Ransomware Investigation 

In this 4-day intensive course, students learn to treat a ransomware intrusion as a digital crime scene: tracking data exfiltration, profiling the actor's infrastructure, and following the financial breadcrumbs to determine who is behind the attack, what they stole, and how the operation unfolded from end to end.

Students will master analysis of critical Windows artifacts (ShimCache, AmCache, SRUM, Event Logs, Prefetch, Registry hives) and network telemetry to build defensible timelines, validate attacker activity, and connect host-level findings with network, infrastructure, and financial indicators. A dedicated module on cryptocurrency tracing teaches students to follow ransom payments and laundering flows to support attribution, reporting, and response.


By the end of this course, you will be able to:

Technical & Analytical Skills:

 Reconstruct the full kill chain of a human-operated ransomware campaign.

 Analyze host-based artifacts (ShimCache, AmCache, SRUM, Event Logs, Prefetch, Registry, LNK) to derive attacker behaviors.

 Identify data staging, exfiltration, and encryption workflows used by modern RaaS affiliates.

 Attribute infrastructure elements such as C2 servers, cloud storage, and Tor services.

 Perform cryptocurrency tracing to follow ransom demands, payments, and laundering patterns.

Operational Skills:

 Build coherent, defensible investigative timelines.

 Correlate network, host, infrastructure, and financial evidence.

 Produce actionable investigative reports for executives, legal teams, and law enforcement.

 Understand monetization models, affiliate ecosystems, and RaaS supply chains.
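As an added illustration of the timeline-building and evidence-correlation outcomes listed above (example code written for this page, not part of the course materials), the script below normalises constructed records from three Windows evidence sources into one UTC-ordered timeline and flags a logon -> tool execution -> bulk outbound transfer sequence. The host name FS01, the account svc_backup, the rclone tool, the IP address and every timestamp and byte count are constructed sample data; the sources shown are a Security.evtx 4624 logon (local time with offset, as exports often carry it), a Prefetch last-run FILETIME, and an SRUM network-usage entry.

```python
"""Added example (not part of the course materials): normalise constructed
records from three Windows evidence sources (Security.evtx 4624 logon,
Prefetch last-run FILETIME, SRUM network usage) into one UTC timeline and
flag a logon -> tool execution -> bulk outbound transfer sequence."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime        # always timezone-aware UTC, so ordering is defensible
    source: str         # artifact the record came from (evidence provenance)
    host: str
    kind: str           # "logon", "exec" or "netuse"
    detail: str
    value: int = 0      # bytes sent, for "netuse" records


def filetime_to_utc(ft: int) -> datetime:
    """Convert a raw FILETIME (e.g. from a parsed .pf file) to aware UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_iso_utc(s: str) -> datetime:
    """Parse an ISO-8601 string with an offset or trailing 'Z' into UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample records (hypothetical host, account and tool names).
# Security.evtx exports often carry local time with an offset; 4624 = logon.
EVTX_4624 = [("2024-03-02T01:12:07-05:00", "FS01",
              "4624 LogonType=10 User=svc_backup Src=10.0.5.23")]
# Prefetch: last-run time is a FILETIME. Caveat: it is written roughly 10 s
# after process start, so read it as "ran around", not an exact start time.
PREFETCH = [("RCLONE.EXE-1A2B3C4D.pf", 133538340000000000, "FS01")]
# SRUM network usage: UTC timestamp, application and bytes sent in the bucket.
SRUM = [("2024-03-02T06:31:00Z", "FS01", "rclone.exe", 7_340_000_000)]


def build_timeline(evtx, prefetch, srum):
    """Merge heterogeneous records into one list ordered by UTC time."""
    events = []
    for ts, host, msg in evtx:
        events.append(Event(parse_iso_utc(ts), "Security.evtx", host, "logon", msg))
    for name, ft, host in prefetch:
        events.append(Event(filetime_to_utc(ft), "Prefetch", host, "exec", name))
    for ts, host, app, sent in srum:
        events.append(Event(parse_iso_utc(ts), "SRUM", host, "netuse", app, sent))
    return sorted(events, key=lambda e: (e.ts, e.source))


def find_exfil_chains(timeline, window_seconds=3600, min_bytes=1 << 30):
    """Return (logon, exec, netuse) triples on the same host where a large
    outbound transfer follows a tool execution that follows a logon, each hop
    within window_seconds. This is a lead to validate, not proof of exfil."""
    window = timedelta(seconds=window_seconds)
    chains = []
    for net in (e for e in timeline if e.kind == "netuse" and e.value >= min_bytes):
        execs = [e for e in timeline if e.kind == "exec" and e.host == net.host
                 and net.ts - window <= e.ts <= net.ts]
        for ex in execs:
            logons = [e for e in timeline if e.kind == "logon" and e.host == ex.host
                      and ex.ts - window <= e.ts <= ex.ts]
            chains.extend((lg, ex, net) for lg in logons)
    return chains


def render(timeline):
    """Human-readable timeline that names the evidence source on every line."""
    return "\n".join(
        f"{e.ts.isoformat()}  {e.source:<13} {e.host}  {e.kind:<6} {e.detail}"
        + (f"  bytes={e.value}" if e.value else "")
        for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(EVTX_4624, PREFETCH, SRUM)
    print(render(tl))
    for lg, ex, net in find_exfil_chains(tl):
        print(f"\nExfil lead on {net.host}: {lg.detail} -> {ex.detail} -> "
              f"{net.detail} sent {net.value:,} bytes")
```

Every event keeps its originating artifact, and every timestamp is converted to aware UTC before sorting, which is what makes the ordering defensible when host clocks, export tools and log formats disagree on time zones. The chain finder only surfaces a lead; each hop still has to be validated against the other artifacts the course covers (ShimCache and AmCache for the binary, Event Logs for the session, network telemetry for the destination).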

Tools & Platforms:

Students will gain hands-on experience with:

 Cyber range SIEM and EDR tools (Splunk/Elastic/Sentinel-style environments)

 Memory and disk forensics tools (Velociraptor, KAPE, Eric Zimmerman's tools)

 Blockchain explorers and tracing tools (e.g., TRM Labs)

 OSINT and infrastructure profiling tooling

 Cybervance Vertex learning hub integrations (if applicable)