Chapter 12 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. Commit to an answer before you scroll.
Multiple choice
Q1. Modern ransomware uses a hybrid scheme — a fast symmetric cipher for the file body and an asymmetric cipher to wrap the key. In that design, which key never leaves the attacker's control?
- A) The per-file AES key (K_file)
- B) The RSA public key (PUB_master)
- C) The RSA private key (PRIV_master)
- D) The Salsa20 stream key
Q2. Why does most ransomware encrypt user files but leave the operating system bootable? - A) Encrypting the OS is cryptographically impossible. - B) So the victim can still read the ransom note and reach the payment portal — a functioning victim is a paying customer. - C) Windows protects system files from all encryption. - D) It is an accident; the malware simply runs out of time.
Q3. A ransomware family reads each original, writes the ciphertext to a new file, and then unlinks the original. On a traditional hard drive, what does this copy-encrypt-delete behavior leave you? - A) Nothing — the originals are securely wiped. - B) The original plaintext sitting in unallocated space until overwritten — often carvable. - C) A decryption key in the file's trailer. - D) The RSA private key in the page file.
Q4. Two STOP/Djvu victims are hit by the same variant. One has a personal ID ending in t1 (an offline ID); the other has an online ID. What is the difference in outcome?
- A) Both are fully decryptable with the free tool.
- B) Neither is decryptable; STOP/Djvu uses unbreakable per-file keys.
- C) The offline-ID victim is decryptable (the offline key is reused and known); the online-ID victim used a unique server-side key and is not.
- D) The online-ID victim is decryptable; the offline-ID victim is not.
Q5. You arrive at a still-running, infected machine. Before anything else you isolate it from the network but deliberately do not power it off. What is the primary preservation reason? - A) Powering off corrupts the file system. - B) Volatile memory may hold the live malware, its C2 connections, and — for some flawed families — the encryption keys, all of which vanish on power-off. - C) The machine must stay online to receive the decryptor. - D) Rebooting is required to list the shadow copies.
Q6. In a ransomware response, what do you acquire first, per the order of volatility? - A) The ransom note text file. - B) A full forensic disk image. - C) A volatile memory (RAM) image. - D) The backup catalog.
Q7. Of the five recovery options, which is described as "the only reliable solution"? - A) A known free decryptor from No More Ransom. - B) Volume Shadow Copy reconstruction. - C) Carving unencrypted originals from unallocated space. - D) Restoring from a clean, offline/immutable backup.
Q8. Finding vssadmin.exe delete shadows /all /quiet in Event ID 4688 tells you two things. Which pair?
- A) The backup succeeded, and the machine is clean.
- B) The attacker deleted the Volume Shadow Copies, and the command's timestamp closely approximates the attack's detonation time.
- C) The user ran a disk-cleanup tool, and no data was lost.
- D) Windows Update ran, and the logs rotated.
Q9. The 2017 NotPetya outbreak displayed a ransom note and payment address but showed victims a random "installation ID" that tracked nothing. What does that tell you? - A) It was a bargain — the key was cheap. - B) It was effectively a wiper: destruction disguised as ransomware, with no recovery at any price. - C) The encryption was weak and brute-forceable. - D) Paying would have produced a working decryptor.
Q10. Under the U.S. Treasury's OFAC advisory, paying a ransom to a sanctioned actor can carry civil penalties under a strict-liability standard. What does "strict liability" mean here? - A) You are liable only if you intended to fund a sanctioned entity. - B) You can be liable even if you did not know the recipient was sanctioned. - C) Liability applies only to the ransomware group, never the victim. - D) Liability is waived if you paid in Monero.
True/False
Q11. Given enough GPUs and time, a recovery vendor can brute-force correctly-implemented AES-256 and recover ransomware-encrypted files without the key. (True / False)
Q12. Carving a TRIM-enabled SSD after a copy-encrypt-delete ransomware attack usually returns almost nothing, because the controller likely zeroed the deleted blocks within seconds. (True / False)
Short answer
Q13. A firm completes a flawless restore from a clean offline backup — near-zero data loss. Explain in two or three sentences why this does not necessarily mean the incident is over.
