
Lab Scenario / Description

Waifu University's cyber team has called you after their IT teams reported a number of servers with files that aren't opening and have a strange extension.

On your scoping call, the victim also said they had identified a ransom note stating their data had been stolen. When asked about any earlier signs, the victim mentioned some strange failed login activity in their EntraID in early March 2024, but it wasn't of concern at the time.

Ransomware will typically avoid encrypting system files so as not to crash the system, which also happens to be where a lot of forensic evidence lives! You have been provided triage images of the hosts and log exports from the relevant systems.

The Waifu University team took triage collections from the affected hosts using the account WAIFU\kscanlan6 at approximately 2024-03-07 05:00:00 UTC. Consider activity after this point related to the response.
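The scoping constraints above (triage collected by WAIFU\kscanlan6 at 2024-03-07 05:00:00 UTC, and earlier failed sign-ins in EntraID) translate directly into a filter an analyst applies to the sign-in export before reading it. As an added example, not part of the lab materials, the script below buckets constructed sample events by that cutoff, splits out the responder account so its activity isn't mistaken for adversary action, and flags failed-then-successful sign-ins from one source inside the investigative window; the event field names are assumed rather than Entra's schema.

```python
from collections import Counter
from datetime import datetime, timezone

# Values stated in the scenario: collection time and responder account.
TRIAGE_CUTOFF = datetime(2024, 3, 7, 5, 0, 0, tzinfo=timezone.utc)
RESPONDER_ACCOUNT = "WAIFU\\kscanlan6"

# Constructed sample sign-in events; field names are assumed, not Entra's schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-02T03:14:00Z", "user": "WAIFU\\jdoe", "ok": False, "src": "203.0.113.9"},
    {"time": "2024-03-02T03:14:30Z", "user": "WAIFU\\jdoe", "ok": False, "src": "203.0.113.9"},
    {"time": "2024-03-02T03:15:02Z", "user": "WAIFU\\jdoe", "ok": True, "src": "203.0.113.9"},
    {"time": "2024-03-05T09:00:00Z", "user": "WAIFU\\asmith", "ok": True, "src": "192.168.0.50"},
    {"time": "2024-03-07T05:30:00Z", "user": "WAIFU\\kscanlan6", "ok": True, "src": "192.168.0.10"},
    {"time": "2024-03-07T06:00:00Z", "user": "WAIFU\\jdoe", "ok": False, "src": "203.0.113.9"},
]

def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-02T03:14:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(events, cutoff=TRIAGE_CUTOFF, responder=RESPONDER_ACCOUNT):
    """Bucket events: before the cutoff is the investigative window; at or after
    it is response activity, with the responder account split out separately."""
    buckets = {"investigate": [], "responder": [], "response": []}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if parse_time(ev["time"]) < cutoff:
            buckets["investigate"].append(ev)
        elif ev["user"] == responder:
            buckets["responder"].append(ev)
        else:
            buckets["response"].append(ev)
    return buckets

def suspicious_signins(events, min_failures=2):
    """Within the investigative window, report (user, src) pairs whose run of
    failed sign-ins was followed by a success from the same source."""
    failures = Counter()
    hits = []
    for ev in classify(events)["investigate"]:
        key = (ev["user"], ev["src"])
        if ev["ok"]:
            if failures[key] >= min_failures:
                hits.append((ev["user"], ev["src"], failures[key], ev["time"]))
            failures[key] = 0
        else:
            failures[key] += 1
    return hits
```

On the sample data this yields one hit: two failures for WAIFU\jdoe from 203.0.113.9 followed by a success on 2024-03-02, while the post-collection responder sign-in is kept out of the investigative bucket.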

Lab Objectives / Questions

Analyst Name: Mike L

Analyst Tag: https://x.com/mikecybersec

Analysis Date: October 13th, 2025


Investigation Scope & Network Topology

Six “on-premises” devices have been identified inside ‘CC-VNET’. The network is split into a DMZ (10.0.0.0/24) and a Prod Network (192.168.0.0/24). The DMZ houses the following:

A ‘Jumpbox’ (CC-JMP-01) sits between the two networks, facilitating access to the following:

An ELK Server can be accessed from both networks:

Additionally, EntraID uses pass-through authentication via the Domain Controller.

Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta

Typical network flow

Users initially connect to the network via the VPN appliance (CC-VPN-01) using SAML authentication. There is only one route from the VPN appliance, which leads to the Virtual Desktop Gateway (CC-VDG-01) providing KASM. From there, users can RDP into the Jumpbox and then across into the Prod Network to either the SQL server (CC-SQL-01) or the Domain Controller (CC-DC-01).

Network topology provided by Waifu University.

<aside> 💡

Note: if you can’t see the timeline items below, click the arrows on the timeline browser to show March 3rd 2024 → March 7th 2024.

</aside>