A hospital is under ransomware attack. You are the incident-response team. Detect, contain, recover — before patient systems fail.
Meridian Health has gone dark. A ransomware crew is inside the network, and you are on the incident-response team — an original character with a role, a console, and a crisis you did not choose. Detection, hunting, forensics, recovery, command, communications: pick your seat.
Over seventy-two hours you triage alerts, reconstruct the kill-chain, isolate infected segments, face the ransom demand, eradicate the adversary, and restore the hospital. The conflict is detection against evasion — and every decision costs something real.
The single point of command for the response — sets priorities, allocates the team, and owns communication to hospital leadership.
The first line of detection — monitors alerts, triages signal from noise, and raises the alarm that starts the response.
The proactive investigator who hunts the adversary across the environment, surfacing footholds that automated detection missed.
The investigator who reconstructs the attack timeline from evidence, establishing exactly how the adversary got in and how far they reached.
The hands-on engineer who isolates infected segments, rebuilds compromised systems, and restores the hospital from trusted backups.
The team's voice to the outside world — managing breach notification, regulators, the press, and the hard question of the ransom.
The cross-functional team standing up the response — detection, hunting, forensics, recovery engineering, command, and communications. Their charge is to detect, scope, contain, eradicate, and recover from the intrusion while keeping the hospital safe for patients. A clean, verified recovery and a hospital that can be trusted again.
The hospital's executives, clinical leaders, and IT management. They carry responsibility for patient care and the organization's survival, and they want systems back fast — sometimes faster than a sound response allows. Allies of the team, but a source of pressure as well. Continuity of patient care and the survival of the hospital.
The adversary — an organized, financially motivated intrusion crew operating a double-extortion ransomware playbook. Patient, methodical, and businesslike: they encrypt to disrupt and exfiltrate to coerce, and they negotiate like the criminal enterprise they are. Extortion payment through disruption and the threat of disclosure.
The watchers outside the incident — healthcare regulators, law enforcement and cyber authorities, the press, and the patients whose data is at stake. They are owed honest, timely disclosure, and how the team handles them shapes the hospital's standing long after recovery. Accountability, lawful disclosure, and the public interest.
Assemble an incident-response team of 2-6 players. The crisis unfolds on Discord — investigate, decide, and bring the hospital back online together.