Ransomware is a type of malicious activity aiming to prevent users from accessing their data by encrypting it. For the purposes of analysis of the behaviour of the crypto viruses, objectively collected data is required. Getting metrics from a virtual machine would be resembling the original behaviour of the ransomware on a physical device. Observing, measuring, collecting and extracting data on a physical device during and after encryption is challenging, since all the data would be corrupted once the encryption process is complete. By utilizing two user profiles, members of the local admin group and custom access control lists on certain recourse, a lab laptop is infected with five different samples of ransomware crypto viruses that do not require connection to the command and control server in order to function as intended. A of HDD metrics is successfully collected and extracted.