Working remotely has resulted in increased usage of virtual private networks (VPNs), but a lack of experience means that many businesses are not equipped to find and fix security vulnerabilities attacked by malicious hackers. Cyber-attacks targeting vulnerabilities in VPNs are on the rise, particularly ransomware. Therefore, many organizations are trying to protect their networks. Although there are several cybersecurity frameworks and best practices for ransomware, research article case studies on VPN ransomware protection are rarely presented. Thus, there is a need for real case studies to increase cyber security experiences. Thus, this paper introduces three case studies based on qualitative research and a real case study. For the real case study, the network diagram, event log, digital evidence, and digital forensic timeline were presented. For attack analysis, Microsoft ransomware attack framework and MITRE-attack code were used since there is an Active Directory (AD) in case studies. Case analyses were compared for knowledge of cyber security.