LockBit Scenario: Cedar Valley Medical Center Crisis
Scenario Details for IMs
Opening Presentation
“It’s Tuesday evening at Cedar Valley Medical Center, and the hospital is operating under surge conditions. The emergency department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, every computer screen across the hospital displays ransom demands, and within minutes, executives receive direct contact from threat actors claiming to have stolen patient data and threatening public release. All systems are encrypted, operations have completely halted, and critical patients are at immediate risk.”
Initial Symptoms to Present:
- “All workstations displaying identical ransom messages with 72-hour countdown”
- “File servers completely encrypted with .lockbit extensions on all files”
- “Threat actors contacted CEO directly claiming to have stolen patient data”
- “Medical equipment losing connectivity to central monitoring systems”
Key Discovery Paths:
Detective Investigation Leads:
- Disk and log forensics show that data was staged and exfiltrated before encryption began
- Ransom note analysis points to a professional criminal operation with detailed knowledge of hospital operations
- Timeline analysis indicates the attackers held access for weeks before triggering encryption
Protector System Analysis:
- File encryption across every network segment, including the one hosting medical devices
- Backup integrity assessment finds that some backups were reachable from the compromised network and may also be encrypted or tampered with
- Network isolation activated only after encryption had already run; it contains further spread but does not undo the damage
Tracker Network Investigation:
- Outbound traffic analysis shows terabytes of patient data transferred to external hosts over several weeks
- Command-and-control traffic matches a professional ransomware-as-a-service operation
- Evidence of reconnaissance and attack customization specific to the hospital
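The Detective and Tracker leads above both rest on the same correlation: large outbound transfers to a small set of external hosts that began weeks before the first encrypted file appeared. The script below is an added example for IMs or players who want to see what that correlation looks like in practice; it is not part of the original scenario. The flow records, file-audit events, internal address ranges, ransom-note filename and 100 GB threshold are all constructed for illustration.

```python
"""Added example (not from the original scenario): correlate outbound flow
records with the first appearance of encrypted files to reconstruct a
double-extortion timeline. All data below is constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style export: timestamp host src_ip dst_ip dst_port bytes_out
FLOW_LOG = """\
2024-10-15T02:14:00 fileserv01 10.20.1.5 203.0.113.45 443 48000000000
2024-10-15T09:30:00 ws-er-07 10.20.4.17 198.51.100.10 443 2100000
2024-10-16T02:20:00 fileserv01 10.20.1.5 203.0.113.45 443 52000000000
2024-10-20T01:58:00 fileserv01 10.20.1.5 203.0.113.45 443 61000000000
2024-10-21T11:02:00 fileserv01 10.20.1.5 10.20.9.8 445 900000000000
2024-10-28T02:05:00 pacs01 10.20.2.9 203.0.113.45 443 73000000000
2024-11-03T02:11:00 pacs01 10.20.2.9 203.0.113.45 443 80000000000
"""

# Constructed file-audit / EDR events: timestamp host path
FILE_EVENTS = r"""2024-11-05T18:42:13 fileserv01 \\fileserv01\records\patient_1001.pdf.lockbit
2024-11-05T18:42:14 fileserv01 \\fileserv01\records\Restore-My-Files.txt
2024-11-05T18:43:01 ws-icu-02 C:\Users\nurse\Desktop\notes.docx.lockbit
"""

# Assumption: the hospital uses these RFC 1918 ranges internally. Checked
# explicitly rather than via ip_address(...).is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ENCRYPTED_SUFFIX = ".lockbit"               # extension named in the scenario
RANSOM_NOTE_NAMES = {"restore-my-files.txt"}  # assumption: note filename used here


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, host, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host, "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def external_outbound_totals(flows):
    """Per external destination: total bytes, first/last seen, sending hosts."""
    totals = {}
    for f in flows:
        if is_internal(f["dst"]):
            continue  # replication/backup traffic inside the network is expected to be large
        t = totals.setdefault(f["dst"], {"bytes": 0, "first": f["ts"],
                                         "last": f["ts"], "hosts": set()})
        t["bytes"] += f["bytes"]
        t["first"] = min(t["first"], f["ts"])
        t["last"] = max(t["last"], f["ts"])
        t["hosts"].add(f["host"])
    return totals


def flag_exfiltration(flows, threshold_bytes=100 * 10**9):
    """External destinations that received more than threshold_bytes in total."""
    return {dst: t for dst, t in external_outbound_totals(flows).items()
            if t["bytes"] > threshold_bytes}


def parse_file_events(text):
    events = []
    for line in text.splitlines():
        ts, host, path = line.split(maxsplit=2)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "path": path})
    return events


def first_encryption_time(events):
    """Earliest sighting of an encrypted file or a ransom note; None if neither."""
    hits = [e["ts"] for e in events
            if e["path"].lower().endswith(ENCRYPTED_SUFFIX)
            or e["path"].replace("\\", "/").rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES]
    return min(hits) if hits else None


def build_timeline(flow_text, file_text, threshold_bytes=100 * 10**9):
    """Join the two sources: when did exfiltration start relative to encryption?"""
    enc = first_encryption_time(parse_file_events(file_text))
    result = {"encryption_started": enc, "exfil": {}}
    for dst, t in flag_exfiltration(parse_flows(flow_text), threshold_bytes).items():
        result["exfil"][dst] = {
            "bytes": t["bytes"], "first": t["first"], "last": t["last"],
            "hosts": sorted(t["hosts"]),
            "days_before_encryption": (enc - t["first"]).days if enc else None,
        }
    return result


if __name__ == "__main__":
    tl = build_timeline(FLOW_LOG, FILE_EVENTS)
    print("first encrypted file:", tl["encryption_started"])
    for dst, info in tl["exfil"].items():
        print(f"{dst}: {info['bytes'] / 1e9:.0f} GB from {info['hosts']}, "
              f"started {info['days_before_encryption']} days before encryption")
```

The internal 900 GB transfer on port 445 is deliberately left in the sample: a threshold alone would flag it, which is why the script filters by destination first. In the constructed data the external destination received 314 GB from two hosts, beginning 21 days before the first `.lockbit` file, which is the "weeks of access before activation" finding the Detective path describes.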
Communicator Stakeholder Interviews:
- Executive team must weigh paying the ransom against recovering from backups, and the regulatory implications of each choice
- Medical staff report complete inability to access patient records affecting life-critical decisions
- Legal team explains HIPAA breach notification requirements and potential liability
Mid-Scenario Pressure Points:
- Hour 1: Emergency patient needs immediate surgery but cannot access medical history or allergy information
- Hour 2: Threat actors increase pressure by showing screenshots of stolen patient records
- Hour 3: News media reports potential data breach affecting hospital operations
- Hour 4: Law enforcement offers assistance but warns payment may fund further criminal activity
Evolution Triggers:
- If ransom payment is made, attackers may demand additional payments or still release data
- If payment is refused, stolen patient data begins appearing on criminal marketplaces
- If recovery takes longer than 72 hours, threat actors may add DDoS attacks against the hospital's public-facing services as a further pressure tactic
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency paper-based patient care protocols while systems recover
- Backups verified clean (isolated from the compromised network, free of encrypted files and ransom notes) and restoration started onto rebuilt systems after the attackers' access has been removed
- Law enforcement coordination established for investigation and potential asset recovery
Business Success Indicators:
- Patient care maintained through manual backup procedures without compromising safety
- Regulatory compliance maintained with proper breach notifications and stakeholder communication
- Business continuity plan activated minimizing operational and financial impact
Learning Success Indicators:
- Team understands double extortion tactics: encryption for operational leverage plus the threat to publish stolen data, which recovery from backups alone does not resolve
- Participants recognize importance of backup isolation and business continuity planning
- Group demonstrates crisis decision-making balancing technical, legal, and operational concerns
Common IM Facilitation Challenges:
If Payment Discussion Is Avoided:
“Your technical response is excellent, but the CEO just received another call from the attackers with screenshots of patient records. The board is asking for your recommendation on payment. What factors do you consider?”
If Data Theft Impact Is Underestimated:
“While you’re working on decryption, the legal team reports that HIPAA requires breach notification for all affected patients. How does stolen data change your response strategy?”
If Business Continuity Is Ignored:
“Your investigation is thorough, but Dr. Torres needs to know: can the emergency department safely operate without electronic systems, or should they divert patients to other hospitals?”