roles, processes, communication methods, and activities related to these threats. After learning how we can apply incident response practices, we begin our deep-dive into the Windows-based forensic artifacts best suited to ransomware campaign analysis.
Topics covered
- Ransomware Evolution and History
- Incident Response Processes and Application to Ransomware
- Preparation and Scoping for Ransomware and Cyber Extortion
- Windows Forensic Artifacts and Collection
- Analysis At-Scale via TimeSketch
Labs
- Lab 1.1: Analysis of a RaaS Ecosystem (RAASNet) - Generate and testRansomware
- Lab 1.2: Acquiring and Analyzing Artifacts
- Lab 1.3: Analysis at Scale: Timesketch
Section 2Ransomware Modus Operandi
Section 2 begins our foray into the typical flows of ransomware and cyber extortion attacks. We begin with initial access and then move to tooling and execution. That takes us into persistence used in these cases, followed by an overview of Cobalt Strike. Section 2 labs have a malware analysis focus, integrating script deobfuscation into the mix.
Topics covered
- Analysis At-Scale via Kibana
- Common Initial Access Methods in Ransomware
- TA Tooling and Execution Methods
- Persistence and Cobalt Strike
- Malware Analysis Including Malicious Script Deobfuscation
Labs
- Lab 2.1: Analysis At Scale: Kibana
- Lab 2.2: Finding the Infection VectorAnalyze Encoded PowerShell Payloads
- Lab 2.3: PowerShell Scripting: Foe, Not FriendDecode and Analyze CS Payloads
- Lab 2.4: Decoding Cobalt Strike Payloads
- BONUS Lab 2.5: Hunting RDP Activity
Section 3Advanced Ransomware Concepts
Section 3 continues our deep-dive into the phases of typical ransomware and cyber extortion attacks. In this section, we cover Privilege Escalation, Credential Access, and Lateral Movement, detailing associated tools and methods. We then cover common Active Directory attacks, finally leading into ransomware payload deployment and analysis.
Topics covered
- Privilege Escalation and Lateral Movement
- Active Directory Attacks in Ransomware
- Data Access and Exfiltration
- Hunting Ransomware Operators
Labs
- Lab 3.1: Identifying Lateral Movement via RDP and PsExec
- Lab 3.2: Hunting and Identifying Data Access and Potential Exfiltration
- Lab 3.3: Detecting the TA’s Toolbox – A hunting-focused lab
- BONUS Lab 3.4: Identifying Additional Lateral Movement
Section 4Included Extended-Access CTF: Ransomware Incident Response Challenge
The included extended-access CTF gives students a realistic ransomware investigation scenario to complete after the 3 instructor-led days, reinforcing the skills covered in class while preserving flexibility and focus.
Topics covered
- Extended-Access Digital Forensics Capture-the-Flag Event
- Review of Parsed Artifacts and Log Data
- Identify Tools and Processes from a full end-to-end ransomware campaign
Things You Need To Know
Relevant Job Roles
Cyber Incident Responder Training, Salary, and Career Path
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathInsider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathCybercrime Investigation (CRIM)
Skills Framework for the Information AgeCollection, preservation, and analysis of digital evidence to trace cybercrime and support prosecution efforts. Technical artefacts are translated into admissible findings in collaboration with legal and law enforcement teams.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigator Training, Salary, and Career Path (OPM 221)
NICE: InvestigationCybercrime Investigators navigate dark web forums, trace cybercriminal activity, and conduct covert investigations. They follow forensic and legal standards to gather evidence and respond to cybercrimes.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathMedia Exploitation Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.
Explore learning pathIntrusion Detection/SOC Analysts
Digital Forensics and Incident ResponseAnalyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.
Explore learning pathCourse Schedule and Pricing
Have Questions?Contact Us
Group and Private Pricing
Enroll your team as a group or arrange a private session for your organization. We’ll help you choose the format that fits your goals.
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
SANS DFIR Summit & Training 2026
Arlington, VA, US & Virtual (live)
Instructed byDate & TimeFetching schedule..Course price$5,250 USD*Prices exclude applicable local taxes - Date & TimeFetching schedule..Course price¥765,000 JPY*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price€4,935 EUR*Prices exclude applicable local taxesRegistration Options
Showing 3 of 3
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3The course presented real-life scenarios and detection mechanisms to enhance your organization's security posture to detect and prevent ransomware before it can cause damage to your operations.
- Slide 2 of 3The course is pack filled with highly valuable information that will take your company to the next level of being prepared for ransomware.
- Slide 3 of 3The content is engaging, and has shown me plenty of new open-source tools.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources