Active Threat

Recovery over ransom.

ThreatSimulatorApr 202610 min read

Ransomware is not just a virus. It is a business disruption event. It can stop operations, block access to customer records, delay payments, damage trust, and force decisions while criminals apply pressure. The aim is to make sure that if it happens, your business can respond calmly and recover properly.

Simulated lock screen

FILES LOCKED
This demo shows the pressure mechanic. Real incidents are messier.
Local docs
encrypted
Shared drives
at risk
Backups
unknown
Attacker access
not contained

Choose a position above.

How ransomware gets in

Phishing emails

The message looks like an invoice, password reset, shared document, delivery issue, or urgent request. The goal is to get someone to open a file, click a link, approve a login, or hand over credentials.

Exposed remote access

Unprotected RDP, VPN portals, and remote admin tools are attractive targets, especially without MFA and monitoring.

Known vulnerabilities

If the fix exists but has not been applied, attackers will not wait politely. Internet-facing systems should be patched first.

Stolen credentials

Credentials from previous breaches, info-stealers, or social engineering. A stolen Microsoft 365 password can be enough to open the next door.

Supply chain

The attacker does not need to breach you directly. Compromising a supplier with access to your systems achieves the same result.

Protection layers

Layer 01
Backups. Regular, automatic, encrypted, isolated, and tested. A backup that has never been restored is a hope, not a plan.
Layer 02
MFA and identity. Protect email, cloud storage, admin accounts, VPN, finance systems, and backup platforms.
Layer 03
Patching. Prioritise OS, browsers, firewalls, VPNs, servers, backup platforms, and anything internet-facing.
Layer 04
Email protection. SPF, DKIM, DMARC, malware scanning, link protection, impersonation detection, and phishing reporting.
Layer 05
Endpoint monitoring. Watch for mass file changes, suspicious encryption, credential dumping, attacker tooling, and lateral movement.
Layer 06
Admin control. Keep admin access limited, separate from daily accounts, protected with MFA, logged, and reviewed.
Layer 07
Network separation. Separate staff devices, servers, guest WiFi, printers, IoT, backups, and management interfaces.

Readiness check

0%
  • Backups are isolated, encrypted, and tested quarterly
  • MFA is on email, admin, VPN, and finance systems
  • Internet-facing systems are patched within 14 days
  • Email has SPF, DKIM, DMARC, and phishing reporting
  • Endpoints are monitored for suspicious behaviour
  • Admin accounts are separate from daily-use accounts
  • A one-page incident response plan exists and has been tested
  • Staff know what ransomware looks like and who to call

GHOSTLINE covers every layer.

TRACE monitors endpoints. INBOX blocks phishing. VEIL catches lateral movement. ARCHIVE preserves evidence. WATCH reports to the board.

Request access