Ransomware Investigations

May 29 – June 1 (Pre-Conference)

In this 4-day intensive course, students learn to treat a ransomware intrusion as a digital crime scene—tracking data exfiltration, profiling the actor’s infrastructure, and following the financial breadcrumbs to determine who is behind the attack, what they stole, and how the operation unfolded end-to-end.

Bridging the gap between traditional digital forensics and the specialized tradecraft required to investigate Ransomware-as-a-Service (RaaS) cartels, the course moves beyond standard malware triage and into full-scope, human-operated intrusion analysis. In a cloud-based cyber range, investigators will dissect realistic RaaS campaigns and simulate the complete lifecycle of a live operation—from initial access and privilege escalation to lateral movement, staging, exfiltration, encryption, and monetization.

Students will master the analysis of critical Windows artifacts, including ShimCache, AmCache, SRUM, and Event Logs, to build a defensible timeline of events, validate attacker activity, and connect host-level proof to network and operational behaviors. The curriculum also emphasizes tracing cryptocurrency-based ransom and laundering flows, enabling investigators to correlate technical findings with infrastructure and financial indicators to support attribution, reporting, and actionable response.
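To make the artifact-to-timeline step concrete, the following is an added example (not course material and not Cellebrite code). It merges already-extracted records from Security.evtx, System.evtx, ShimCache, AmCache and SRUM into one UTC-ordered timeline and flags the chain a ransomware investigator looks for: a remote logon, a newly installed service, a previously unseen binary, and bulk outbound traffic attributed to that binary, followed by log clearing. All records, the host name FS01, the account, IP address, paths and byte counts are constructed for illustration; the record field names are assumptions about what an examiner would export from each artifact, not any tool's native schema.

```python
"""Merge constructed Windows artifacts into one UTC-ordered timeline and flag
a logon -> tool staging -> bulk outbound chain. Added example, not course
material; every record below is constructed, not from a real incident."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOST = "FS01"  # hypothetical host name

# Constructed records, shaped like fields an examiner would export from each
# artifact after parsing it. Field names are assumptions for this example.
SECURITY_EVTX = [
    {"time": "2024-05-12T01:02:11Z", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "src_ip": "203.0.113.5"},
    {"time": "2024-05-12T01:45:03Z", "event_id": 1102,
     "account": "CORP\\svc_backup"},
]
SYSTEM_EVTX = [
    {"time": "2024-05-12T01:05:40Z", "event_id": 7045, "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
]
SHIMCACHE = [  # timestamp is the file's last-modified time, NOT an execution time
    {"path": r"C:\Windows\Temp\rclone.exe", "last_modified": "2024-05-12T01:07:02Z"},
]
AMCACHE = [
    {"path": r"C:\Windows\Temp\rclone.exe", "sha1": "constructed-sha1-value",
     "first_seen": "2024-05-12T01:08:15Z"},
]
SRUM_NET = [  # SRUM network-usage rows are per app per interval, not per connection
    {"interval_end": "2024-05-12T02:00:00Z", "app": r"C:\Windows\Temp\rclone.exe",
     "bytes_sent": 4_300_000_000, "bytes_recv": 12_000_000},
]


@dataclass
class Event:
    ts: datetime            # normalised to UTC so all sources sort together
    source: str             # artifact the event came from
    host: str
    summary: str
    detail: dict = field(default_factory=dict)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 string with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_timeline(host: str = HOST) -> list:
    """Normalise each artifact into Event objects and sort them by time."""
    events = []
    for r in SECURITY_EVTX:
        if r["event_id"] == 4624:
            events.append(Event(_ts(r["time"]), "Security.evtx", host,
                f"4624 logon type {r['logon_type']} {r['account']} from {r['src_ip']}", r))
        elif r["event_id"] == 1102:
            events.append(Event(_ts(r["time"]), "Security.evtx", host,
                f"1102 audit log cleared by {r['account']}", r))
    for r in SYSTEM_EVTX:
        if r["event_id"] == 7045:
            events.append(Event(_ts(r["time"]), "System.evtx", host,
                f"7045 service installed {r['service']} -> {r['image']}", r))
    for r in SHIMCACHE:
        # ShimCache proves the file existed at that path; on Windows 10+ it
        # carries no execution flag, so it is corroboration, not proof of a run.
        events.append(Event(_ts(r["last_modified"]), "ShimCache", host,
            f"entry {r['path']} (file mtime, presence only)", r))
    for r in AMCACHE:
        events.append(Event(_ts(r["first_seen"]), "AmCache", host,
            f"first seen {r['path']} sha1={r['sha1']}", r))
    for r in SRUM_NET:
        events.append(Event(_ts(r["interval_end"]), "SRUM", host,
            f"{r['app']} sent {r['bytes_sent']} bytes in interval", r))
    return sorted(events, key=lambda e: e.ts)


def flag_exfil_chain(timeline: list, window: timedelta = timedelta(hours=3),
                     exfil_bytes: int = 1_000_000_000) -> dict:
    """Look for remote logon -> new service / new binary -> bulk send -> log clear
    within `window` of the first remote (type 3 or 10) logon."""
    findings = {}
    logon = next((e for e in timeline if e.source == "Security.evtx"
                  and e.detail["event_id"] == 4624
                  and e.detail["logon_type"] in (3, 10)), None)
    if logon is None:
        return findings
    findings["initial_logon"] = logon.summary
    deadline = logon.ts + window
    for e in timeline:
        if not (logon.ts <= e.ts <= deadline):
            continue
        if e.source == "System.evtx" and e.detail["event_id"] == 7045:
            findings.setdefault("new_services", []).append(e.detail["service"])
        elif e.source == "AmCache":
            findings.setdefault("new_binaries", []).append(e.detail["path"])
        elif e.source == "SRUM" and e.detail["bytes_sent"] >= exfil_bytes:
            findings.setdefault("bulk_senders", []).append((e.detail["app"], e.detail["bytes_sent"]))
        elif e.source == "Security.evtx" and e.detail["event_id"] == 1102:
            findings["log_cleared"] = True
    # A bulk sender that also first appeared after the logon is the strongest signal.
    findings["staged_tool_exfil"] = any(app in findings.get("new_binaries", [])
                                        for app, _ in findings.get("bulk_senders", []))
    return findings


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.ts.isoformat(), e.source.ljust(13), e.summary)
    print(flag_exfil_chain(tl))
```

The SRUM row is the only artifact here that speaks to volume, and its timestamp is the end of a collection interval, so it is placed after the other events even though the transfer began earlier; an investigator pairs it with firewall or proxy logs from the same window before asserting an exfiltration time.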

Cellebrite