Live-fire emulations expose blind spots and sharpen detections
Picture this: you’re part of a security operations team and you’ve tuned your SIEM to perfection, yet one clever phishing email still slips through and unleashes ransomware across your network. Sound familiar? That’s why live-fire simulations are so crucial. In this guide to running a ransomware attack simulation for red and blue teams, you’ll learn how to plan, execute, and review realistic attack scenarios that expose hidden gaps and sharpen your detection and response capabilities. We’ll walk through setting objectives, emulating every stage of the kill chain, and capturing key metrics so you can measure success and refine your playbook. Ready to level up your ransomware readiness?
Objective design
Goals – pre-encryption detection, MTTR reduction, executive comms, scoring
Before you fire up any tools, you need clear objectives. A well-designed ransomware simulation starts with setting measurable goals that align with your overall security strategy. Here are a few targets you might aim for:
- Catch malicious activity before encryption begins (pre-encryption detection)
- Reduce mean time to detect (MTTD) and mean time to respond (MTTR)
- Test executive communication templates under pressure
- Minimize false positives so analysts focus on real threats
- Score your tabletop exercises and operational readiness drills
Having solid benchmarks lets you track progress and demonstrate improvements to stakeholders.
Scope – segments, accounts, tooling, safety rails
Next, define a clear simulation scope to avoid collateral damage and keep both red and blue teams focused:
- Network segments: choose one or two subnets or VLANs for safe testing
- User accounts: designate which service or user groups the red team may impersonate
- Tooling and infrastructure: list in-scope servers, endpoints, and test domains
- Safety rails: implement kill switches, manual approval gates, and isolation policies
- Time window: agree on start and end times that minimize business impact
A well-scoped exercise keeps your simulation realistic without risking production systems.
Initial access emulation
Phishing payloads, credential harvesting, drive-by kits (T1566)
Initial access is often the weakest link. To test your defences, simulate common entry vectors:
- Spear phishing campaigns with malicious links or attachments (T1566)
- Credential harvesting pages that mimic corporate login portals
- Drive-by download kits exploiting unpatched browsers or plugins
These methods help you evaluate email filters, web proxies, and user training under real-world attack conditions.
Tools – Gophish, Metasploit, custom loaders
Equip your red team with the right tools for initial access:
- Gophish, an open source phishing framework for crafting and tracking campaigns
- Metasploit modules to deploy custom payloads and measure exploit success
- Custom loader scripts for stealthier, modular delivery and evasion testing
- URL shorteners or cloaking services to bypass basic web filters
Keep payloads on isolated testing domains and monitor delivery metrics in real time to ensure safety.
Lateral movement and privilege escalation
AD pathing, token theft, and service abuse (T1550, T1548)
Once inside, attackers pivot laterally and escalate privileges. Simulate these techniques to test your detection coverage:
- Active Directory pathing to find high-value targets
- Token theft from memory or cache (T1550)
- Service account abuse and scheduled task hijacking (T1548)
Emulating these steps reveals gaps in authentication monitoring and privilege-change alerts.
Tools – BloodHound, Mimikatz, SharpHound, PsExec
Here are some common options for lateral movement and privilege escalation:
- BloodHound for mapping AD relationships and attack paths
- SharpHound, the BloodHound data collector, to gather AD data quietly
- Mimikatz to dump credentials and tokens from LSASS memory
- PsExec or WinRM for remote command execution
Ensure your blue team is collecting process creation events, authentication logs, and suspicious service modifications.
Exfiltration and encryption staging
rclone, 7-Zip, PowerShell loops, and throttling (T1041, T1486)
The final stretch of a ransomware attack involves data exfiltration and file encryption. Emulate these phases to test defences:
- Uploading sensitive data with rclone to cloud storage (T1041)
- Compressing staged files using 7-Zip for faster transfers
- Automating staging and locking directories via PowerShell loops
- Throttling network traffic to blend in with normal patterns
These tactics let you validate DLP policies, network monitoring, and endpoint detection.
Blue team – DLP, API logs, KQL hunts, containment drills
While the red team runs exfiltration and encryption scripts, the blue team should:
- Tune Data Loss Prevention (DLP) rules for abnormal upload patterns
- Enable API logging in cloud platforms to catch rclone-style transfers
- Write Kusto Query Language (KQL) hunts in Azure Sentinel or your SIEM for unusual PowerShell commands
- Activate containment playbooks that isolate infected hosts
- Conduct live drills to test incident response under time pressure
Running these steps side by side ensures your defenders can detect and stop data theft before encryption takes hold.
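As an added example, and not code from the article or from any of the tools it names, the following Python script runs a handful of hunt rules over constructed sample telemetry covering both the lateral-movement section above and the exfiltration and encryption staging just described: a Windows System 7045 service-install event of the kind PsExec leaves on its target, Security 4688 process-creation events with command lines (hidden encoded PowerShell, a password-protected 7-Zip archive, a throttled rclone copy), and a cloud-storage audit record. The record field names are assumptions that loosely follow Windows and cloud audit logs rather than any vendor's exact schema; the rclone rule uses the T1041 mapping the article gives, while the other ATT&CK IDs are the standard mappings for those behaviours.

```python
"""Toy hunt rules for a ransomware simulation, run over constructed telemetry.

Added example, not part of the original article or of any tool it names.
Record field names (host, event_id, command_line, ...) are assumptions that
loosely follow Windows Security/System and cloud audit logs, not a vendor schema.
"""
import re
from dataclasses import dataclass

# ---- constructed sample telemetry (not real data) --------------------------
SAMPLE_EVENTS = [
    # System 7045: new service installed. PsExec registers its PSEXESVC stub
    # on the remote host before running a command there.
    {"host": "FS01", "source": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Security 4688: process creation with command-line auditing enabled.
    {"host": "WS22", "source": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # placeholder base64
    {"host": "FS01", "source": "Security", "event_id": 4688,
     "image": r"C:\Tools\7z.exe",
     "command_line": r"7z.exe a -pS3cret staged.7z D:\Finance\*"},
    {"host": "FS01", "source": "Security", "event_id": 4688,
     "image": r"C:\Users\svc_backup\rclone.exe",
     "command_line": r"rclone.exe copy D:\staged remote:bucket --bwlimit 2M"},
    {"host": "WS22", "source": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},  # benign control record
    # Cloud storage audit record for an object upload (constructed shape).
    {"host": "cloud-storage", "source": "storage_audit", "operation": "PutObject",
     "principal": "svc_backup", "bytes": 8_400_000_000, "user_agent": "rclone/v1.65.0"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK technique ID the rule is mapped to
    host: str
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_exec_service(ev):
    """7045 whose service name or binary is PsExec's service stub (T1569.002)."""
    if ev.get("event_id") != 7045:
        return None
    blob = f'{ev.get("service_name", "")} {ev.get("image_path", "")}'
    if re.search(r"psexesvc", blob, re.I):
        return Finding("remote-exec service install", "T1569.002", ev["host"], blob.strip())
    return None


def rule_hidden_encoded_powershell(ev):
    """PowerShell started with a hidden window and an encoded command (T1059.001)."""
    if ev.get("event_id") != 4688:
        return None
    cmd = ev.get("command_line", "")
    if (_basename(ev.get("image", "")) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"\s-(e|ec|enc|encodedcommand)\s", cmd, re.I)
            and re.search(r"\s-w(indowstyle)?\s+hidden", cmd, re.I)):
        return Finding("hidden encoded PowerShell", "T1059.001", ev["host"], cmd)
    return None


def rule_archive_staging(ev):
    """Archiver creating ('a') or updating ('u') a password-protected archive (T1560.001)."""
    if ev.get("event_id") != 4688:
        return None
    cmd = ev.get("command_line", "")
    if (_basename(ev.get("image", "")) in {"7z.exe", "7za.exe", "rar.exe"}
            and re.search(r"\b(a|u)\b", cmd) and re.search(r"\s-p\S*", cmd)):
        return Finding("password-protected archive staging", "T1560.001", ev["host"], cmd)
    return None


def rule_rclone_transfer(ev):
    """rclone launched on an endpoint; --bwlimit marks the throttling the article describes."""
    if ev.get("event_id") != 4688:
        return None
    cmd = ev.get("command_line", "")
    if "rclone" in _basename(ev.get("image", "")) or re.search(r"\brclone(\.exe)?\b", cmd, re.I):
        label = "rclone transfer (throttled)" if "--bwlimit" in cmd else "rclone transfer"
        return Finding(label, "T1041", ev["host"], cmd)
    return None


def rule_bulk_cloud_upload(ev, threshold_bytes=1_000_000_000):
    """Cloud API log: very large upload, or an rclone user agent, from any principal."""
    if ev.get("source") != "storage_audit" or ev.get("operation") != "PutObject":
        return None
    if ev.get("bytes", 0) >= threshold_bytes or "rclone" in ev.get("user_agent", "").lower():
        detail = f'{ev.get("principal")} uploaded {ev.get("bytes")} bytes via {ev.get("user_agent")}'
        return Finding("bulk or rclone-agent upload", "T1041", ev["host"], detail)
    return None


RULES = [rule_remote_exec_service, rule_hidden_encoded_powershell,
         rule_archive_staging, rule_rclone_transfer, rule_bulk_cloud_upload]


def hunt(events):
    """Apply every rule to every event and return the list of findings."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def techniques_seen(findings):
    """Sorted set of ATT&CK IDs that produced at least one finding."""
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host}: {f.rule} -> {f.detail}")
```

Each rule is a plain function that returns a `Finding` or `None`, so the blue team can add the KQL-equivalent hunts from this section one at a time and run the whole set against exported exercise logs to see which red-team steps produced telemetry and which went dark. The benign notepad record is there to show the rules stay quiet on ordinary process creations, which is the false-positive check the objectives section calls for.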
After-action
Metrics – MTTD, MTTR, dwell time, false positives, lessons learned
Once the exercise wraps up, it’s time to measure performance and capture insights:
- Mean time to detect (MTTD): how quickly you spotted the attacker
- Mean time to respond (MTTR): how fast you contained or eradicated the threat
- Dwell time: total window of unauthorized access
- False positive rate: percentage of alerts that didn’t lead to real incidents
- Lessons learned: gaps uncovered, unexpected blind spots, and new hypotheses
Compile these into an after-action report with both executive summaries and detailed appendices. That way you can justify future investments in technology and training.
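The scorer below is an added example, not part of the article, that turns a timeline of injected scenarios into the metrics listed above. The scenario records, alert tallies and the field names (`first_malicious`, `detected`, `contained`, `encryption_started`) are constructed assumptions; it also scores the pre-encryption detection goal from the objectives section, since that needs the same timestamps.

```python
"""After-action scoring for a ransomware simulation.

Added example, not from the article. Scenario records, alert tallies and field
names are constructed assumptions chosen to match the metrics the article lists.
"""
from datetime import datetime, timezone
from statistics import mean


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# One record per injected scenario (constructed). first_malicious = when the red
# team executed the step; detected = first alert an analyst triaged as a true
# positive (None if never caught); contained = host isolated or credentials
# revoked; encryption_started = when the encryption stage began (None if the
# scenario was stopped first).
SCENARIOS = [
    {"name": "spear phish + loader", "technique": "T1566",
     "first_malicious": "2025-03-04T09:00:00", "detected": "2025-03-04T09:08:00",
     "contained": "2025-03-04T09:35:00", "encryption_started": None},
    {"name": "token theft + PsExec", "technique": "T1550",
     "first_malicious": "2025-03-04T10:15:00", "detected": "2025-03-04T11:40:00",
     "contained": "2025-03-04T12:30:00", "encryption_started": None},
    {"name": "rclone exfil + PowerShell lock loop", "technique": "T1041",
     "first_malicious": "2025-03-04T13:00:00", "detected": "2025-03-04T14:50:00",
     "contained": "2025-03-04T15:20:00", "encryption_started": "2025-03-04T14:30:00"},
    {"name": "scheduled task hijack", "technique": "T1548",
     "first_malicious": "2025-03-04T15:45:00", "detected": None,
     "contained": None, "encryption_started": None},
]
EXERCISE_END = "2025-03-04T17:00:00"

# Alert-queue tallies for the exercise window (constructed).
ALERTS_TOTAL = 120
ALERTS_TRUE_POSITIVE = 18


def minutes(start, end):
    return (_t(end) - _t(start)).total_seconds() / 60


def score(scenarios, exercise_end, alerts_total, alerts_true_positive):
    detected = [s for s in scenarios if s["detected"]]
    responded = [s for s in scenarios if s["contained"]]
    # Dwell time runs from the first malicious action to containment, or to the
    # end of the exercise for scenarios that were never caught.
    dwell = [minutes(s["first_malicious"], s["contained"] or exercise_end) for s in scenarios]
    # Pre-encryption detection: caught before the encryption stage started, or
    # the scenario never reached encryption at all.
    pre_enc = [s for s in detected
               if s["encryption_started"] is None or _t(s["detected"]) < _t(s["encryption_started"])]
    return {
        "mttd_min": mean(minutes(s["first_malicious"], s["detected"]) for s in detected),
        "mttr_min": mean(minutes(s["detected"], s["contained"]) for s in responded),
        "dwell_mean_min": mean(dwell),
        "dwell_max_min": max(dwell),
        "detection_rate": len(detected) / len(scenarios),
        "pre_encryption_detection_rate": len(pre_enc) / len(scenarios),
        "false_positive_rate": (alerts_total - alerts_true_positive) / alerts_total,
        "missed": [s["name"] for s in scenarios if not s["detected"]],
    }


if __name__ == "__main__":
    for key, value in score(SCENARIOS, EXERCISE_END, ALERTS_TOTAL, ALERTS_TRUE_POSITIVE).items():
        print(f"{key:32} {value}")
```

MTTR here is measured from detection to containment, and dwell from first malicious action to containment, so a scenario that is never detected still contributes its full window to dwell time rather than disappearing from the average; that is the number to put in front of executives, since it is what a real intrusion would have cost.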
Remediation and retest schedule
A clear remediation plan keeps improvements on track. Consider a four-week cycle:
- Patch and harden systems based on identified vulnerabilities
- Update detection rules and alert thresholds to cover missed techniques
- Run targeted threat hunts for the latest TTPs
- Conduct a focused retest on the highest-risk scenarios
Keeping a steady cadence ensures each gap is closed and denies attackers a second chance at the same weakness.
Simulation checklist
Scope defined and safe
Confirm you have:
- Documented network segments, accounts, and test domains
- Approved safety rails and kill-switch procedures
- A clear timeline to minimize business disruption
Red TTPs mapped to ATT&CK
Make sure:
- Each red team tactic and technique is linked to the MITRE ATT&CK matrix
- You’ve used a tool like Attack Navigator to visualize coverage
- No critical technique is left untested
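To make the ATT&CK mapping visible, the added example below (not from the article or from the MITRE project) writes an ATT&CK Navigator layer that colours each technique the exercise planned by its outcome. The technique IDs are the ones the article lists; the outcomes are constructed, and the `attack`/`navigator`/`layer` version strings are assumptions to be matched to your own Navigator instance.

```python
"""Build an ATT&CK Navigator layer colouring the exercise's techniques by outcome.

Added example, not from the article or the MITRE project. Technique IDs are the
ones the article lists; outcomes are constructed. The layer fields used
(techniqueID, score, color, comment, enabled, legendItems) follow the Navigator
layer format; the version strings are assumptions for your own instance.
"""
import json

# Constructed exercise results, keyed by ATT&CK technique ID from the article.
OUTCOMES = {
    "T1566": "detected",
    "T1550": "detected",
    "T1548": "missed",
    "T1041": "detected",
    "T1486": "not_tested",
}

COLORS = {"detected": "#31a354", "missed": "#e41a1c", "not_tested": "#bdbdbd"}
SCORES = {"detected": 2, "missed": 1, "not_tested": 0}


def build_layer(outcomes, name="ransomware-simulation"):
    """Return a Navigator layer dict; dump it with json.dumps and load it in Navigator."""
    techniques = [
        {"techniqueID": tid, "score": SCORES[outcome], "color": COLORS[outcome],
         "comment": f"exercise outcome: {outcome}", "enabled": True,
         "showSubtechniques": False}
        for tid, outcome in sorted(outcomes.items())
    ]
    return {
        "name": name,
        # Assumed versions; set these to match the Navigator you load the layer into.
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Red-team TTPs mapped to ATT&CK with blue-team detection outcome.",
        "techniques": techniques,
        "legendItems": [{"label": label, "color": color} for label, color in COLORS.items()],
    }


def needs_attention(outcomes):
    """Techniques that were missed or never exercised: the checklist's open items."""
    return sorted(tid for tid, outcome in outcomes.items() if outcome != "detected")


if __name__ == "__main__":
    print(json.dumps(build_layer(OUTCOMES), indent=2))
    print("open items:", needs_attention(OUTCOMES))
```

Loading the resulting JSON into Navigator gives a matrix where green cells were caught, red cells were run but missed, and grey cells were planned but never exercised; the grey set is exactly the "no critical technique left untested" check in this list.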
Blue hunts and measures
Verify that your blue defenders have:
- SIEM dashboards and alert rules preloaded
- KQL or equivalent hunt queries ready
- Playbooks and runbooks for each simulated scenario
Gaps remediated and retested
Ensure:
- Every identified gap has an assigned owner and timeline
- Patches and rule updates are scheduled
- A retest date is set to confirm fixes
Need a deeper readiness checklist? Check out our ransomware readiness checklist 2025 edition.
Conclusion
Continuous emulation keeps defenses honest
Ransomware threats evolve fast, and your defences need to stay one step ahead. Regular live-fire simulations push both red and blue teams to learn, adapt, and close gaps before real attackers strike. Treat each exercise as a building block in your long-term security strategy.
Cybertorch MDR ingests red-team telemetry to strengthen live detections against ransomware
Ready to supercharge your ransomware simulations? Cybertorch MDR automatically ingests red-team telemetry from every exercise, enriches your detection rules, and streamlines incident response. Book a demo to see how you can turn simulation data into real-time defense improvements.