June 12, 2026
Ransomware Simulation: Testing Perimeter Defense with Hardened Repositories
Farras Fauzan
A cyberdrill case study on simulating a LockBit Black attack, perimeter breach, and proving the resilience of an immutable backup architecture.
In the modern digital era, the question for any organization is no longer "Will we be cyberattacked?" but rather "When will it happen, and how prepared are we to face it?" To test the readiness of IT Infrastructure and Security teams, conducting tactical cyberattack simulations — or Cyberdrills — is an essential practice.
In this article, we will perform a deep-dive analysis of a tactical cyberdrill scenario: How an attacker successfully breached a perimeter firewall, moved laterally, executed LockBit Black Ransomware on the Active Directory (AD) Server, and how the defense and recovery strategies were executed using an Immutable Backup architecture.
1. Topology Architecture and Simulation Environment
Before diving into the attack timeline, let's break down the network architecture targeted in this simulation:
- Outer Perimeter: Protected by a FortiGate 90D firewall with a WAN interface connected to the internet and a LAN IP.
- Core Infrastructure: All internal traffic is managed by the Core Switch.
- AD Server: Acts as the primary domain controller and file share server.
- User PC: An endpoint workstation.
- Backup Infrastructure: Backup management using Veeam Backup.
- Storage Repository: Utilizing TrueNAS (NAS).
- Protection Method: To counter ransomware, the repository is configured with an Immutable Backup method. The storage from TrueNAS is connected via the iSCSI protocol to a Linux Ubuntu server acting as a Hardened Repository. With this method, backup data cannot be modified or deleted by any user (including administrators) during the specified retention period.
2. The Cyber Attack Kill Chain (Attack Timeline)
Based on the cyberdrill scenario, the attacker carried out a systematic attack through 12 specific stages:
Phase 1: Perimeter Breach & Backdoor Creation
- Information Gathering: The attacker scans the organization's public IP address to find open ports.
- Vulnerability Identification: The attacker identifies the FortiGate Firewall's public IP and detects that Port 443 (HTTPS Web GUI) is exposed to the WAN.
- Firewall Brute-Force: Leveraging the exposed Web GUI login page, the attacker launches a brute-force attack, assuming a default admin account exists on the firewall.
- Access Granted: Due to a weak password policy, the attacker successfully gains access to the firewall's admin account via the GUI.
- Planting a Backdoor: To maintain persistence, the attacker creates a new local account on the firewall with a deceptive name: admin.backup.
- Testing Access: The attacker logs out of the main account and successfully logs back in using the newly created admin.backup backdoor account.
Phase 2: Lateral Movement & Loose Policies
- Modifying Firewall Policy: To facilitate deeper network penetration, the attacker alters the firewall rules. A new policy is added: WAN to LAN with an "Any to Any" rule (Action: ACCEPT). Dangerous ports like RDP are now wide open to the internet.
- Internal Reconnaissance: With perimeter restrictions effectively removed, the attacker scans the internal network and discovers a critical target: the AD Server.
- RDP Brute-Force: The attacker launches a second brute-force attack, this time targeting the RDP protocol on the AD Server to guess the administrator credentials.
- AD Server Compromise: The attack succeeds. The attacker gains full control of the AD Server via the RDP protocol.
Phase 3: Ransomware Execution (Impact)
- Malware Deployment: The attacker copies and executes the ransomware binary onto the compromised server.
- LockBit Black Execution: The ransomware runs. Within seconds, all vital files on the AD server are encrypted. The desktop background turns black with a chilling message, "LockBit Black — All your important files are stolen and encrypted!", and ransom instructions are dropped in a file named PrxjKQaFo.README.txt.
3. Forensic Analysis: What Do the Logs Reveal?
During the post-incident review session of this cyberdrill, the Blue Team examined log files to identify Indicators of Compromise (IoCs):
- Firewall Logs (FortiGate): A barrage of login failure logs ("Administrator admin login failed from https…") occurs repeatedly within a short timeframe before a success status finally appears. Additionally, configuration modification activities are explicitly logged: "Add user.local.admin.backup" and the modification of the rule changed to ACCEPT for all services.
- Windows Event Viewer Logs (AD Server): The AD Server's Security log records a massive spike in Event ID 4625 (An account failed to log on), pointing directly to the RDP brute-force activity originating from the attacker's source IP, followed immediately by Event ID 4624 (An account was successfully logged on) when the attacker finally breached the system.
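The two log patterns above can be checked mechanically. The following added example (my own, not from the original cyberdrill) reads constructed FortiGate admin-login lines and a simplified CSV export of Windows Security events, and flags a burst of failures followed by a success from the same source; the field names, thresholds and sample addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the article): FortiGate key=value lines trimmed to the fields read
# below, and a simplified CSV export of Windows Security events: time,event_id,account,source_ip,logon_type.
FORTIGATE_LOG = """\
date=2026-06-12 time=09:00:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.50 status="failed"
date=2026-06-12 time=09:00:02 logdesc="Admin login failed" user="admin" srcip=203.0.113.50 status="failed"
date=2026-06-12 time=09:00:03 logdesc="Admin login failed" user="admin" srcip=203.0.113.50 status="failed"
date=2026-06-12 time=09:00:04 logdesc="Admin login failed" user="admin" srcip=203.0.113.50 status="failed"
date=2026-06-12 time=09:00:05 logdesc="Admin login failed" user="admin" srcip=203.0.113.50 status="failed"
date=2026-06-12 time=09:00:09 logdesc="Admin login successful" user="admin" srcip=203.0.113.50 status="success"
"""
WINDOWS_CSV = """\
2026-06-12 09:30:00,4625,administrator,203.0.113.50,10
2026-06-12 09:30:01,4625,administrator,203.0.113.50,10
2026-06-12 09:30:01,4625,administrator,203.0.113.50,10
2026-06-12 09:30:02,4625,administrator,203.0.113.50,10
2026-06-12 09:30:02,4625,administrator,203.0.113.50,10
2026-06-12 09:30:03,4624,administrator,203.0.113.50,10
2026-06-12 09:45:00,4624,jdoe,10.0.0.25,2
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate(text):
    """Yield (timestamp, user, src_ip, outcome) for admin login events; outcome is 'failed' or 'success'."""
    for line in text.splitlines():
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        if "status" in f:
            yield datetime.fromisoformat(f["date"] + " " + f["time"]), f["user"], f["srcip"], f["status"]

def parse_windows(text):
    """Yield the same tuple for 4625/4624 events; logon type 10 (RemoteInteractive) is RDP."""
    for line in text.splitlines():
        ts, eid, user, ip, ltype = line.split(",")
        if eid in ("4625", "4624") and ltype == "10":
            yield datetime.fromisoformat(ts), user, ip, "failed" if eid == "4625" else "success"

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (user, src_ip) pairs with >= threshold failures inside `window` followed by a success."""
    recent, findings = {}, []
    for ts, user, ip, outcome in sorted(events):
        key = (user, ip)
        hits = [t for t in recent.get(key, []) if ts - t <= window]  # drop stale failures
        if outcome == "failed":
            hits.append(ts)
        elif len(hits) >= threshold:  # success arriving right after a burst of failures
            findings.append({"user": user, "src_ip": ip, "failures": len(hits), "success_at": ts})
        recent[key] = hits
    return findings
```

Both parsers feed the same detector, so the firewall GUI burst and the RDP burst on the AD Server surface as the same kind of finding.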
4. Recovery Strategy: Why Immutable Backup Saved the Day
In a real-world scenario, an encrypted Active Directory brings company operations to a grinding halt. Attackers typically target backup servers next to ensure the victim has no choice but to pay the ransom.
However, in our infrastructure design, this ransomware attack was completely thwarted during the recovery phase thanks to modern security engineering:
- iSCSI Isolation & Hardened Linux Repository: Even though the attacker created an "any-any" network rule, the backup data was stored within a TrueNAS volume mounted via iSCSI to an isolated, hardened Linux Ubuntu server. The compromised Windows AD account lacked any administrative or lateral access rights to this Linux environment.
- Proven Immutability: The LockBit Black ransomware attempted to delete or encrypt the backup files via network shares but failed completely. Because of the Immutable flag, the Linux OS (working in tandem with Veeam) rejected any instructions to modify or delete .vbk and .vib files as long as the retention policy remained active.
- Rapid Restore Process: The infrastructure team could immediately format and reinstall the OS on the infected AD server, then execute a Full VM Recovery or Bare-Metal Recovery using the latest clean restore point directly from the Veeam Backup Server.
5. Lessons Learned & Security Recommendations
This cyberdrill provides invaluable lessons to strengthen both perimeter and internal defenses:
- Never Expose Management Ports to the Public: FortiGate GUI ports (443/80) or SSH (22) must never be accessible directly from the WAN. Use a secure VPN (SSL-VPN with Multi-Factor Authentication) if administrators need remote firewall management.
- Implement Multi-Factor Authentication (MFA): Had the admin login on the firewall or the RDP access on the AD Server been protected by MFA, the attacker's brute-force attempts would have been stopped dead in their tracks, even after guessing the passwords.
- Enforce the Principle of Least Privilege in Firewall Policies: Avoid using broad "Any-Any" rules from WAN to LAN. Restrict ports, source IPs (whitelisting), and destinations strictly based on business needs.
- Maintain a 3–2–1–1–0 Backup Strategy:
- 3 copies of data.
- 2 different types of media.
- 1 offsite copy.
- 1 Offline / Immutable copy (such as the TrueNAS + Ubuntu Linux Hardened Repo architecture used here).
- 0 errors during automated backup verification.
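As an added illustration of the least-privilege recommendation above (my own example, not part of the original article), this script parses a constructed FortiGate policy excerpt that places the kind of WAN-to-LAN rule the attacker added beside a tightly scoped one, and flags WAN-ingress accept rules whose source, destination or service is unrestricted; the interface and address-object names are assumptions.

```python
# Constructed FortiGate CLI excerpt (not from the article): the kind of WAN-to-LAN rule the attacker added,
# beside a least-privilege rule scoped to one source network, one destination and one service.
CONFIG = """\
config firewall policy
    edit 10
        set name "attacker-any-any"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
    edit 11
        set name "branch-vpn-to-ad"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "branch-office-net"
        set dstaddr "ad-server"
        set service "RDP"
        set action accept
    next
end
"""
WAN_INTERFACES = {"wan1"}  # assumed name of the internet-facing interface

def parse_policies(text):
    """Return {policy_id: {attribute: value}} from a 'config firewall policy' block."""
    policies, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = policies.setdefault(line[5:], {})
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            cur[key] = val.replace('"', "")
    return policies

def audit(policies):
    """Flag accept rules entering from WAN whose source, destination or service is unrestricted."""
    findings = []
    for pid, p in policies.items():
        wan_ingress = p.get("srcintf") in WAN_INTERFACES and p.get("dstintf") not in WAN_INTERFACES
        broad = [k for k in ("srcaddr", "dstaddr", "service") if p.get(k, "").lower() == "all"]
        if wan_ingress and p.get("action") == "accept" and broad:
            findings.append(f"policy {pid} ({p.get('name')}): WAN-to-LAN accept with {', '.join(broad)} = all")
    return findings
```

Run against a periodic `show firewall policy` export, the audit also catches partially broad rules (for example a WAN-to-LAN rule with a specific service but source "all"), not only the full any/any/ALL case.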
Conclusion
Ransomware like LockBit Black moves incredibly fast, exploiting the smallest oversight in your perimeter defense. Through this cyberdrill simulation, we learn that a defense-in-depth approach coupled with a ransomware-proof (Immutable) backup infrastructure serves as the ultimate last line of defense that dictates whether an organization's data lives or dies.
Stay safe, stay secure!
💼 Looking to secure your organization? If your organization needs assistance in designing or executing a tailored cyberdrill simulation like this, feel free to reach out to me. Let's collaborate to strengthen your company's infrastructure defense!
How is the backup strategy in your organization? Have you implemented Immutable Backup to counter ransomware? Let me know your thoughts in the comments below!