Large Group Artifacts: LockBit – Hospital Emergency Crisis
Team-specific evidence cards for Multi-Team Coordination format (12-15+ players). Print all cards, sort by team and tier, and keep face-down until the release point for each round. One set per team – do not mix teams.
Organization: Cedar Valley Medical Center (US)
Tier 1 – Initial Indicators
Release at start of Round 1
Alpha x2 – Bravo x2 – Charlie x2
Type: Email header analysis + EDR process tree
Source: SOC alert queue, host CLIN-WS-114, 18:14–18:16 UTC
From: alerts@it-security.example [198.51.100.42]
Subject: Urgent account verification required
Reply-To: access-update@secure-portal.example
Received: from mail.secure-portal.example ([198.51.100.42])
    by cvmc-mail01.cedarvalley.local; 2026-03-06 18:13:47 UTC
X-Spam-Score: 0.2 | Attachment: AccountVerification.docm (68KB)
EDR Alert -- CLIN-WS-114 -- 18:16 UTC
User: clinician.a | Parent: outlook.exe
Process tree:
outlook.exe
└── WINWORD.exe (AccountVerification.docm)
    └── powershell.exe -WindowStyle Hidden -EncodedCommand [base64]
        ├── [network connection: 203.0.113.42:443 -- immediate]
        └── powershell.exe [second stage, downloaded]
            ├── CLIN-WS-201 (SMB lateral -- 18:22 UTC)
            └── ADMIN-WS-009 (SMB lateral -- 18:27 UTC)
Document macro executed without user prompt (AutoOpen).
C2 connection established within 4 seconds of document open.
Sender IP: 198.51.100.42. Reply-To domain: secure-portal.example. From address domain: it-security.example. TI status at time of delivery: no prior hits. clinician.a role: frontline ED clinician, no IT administration.
Analysis direction: Sender/reply-to mismatch + encoded hidden command + instant C2 contact = staged remote execution triggered by the document macro. clinician.a was targeted specifically – the email mimics a Cedar Valley IT security notification, requiring local knowledge of CVMC branding.
Type: EDR mass alert cluster
Source: SOC SIEM correlation, 18:47–18:49 UTC (33 hosts)
18:47:02 CLIN-FS-001 vssadmin.exe Delete Shadows /All [success]
18:47:03 CLIN-FS-001 icacls.exe /grant Everyone:F /T [permission reset]
18:47:04 CLIN-FS-001 powershell.exe start-process LockBit4.exe
18:47:06 ADMIN-FS-003 vssadmin.exe Delete Shadows /All [success]
18:47:07 ADMIN-FS-003 powershell.exe start-process LockBit4.exe
18:47:09 CLIN-WS-114 vssadmin.exe Delete Shadows /All [success]
18:47:10 CLIN-WS-114 powershell.exe start-process LockBit4.exe
18:47:10 CLIN-WS-201 vssadmin.exe Delete Shadows /All [success]
18:47:11 CLIN-WS-201 powershell.exe start-process LockBit4.exe
18:47:12 ADMIN-WS-009 vssadmin.exe Delete Shadows /All [success]
18:47:12 ADMIN-WS-009 powershell.exe start-process LockBit4.exe
18:47:14 [27 additional hosts -- same sequence, completing by 18:47:31 UTC]
First encrypted files detected: 18:47:23 UTC
EDR agent stopped responding: 18:48:12 UTC (agents encrypted)
SIEM last received telemetry: 18:49:07 UTC
Shadow copies: NONE remain on any affected system
vssadmin.exe Delete Shadows /All ran on every affected host before encryption began. Result: success on all. EDR agent stopped responding at 18:48:12 UTC. SIEM last received telemetry at 18:49:07 UTC. 33 hosts detonated within 90 seconds. Shadow copies: none remain on any affected system.
Analysis direction: Simultaneous coordinated detonation = pre-staged payload distributed before tonight via GPO (confirmed in Bravo’s lateral movement card). Attacker had domain admin access before this moment. 33 hosts in 90 seconds is only possible via domain-wide GPO distribution from a compromised DC.
Type: Perimeter firewall log – 21-day lookback
Source: Edge firewall query, all traffic from CLIN-WS-114
2026-02-14 18:16 UTC CLIN-WS-114 → 203.0.113.42:443 2.1KB (initial callback)
2026-02-14 18:22 UTC 203.0.113.42 → CLIN-WS-114 847KB (stage-2 payload)
2026-02-14 18:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (first beacon)
2026-02-15 00:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
2026-02-15 06:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
... [43 identical beacon entries, exact 6-hour intervals, 20 days] ...
2026-03-06 00:14 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon)
2026-03-06 06:14 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon)
2026-03-06 12:14 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon)
2026-03-06 18:14 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- last)
2026-03-06 18:16 UTC 203.0.113.42 → CLIN-WS-114 1.2MB (LockBit payload)
Destination: 203.0.113.42
Domain: cvmc-portal-auth.net (registered 2026-01-28)
Hosting: AS14061 DigitalOcean, Frankfurt
TI status: NO PRIOR HITS at time of first contact (2026-02-14)
Protocol: HTTPS/443 -- encrypted, no DPI inspection at perimeter
45 outbound connections from CLIN-WS-114 to 203.0.113.42 over 21 days. No firewall alerts triggered. Packet size: 0.4KB each. Protocol: HTTPS/443. Domain cvmc-portal-auth.net registered: 2026-01-28 (17 days before phishing email sent on 2026-02-14). Inbound transfer on 2026-03-06 18:16 UTC: 1.2MB. Detonation at 18:47 UTC.
Analysis direction: 21 days of active C2 before detonation. The 1.2MB inbound on March 6 is an operator manually choosing to deploy the ransomware payload – not automated behavior. The regular interval kept it under the noise floor of any reasonable firewall alerting threshold.
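The beacon pattern on this card is exactly what a per-connection threshold misses and an interval-regularity check catches. The following is an added example, not part of the exercise materials: it parses firewall lines in the card's format (sample lines constructed here), groups them per flow, and flags flows whose inter-connection timing and byte counts are both nearly constant. The jitter threshold and the minimum event count are assumptions.

```python
"""Flag low-jitter periodic outbound flows in perimeter firewall log lines.

Added example for the beacon card above; not part of the exercise materials.
Line format and sample lines are constructed to match the card; thresholds
are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the card's format: a few of the 6-hour beacons plus
# ordinary, irregular EMR traffic from the same workstation. Inbound lines
# (no ":port" on the destination) and the "..." summary line are skipped.
SAMPLE_LOG = """\
2026-02-14 18:16 UTC CLIN-WS-114 → 203.0.113.42:443 2.1KB (initial callback)
2026-02-14 18:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (first beacon)
2026-02-15 00:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
2026-02-15 06:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
2026-02-15 12:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
2026-02-15 18:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
2026-02-16 00:28 UTC CLIN-WS-114 → 203.0.113.42:443 0.4KB (beacon -- 6hr)
2026-02-14 18:14 UTC CLIN-WS-114 → epic-srv-01:443 3.2KB (EMR session)
2026-02-14 19:03 UTC CLIN-WS-114 → epic-srv-01:443 1.1KB (EMR session)
2026-02-15 09:41 UTC CLIN-WS-114 → epic-srv-01:443 5.6KB (EMR session)
2026-02-15 11:07 UTC CLIN-WS-114 → epic-srv-01:443 0.9KB (EMR session)
2026-02-15 14:52 UTC CLIN-WS-114 → epic-srv-01:443 2.4KB (EMR session)
2026-02-14 18:22 UTC 203.0.113.42 → CLIN-WS-114 847KB (stage-2 payload)
... [43 identical beacon entries, exact 6-hour intervals, 20 days] ...
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC "
    r"(?P<src>\S+) → (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<size>\d+(?:\.\d+)?)(?P<unit>[KM]?B)"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_line(line):
    """Return (timestamp, src, dst, port, bytes) or None for lines that are not flows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
    size = int(float(m["size"]) * UNITS[m["unit"]])
    return ts, m["src"], m["dst"], int(m["port"]), size


def group_flows(lines):
    """Collect (timestamp, bytes) events per (src, dst, port) tuple."""
    flows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port, size = parsed
            flows[(src, dst, port)].append((ts, size))
    return flows


def robust_jitter(values):
    """Median absolute deviation divided by the median; 0.0 means perfectly
    regular. Using medians keeps one outlier, such as the larger initial
    callback, from masking an otherwise fixed cadence."""
    med = statistics.median(values)
    if med == 0:
        return 0.0
    return statistics.median(abs(v - med) for v in values) / med


def beacon_score(events, min_events=5):
    """Describe the cadence of one flow; None if there are too few events."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    return {
        "count": len(events),
        "median_interval_s": statistics.median(gaps),
        "interval_jitter": robust_jitter(gaps),
        "size_jitter": robust_jitter(sizes),
    }


def find_beacons(lines, max_jitter=0.2, min_events=5):
    """Return flows whose timing AND byte counts are both regular to within
    max_jitter. Real user traffic scatters in both dimensions."""
    hits = {}
    for key, events in group_flows(lines).items():
        score = beacon_score(events, min_events)
        if score and max(score["interval_jitter"], score["size_jitter"]) <= max_jitter:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for (src, dst, port), score in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}:{port}: {score['count']} connections, median interval "
              f"{score['median_interval_s'] / 3600:.1f}h, jitter {score['interval_jitter']:.2f}")
```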
Type: Core switch NetFlow + SMB traffic analysis
Source: CVMC-SW-CORE-01, 18:14–18:47 UTC
CLIN-WS-114 internal connections (new -- no prior history for most):
18:14 CLIN-WS-114 → epic-srv-01:443 HTTPS (normal EMR session)
18:16 CLIN-WS-114 → 203.0.113.42:443 HTTPS (external C2 -- see Bravo IND 1)
18:19 CLIN-WS-114 → CLIN-FS-001:445 SMB [NO PRIOR CONNECTION IN 90 DAYS]
18:23 CLIN-WS-114 → ADMIN-WS-009:445 SMB [CROSS-SUBNET -- NO PRIOR]
18:23 CLIN-WS-114 → ADMIN-WS-009:135 RPC (remote procedure call)
18:27 ADMIN-WS-009 → CLIN-WS-114:445 SMB (return connection)
18:31 ADMIN-WS-009 → CVMC-DC-01:389 LDAP (directory query)
18:31 ADMIN-WS-009 → CVMC-DC-01:88 Kerberos (ticket request)
18:38 CVMC-DC-01 → [all_hosts] SMB/445 (outbound push -- GPO)
18:40 27 hosts: inbound SMB from CVMC-DC-01 simultaneously
Network layout:
  192.168.10.0/24  Clinical VLAN (CLIN-WS-*, CLIN-FS-*, epic-srv-01)
  192.168.20.0/24  Admin VLAN (ADMIN-WS-*, CVMC-DC-01, CVMC-BAK-01)
  192.168.30.0/24  Medical Device VLAN
  Inter-VLAN routing: Layer-3 only -- no stateful inspection between subnets
CLIN-WS-114 had no prior connection history to the admin subnet (192.168.20.0/24). First cross-subnet SMB connection: 18:19 UTC. Domain controller distributed to 27 hosts via GPO at 18:38 UTC. Medical device VLAN (192.168.30.0/24) has Layer-3 adjacency to the admin subnet with no stateful inspection between subnets.
Analysis direction: DC-initiated GPO push to 27 hosts = domain admin compromised at or before 18:38. The medical device subnet is directly reachable via Layer-3 from the admin subnet – same path the attacker used. Immediate VLAN isolation of medical devices is the highest-priority network action.
Type: Nursing command center situation report
Source: Chief Nursing Officer, 18:52 UTC (T+5 minutes post-encryption)
EMERGENCY DEPARTMENT (45 patients, 12 in active triage)
  Patient tracking: DOWN (Epic EMR encrypted)
  Allergy verification: DOWN (12 trauma cases -- manual checks required)
  Lab result delivery: DOWN (LIS offline -- results phoned to nursing)
  ED imaging: DOWN (PACS encrypted)
  Ambulance pre-arrival: DOWN (data link endpoint encrypted)
INTENSIVE CARE UNIT (28 patients, 6 on ventilators)
  Bedside monitoring: ACTIVE (standalone -- not networked to Epic)
  Medication orders: DOWN (pharmacist reviewing all ICU orders manually)
  Lab integration: DOWN (critical values delivered by phone)
  Ventilator management: UNAFFECTED (proprietary OS, not domain-joined)
SURGERY (2 active procedures in progress)
  PACS imaging: DOWN (surgeons proceeding on pre-op imaging only)
  Anesthesia records: Manual documentation -- no electronic backup
  Blood bank interface: DOWN (manual crossmatch protocol activated)
PHARMACY
  Dispensing automation: DOWN
  Manual dispensing: AUTHORIZED by CMO at 18:51 UTC
  Current order backlog: 14 pending -- approx 20 min per order (vs. 2 min)
Paper downtime procedures activated hospital-wide at 18:48 UTC. Nearest alternative hospital: Riverside General, 22 miles, 89% capacity. CMO has requested an ambulance diversion recommendation by 19:15 UTC.
Analysis direction: The 19:15 CMO deadline is the first real executive decision point. Two active surgical procedures without imaging is the most acute patient safety exposure. Paper downtime ceiling (~4 hours) means the clinical situation will deteriorate before any technical recovery is complete.
Type: Extortion communication + confirmed exfiltration evidence
Source: CEO’s phone, 18:55 UTC – encrypted messaging platform
Sender: LB_Affiliate_7 (LockBit affiliate handle)
Received: 2026-03-06 18:55 UTC
---
Cedar Valley Medical Center.
We have encrypted your systems and exfiltrated 2.7GB of patient records,
including PHI, complete medical histories, billing records, and staff data.
You have 72 hours to pay 1,200,000 USD in Bitcoin to:
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
After this deadline your data will be published on our public blog
and offered for sale. Payment guarantees deletion and decryption key.
Do not contact law enforcement.
Do not attempt restoration from backup -- your backup system is gone.
---
Proof files attached (confirmed genuine by CMO at 19:02 UTC):
  File 1: K. Hansen, DOB 1962-04-11, Dx: Stage III pancreatic cancer,
          SSN [redacted], Insurance: BlueCross #BCA-8847721
  File 2: M. Okonkwo, DOB 1978-09-03, Dx: Type 2 diabetes + renal failure,
          current medication list (23 items), next appointment date
  File 3: Invoice #CV-2026-01-7741, itemized procedure codes, insurer ID
Payment deadline: 2026-03-09 18:55 UTC
Proof files confirmed as genuine Cedar Valley records by CMO at 19:02 UTC. Data classification: PHI (HIPAA-covered records). Payment deadline: 2026-03-09 18:55 UTC. The claim that backup systems are “gone” is unverified.
Analysis direction: Breach confirmed at 18:55 UTC – not at end of investigation. HIPAA 60-day OCR notification window opens tonight. The “backup system is gone” claim must be verified immediately – it is either true (catastrophic for recovery) or a bluff (falsifiable quickly).
Tier 2 – Deep Analysis
Release at start of Rounds 2 and 3 (3 cards per team)
Alpha x3 – Bravo x3 – Charlie x3
Type: Authentication log correlation – full attack sequence
Source: Windows Security Event Logs, 18 systems, 18:14–18:47 UTC
18:13 UTC  clinician.a receives email -- AccountVerification.docm
18:14 UTC  clinician.a opens document on CLIN-WS-114
18:16 UTC  Macro executes -- powershell.exe contacts 203.0.113.42:443
18:16 UTC  Stage-2 payload downloaded (847KB) and runs in memory
18:17 UTC  LSASS memory read detected on CLIN-WS-114
           [Process: powershell.exe, Access: 0x1010 -- credential dump]
18:19 UTC  Credential 'it.admin.b' used FROM CLIN-WS-114
           [Event 4624 -- network logon to CLIN-FS-001]
18:23 UTC  'it.admin.b' authenticates to ADMIN-WS-009 (cross-subnet)
18:27 UTC  'it.admin.b' authenticates to CVMC-DC-01
           [Event 4672 -- special privileges assigned -- SeDebugPrivilege]
18:31 UTC  New GPO created: "CVMC_Update_Policy"
           Script: \\CVMC-DC-01\SYSVOL\deploy\update.bat (contains LockBit4.exe)
18:38 UTC  GPO pushed to all domain hosts via scheduled task
18:47 UTC  LockBit4.exe detonates on 33 hosts (via GPO scheduled task)
Total elapsed time -- phishing click to detonation: 33 minutes
Total elapsed time -- phishing click to domain admin: 13 minutes
LSASS memory read detected on CLIN-WS-114 at 18:17 UTC (process: powershell.exe, access: 0x1010). Credential it.admin.b first used from CLIN-WS-114 at 18:19 UTC. Domain admin privileges (SeDebugPrivilege) obtained at 18:27 UTC. GPO CVMC_Update_Policy created at 18:31 UTC. Total elapsed time phishing click to domain admin: 13 minutes.
Analysis direction: it.admin.b credentials were harvested via LSASS memory read – standard Mimikatz-style dump. The pivot to domain admin is the critical moment – after 18:38, the entire domain was in attacker control. CVMC-DC-01 is still running and its memory may still contain attacker artifacts.
Type: Static and behavioral malware analysis
Source: Sandbox analysis of LockBit4.exe quarantine sample from CLIN-WS-114
File: LockBit4.exe
Size: 1.2MB | Type: PE32+ executable (Windows x64)
Hash (SHA256): 3a1f8b2c9d4e7f0a5b6c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a
Behavior (sandbox, 60-second run):
Evasion:
  Terminates: vss, wbadmin, backup, mssql, exchange, mysql (29 services)
  Deletes: Volume Shadow Copies via vssadmin.exe
  Self-deletes after completion (no artifact left on disk)
Encryption:
  Algorithm: AES-256 per file (unique key per file)
  Key exchange: RSA-2048 (public key embedded in binary)
  Skip list: .exe .dll .sys .lnk (system stability preserved)
  Extension: .lockbit4 appended to all encrypted files
  Ransom note: !!READ_ME_LOCKBIT.txt written to every directory
C2 callback:
  On completion: POST to 203.0.113.42:443 (success/fail report)
  Payload includes: hostname, encrypted file count, domain name
Network behavior:
  No lateral movement capability -- spreading was done before detonation
  No exfiltration -- data was exfiltrated in prior weeks (see Bravo Deep 1)
Skip list: .exe .dll .sys .lnk. Extension appended to encrypted files: .lockbit4. RSA-2048 public key embedded in binary. Self-deletes after completion. No lateral movement capability in binary. Exfiltration not performed by binary (see Bravo Deep 1).
Analysis direction: Selective skip list (keeps system bootable), ransom note in every directory, C2 success callback – this is purpose-built extortion tooling, not destructive malware. The attacker expects to be paid. The binary leaving no disk artifact matters for forensics – evidence is in memory and logs, not the binary itself.
Type: Forensic timeline – full 21-day activity reconstruction
Source: File access logs, email gateway, endpoint telemetry, proxy logs
2026-02-13  Phishing email delivered to clinician.a -- no action taken
2026-02-14  Identical email resent -- clinician.a opens attachment, 18:14 UTC
            Payload deployed, C2 established, it.admin.b credentials stolen
2026-02-15  First network reconnaissance -- LDAP queries for all domain users
            and computers from CLIN-WS-114 (02:18 UTC -- after hours)
2026-02-17  Access to CVMC-BAK-01 (backup server) -- 7 shares enumerated
            [it.admin.b, 01:44 UTC]
2026-02-19  First bulk exfiltration: 847MB -- \\CLIN-FS-001\PatientRecords
            [02:33 UTC -- after hours]
2026-02-22  Second CVMC-BAK-01 access -- backup catalog read, schedule noted
2026-02-27  Second bulk exfiltration: 1.2GB -- \\CLIN-FS-001\Billing
            [03:11 UTC -- after hours]
2026-02-28  Domain admin credential obtained (method: Pass-the-Hash from DC)
2026-03-03  Third bulk exfiltration: 634MB -- \\CLIN-FS-001\StaffRecords
            [01:55 UTC -- after hours]
2026-03-05  LockBit4.exe staged to 6 key systems via GPO (dry run -- no exec)
2026-03-06  Final detonation -- operator decision, 18:47 UTC
Initial access: 2026-02-14. Detonation: 2026-03-06. Elapsed: 20 days. All three exfiltration events occurred after midnight. Backup server first accessed: 2026-02-17. Backup catalog read: 2026-02-22. LockBit4.exe staged to 6 systems via GPO: 2026-03-05 (dry run, no execution). Last clean backup: 2026-02-20 02:30 UTC.
Analysis direction: Breach date is February 14 – not tonight. Three weeks of access, three exfiltration events before encryption. Backup server was surveilled specifically. The operator chose a Friday evening detonation – maximizing recovery difficulty while minimizing immediate detection by IT staff.
Type: DLP alert correlation + proxy log analysis
Source: Web proxy, DLP system, and NetFlow – February 19 to March 3
DLP alert log -- CLIN-WS-114 outbound transfers to 203.0.113.42:443:
2026-02-19 02:33 UTC  CLIN-WS-114 → 203.0.113.42:443
  Volume: 847MB outbound (alert threshold: 100MB -- should have triggered)
  DLP status: ALERT SUPPRESSED -- rule exception "it.admin.b" (exempt account)
  File types: .pdf (38%), .hl7 (29%), .docx (18%), .csv (15%)
  Source dirs: \\CLIN-FS-001\PatientRecords
2026-02-27 03:11 UTC  CLIN-WS-114 → 203.0.113.42:443
  Volume: 1.2GB outbound
  DLP status: ALERT SUPPRESSED -- rule exception "it.admin.b"
  File types: .pdf (52%), .csv (31%), .xlsx (17%)
  Source dirs: \\CLIN-FS-001\Billing
2026-03-03 01:55 UTC  CLIN-WS-114 → 203.0.113.42:443
  Volume: 634MB outbound
  DLP status: ALERT SUPPRESSED -- rule exception "it.admin.b"
  File types: .pdf (61%), .docx (25%), .csv (14%)
  Source dirs: \\CLIN-FS-001\StaffRecords
Total exfiltrated: ~2.7GB across three events
Confirmed file types: HL7 clinical records, billing, staff data
DLP alert threshold: 100MB outbound. Account it.admin.b was exempt from DLP thresholds (IT administrator role exception). All three exfiltration events: DLP status ALERT SUPPRESSED. Total exfiltrated: ~2.7GB across three events. Source directories: \\CLIN-FS-001\PatientRecords, \\CLIN-FS-001\Billing, \\CLIN-FS-001\StaffRecords.
Analysis direction: The DLP exception for it.admin.b is what made 2.7GB of patient and billing data walk out undetected over 12 days. The attacker specifically used the stolen IT admin credential for exfiltration, knowing (or guessing) it bypassed alerting. This is a systemic policy gap, not a detection failure.
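To make the policy gap concrete, here is an added example (not part of the exercise materials and not any DLP product's rule syntax) that evaluates the card's three transfers under a rule with a blanket account exemption and under a corrected rule that honors the exemption only for internal destinations, plus a rolling-window external total that ignores exemptions entirely. The transfer records are constructed from the card (with one routine backup copy and one small user upload added), and the internal address ranges, policy fields and thresholds are assumptions.

```python
"""Evaluate outbound transfers under the DLP rule that suppressed the three
exfiltration events on the card above, and under a corrected rule.

Added example; not part of the exercise materials and not any DLP product's
rule language. Transfer records are constructed from the card plus one
routine backup copy and one small user upload; the policy fields and the
internal address ranges are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed hospital ranges, taken from the network layout card.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")]


@dataclass(frozen=True)
class Transfer:
    when: str        # "YYYY-MM-DD HH:MM" UTC
    src_host: str
    dst_ip: str
    account: str
    volume_mb: float
    source_dir: str


@dataclass(frozen=True)
class Policy:
    threshold_mb: float = 100.0
    exempt_accounts: frozenset = frozenset()
    exemption_internal_only: bool = False  # False reproduces the card's gap
    rolling_days: int = 14
    rolling_threshold_mb: float = 1000.0


# Constructed records: the three card events, a nightly copy from the file
# server to CVMC-BAK-01 (192.168.20.45), and a small clinician upload.
TRANSFERS = [
    Transfer("2026-02-19 02:33", "CLIN-WS-114", "203.0.113.42", "it.admin.b", 847.0, r"\\CLIN-FS-001\PatientRecords"),
    Transfer("2026-02-20 02:30", "CLIN-FS-001", "192.168.20.45", "it.admin.b", 5400.0, r"\\CLIN-FS-001\PatientRecords"),
    Transfer("2026-02-27 03:11", "CLIN-WS-114", "203.0.113.42", "it.admin.b", 1228.8, r"\\CLIN-FS-001\Billing"),
    Transfer("2026-03-03 01:55", "CLIN-WS-114", "203.0.113.42", "it.admin.b", 634.0, r"\\CLIN-FS-001\StaffRecords"),
    Transfer("2026-03-04 14:10", "CLIN-WS-088", "198.51.100.77", "clinician.c", 12.0, r"\\CLIN-FS-001\Forms"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(t, policy):
    """Per-transfer verdict: BELOW_THRESHOLD, SUPPRESSED (exemption applied) or ALERT."""
    if t.volume_mb < policy.threshold_mb:
        return "BELOW_THRESHOLD"
    if t.account in policy.exempt_accounts:
        # The card's rule exempts the account everywhere; the corrected rule
        # honors the exemption only for destinations inside the hospital.
        if not policy.exemption_internal_only or is_internal(t.dst_ip):
            return "SUPPRESSED"
    return "ALERT"


def verdicts(transfers, policy):
    return [(t.when, t.account, t.dst_ip, evaluate(t, policy)) for t in transfers]


def rolling_external_totals(transfers, policy):
    """Per account, the largest total sent to external addresses inside any
    rolling_days window; accounts at or above rolling_threshold_mb are returned.
    Exemptions are ignored here, so a slow drip by an exempt account still shows."""
    ext = sorted(((datetime.strptime(t.when, "%Y-%m-%d %H:%M"), t)
                  for t in transfers if not is_internal(t.dst_ip)), key=lambda p: p[0])
    span = timedelta(days=policy.rolling_days)
    flagged = {}
    for i, (start, t0) in enumerate(ext):
        total = sum(t.volume_mb for when, t in ext[i:]
                    if t.account == t0.account and when - start <= span)
        if total >= policy.rolling_threshold_mb:
            flagged[t0.account] = max(flagged.get(t0.account, 0.0), round(total, 1))
    return flagged


CARD_POLICY = Policy(exempt_accounts=frozenset({"it.admin.b"}))
FIXED_POLICY = Policy(exempt_accounts=frozenset({"it.admin.b"}), exemption_internal_only=True)

if __name__ == "__main__":
    for name, policy in (("card rule", CARD_POLICY), ("corrected rule", FIXED_POLICY)):
        print(name)
        for when, account, dst, verdict in verdicts(TRANSFERS, policy):
            print(f"  {when} {account} -> {dst}: {verdict}")
    print("rolling external totals (MB):", rolling_external_totals(TRANSFERS, FIXED_POLICY))
```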
Type: Network topology audit + backup compromise confirmation
Source: Network configuration review + event logs, 20:00 UTC
CVMC-BAK-01 -- backup server
  IP: 192.168.20.45 (admin subnet -- same as ADMIN-WS-009, CVMC-DC-01)
  OS: Windows Server 2019
  Auth: Domain-joined -- accepts domain admin credentials
  Firewall: NONE between 192.168.20.0/24 and backup storage LUNs
  Backup job: Runs nightly at 02:30 UTC -- last clean backup: 2026-02-20 02:30 UTC
Compromise timeline:
  2026-02-17 01:44 UTC  CVMC-BAK-01 accessed via it.admin.b (7 shares enumerated)
  2026-02-22 02:15 UTC  CVMC-BAK-01 accessed again -- backup catalog read
  2026-03-06 18:38 UTC  Domain admin credential obtained (same session as DC)
  2026-03-06 18:41 UTC  CVMC-BAK-01 accessed with domain admin -- 3 minutes
  2026-03-06 18:45 UTC  Backup catalog deleted -- backup encryption begins
  2026-03-06 18:47 UTC  LockBit detonation (2 minutes after backup encrypted)
Tape backup:
  Last tape rotation: 2026-02-20 (14 days before incident -- offsite)
  Tape location: Iron Mountain facility, 40 miles from CVMC
CVMC-BAK-01 IP: 192.168.20.45 (admin subnet, same as ADMIN-WS-009 and CVMC-DC-01). Firewall between admin subnet and backup storage LUNs: none. Backup catalog deleted: 2026-03-06 18:45 UTC. Backup encryption began: 18:45 UTC. LockBit detonation: 18:47 UTC. Last tape rotation: 2026-02-20 (offsite, Iron Mountain facility, 40 miles from CVMC). Tape is the only remaining restore point.
Analysis direction: Backup placement in the admin subnet – a convenience decision from 2024 – is what allowed a single credential to destroy both live systems and backups. The tape (Feb 20) is the only recovery path. 14 days of patient records are unrecoverable without paying. This is a design failure, not an operational one.
Type: Biomedical device registry + network adjacency analysis
Source: Biomedical Engineering + Network team, 20:30 UTC
Medical Device VLAN: 192.168.30.0/24
Routing to admin VLAN (192.168.20.0/24): Layer-3 -- NO ACL restriction
LockBit propagation to medical devices: NOT CONFIRMED (LockBit self-deleted)
C2 channel (203.0.113.42) status from medical device IPs: NOT CONFIRMED
Devices on 192.168.30.0/24 -- registered inventory:
Device Type                  Count  OS                   Patch Status
---------------------------  -----  -------------------  --------------------------
Patient monitors (Philips)      14  Embedded Linux       No patch -- vendor lock
Infusion pumps (BD Alaris)       6  Windows Embedded 7   No update path available
PACS workstations                3  Windows 7 (32-bit)   Medical device cert blocks
Ventilator interfaces            2  Proprietary OS       No remote management
Portable ECG stations            4  Android 8 (EOL)      No update available
LockBit behavior note:
  LockBit4.exe self-deletes after completion -- encrypted hosts cannot re-spread
  C2 channel may still be active on any running, unencrypted host
  Active C2 session could still be used for manual pivot to medical devices
LockBit4.exe self-deletes after completion on encrypted hosts. C2 channel (203.0.113.42) status from medical device IPs: not confirmed. Routing from admin VLAN (192.168.20.0/24) to medical device VLAN (192.168.30.0/24): Layer-3, no ACL restriction. Patch status for all registered medical devices: no updates available (vendor lock, EOL OS, or medical device certification blocks).
Analysis direction: LockBit self-deleted – no worm spreading from encrypted hosts. The real risk is an operator still active via C2 from any running host with network access to 192.168.30.0/24. Isolating the medical device subnet from the admin VLAN is the priority – Layer-3 adjacency with no ACL is the architectural gap.
Type: Business impact assessment
Source: COO and CFO briefing, 20:00 UTC
OPERATIONAL STATUS (20:00 UTC -- T+70 minutes)
System                Status            Impact
--------------------  ----------------  ----------------------------------------
Epic EMR              ENCRYPTED         All patient records inaccessible
PACS imaging          ENCRYPTED (45%)   Radiology halted; 3 standalone units OK
Pharmacy automation   ENCRYPTED         Manual: 20 min/order (vs. 2 min)
Revenue cycle         ENCRYPTED         All billing halted -- $0 intake
Lab information sys   ENCRYPTED         Results by phone only
ED tracking board     ENCRYPTED         Paper-based tracking activated
FINANCIAL EXPOSURE SUMMARY
Revenue impact: ~$180,000 per day during full system downtime
  (ED, elective procedures, revenue cycle all halted)
Cyber insurance:
  Total coverage: $2,000,000
  Deductible: $500,000
  Ransomware limit: $1,000,000 (sub-limit)
  Ransom demand: $1,200,000 (exceeds ransomware sub-limit by $200,000)
  Board approval: Required for any payment above insurance coverage
Recovery cost estimate (comparable incidents):
  Average recovery: 18 days to full restoration
  Estimated cost: $3,200,000 (labor, hardware, consulting, legal)
Legal exposure:
  HIPAA breach: Confirmed -- PHI exfiltrated
  OCR notification: 60-day deadline (May 6)
  Class action risk: Comparable hospital settlements $1M--$5M
Ransom demand: $1,200,000. Cyber insurance ransomware sub-limit: $1,000,000. Demand exceeds sub-limit by $200,000. Board approval required for any payment above insurance coverage. Estimated recovery cost (comparable incidents): $3,200,000. Average recovery time (comparable incidents): 18 days. Revenue impact during full system downtime: ~$180,000 per day.
Analysis direction: The insurance sub-limit doesn’t cover the full demand – this escalates to board level. The financial case (pay $1.2M vs. $3.2M recovery) is seductive but ignores FBI guidance, OFAC sanctions risk, 40% decryptor failure rate, and the fact that payment doesn’t remove attacker access. The board needs all of that context.
Type: Legal briefing – mandatory notifications and deadlines
Source: General Counsel, 20:30 UTC
NOTIFICATION MATRIX -- Cedar Valley Medical Center incident
Obligation           Trigger            Deadline          Status
-------------------  -----------------  ----------------  --------------------
HIPAA OCR            PHI exfiltrated    60 days (May 6)   Not yet filed
State Health Dept    Patient safety     72 hours          DUE THURSDAY 18:55
Cyber insurer        Policy incident    24-48 hours       DUE BY TOMORROW
Board Chair          Any material       Immediate         Notified 19:30 ✓
FBI                  Discretionary      None              Recommended
Affected patients    HIPAA              60 days (May 6)   Pending scope count
HIPAA BREACH CLASSIFICATION:
  PHI confirmed exfiltrated: YES (proof files confirmed 19:02 UTC)
  Patient count (estimate): 12,000--18,000 affected (investigation ongoing)
  Breach date: 2026-02-14 (first unauthorized access)
  Public notification req: YES (>500 patients -- media notification required)
  HHS "wall of shame": Triggered automatically by OCR notification
LEGAL NOTE ON RANSOM INSTRUCTION:
  Attacker instruction: "Do not contact law enforcement"
  HIPAA requirement: Notification required regardless of attacker demands
  FBI position: Reporting strongly recommended -- active intelligence exists
  Consequence of non-reporting: Potential HIPAA violation for delayed notification
State health department 72-hour window: runs from 18:55 UTC 2026-03-06, closes 2026-03-09 18:55 UTC. Cyber insurer notification deadline: 24-48 hours from incident. HIPAA OCR 60-day notification window: opens from breach confirmation (19:02 UTC). Estimated affected patients: 12,000–18,000 (investigation ongoing). Breach date for HIPAA purposes: 2026-02-14 (first unauthorized access).
Analysis direction: State health department 72-hour window closes Thursday. Insurer notification contractually required within 24-48 hours. Both can be “preliminary notification – incident under investigation.” Missing either deadline creates compounding legal exposure on top of the breach itself.
Type: Executive decision brief – payment options analysis
Source: CFO + General Counsel, 21:15 UTC
RANSOM PAYMENT ANALYSIS
Demand: $1,200,000 USD in Bitcoin
Deadline: 2026-03-09 18:55 UTC (72 hours from tonight)
IN FAVOR OF PAYMENT:
  + LockBit decryptor success rate: ~60% in comparable hospital cases (FBI data)
  + Tape backup data gap: 14 days of patient records unrecoverable otherwise
  + 72-hour publication deadline is genuine -- prior victims confirm
  + Full recovery cost (~$3.2M, 18 days) substantially exceeds ransom amount
  + Decryption, if successful, reduces recovery time from 18 days to 5-7 days
AGAINST PAYMENT:
  - FBI advises against: active LockBit investigation, payment funds criminal ops
  - Decryptor partial failure rate: 40% (data corruption, incomplete decryption)
  - OFAC sanctions risk: depends on cryptocurrency routing -- legal review required
  - Payment does NOT remove attacker from network -- rebuild required anyway
  - No guarantee of data deletion after payment (no verification mechanism)
  - Sets precedent and marks CVMC as "willing to pay" for future targeting
DECISION AUTHORITY:
  Payment amount: Requires board vote (exceeds insurance sub-limit)
  Payment method: Requires OFAC legal clearance before any Bitcoin transfer
  Timeline: Board must convene before 2026-03-07 12:00 UTC to allow
            legal review and cryptocurrency acquisition time
BOARD DECISION DEADLINE: 2026-03-09 18:55 UTC
Decision authority: board vote required (payment exceeds insurance sub-limit). OFAC legal clearance required before any Bitcoin transfer. Board must convene before 2026-03-07 12:00 UTC to allow legal review and cryptocurrency acquisition. LockBit decryptor success rate: ~60% in comparable hospital cases (FBI data). Partial failure rate: 40%.
Analysis direction: The IR team cannot and should not make the payment call. Their job is accurate facts: recovery options and timelines, data scope and insurance limits, law enforcement position, and the specific risk that payment neither removes attacker access nor guarantees data deletion. The board needs all of that – not a recommendation.
Tier 3 – Developments
Release at start of Rounds 4 and 5 (2 cards per team)
Alpha x2 – Bravo x2 – Charlie x2
Type: Digital forensics triage report
Source: IR team, 20:15 UTC
EVIDENCE PRESERVED (prior to or concurrent with encryption):
  CLIN-WS-114 memory dump:
    Captured: 19:40 UTC | Size: 16GB | Status: CLEAN CHAIN OF CUSTODY
    Contains: Malware process artifacts, LSASS dump content, C2 comms
    Note: This is the primary forensic exhibit -- do not reboot this machine
  Network PCAP -- edge firewall, 18:10--18:55 UTC:
    Captured: 19:15 UTC | Coverage: Full lateral movement window
    Contains: SMB lateral, C2 beaconing, exfiltration sessions (encrypted)
    Note: Preserves timing and volume but content is TLS-encrypted
  Email gateway logs -- 90 days:
    Captured: 19:50 UTC | Covers: Phishing delivery chain Feb 13--Mar 6
    Note: Confirms two-email delivery pattern
EVIDENCE AT RISK -- TIME-SENSITIVE:
  CVMC-DC-01 (domain controller):
    Status: NOT ENCRYPTED -- still running, powered on
    Contains: GPO artifacts, attacker tooling in memory, credentials
    Risk: Memory lost on ANY reboot or power loss
    Action: Memory dump REQUIRED before any restart or recovery action
  Edge firewall NetFlow, 18:00--18:55 UTC:
    Retention policy: 72-hour rolling window
    Loss deadline: 2026-03-09 18:00 UTC (Thursday evening)
    Action: Export NOW -- cannot be recovered after deletion
ENCRYPTED AND INACCESSIBLE (pending recovery):
  CLIN-FS-001 and ADMIN-FS-003 file access logs
  Windows Security Event Logs on 14 clinical workstations
CVMC-DC-01 status: NOT ENCRYPTED, still running. Memory contents: GPO artifacts, attacker tooling, credentials. Memory is lost on any reboot or power loss. Edge firewall NetFlow retention policy: 72-hour rolling window. NetFlow loss deadline: 2026-03-09 18:00 UTC. After that deadline, data cannot be recovered.
Analysis direction: CVMC-DC-01 must be imaged before any recovery action. Its memory contains the attacker’s GPO configuration and potentially encryption key material. The NetFlow 72-hour window is a hard deadline – it expires Thursday evening and cannot be recovered after deletion. These are the two time-critical forensic actions.
Type: FBI Cyber Division threat intelligence briefing
Source: FBI liaison, shared 22:00 UTC
INDICATOR CORRELATION -- LockBit 3.0 Affiliate Activity
IOC matched to known affiliate cluster:
  203.0.113.42: Seen in 3 prior hospital incidents (Nov 2025, Jan 2026)
  cvmc-portal-auth.net: Infrastructure pattern -- victim-specific domain per case
  GPO deployment: Affiliate playbook confirmed in 14 prior incidents
  3-week dwell time: Median 18 days across this affiliate's tracked cases
  Shadow copy + 72hr: LockBit 3.0 operational standard
HEALTHCARE TARGETING PROFILE (this affiliate):
  Healthcare % of attacks: 23% (highest sector by frequency)
  Primary entry vector: Phishing to non-IT staff (67% of health cases)
  Average ransom demand: $1.2M (consistent with this incident)
  Average dwell time: 18 days before detonation
  Decryptor track record: Provided in 60% of paid cases; partial failure 40%
PRIOR HOSPITAL CASES (this affiliate, last 6 months):
  November 2025: Midwest regional hospital -- paid $800K, partial decryptor failure
  January 2026: East Coast trauma center -- did not pay, 22-day recovery
  February 2026: Southeast community hospital -- paid $1.1M, full recovery
FBI POSITION ON PAYMENT:
  Active investigation: YES -- this affiliate is under investigation
  Payment impact: Funds criminal operations, potentially delays prosecution
  FBI recommendation: Do not pay -- reporting assists active case
  Alternative support: FBI can provide decryptor analysis and recovery assistance
FBI active investigation: YES (this affiliate). IOC 203.0.113.42 matched to 3 prior hospital incidents (November 2025, January 2026). Prior cases: November 2025 Midwest regional hospital – paid $800K, partial decryptor failure. January 2026 East Coast trauma center – did not pay, 22-day recovery. February 2026 Southeast community hospital – paid $1.1M, full recovery.
Analysis direction: Financially motivated affiliate, not state-sponsored. Active FBI investigation changes the calculus on payment – cooperation may have practical benefits beyond the moral argument. The 22-day non-payment recovery in January 2026 is the most directly comparable case for recovery planning.
Type: Infrastructure recovery options assessment
Source: IT Infrastructure Lead, 21:00 UTC
RECOVERY OPTIONS ANALYSIS
Option A -- Full tape restore + domain rebuild [RECOMMENDED]
Clean break from compromised infrastructure
Steps:
1. Provision new AD domain (new domain, new DC -- do NOT rebuild CVMC-DC-01)
2. Restore core servers from Feb 20 tape (offsite, 40 miles)
3. Patch and rejoin workstations to new clean domain
4. Restore CLIN-FS-001 patient records (Feb 20 baseline)
Timeline: 10--14 hours for ED/ICU systems; 3--5 days for full hospital
Data gap: Feb 20 -- Mar 6 patient records (14 days) -- manual reconstruction
Risk: Domain rebuild is complex; requires experienced AD administrator
Option B -- Ransom payment + decryptor
Assumes attacker provides working decryptor
Steps:
1. Obtain Bitcoin, transfer payment
2. Await decryptor key from attacker (hours to days)
3. Run decryption on all affected hosts
4. Rebuild domain regardless (still compromised -- attacker retains access)
Timeline: 24--48 hours if decryptor works fully
Risk: 40% partial failure rate; domain rebuild still required; legal (OFAC) review required before any payment
Option C -- Hybrid [FASTEST FOR CLINICAL CARE]
Priority: Get ED and ICU online fastest; rebuild fully in parallel
Steps:
1. Stand up isolated mini-domain (new AD, 2 workstations -- 2 hours)
2. Restore Epic application server from tape to isolated environment
3. Bring ED patient tracking and ICU orders online (6 hours)
4. Full hospital recovery via Option A in parallel (48--72 hours)
Timeline: 6 hours for ED/ICU; 48--72 hours for full
Risk: Complex -- dual track; requires clear sequencing
CRITICAL NOTE: CVMC-DC-01 is compromised but NOT encrypted. Restoring any system to the existing domain puts it back under attacker control. A new domain is mandatory regardless of option chosen.
CVMC-DC-01 is compromised but NOT encrypted. Restoring any system to the existing domain puts it back under attacker control. Tape location: Iron Mountain facility, 40 miles from CVMC. Last clean tape: 2026-02-20. Data gap if restoring from tape: 2026-02-20 to 2026-03-06 (14 days of patient records).
Analysis direction: There is no path to recovery that preserves the existing AD environment – it is owned. Option C (hybrid) is the fastest path to clinical systems while full recovery runs in parallel. The tape retrieval needs to be authorized now regardless of which option is chosen.
Type: Emergency services network assessment Source: IT Infrastructure + County Ambulance Service liaison, 21:45 UTC
CVMC-AMB-GW-01 -- ambulance pre-arrival data gateway
IP: 192.168.40.1 (ambulance DMZ -- dedicated /24 subnet)
Firewall: Dedicated ACL between 192.168.40.0/24 and clinical network
Status: NOT AFFECTED by LockBit (ACL blocked GPO propagation)
Assessment of ambulance operations impact:
Pre-arrival data (inbound):
Status: ARRIVING correctly at gateway (county EMS systems unaffected)
Problem: ED Epic endpoint is encrypted -- data cannot be received
Workaround: Ambulance crews radioing patient details verbally to ED triage
Capacity: Sustainable 6--8 hours per paramedic coordinator estimate
Ambulance diversion (outbound status updates):
Current: DIVERTED since 19:18 UTC per CMO authorization
Active: All new emergencies routed to Riverside General (22 miles) and Valley Medical Center (31 miles)
Capacity at receiving hospitals:
Riverside General: 89% occupied -- 8 ED beds available
Valley Medical: 82% occupied -- 14 ED beds available
Restoration path for data reception:
Minimum requirement: One clean workstation with Epic client
Method: Restore single workstation from Feb 20 tape to isolated segment
Estimated time: 2--3 hours from tape retrieval
Patient safety impact: Eliminates verbal-only pre-arrival handoffs
Current verbal handoff risk:
12 ambulance runs since diversion activated
3 involved complex patients with medication allergies
No adverse events reported -- but this is a manual process under stress
CVMC-AMB-GW-01 status: NOT AFFECTED by LockBit. Pre-arrival data arriving correctly at gateway. County EMS systems: unaffected. Problem: ED Epic endpoint is encrypted. Current workaround: ambulance crews radioing patient details verbally. Active ambulance diversion since: 19:18 UTC. Minimum requirement to restore data reception: one clean workstation with Epic client. Estimated time: 2–3 hours from tape retrieval.
Analysis direction: Ambulance data link infrastructure is completely intact – the gap is the encrypted Epic endpoint at Cedar Valley’s ED. A single clean workstation restore (2–3 hours) restores data reception. This is a relatively fast win that can be run in parallel with the main recovery and directly reduces patient safety risk from verbal handoff errors.
Type: Communications risk assessment Source: PR Director + General Counsel, 22:00 UTC
CURRENT MEDIA EXPOSURE (22:00 UTC assessment)
Active news coverage: NONE CONFIRMED
Social media mentions: 3 staff personal accounts -- "hospital computer problems"
Patient awareness: ~45 ED patients witnessed ransom screens tonight
Staff awareness: ~280 staff on shift -- all aware of system outage
ANTICIPATED ESCALATION TIMELINE:
T+0 hours (now): Internal -- staff and patients aware of outage
T+24--48 hours: LockBit public blog typically posts victim name
(if unpaid -- 72-hour clock runs to Mar 9 18:55)
T+2--4 hours post-blog: Local media pickup (scanner traffic, blog discovery)
T+4--6 hours post-blog: State health department inquiry
T+24 hours post-blog: Potential national coverage (healthcare + ransomware)
T+72 hours (HIPAA): Patient notification obligation begins
(60-day window, but OCR prefers early voluntary filing)
COMMUNICATIONS RISK ASSESSMENT:
Uncontrolled disclosure risk: HIGH (LockBit blog is public)
Narrative control window: NARROW -- approx 24--48 hours
Recommended positioning: "Cybersecurity incident, patient care maintained, investigation ongoing" -- say nothing more
Spokesperson: CMO or CEO only -- single voice
Confirm data theft: NO, until legally required to disclose
Law enforcement: Do not confirm or deny in public statement
Active news coverage as of 22:00 UTC: none confirmed. Social media mentions: 3 staff personal accounts referencing “hospital computer problems.” Patient awareness: ~45 ED patients witnessed ransom screens. Staff awareness: ~280 staff on shift. LockBit public blog typically posts victim name within 24–48 hours of a missed deadline. Narrative control window: approximately 24–48 hours.
Analysis direction: The first statement sets the narrative. “Responding to a cybersecurity incident while maintaining patient care” is defensible. The window for proactive framing closes when LockBit publishes – which is not within the IR team’s control. The IR team’s job is to have accurate facts ready for the spokesperson, not to make communications decisions.
Type: Recovery sequencing – clinical priority Source: CISO + COO + CMO, 22:30 UTC
CLINICAL PRIORITY SEQUENCE -- minimum viable restoration
PHASE 1 (active now -- paper downtime):
Status: Running since 18:48 UTC
Ceiling: 4--6 hours from activation = expires approx 23:00--01:00 UTC
Risk: Pharmacy backlog (now 22 orders), fatigue, allergy verification
Action: Hold -- extend with additional nursing support on both floors
PHASE 2 (target: 6--10 hours from now = 04:00--08:00 UTC Thursday):
Target systems: ED patient tracking + medication orders + lab results
Method: Tape restore (Feb 20 baseline) to new isolated workstations
New domain (2 clean workstations -- Epic thin client only)
Data gap: Feb 20 -- Mar 6 patient records must be manually reconstructed
Prerequisite: Tape in transit (40 miles) -- ETA depends on dispatch time
Critical path: TAPE RETRIEVAL must be authorized now to hit Phase 2 target
PHASE 3 (target: 14--72 hours = Thursday--Saturday):
Target systems: All clinical, imaging, lab, pharmacy automation
Method: Full domain rebuild + workstation re-imaging + rejoin
Note: Revenue cycle last -- billing not patient-safety critical
PHASE 4 (target: 5--18 days):
Full system restoration including historical record reconstruction
Manual chart entry for Feb 20 -- Mar 6 data gap
Security hardening: credential review, DLP policy, backup isolation
METRIC FOR PHASE 2 SUCCESS:
Can a nurse verify a medication allergy for an ICU patient without calling
three people? If yes -- Phase 2 is complete.
Phase 1 ceiling: 4–6 hours from 18:48 UTC activation (~23:00–01:00 UTC). Current pharmacy backlog: 22 pending orders. Paper procedure time per order: ~20 min (vs. 2 min automated). Phase 2 prerequisite: tape retrieval authorized and in transit (40 miles). Tape retrieval ETA determines Phase 2 start time. Phase 2 target: 04:00–08:00 UTC Thursday.
Analysis direction: Phase 2 target is ED + pharmacy within 6–10 hours. Everything else is secondary to the single metric: can a nurse safely verify a medication allergy? The tape retrieval authorization is the time-sensitive critical path action – if it hasn’t happened yet, Phase 2 will slip. The COO should confirm tape retrieval is in motion before this briefing ends.
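The critical-path arithmetic behind this card, as an added worked example that is not part of the card set: it takes the card's figures (paper downtime from 18:48 UTC with a 4–6 hour ceiling, tape 40 miles offsite, 2–3 hours to restore one clean Epic workstation once the tape is on site) and computes how much slack a given tape dispatch time leaves before paper downtime expires. The courier speed (45 mph) and the dispatch time are assumptions, not figures from the cards.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Figures taken from the cards: paper downtime activated 18:48 UTC on 6 March 2026
# with a 4--6 hour ceiling; offsite tape 40 miles away; a single clean Epic
# workstation takes 2--3 hours to restore once the tape is on site.
PAPER_START = datetime(2026, 3, 6, 18, 48, tzinfo=UTC)
PAPER_CEILING_HOURS = (4, 6)
TAPE_DISTANCE_MILES = 40
RESTORE_HOURS = (2, 3)
# Assumption (not on the cards): the courier averages 45 mph for the round trip.
ASSUMED_COURIER_MPH = 45


def round_trip() -> timedelta:
    """Dispatch-to-return time for the tape run (out and back), in whole seconds."""
    return timedelta(seconds=round(2 * TAPE_DISTANCE_MILES / ASSUMED_COURIER_MPH * 3600))


def paper_ceiling() -> tuple[datetime, datetime]:
    """Earliest and latest time the paper-downtime procedure is expected to expire."""
    lo, hi = PAPER_CEILING_HOURS
    return PAPER_START + timedelta(hours=lo), PAPER_START + timedelta(hours=hi)


def phase2_window(dispatch: datetime) -> tuple[datetime, datetime]:
    """Best and worst case for the first clean Epic workstation being online."""
    tape_on_site = dispatch + round_trip()
    lo, hi = RESTORE_HOURS
    return tape_on_site + timedelta(hours=lo), tape_on_site + timedelta(hours=hi)


def slack_hours(dispatch: datetime) -> float:
    """Margin (hours) between the worst-case restore and the earliest paper ceiling.
    Negative means paper downtime is expected to expire before Epic is back."""
    _, worst_restore = phase2_window(dispatch)
    earliest_ceiling, _ = paper_ceiling()
    return (earliest_ceiling - worst_restore).total_seconds() / 3600


def latest_safe_dispatch() -> datetime:
    """Latest dispatch that still finishes a worst-case restore before the ceiling."""
    earliest_ceiling, _ = paper_ceiling()
    return earliest_ceiling - round_trip() - timedelta(hours=RESTORE_HOURS[1])


if __name__ == "__main__":
    briefing = datetime(2026, 3, 6, 22, 30, tzinfo=UTC)  # dispatch at the 22:30 UTC briefing
    best, worst = phase2_window(briefing)
    print(f"Epic workstation online {best:%H:%M}-{worst:%H:%M} UTC")
    print(f"Slack against earliest paper ceiling: {slack_hours(briefing):+.1f} h")
    print(f"Latest dispatch that beats the ceiling: {latest_safe_dispatch():%H:%M} UTC")
```

Under these assumptions the latest dispatch that beats the earliest paper ceiling is 18:01 UTC, before the phishing email was even opened, which is why Phase 1 has to be extended with additional nursing support rather than relied on to bridge to Phase 2.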
IM Distribution Guide
| Card | Release round | Hand to |
|---|---|---|
| All Tier 1 cards (6 total) | Start of Round 1 | Alpha x2, Bravo x2, Charlie x2 |
| Alpha Deep 1-2, Bravo Deep 1-2, Charlie Deep 1-2 | Start of Round 2 | Respective teams |
| Alpha Deep 3, Bravo Deep 3, Charlie Deep 3 | Start of Round 3 | Respective teams |
| All Development cards (6 total) | Start of Round 4 | Respective teams |
| Alpha Dev 2, Bravo Dev 2, Charlie Dev 2 (extended) | Start of Round 5 | Respective teams |
IC note: The IC receives no artifacts directly. Teams brief the IC based on their findings. IC pressure comes from cross-team coordination, not IM-distributed materials.
Link to scenario card: LockBit Hospital Emergency | Prep worksheet: Large Group Prep Worksheet