Q14. State, in two or three sentences, why you image the affected disk (and capture memory) before attempting any recovery — and what a recovery-only "just carve back the files" approach risks destroying.
---
Answer key
Q1 — C. The RSA private key (PRIV_master) never leaves the attacker; the public key is shipped in the malware, the per-file AES key is sealed by the public key and wiped from memory, and only the attacker's private key can unwrap it. That is the entire reason the lock holds.
Q2 — B. The design is coldly commercial: a bricked machine cannot display the note or reach the payment portal, so functioning ransomware leaves you just enough working computer to become a customer. It skips the OS, boot files, and page file on purpose.
Q3 — B. Copy-encrypt-delete unlinks the original, leaving its plaintext in unallocated space until overwritten — theme one, deleted ≠ destroyed — which is often carvable on an HDD (much less so on a TRIM SSD). In-place overwrite, by contrast, genuinely destroys the plaintext.
Q4 — C. When the malware could not reach its C2 server it fell back on a hardcoded offline key reused across victims (personal ID ends in t1), which becomes known and is decryptable; an online ID means a unique server-side key the attacker alone holds, which is not decryptable. Same malware, opposite fates, decided by a network accident.
Q5 — B. "Isolate but do not power off" preserves volatile memory, which may hold the live malware process, active C2 connections, and — for certain flawed families — the symmetric keys themselves, recoverable with memory forensics. A hasty shutdown can throw away the one clear copy of the key the machine ever held.
Q6 — C. Volatile memory is the most fleeting evidence and is captured first; for ransomware it carries a special payoff because the keys may be in RAM. Document and collect the on-screen state next, then acquire the disk image.
Q7 — D. A clean, offline/immutable backup turns the whole incident into a routine wipe-and-restore with no key and no payment — the only reliable recovery method. Every other option is a way of salvaging fragments when this one was unavailable.
Q8 — B. Essentially every serious human-operated strain deletes the shadow copies at detonation to close the Previous-Versions door, so the 4688 entry both confirms the deletion and time-stamps the attack's detonation to a close approximation.
Q9 — B. The random, meaningless installation ID means even the attacker could not map a payment to a key, so there was no recovery for anyone at any price — NotPetya was a destructive cyberweapon wearing ransomware's clothes. This is why precise family identification must precede any recovery attempt.
Q10 — B. Strict liability means a payer can face civil penalties even without knowledge that the recipient was sanctioned; OFAC names cooperation with law enforcement, timely self-reporting, and strong cybersecurity controls as mitigating factors, which is one more reason preservation and reporting are not optional. Counsel must be involved before any payment is contemplated.
Q11 — False. You cannot brute-force correctly-implemented AES-256; it is computationally infeasible (the heat-death-of-the-universe kind). Recovery never comes from beating the math — only from copies the attacker missed, mistakes the attacker made, or keys someone else holds.
Q12 — True. TRIM tells the controller the deleted blocks are free, and garbage collection typically zeroes them within seconds of the unlink — before you ever power the machine off — so carving a ransomware-hit SSD usually returns almost nothing, while the same incident on an HDD can return thousands of files.
Q13 — Model answer. Modern human-operated ransomware usually steals data before encrypting it (double extortion), so the criminals still hold a copy regardless of how perfectly you restore. The exfiltration likely makes this a reportable data breach with its own legal clocks, and paying "for deletion" buys only an unverifiable promise — restoring the files does not un-steal them.
Q14 — Model answer. A ransomware incident is presumptively bound for an insurance claim, breach-notification filing, lawsuit, or law-enforcement case, so you image first (original is sacred), hash it, and keep chain of custody — then do all recovery on copies. A recovery-only carve may return some files while wiping the proof of how the breach happened and what was stolen — exactly what your insurer, regulators, and lawyers will demand, and what a wipe makes irreversible.
Scoring: 13–14 correct — you can run an incident; you understand both the math and the law. 10–12 — solid; re-read the hybrid-encryption model and the five-options ordering. 7–9 — you have the vocabulary but not the boundaries; revisit "Preserve before you destroy" and the OFAC/double-extortion sections before advising anyone on paying. Below 7 — re-read the chapter, especially the prevention section, before any client conversation; in ransomware the cost of getting it wrong is measured in a client's livelihood.