Large Group Artifacts: WannaCry – Hospital Emergency

1. Quick Reference

Element                  Details
Malmon                 : WannaCry (Worm/Ransom) ⭐⭐⭐⭐
Difficulty Tier        : Tier 2 (Advanced) - Life-critical healthcare operations
Scenario Variant       : Hospital Emergency - Flu Season Surge
Organizational Context : Memorial Health System: 400-bed hospital, 1,800 employees, emergency department at 150% capacity, ICU completely full
Primary Stakes         : Patient life safety + Critical care operations + Emergency services continuity + Medical device security
Recommended Formats    : Full Game, Advanced Challenge (120-180 min)
Essential NPCs         : Dr. Susan Williams (CMO), Thomas Anderson (IT Director), Dr. Patricia Lee (ED Director), Brian Martinez (Network Administrator)
Optional NPCs          : Nursing staff, Surgical teams, Ambulance services, HIPAA compliance officer

Scenario Hook

“Memorial Health System is in the middle of flu season surge, with the emergency department at 150% capacity and ICU completely full. The hospital just activated surge protocols when computer systems began failing across multiple departments. The worm is spreading rapidly through the network during the most critical period when patient care cannot be interrupted.”

Victory Condition

Successfully contain WannaCry worm, protect life-critical medical devices and patient monitoring systems, restore patient care operations, and maintain emergency services continuity while ensuring patient safety throughout incident response.


2. Organization Context

Team-specific evidence cards for Multi-Team Coordination format (12-15+ players). Print all cards, sort by team and tier, and keep face-down until the release point for each round. One set per team – do not mix teams.

Organization: Memorial Health System (US).

Organization: Royal Hospital Manchester (UK).

Tier 1 – Initial Indicators

Release at start of Round 1

Alpha x2 – Bravo x2 – Charlie x2

Type: EDR mass alert

Source: Security operations center, 14:23–14:37 UTC

EDR Mass Alert Report -- 14:23 UTC onward
Alert type : Ransomware activity / file encryption in progress

14:23:11 UTC  NURS-WS-022   WannaCry.exe detected -- ransomware activity
14:23:44 UTC  MHS-FS-001    WannaCry.exe detected -- ransomware activity
14:24:02 UTC  ADMIN-WS-007  WannaCry.exe detected -- ransomware activity
14:24:19 UTC  CLIN-WS-014   WannaCry.exe detected -- ransomware activity
14:24:33 UTC  CLIN-WS-018   WannaCry.exe detected -- ransomware activity
14:25:01 UTC  CLIN-WS-023   WannaCry.exe detected -- ransomware activity
14:25:44 UTC  ADMIN-WS-003  WannaCry.exe detected -- ransomware activity
14:26:17 UTC  MED-IMG-001   WannaCry.exe detected -- ransomware activity
14:27:08 UTC  MHS-DC-01     WannaCry.exe detected -- ransomware activity
  [... 78 additional alerts across all subnets, 14:24 -- 14:37 UTC ...]
14:37:08 UTC  MED-IMG-002   WannaCry.exe detected -- file encryption active

Total distinct hosts : 87
Alert duration       : 14 minutes
Binary hash (all)    : ed01ebfbc9eb5bbea545af4d01bf5f1071661840 (identical)

87 distinct hosts triggered ransomware alerts across three network segments within 14 minutes. Every alert carries the same binary hash. MHS-DC-01 (domain controller) is included in the encrypted host list.

Analysis direction: This is not a human operator choosing to detonate. The worm is spreading itself automatically via the network. Containment requires network isolation, not negotiation with an attacker. Every minute of connectivity = more hosts encrypted.
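The analysis direction above rests on three observations in the alert feed: many distinct hosts, one identical binary hash, and a compressed time window. The script below, an added example and not one of the exercise artifacts, applies that test to EDR alert lines. The sample lines are constructed to match the card's format with the hash carried on each line; the 2026-03-09 date, the five-host threshold and the host-name-prefix segment proxy are assumptions.

```python
"""Triage an EDR alert burst for signs of automated worm propagation.

Added illustrative example, not part of the exercise materials. The sample
alert lines are constructed to mirror the card's EDR format, with the binary
hash carried on every line so the "identical hash" check has data to work on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (time, host, SHA-1 of the detected binary, detail).
SAMPLE_ALERTS = """\
14:23:11 UTC  NURS-WS-022   ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:23:44 UTC  MHS-FS-001    ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:24:02 UTC  ADMIN-WS-007  ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:24:19 UTC  CLIN-WS-014   ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:25:01 UTC  CLIN-WS-023   ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:26:17 UTC  MED-IMG-001   ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:27:08 UTC  MHS-DC-01     ed01ebfbc9eb5bbea545af4d01bf5f1071661840  ransomware activity
14:27:08 UTC  MHS-DC-01     ed01ebfbc9eb5bbea545af4d01bf5f1071661840  file encryption active
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    sha1: str
    detail: str


def parse_alerts(text: str, day: str = "2026-03-09") -> list[Alert]:
    """Parse 'HH:MM:SS UTC  HOST  SHA1  detail' lines; the date is assumed from the card."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, _utc, host, sha1, detail = line.split(maxsplit=4)
        ts = datetime.strptime(f"{day} {time_s}", "%Y-%m-%d %H:%M:%S")
        alerts.append(Alert(ts, host, sha1.lower(), detail))
    return alerts


def triage(alerts: list[Alert], min_hosts: int = 5,
           window: timedelta = timedelta(minutes=15)) -> dict:
    """Summarise a burst and decide whether it looks self-propagating.

    Heuristic from the card's analysis direction: many distinct hosts, one
    identical binary, a short window, and spread across several naming
    segments -> automated propagation, so the response is network isolation
    rather than negotiation with an operator.
    """
    if not alerts:
        return {"worm_like": False, "distinct_hosts": 0}
    ordered = sorted(alerts, key=lambda a: a.ts)
    hosts = {a.host for a in alerts}
    hashes = {a.sha1 for a in alerts}
    # Host-name prefix (NURS, CLIN, ADMIN, MED, MHS) as a rough segment proxy (assumption).
    segments = {a.host.split("-")[0] for a in alerts}
    duration = ordered[-1].ts - ordered[0].ts
    worm_like = (len(hosts) >= min_hosts and len(hashes) == 1
                 and duration <= window and len(segments) >= 2)
    return {
        "distinct_hosts": len(hosts),
        "identical_hash": len(hashes) == 1,
        "duration_seconds": int(duration.total_seconds()),
        "segments": sorted(segments),
        "first_host": ordered[0].host,
        "domain_controller_hit": any(h.startswith("MHS-DC") for h in hosts),
        "worm_like": worm_like,
    }


if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE_ALERTS)))
```

On the constructed sample this reports 7 distinct hosts across 5 naming segments in 237 seconds with a single hash, so `worm_like` is true; a single host alerting twice, by contrast, does not trip it. The same summary makes the "domain controller is in the encrypted list" point explicit, which drives the recovery ordering later on.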

Type: IDS signature alert + packet capture

Source: Network IDS, clinical subnet 10.1.10.0/24, 14:22–14:38 UTC

IDS alert cluster -- EternalBlue / MS17-010
Sensor: Clinical subnet (10.1.10.0/24)

14:22:58 UTC  10.1.10.047 → 10.1.10.055  SMB/445  EternalBlue (MS17-010) -- EXPLOIT
14:23:04 UTC  10.1.10.047 → 10.1.10.022  SMB/445  EternalBlue (MS17-010) -- EXPLOIT
14:23:11 UTC  10.1.10.047 → 10.1.10.031  SMB/445  EternalBlue (MS17-010) -- EXPLOIT
  [10.1.10.047 = NURS-WS-022 -- first mover / patient zero]

14:23:52 UTC  10.1.10.055 → 10.1.20.0/24  SMB/445  Mass scan -- new pivot
14:24:07 UTC  10.1.10.055 → 10.1.30.0/24  SMB/445  Mass scan -- medical device subnet
14:24:19 UTC  10.1.20.012 → 10.1.10.0/24  SMB/445  EternalBlue propagation (admin network)
14:24:33 UTC  10.1.30.004 → 10.1.10.0/24  SMB/445  EternalBlue propagation (med device)
14:25:00 UTC  10.1.10.055 → 10.1.20.012  SMB/445  EternalBlue (MS17-010) -- EXPLOIT

MS17-010 (EternalBlue) Microsoft bulletin: issued March 14, 2017. Vulnerability: SMBv1 transaction handling – allows unauthenticated remote code execution. Affected: Windows 7, Windows Server 2008 with SMBv1 enabled (default).

Analysis direction: The worm entered on NURS-WS-022 and pivoted to 10.1.20.0/24 (admin) and 10.1.30.0/24 (medical devices) within 60 seconds. Two subnets beyond the initial infection point were exposed in the first minute. Isolation of the clinical subnet alone is already insufficient.

Type: Core switch flow analysis

Source: MHS-SW-CORE-01 NetFlow, 14:23–14:40 UTC

NetFlow summary -- MHS-SW-CORE-01
Query     : dst_port=445 (SMB)   Window: 14:23 -- 14:40 UTC
Threshold : >100 flows/min flagged as anomalous

14:23:12 UTC  NURS-WS-022 (10.1.10.047)  1,240 SMB flows/min  SCANNING
14:23:52 UTC  CLIN-WS-008 (10.1.10.055)    890 SMB flows/min  SCANNING
14:24:07 UTC  CLIN-WS-014 (10.1.10.031)    760 SMB flows/min  SCANNING
14:24:19 UTC  ADMIN-WS-007 (10.1.20.012)   830 SMB flows/min  SCANNING
14:24:33 UTC  MED-IMG-001 (10.1.30.004)    610 SMB flows/min  SCANNING

Subnet boundary crossing (confirmed active):
  10.1.10.0/24 (Clinical) → 10.1.20.0/24 (Admin)    : SMB traffic -- NO ACL block
  10.1.10.0/24 (Clinical) → 10.1.30.0/24 (MedDevice) : SMB traffic -- NO ACL block
  10.1.20.0/24 (Admin)    → 10.1.30.0/24 (MedDevice) : SMB traffic -- NO ACL block

All three production networks are exchanging SMB scan traffic as of 14:26 UTC.
Medical device subnet generating active propagation traffic from 14:26 UTC onward.

All three production networks are exchanging SMB/445 scan traffic with no ACL blocking that path. MED-IMG-001 in the medical device subnet is generating 610 scan flows per minute.

Analysis direction: The three networks share an SMB/445 path with no inspection. The worm is already in the medical device subnet. Network isolation must happen in the next minutes – not hours – or every SMBv1-capable device in the building is at risk.

Type: Network architecture overview

Source: Network Admin Brian Martinez, 14:30 UTC

Source: Network Admin Sarah Ahmed, 14:30 UTC

Production Network Map
(as of 14:30 UTC, partial infection ongoing)

Clinical network    10.1.10.0/24
  Hosts : Nursing stations, clinical workstations (~72), EMR terminals
  OS    : Windows 7 SP1 (~60 hosts), Windows 10 (~12 hosts)
  SMBv1 : ENABLED on Win7 endpoints (default setting, never audited)
  Patch : MS17-010 NOT APPLIED on Win7 hosts (approved but not deployed 2017)

Admin / Servers     10.1.20.0/24
  Hosts : MHS-DC-01, MHS-FS-001, MHS-FS-002, MHS-BAK-01, admin workstations
  OS    : Windows Server 2008 R2 (DC + file servers)
  SMBv1 : ENABLED on Server 2008 (default setting)
  Patch : MS17-010 NOT APPLIED on Server 2008 hosts

Medical Devices     10.1.30.0/24
  Hosts : MED-IMG-001, MED-IMG-002 (PACS), DLY-WS-001--004 (dialysis),
          ventilator interfaces (x4), infusion pump controllers (x6)
  OS    : Windows XP Embedded / Windows Embedded 7 (vendor-locked)
  SMBv1 : ENABLED (vendor required, no patch possible without recertification)

Guest / Admin WiFi  10.1.40.0/24  (isolated)
  Status: No SMB routing to production networks -- not affected

ACL note: SMB/445 unrestricted between clinical, admin, and medical device networks since 2019.

The three production networks were interconnected without SMB restriction in 2019 to support a new EMR integration requiring cross-network file access. Medical device subnet hosts run vendor-locked operating systems with no patch path and no ability to update without full vendor recertification.

Analysis direction: The flat SMB routing was added for a clinical reason and no one reassessed the risk. The medical device subnet is now exposed because of a network change made 7 years ago. Immediate subnet isolation requires IT to break the EMR cross-network dependency – which is currently supporting active patient care.
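The map above answers two questions a responder has to ask together: which hosts are exploitable (SMBv1 enabled and MS17-010 missing), and which of them the worm can reach given the flat SMB routing. The added example below (not from the exercise; the inventory is a constructed subset of the card's host classes) computes that exposure from a compromised clinical subnet, then re-runs it with SMB/445 blocked at every subnet boundary to show what the isolation step buys. Host names not on the card (CLIN-WS-001, CLIN-WS-002, VENT-IF-01, GUEST-LT-01) are constructed.

```python
"""Which hosts can an SMB-propagating worm reach from a compromised subnet?

Added illustrative example, not part of the exercise materials. INVENTORY is a
constructed, representative subset of the card's network map; FLAT_ROUTES
encodes the card's ACL note (SMB/445 unrestricted between the three production
networks, guest WiFi isolated); BLOCKED_ROUTES models the boundary block.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    os: str
    smbv1_enabled: bool
    ms17_010_applied: bool
    patchable: bool = True  # False = vendor-locked, recertification required


# Constructed subset of the card's inventory (one or two hosts per class).
INVENTORY = [
    Host("CLIN-WS-001", "Clinical", "Windows 7 SP1", True, False),
    Host("CLIN-WS-002", "Clinical", "Windows 10", False, True),
    Host("MHS-DC-01", "Admin", "Windows Server 2008 R2", True, False),
    Host("MHS-FS-002", "Admin", "Windows Server 2008 R2", False, False),  # SMBv1 off, unpatched
    Host("MED-IMG-001", "MedDevice", "Windows XP Embedded", True, False, patchable=False),
    Host("VENT-IF-01", "MedDevice", "Proprietary embedded", False, False, patchable=False),
    Host("GUEST-LT-01", "Guest", "Windows 7 SP1", True, False),
]

# Segments reachable over SMB/445 from each segment (the card's flat ACL).
FLAT_ROUTES = {
    "Clinical": {"Clinical", "Admin", "MedDevice"},
    "Admin": {"Clinical", "Admin", "MedDevice"},
    "MedDevice": {"Clinical", "Admin", "MedDevice"},
    "Guest": {"Guest"},
}
# Containment: SMB/445 blocked at every subnet boundary, intra-subnet only.
BLOCKED_ROUTES = {seg: {seg} for seg in FLAT_ROUTES}


def exploitable(h: Host) -> bool:
    """EternalBlue needs SMBv1 listening AND MS17-010 missing; either alone is not enough."""
    return h.smbv1_enabled and not h.ms17_010_applied


def exposed_segments(compromised: set, routes: dict, inventory: list) -> set:
    """Segments the worm's scans reach, pivoting onward only where it can land on a host."""
    reached = set(compromised)
    frontier = list(compromised)
    while frontier:
        seg = frontier.pop()
        for nxt in routes.get(seg, set()):
            if nxt in reached:
                continue
            reached.add(nxt)
            # It can scan further from nxt only if some host there is exploitable.
            if any(h.segment == nxt and exploitable(h) for h in inventory):
                frontier.append(nxt)
    return reached


def at_risk_hosts(compromised: set, routes: dict, inventory: list) -> list:
    """Exploitable hosts inside the reachable segments, in inventory order."""
    segs = exposed_segments(compromised, routes, inventory)
    return [h.name for h in inventory if h.segment in segs and exploitable(h)]


def remediation(inventory: list) -> dict:
    """Per exploitable host: patch where possible, isolate where the vendor forbids it."""
    plan = {}
    for h in inventory:
        if not exploitable(h):
            continue
        plan[h.name] = ("apply MS17-010 and disable SMBv1" if h.patchable
                        else "air-gap: isolated subnet, standalone mode (vendor-locked)")
    return plan


if __name__ == "__main__":
    print("flat ACL      :", at_risk_hosts({"Clinical"}, FLAT_ROUTES, INVENTORY))
    print("boundary block:", at_risk_hosts({"Clinical"}, BLOCKED_ROUTES, INVENTORY))
    print(remediation(INVENTORY))
```

Two details are worth noticing in the output. MHS-FS-002 is unpatched but never at risk because SMBv1 is off, which is exactly why the card's clean-host list shows it surviving; and the guest laptop is exploitable but unreachable, so the ACL, not the patch level, is what protects it. With the boundary block in place the at-risk list shrinks from three segments to the clinical hosts alone.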

Type: Department status report

Source: CMO Susan Williams, 14:40 UTC

Source: CMO Amara Okonkwo, 14:40 UTC

Department                    | System status                          | Patient safety impact
------------------------------|----------------------------------------|--------------------------------------
Emergency (35 patients)       | EMR down, triage encrypted             | Drug allergy verification unavailable
ICU (28 patients, full)       | Monitoring active, orders inaccessible | Medication orders manual only
Surgery (3 active procedures) | PACS imaging down                      | Surgeons proceeding without imaging
Pharmacy                      | Dispensing system encrypted            | Manual dispensing, 25 min/order
Lab                           | LIS partially down                     | Critical results via phone only
Radiology                     | All PACS workstations encrypted        | X-ray interpretation halted
Nursing floors                | Nursing station systems down           | Paper observation charts activated

Paper downtime procedures activated hospital-wide. CMO assessment: sustainable for 4–6 hours before patient safety ceiling is reached.

CMO calling for ambulance diversion recommendation by 15:00 UTC.

Analysis direction: Three active surgical procedures are underway without imaging access. That is the immediate life-safety risk. The 15:00 UTC diversion deadline is real – diverting ambulances now reduces new patients arriving into a degraded environment, but it also signals a major incident to the public.

Type: Capacity and context brief

Source: ED Director Patricia Lee + COO, 14:35 UTC

Memorial Health System pre-incident state (active flu surge, peak week of season):

Area                 | Status before incident
---------------------|----------------------------------------------------------
Emergency Department | 35 patients, 12 in critical triage, ambulance bay active
ICU                  | 28 of 28 beds occupied, 6 patients on ventilators
General wards        | 94% occupancy
Nearest alternative  | Riverside General, 18 miles – also at surge capacity
Mutual aid network   | Active – 3 regional hospitals coordinating since Monday

Source: A&E Director Rajesh Patel + COO, 14:35 UTC

Royal Hospital Manchester pre-incident state (winter flu surge, peak week of season):

Area                   | Status before incident
-----------------------|----------------------------------------------------------
Accident and Emergency | 35 patients, 12 in critical triage, ambulance bay active
ICU                    | 28 of 28 beds occupied, 6 patients on ventilators
General wards          | 94% occupancy
Nearest alternative    | Salford Royal, 4 miles – also at surge capacity
Mutual aid network     | Active – 3 regional NHS trusts coordinating since Monday

WannaCry ransom note displayed on all encrypted screens:

“Ooops, your important files are encrypted! … Send $300 worth of Bitcoin to [wallet] … You have 3 days.”

Wallet address 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 is hardcoded in the binary. This is a known WannaCry wallet – no documented case of successful file recovery by paying exists.

The ransom demand totals $300 x 87 encrypted hosts = $26,100. The payment verification mechanism in WannaCry’s original 2017 release was broken, and this variant retains that flaw.

Analysis direction: Payment will not restore these systems. WannaCry’s payment verification mechanism was broken in the original 2017 attack and this variant retains that flaw. This is a restore-from-backup problem, not a negotiation problem. The team needs to communicate that to leadership immediately.

Tier 2 – Deep Analysis

Release at start of Rounds 2 and 3 (3 cards per team)

Alpha x3 – Bravo x3 – Charlie x3

Type: Forensic analysis – index case

Source: IR team, NURS-WS-022 analysis, 15:30 UTC

Host forensic reconstruction -- NURS-WS-022
OS       : Windows 7 SP1 (last OS patch: KB4012212, March 2017 -- no patches after)
SMBv1    : ENABLED (default Windows 7 setting, never disabled)
MS17-010 : NOT PATCHED  (patch available March 2017, never applied)
User     : nurse.k (floor nursing staff, Shift 2)
Session  : nurse.k logged in 13:44 UTC, active until encryption at 14:22 UTC

Forensic timeline (reconstructed from Windows event logs + network capture):
  14:21:44 UTC  NURS-WS-022 receives inbound SMB/445 from 185.220.101.47
                Source: Tor exit node -- attribution not possible from IP alone
  14:21:51 UTC  EternalBlue exploit lands -- SYSTEM privilege obtained
                (7 seconds from connection to SYSTEM shell)
  14:21:53 UTC  DoublePulsar backdoor kernel module installed
  14:22:02 UTC  WannaCry.exe dropped to C:\Windows\mssecsvc.exe, executed
  14:22:04 UTC  WannaCry begins local file encryption
  14:22:58 UTC  NURS-WS-022 begins SMB/445 scanning of 10.1.10.0/24
                (56 seconds from execution to outbound propagation)

External context: 185.220.101.47 is a Tor exit node.
No inbound SMB/445 block existed at the internet-facing firewall.
SMB/445 was reachable from the public internet on NURS-WS-022's IP.

From first connection to active worm propagation: 74 seconds. The Tor exit node source means individual attribution is not possible through this vector.

Analysis direction: No user error, no phishing. NURS-WS-022 was internet-facing with SMBv1 enabled and MS17-010 unpatched. Any unpatched SMBv1 host with an inbound SMB/445 path from the internet is vulnerable to the exact same attack vector.

Type: Malware analysis

Source: Sandbox analysis, WannaCry binary hash ed01ebfbc9eb5bbea545af4d01bf5f1071661840

WannaCry B -- Variant analysis report
Hash     : ed01ebfbc9eb5bbea545af4d01bf5f1071661840
Packer   : None (unobfuscated PE32)
Sandbox  : Cuckoo 3.0, Windows 7 SP1 guest (clean)

--- Killswitch mechanism ---
Original WannaCry killswitch domain (2017):
  iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  Status: REGISTERED (registered by MalwareTech 2017) -- ACTIVE
  Effect: Original variant deactivates on any host that resolves this domain

This variant (WannaCry B) killswitch domain:
  mhsinfra-update-cdn.net
  Status: NOT REGISTERED -- killswitch NOT active
  Action: Register this domain to halt new infections immediately
  Cost  : ~$13 / ~£10   Time: ~5 min registration + DNS propagation

--- Encryption analysis ---
File encryption : AES-128, unique key per file
Host key        : RSA-2048, generated locally per host
Key exfil       : Keys sent to C2 at 188.166.23.127:443 (unreachable -- offline)
Encrypted ext   : .WNCRY appended to all affected files
Decryption      : Requires RSA private key (held by operator C2 -- unreachable)

--- Recovery analysis ---
Decrypt without key : NOT FEASIBLE (AES-128 + RSA-2048, no known weakness)
Key recovery from C2: NOT POSSIBLE (C2 server offline)
Payment result      : No documented successful recovery via payment (any WannaCry)
Recovery path       : RESTORE FROM BACKUP ONLY

Killswitch domain mhsinfra-update-cdn.net is currently unregistered. C2 server (188.166.23.127:443) is unreachable. No RSA private key recovery path exists from this vector.

Analysis direction: Registering mhsinfra-update-cdn.net will stop new infections immediately – it costs $10 and takes 5 minutes. This stops the worm but does NOT decrypt any already-encrypted files. Backup restoration is the only path to recovery.

Type: Full network host audit

Source: IR team + network admin, 16:00 UTC

Host status audit
Completed: 16:00 UTC   Method: EDR telemetry + manual subnet sweep

Network       Total  Encrypted  Clean   Notes
-----------   -----  ---------  -----   ----------------------------------
Clinical        72     61         11      11 clean = Win10 hosts (patched)
Admin           18     14          4       4 clean = 2 servers (MHS-BAK-01, MHS-FS-002) + 2 workstations
Medical Devs    22     12         10      10 clean = offline or proprietary OS
TOTAL          112     87         25

--- Notable hosts (status) ---
MHS-DC-01     : ENCRYPTED -- domain controller down (blocks domain auth for recovery)
MHS-BAK-01    : CLEAN -- backup server, isolated before worm reached it
MHS-FS-001    : ENCRYPTED -- primary file server, contains shared clinical data
MHS-FS-002    : CLEAN -- secondary file server, SMBv1 disabled since 2023
DLY-WS-003,004: CLEAN -- dialysis workstations, offline during attack
DLY-WS-001,002: ENCRYPTED -- dialysis workstations, online during attack
MED-IMG-001   : ENCRYPTED -- primary PACS workstation, imaging halted
MED-IMG-002   : ENCRYPTED -- secondary PACS workstation (encrypted at 14:37)
Ventilator (4): CLEAN -- proprietary embedded OS, no SMBv1
Infusion pumps: CLEAN -- proprietary firmware, no network share capability

MHS-BAK-01 was isolated at 14:31 UTC (9 minutes after detection). MHS-FS-002 has had SMBv1 disabled since 2023. MHS-DC-01 is encrypted.

Analysis direction: The backup server survived. Last night’s backup is less than 15 hours old – minimal patient data gap. Domain controller is encrypted and must be rebuilt before restored systems can authenticate. Backup server isolation was what saved the recovery option.

Type: Immediate action brief

Source: Network Admin Brian Martinez + IR team, 15:15 UTC

Source: Network Admin Sarah Ahmed + IR team, 15:15 UTC

WannaCry B killswitch mechanism: On execution, the worm queries mhsinfra-update-cdn.net. If the domain resolves and returns any HTTP response, the worm exits without encrypting. If the domain is unresolvable, encryption proceeds.

Killswitch action plan:
  Domain  : mhsinfra-update-cdn.net
  Action  : Register at any public registrar
  Cost    : ~$13 / ~£10
  Time    : ~5 minutes (registration + DNS propagation)
  Effect  : Terminates WannaCry B on any host that queries the domain

Hosts currently uninfected but at risk:
  MHS-BAK-01  (10.1.20.030)  -- backup server, ISOLATED, protected
  DLY-WS-001  (10.1.30.011)  -- dialysis, patient currently on session
  DLY-WS-002  (10.1.30.012)  -- dialysis workstation, online
  ADMIN-WS-011(10.1.20.019)  -- admin workstation, online
  ADMIN-WS-003(10.1.20.005)  -- admin workstation, online

Current worm scan rate from infected hosts:
  ~3,200 SMB connection attempts/min across all subnets (at 15:15 UTC)
  Every unpatched SMBv1 host still connected is a candidate for infection

Important: Killswitch registration stops NEW infections only.
It does not decrypt existing .WNCRY files or stop currently-running instances.

DLY-WS-001 (10.1.30.011) has a patient on an active dialysis session and is listed as currently online and at risk.

Analysis direction: This is the fastest containment action available. It requires no network changes, no downtime, and takes 5 minutes. It should be actioned immediately while network isolation is being planned in parallel.

Type: Biomedical engineering + vendor review

Source: Biomedical Engineering team + vendor contacts, 16:30 UTC

Medical device subnet (10.1.30.0/24) infection status:

Device                                       | Count | OS                   | WannaCry status | Patient safety note
---------------------------------------------|-------|----------------------|-----------------|---------------------
PACS workstations (MED-IMG-001, MED-IMG-002) |   2   | Windows XP Embedded  | Both encrypted  | Imaging fully halted
Dialysis (DLY-WS-001, DLY-WS-002)            |   2   | Windows Embedded 7   | Both encrypted  | See note below
Dialysis (DLY-WS-003, DLY-WS-004)            |   2   | Windows Embedded 7   | Clean (offline) | Safe to resume
Ventilator interfaces (x4)                   |   4   | Proprietary embedded | All clean       | Unaffected
Infusion pump controllers (x6)               |   6   | Proprietary firmware | All clean       | Unaffected

Dialysis note: DLY-WS-001 was encrypted with a patient mid-session. Biomedical Engineering confirms: the dialysis machine itself runs an independent embedded controller – the Windows workstation is the monitoring and charting interface only, not the fluid management or pump logic. Patient is safe to complete the session in standalone mode. BD Medical contacted at 15:45 UTC.

Vendor response (BD Medical): No patch available for embedded Windows 7 in dialysis workstations. Vendor recommendation: air-gap from network, operate in standalone mode. Re-certification required for any OS update (minimum 18-month lead time).

Vendor response (PACS vendor): MED-IMG-001 and MED-IMG-002 cannot be reimaged in the field. Vendor on-site support available within 48 hours. PACS archive is stored separately and was not affected.

Analysis direction: The good news: ventilators and infusion pumps are safe because they don’t use SMBv1. The specific risk is the dialysis monitoring workstation – Biomedical Engineering needs to confirm the patient can continue the current session in standalone mode.

Type: Infrastructure recovery design

Source: IT Infrastructure + Network Admin Brian Martinez, 17:00 UTC

Source: IT Infrastructure + Network Admin Sarah Ahmed, 17:00 UTC

Recovery network plan
Prepared: 17:00 UTC   Status: Awaiting authorization

Phase 1 -- Immediate containment (target: complete by 17:30 UTC)
  1. Register killswitch domain mhsinfra-update-cdn.net [DONE at 15:22 UTC]
  2. Block SMB/445 at all subnet boundaries on MHS-SW-CORE-01
     Risk: Breaks 2019 EMR cross-network integration -- EMR already down, acceptable
  3. Confirm MHS-BAK-01 physical isolation (disconnect admin network port)
  4. Take DLY-WS-001, DLY-WS-002, MED-IMG-001 offline (medical devices)
  5. Block inbound TCP/445 at internet-facing firewall (GFW-EDGE-01)

Phase 2 -- Domain infrastructure (target: complete by 20:00 UTC)
  6. Rebuild MHS-DC-01 from MHS-BAK-01 AD database export
     Note: ALL subsequent steps depend on DC being online
  7. Verify domain DNS, Kerberos, LDAP operational
  8. Set new domain admin password -- assume all domain accounts compromised

Phase 3 -- Clinical application restore (target: complete by 21:30 UTC)
  9. Restore EMR application server from MHS-BAK-01 (ETA: 19:30 UTC)
  10. Restore MHS-FS-001 from MHS-BAK-01 (ETA: 21:00 UTC)
  11. Verify PACS archive accessible (stored separately -- should be clean)

Phase 4 -- Workstation re-join (target: complete by 08:00 UTC tomorrow)
  12. Apply MS17-010 patch + disable SMBv1 on ALL hosts before domain re-join
      ~30 min per host x 72 clinical workstations = ~36 hours (parallel teams)

Phase 3 and Phase 4 have a noted dependency on Phase 2 completion. The plan requires MS17-010 patched and SMBv1 disabled on every host before domain re-join.

Analysis direction: MHS-DC-01 being encrypted is the critical blocker. Nothing can be restored and joined to the domain until the DC is rebuilt. That is the first dependency in the recovery chain.

Type: CFO briefing

Source: CFO + Risk Management, 16:00 UTC

Category                                                | Estimate
--------------------------------------------------------|----------------------------------------
Revenue lost – ED + elective (per day of closure)       | $220,000
Recovery labor (IT + external IR + consulting)          | $450,000 – $700,000
Hardware replacement (encrypted medical workstations)   | $150,000 – $300,000
Regulatory fine (OCR/HIPAA investigation, if triggered) | $100,000 – $1.9M
Patient notification and credit monitoring              | $80,000 – $150,000
Total estimated recovery cost                           | $800,000 – $1.2M
Cyber insurance coverage (total)                        | $3M (no ransomware carve-out confirmed)
Policy deductible                                       | $250,000

Ransom demand math: $300 per host x 87 encrypted hosts = $26,100 total

Payment context: No documented WannaCry payment has ever resulted in successful file recovery. The C2 decryption service is unreachable and the payment verification mechanism was broken at deployment.

NHS comparison: The 2017 WannaCry attack on the UK National Health Service cost an estimated £92M in recovery and cancelled appointments. Zero successful ransoms were paid.

Category                                               | Estimate
-------------------------------------------------------|------------------------------------
Activity lost – A&E + elective (per day of closure)    | £180,000
Recovery labor (IT + external IR + consulting)         | £380,000 – £580,000
Hardware replacement (encrypted medical workstations)  | £120,000 – £250,000
Regulatory fine (ICO/GDPR investigation, if triggered) | £50,000 – £500,000
Patient notification and affected-individual support   | £60,000 – £120,000
Total estimated recovery cost                          | £650,000 – £1.0M
NHS Resolution cyber coverage                          | Covered under NHS indemnity scheme
Trust contribution                                     | £150,000 (estimated)

Ransom demand math: $300 per host x 87 encrypted hosts = $26,100 total

Payment context: No documented WannaCry payment has ever resulted in successful file recovery. The C2 decryption service is unreachable and the payment verification mechanism was broken at deployment.

Historical comparison: The 2017 WannaCry attack on the UK National Health Service cost an estimated £92M in recovery and cancelled appointments. Zero successful ransoms were paid.

Analysis direction: The financial case against payment is straightforward – payment would not decrypt a single file. Recovery cost is substantial but manageable under existing coverage structures. The CFO should be briefed that this is a recovery-from-backup exercise, not a ransom negotiation.

Type: Legal and compliance assessment

Source: General Counsel + Compliance Officer, 16:30 UTC

OCR (Office for Civil Rights) guidance: Ransomware affecting PHI constitutes a reportable breach unless the covered entity can demonstrate with high probability that PHI was not acquired or viewed by an unauthorized person. Absence of exfiltration must be demonstrated, not assumed.

Memorial Health System systems confirmed containing PHI and now encrypted:

System                       | PHI type                                       | Encrypted
-----------------------------|------------------------------------------------|----------
EMR application server       | Full patient records, diagnoses, medications   | Yes
MHS-FS-001                   | Scanned records, lab results, referral letters | Yes
PACS system                  | Radiology images linked to patient IDs         | Yes
Nursing station workstations | Active patient data, nursing notes             | Yes

Estimated affected patients: 12,000 – 18,000 (investigation ongoing)

HIPAA obligation                   | Deadline
-----------------------------------|-------------------------------------
HHS/OCR notification               | 60 days (approximately May 8, 2026)
Patient notification               | 60 days (same)
Media notification (>500 patients) | 60 days
HHS “Wall of Shame” posting        | Triggered by OCR notification

ICO (Information Commissioner’s Office) guidance: Under UK GDPR Article 33, any personal data breach likely to result in risk to individuals must be notified to the ICO within 72 hours of becoming aware. Absence of exfiltration must be demonstrated, not assumed.

Royal Hospital Manchester systems confirmed containing personal data and now encrypted:

System                       | Data type                                      | Encrypted
-----------------------------|------------------------------------------------|----------
EPR application server       | Full patient records, diagnoses, medications   | Yes
MHS-FS-001                   | Scanned records, lab results, referral letters | Yes
PACS system                  | Radiology images linked to NHS numbers         | Yes
Nursing station workstations | Active patient data, nursing notes             | Yes

Estimated affected patients: 15,000 – 20,000 (investigation ongoing)

UK GDPR / NHS obligation                       | Deadline
-----------------------------------------------|------------------------------------------------------------
ICO notification (Article 33)                  | 72 hours from awareness – clock started at 14:23 UTC today
Patient notification if high risk (Article 34) | Without undue delay
NHS England DSPT cybersecurity notification    | Immediate (already triggered)
MHRA notification (medical device impact)      | Per regulatory reporting schedule

Analysis direction: Even though there is no evidence of exfiltration, the regulatory body requires evidence that data was NOT accessed. The inability to prove a negative means breach notification is the default safe position. US teams: 60-day HIPAA clock. UK teams: 72-hour ICO clock – far more urgent.

Type: Regional hospital network status

Source: CMO Susan Williams + Regional Healthcare Coalition, 17:00 UTC

Memorial Health System activated Regional Healthcare Coalition mutual aid protocol at 14:45 UTC:

Hospital          | Distance | Surge capacity before diversion | ED beds available
------------------|----------|---------------------------------|---------------------
Riverside General | 18 miles | 87% occupied                    | 8 ED beds available
St. Catherine’s   | 22 miles | 91% occupied                    | 3 ED beds (limited)
Valley Medical    | 31 miles | 78% occupied                    | 14 ED beds available

Ambulance diversion activated: 14:58 UTC (CMO authorization, 22 minutes after initial detection)

Current patient status at Memorial Health System:

  • 35 existing ED patients: Cannot transfer until stabilized – all remain in ED under paper protocols
  • New ambulance arrivals: Rerouted to Riverside General (8 beds) and Valley Medical (14 beds)
  • ICU: 28 patients, all in place – transfer not indicated, monitoring continues on backup equipment

Regional Coalition offers received:

  • 2 portable offline EMR workstations (estimated delivery: 2 hours, 17:00 UTC)
  • State emergency operations notified at 15:10 UTC
  • Regional IT liaison available for backup restoration support

Source: CMO Amara Okonkwo + NHS Regional Emergency Planning, 17:00 UTC

Royal Hospital Manchester activated NHS Regional Emergency Planning mutual aid protocol at 14:45 UTC:

Hospital                     | Distance | Surge capacity before diversion | A&E beds available
-----------------------------|----------|---------------------------------|----------------------
Salford Royal                | 4 miles  | 89% occupied                    | 6 A&E beds available
Manchester University NHS FT | 3 miles  | 93% occupied                    | 4 A&E beds (limited)
Wythenshawe Hospital         | 9 miles  | 82% occupied                    | 10 A&E beds available

Ambulance diversion activated: 14:58 UTC (CMO authorization, 22 minutes after initial detection)

Current patient status at Royal Hospital Manchester:

  • 35 existing A&E patients: Cannot transfer until stabilized – all remain in A&E under paper protocols
  • New ambulance arrivals: Rerouted to Salford Royal (6 beds) and Wythenshawe (10 beds)
  • ICU: 28 patients, all in place – transfer not indicated, monitoring continues on backup equipment

NHS regional offers received:

  • 2 portable offline EPR workstations (estimated delivery: 2 hours, 17:00 UTC)
  • NHS England emergency operations notified at 15:10 UTC
  • NHS Digital cyber incident support team en route

Analysis direction: Diversion is working – the immediate patient safety pressure is reduced. The 35 existing patients are the remaining acute concern. With 4–6 hours of paper downtime capacity remaining and 6–18 hours to restore core clinical systems, the timeline is tight but viable if recovery starts immediately.

Tier 3 – Developments

Release at start of Rounds 4 and 5 (2 cards per team)

Alpha x2 – Bravo x2 – Charlie x2

Type: Backup integrity verification report

Source: IR team + IT Infrastructure, 18:30 UTC

MHS-BAK-01 -- backup verification report
Last backup completed : 02:00 UTC this morning (2026-03-09)
Backup type          : Full system image + application data
Isolation status     : Physically isolated at 14:31 UTC (9 minutes after detection)
Integrity check      : SHA-256 verified -- ALL images intact

Backup contents and restore status:
  ✓ MHS-DC-01 AD database    -- exported, DC rebuild COMPLETE at 17:45 UTC
  ✓ EMR application server   -- full image, restore IN PROGRESS (ETA: 19:30 UTC)
  ✓ MHS-FS-001 data volume   -- 98.7% of files present (last 12h gap)
  ⧖ MHS-FS-001 restore       -- queued, starting after DC confirm (ETA: 21:00 UTC)
  ✓ PACS archive             -- radiology images stored separately, CLEAN + accessible
  ⧖ Clinical workstations    -- patch deployment underway, domain re-join queued

Patient data gap (02:00 -- 14:23 UTC, 12 hours 23 minutes):
  Lab results entered this morning: NOT in backup (~180 entries estimated)
  Nursing notes from AM shift   : NOT in backup (~440 entries estimated)
  Medication administration records: NOT in backup (~320 entries estimated)
  Reconstruction method: Paper records retained -- manual entry underway
  No critical entries lost (paper originals exist for all items)

The backup server was isolated at 14:31 UTC, nine minutes after detection. The domain controller was rebuilt at 17:45 UTC. EMR restoration is in progress with an ETA of 19:30 UTC. Paper records exist for all morning entries not captured in the backup; manual reconstruction is underway.

Analysis direction: Core clinical systems will be back online by 21:00 UTC. The 12-hour patient data gap is a clinical workflow problem (manual reconstruction), not a patient safety crisis – paper records exist for everything entered today. Full workstation restoration completes overnight.

Type: Patch management report

Source: IT Infrastructure, 20:00 UTC

Patch deployment status -- 20:00 UTC
Requirement: MS17-010 applied + SMBv1 disabled before any host rejoins domain

Host type                       | Count | Patched | SMBv1 off | Domain rejoined
--------------------------------|-------|---------|-----------|----------------
Clinical workstations (Win10)   |  11   |  11/11  |  11/11    | Yes (clean hosts)
Clinical workstations (Win7)    |  61   |  61/61  |  61/61    | In progress (48 done)
Admin workstations              |   4   |   4/4   |   4/4     | Yes
File servers (MHS-FS-001, -002) |   2   |   2/2   |   2/2     | Yes
Domain controller (rebuilt)     |   1   |   1/1   |   1/1     | Yes
Medical device workstations     |  10   |   4/10  |   4/10    | Partial -- see note

Medical device note:
  DLY-WS-001, DLY-WS-002, MED-IMG-001, MED-IMG-002: Encrypted, require vendor service
  DLY-WS-003, DLY-WS-004: Clean but CANNOT receive MS17-010 patch
    -- Vendor: Patch requires OS recertification (min 18 months)
    -- Action: Air-gap from corporate network, isolated subnet, standalone mode only
  Ventilators, infusion pumps: Clean, no SMBv1, no patch needed

All corporate systems are fully patched with SMBv1 disabled. DLY-WS-003 and DLY-WS-004 cannot receive MS17-010 patch without vendor recertification. DLY-WS-001, DLY-WS-002, MED-IMG-001, and MED-IMG-002 require on-site vendor service for restoration. PACS vendor confirmed on-site arrival within 48 hours.

Analysis direction: The corporate systems are fully patched. The unresolved long-term problem is the medical device workstations: four are encrypted and waiting on the vendor, two are clean but cannot take MS17-010 without recertification, and none of them should go back onto a shared network. Biomedical Engineering needs a permanent isolated subnet design before these devices come back online.

Type: Containment confirmation

Source: Network Admin Brian Martinez, 15:22 UTC

Source: Network Admin Sarah Ahmed, 15:22 UTC

Killswitch registration log:
  Domain    : mhsinfra-update-cdn.net
  Registered: 15:18 UTC  (cost: $12.99/yr, ~£10/yr)
  DNS propagation confirmed: 15:22 UTC
  Method: DNS resolution test from external resolver -- domain resolves

Effect monitoring (15:22 -- 18:00 UTC):
  External EternalBlue exploit attempts detected: 41
  WannaCry B executions triggering killswitch: 17 (confirmed by EDR telemetry)
  New WannaCry B infections post-registration: ZERO
  Killswitch confirmed effective: 15:28 UTC

Firewall rule added at 15:35 UTC (GFW-EDGE-01):
  BLOCK inbound TCP/445 from 0.0.0.0/0 (any external source)
  Effect: Eliminates SMBv1 direct internet exposure going forward
  Note: This rule should have existed since March 2017

17 confirmed WannaCry B execution attempts were terminated by the killswitch domain resolution check after 15:22 UTC. Zero new infections occurred post-registration. Firewall rule blocking inbound TCP/445 from external IPs added at 15:35 UTC on GFW-EDGE-01. External EternalBlue scanning continues at roughly 16 attempts per hour (41 attempts in the 2 hours 38 minutes monitored).

Analysis direction: The killswitch stopped the worm spread. It did not patch the vulnerability, and it only protects hosts that can resolve and reach the registered domain when the check runs; a host with no DNS or no direct internet egress (anything on an isolated device subnet, for instance) gets no benefit from it. External SMBv1 scanning continues. The inbound TCP/445 block on GFW-EDGE-01 closes the internet path; SMB paths between internal subnets stay open until the segmentation work is done, so any unpatched host with an inbound SMB path is a future patient zero.
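The kill-switch hit count and the inbound-445 rate above come from two log sources an IR team can query directly: every resolver query for the registered domain is a host on which the worm ran and reached its check (an inventory that does not depend on an EDR agent), and the edge firewall's TCP/445 denies give the scan rate. The Python below is an added example, not a tool from the page; the resolver and firewall line formats are assumptions and every sample line is constructed. The cross-check of DNS hits against EDR execution events is what surfaces hosts that ran the worm without any agent seeing it.

```python
"""Triage of kill-switch lookups and inbound TCP/445 attempts from resolver and firewall logs.

Added example for this scenario, not a tool from the page. Log line shapes
(a BIND-style query log and a generic firewall line) are assumptions and all
sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

KILLSWITCH_DOMAIN = "mhsinfra-update-cdn.net"

# Assumed shape: "HH:MM:SS client <ip>#<port>: query: <name> IN <type>"
DNS_LINE = re.compile(r"^(\d\d:\d\d:\d\d) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\w+)")
# Assumed shape: "HH:MM:SS <firewall> ALLOW|DENY TCP <src>:<sport> -> <dst>:<dport>"
FW_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d) (\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)"
)

# Constructed sample: three hosts hit the kill-switch name; 10.1.30.12 is on the
# medical device subnet, which carries no EDR agent.
DNS_SAMPLE = [
    "15:23:41 client 10.1.20.45#51234: query: mhsinfra-update-cdn.net IN A",
    "15:23:42 client 10.1.20.45#51240: query: mhsinfra-update-cdn.net IN AAAA",
    "15:31:07 client 10.1.21.9#49877: query: mhsinfra-update-cdn.net. IN A",
    "15:32:50 client 10.1.30.12#50110: query: MHSINFRA-UPDATE-CDN.NET IN A",
    "15:33:00 client 10.1.20.45#51300: query: emr.mhs.example IN A",
    "not a query line at all",
]
EDR_EXECUTION_HOSTS = {"10.1.20.45", "10.1.21.9"}   # constructed: hosts where EDR saw the worm run

# Constructed sample for GFW-EDGE-01 after the 15:35 UTC rule (documentation ranges as sources).
FW_SAMPLE = [
    "15:36:12 GFW-EDGE-01 DENY TCP 203.0.113.7:49211 -> 198.51.100.20:445",
    "15:58:40 GFW-EDGE-01 DENY TCP 192.0.2.8:61002 -> 198.51.100.20:445",
    "16:00:00 GFW-CORE-02 DENY TCP 10.1.20.45:50001 -> 10.1.30.12:445",      # internal, other firewall
    "16:40:03 GFW-EDGE-01 DENY TCP 203.0.113.7:49300 -> 198.51.100.21:445",
    "17:10:15 GFW-EDGE-01 ALLOW TCP 203.0.113.9:40000 -> 198.51.100.20:443",  # not SMB
    "17:55:59 GFW-EDGE-01 DENY TCP 192.0.2.33:55555 -> 198.51.100.20:445",
    "18:30:00 GFW-EDGE-01 DENY TCP 192.0.2.33:55556 -> 198.51.100.20:445",    # outside the window
]


def killswitch_lookups(lines, domain=KILLSWITCH_DOMAIN):
    """Map each client that queried the kill-switch name (or a label under it) to
    (count, first_seen, last_seen). Timestamps are HH:MM:SS strings and compare lexically."""
    hits = {}
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        ts, client, name, _rtype = m.groups()
        name = name.rstrip(".").lower()
        if name != domain and not name.endswith("." + domain):
            continue
        count, first, last = hits.get(client, (0, ts, ts))
        hits[client] = (count + 1, min(first, ts), max(last, ts))
    return hits


def uncovered_hosts(dns_hits, edr_hosts):
    """Hosts that reached the kill-switch check but produced no EDR execution event:
    the worm ran there and nothing on the host reported it."""
    return sorted(set(dns_hits) - set(edr_hosts))


def inbound_445_attempts(lines, window, firewall="GFW-EDGE-01", internal_prefix="10."):
    """Count inbound TCP/445 attempts from non-internal sources on one firewall inside
    window=("HH:MM:SS", "HH:MM:SS"); returns (count, per_hour, {source: count})."""
    start, end = (datetime.strptime(w, "%H:%M:%S") for w in window)
    count, sources = 0, defaultdict(int)
    for line in lines:
        m = FW_LINE.match(line)
        if not m:
            continue
        ts, fw, _action, src, _dst, dport = m.groups()
        if fw != firewall or dport != "445" or src.startswith(internal_prefix):
            continue
        if not (start <= datetime.strptime(ts, "%H:%M:%S") <= end):
            continue
        count += 1
        sources[src] += 1
    hours = (end - start).total_seconds() / 3600
    return count, round(count / hours, 1), dict(sources)


if __name__ == "__main__":
    hits = killswitch_lookups(DNS_SAMPLE)
    for host, (n, first, last) in sorted(hits.items()):
        print(f"{host:<14} kill-switch lookups={n} first={first} last={last}")
    print("ran but unseen by EDR:", uncovered_hosts(hits, EDR_EXECUTION_HOSTS))
    n, rate, srcs = inbound_445_attempts(FW_SAMPLE, ("15:22:00", "18:00:00"))
    print(f"inbound 445 attempts in window: {n} ({rate}/h) from {srcs}")
```

The DNS inventory is the stronger of the two signals: a host that queried the domain executed the worm, whatever its EDR status says, and a hit from a subnet that is supposed to have no internet path is itself a finding about the segmentation.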

Type: Architecture recommendation Source: IT Infrastructure + Biomedical Engineering + CISO, 19:00 UTC

Root causes identified (unanimous IT/Security assessment):

Root cause 1: SMBv1 enabled by default, never audited or disabled
  -- Windows 7 and Server 2008: enabled at install, no standard decommission process
  -- Medical devices: vendor required, no override possible without recertification
  -- EternalBlue patch (MS17-010) approved 2017, deployed to 12/112 hosts only

Root cause 2: No inbound SMB/445 block at internet-facing firewall (GFW-EDGE-01)
  -- Rule exists for other protocols; SMB block never added
  -- Gap existed from March 2017 until 15:35 UTC today (9 years)

Root cause 3: Medical device subnet (10.1.30.0/24) routed to clinical + admin via SMB
  -- ACL change made 2019 for EMR integration, no risk review after WannaCry 2017

Proposed permanent architecture:
  New isolated medical device network (10.1.35.0/24):
    -- No routing to existing production networks
    -- No internet access
    -- Vendor remote support: via dedicated jump server with MFA (10.1.36.0/24)

  Firewall permanent rules:
    -- BLOCK inbound TCP/445 at all internet-facing interfaces (in place from today)
    -- BLOCK SMB/445 between ALL subnet pairs (break legacy cross-network access)
    -- ALLOW only specific application ports cross-subnet (whitelist model)

Estimated cost: $85,000 / ~£70,000 (switching hardware + network reconfiguration + labor)
Estimated timeline: 6 weeks (with Board approval + Biomedical Engineering coordination)

Estimated redesign cost: $85,000. The 2019 EMR integration that required cross-network SMB access would need to be replaced with an application-layer integration that does not rely on file shares.

Estimated redesign cost: £70,000. The 2019 EMR integration that required cross-network SMB access would need to be replaced with an application-layer integration that does not rely on file shares.

Analysis direction: The redesign cost is small in the context of the total recovery cost. The board will likely approve; the question is framing it as a patient safety issue, not an IT budget line.
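The firewall section above describes the target state as a whitelist: SMB/445 denied between every subnet pair, and only named application ports allowed across boundaries. The Python below is an added example, not part of the page or any real configuration, that models that policy as an ordered first-match rule list with an implicit deny and audits it for the two properties the card cares about: no cross-subnet 445 path, and no way into the new device network except through the jump segment. It also models the 2019 legacy rules so the audit shows root cause 3 as a finding. The 10.1.30/10.1.35/10.1.36 subnets are the card's; the clinical and admin subnets, the EMR application port (8443) and the vendor support port (3389) are assumptions.

```python
"""Whitelist segmentation policy for the proposed device network, with an audit.

Added example, not part of the page or any real configuration. Subnets
10.1.30/24, 10.1.35/24 and 10.1.36/24 come from the architecture card; the
clinical and admin subnets and the application ports are assumptions.
"""
import ipaddress
from itertools import permutations

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")

SUBNETS = {
    "clinical":      net("10.1.20.0/24"),   # assumption
    "admin":         net("10.1.21.0/24"),   # assumption
    "legacy-device": net("10.1.30.0/24"),   # card: old medical device subnet
    "device":        net("10.1.35.0/24"),   # card: new isolated medical device network
    "jump":          net("10.1.36.0/24"),   # card: vendor jump server segment (MFA)
}

# Rule = (action, src_net, dst_net, proto, dport); first match wins; no match means deny.
LEGACY_RULES = [   # the 2019 EMR integration path described under root cause 3
    ("allow", SUBNETS["legacy-device"], SUBNETS["clinical"], "tcp", 445),
    ("allow", SUBNETS["clinical"], SUBNETS["legacy-device"], "tcp", 445),
]
PROPOSED_RULES = [
    ("deny",  ANY, ANY, "tcp", 445),                                     # SMB blocked between ALL subnet pairs
    ("allow", SUBNETS["jump"], SUBNETS["device"], "tcp", 3389),          # vendor support only via jump host (port assumed)
    ("allow", SUBNETS["clinical"], net("10.1.21.10/32"), "tcp", 8443),   # EMR over an application port (assumed)
]


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation with an implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, p, port in rules:
        if src_ip in s and dst_ip in d and p == proto and port == dport:
            return action
    return "deny"


def audit_no_cross_subnet_smb(rules, subnets):
    """Pairs (src_name, dst_name) where a host in src can still reach dst on TCP/445.
    One representative host per subnet is tested (first usable address)."""
    leaks = []
    for a, b in permutations(subnets, 2):
        src, dst = str(subnets[a][1]), str(subnets[b][1])
        if evaluate(rules, src, dst, "tcp", 445) == "allow":
            leaks.append((a, b))
    return leaks


def audit_device_ingress(rules, subnets, device="device"):
    """Names of subnets that can reach the device network on any port an allow rule mentions."""
    ports = {r[4] for r in rules if r[0] == "allow"}
    dst = str(subnets[device][1])
    reach = set()
    for name, subnet in subnets.items():
        if name == device:
            continue
        src = str(subnet[1])
        if any(evaluate(rules, src, dst, "tcp", port) == "allow" for port in ports):
            reach.add(name)
    return reach


if __name__ == "__main__":
    print("legacy 445 leaks  :", audit_no_cross_subnet_smb(LEGACY_RULES, SUBNETS))
    print("proposed 445 leaks:", audit_no_cross_subnet_smb(PROPOSED_RULES, SUBNETS))
    print("device ingress    :", audit_device_ingress(PROPOSED_RULES, SUBNETS))
```

The value of the audit is that it runs against the rule list, not against a diagram: when the EMR integration is rebuilt on an application port, the same two checks confirm that nobody quietly re-added a file-share exception to make it work.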

Type: Operations recovery status

Source: CMO Susan Williams + COO, 21:15 UTC

Source: CMO Amara Okonkwo + COO, 21:15 UTC

System                               | Status                  | Restored at
-------------------------------------|-------------------------|-----------------------
Domain controller (MHS-DC-01)        | Online                  | 17:45 UTC
EMR application server               | Online                  | 19:32 UTC
Lab information system               | Online                  | 20:15 UTC
Pharmacy dispensing system           | Online                  | 20:44 UTC
PACS archive (images accessible)     | Online                  | 21:00 UTC
PACS workstations (imaging stations) | Partial: 4 of 6 online  | 2 remaining overnight
Nursing workstations                 | 34 of 72 complete       | Overnight completion
Medical device workstations          | Awaiting vendor         | 48 hours minimum

Total downtime for core clinical systems: approximately 7 hours (14:23 – ~21:30 UTC)

Patient data reconstruction: Clinical staff have manually re-entered 847 of the roughly 940 morning entries estimated missing from the backup (lab results, nursing notes and medication administration records). No patient safety incidents have been attributed to the data gap. Paper records are preserved for all remaining entries.

Ambulance diversion lifted: 21:30 UTC (CMO authorization)

CMO note: Paper downtime procedures held. Recovery timeline met. No patient was harmed. Nursing staff maintained manual observation protocols for all 6 ventilator patients throughout the downtime period.

Analysis direction: Clinical operations are substantially restored within 7 hours of initial infection. The paper downtime procedures held, backup restoration worked, and no patients were harmed. The after-action focus should be on what narrowly prevented this from being worse.

Type: Executive communications brief Source: CISO + CFO, prepared for 22:00 UTC Board briefing

What happened: WannaCry B ransomware entered via NURS-WS-022, a Windows 7 workstation with internet-accessible SMBv1 and a 9-year-old unpatched vulnerability (MS17-010). The worm spread to 87 hosts across three network segments in 14 minutes. Killswitch registration stopped the spread, and backup restoration returned core clinical systems within 7 hours.

Three failures that caused this:

  1. MS17-010 patch approved in 2017, deployed to 12 of 112 applicable hosts – never completed
  2. No inbound firewall rule blocking TCP/445 from external IPs (gap existed since 2017)
  3. Medical device subnet connected to corporate network via unprotected SMB path (since 2019)

What prevented patient harm:

  • Paper downtime procedures maintained clinical operations for 7 hours
  • MHS-BAK-01 backup server survived (isolated 8 minutes post-detection)
  • Killswitch domain registered within 55 minutes of detection – stopped spread
  • ICU monitoring equipment operates independently of the corporate network

Costs:

Item                                       | Amount
-------------------------------------------|----------------------------------
Recovery (labor + hardware + consulting)   | ~$950,000
Revenue lost (7-hour ED/elective closure)  | ~$220,000
Insurance claim submitted                  | $3M policy, $250,000 deductible
HIPAA breach notification process          | TBD

Board approval requested:

  1. $85,000 medical device network isolation project (6 weeks)
  2. Dedicated patch management staff position ($95,000/year)
  3. Authorization to begin HIPAA/OCR breach notification process

Costs:

Item                                       | Amount
-------------------------------------------|----------------------------------
Recovery (labor + hardware + consulting)   | ~£780,000
Activity lost (7-hour A&E/elective closure)| ~£180,000
NHS Resolution claim submitted             | Covered under NHS indemnity
ICO/GDPR breach notification process       | TBD

Board approval requested:

  1. £70,000 medical device network isolation project (6 weeks)
  2. Dedicated patch management staff position (£75,000/year)
  3. Authorization to formally complete ICO data breach notification

Analysis direction: The board briefing is where accountability and investment decisions meet. The CISO should be prepared to answer: “Why was a 2017 patch still undeployed in 2026?” – the honest answer involves resourcing, risk acceptance, and the absence of a formal patch SLA.


IM Distribution Guide

Card                                               | Release round    | Hand to
---------------------------------------------------|------------------|--------------------------------
All Tier 1 cards (6 total)                         | Start of Round 1 | Alpha x2, Bravo x2, Charlie x2
Alpha Deep 1-2, Bravo Deep 1-2, Charlie Deep 1-2   | Start of Round 2 | Respective teams
Alpha Deep 3, Bravo Deep 3, Charlie Deep 3         | Start of Round 3 | Respective teams
All Development cards (6 total)                    | Start of Round 4 | Respective teams
Alpha Dev 2, Bravo Dev 2, Charlie Dev 2 (extended) | Start of Round 5 | Respective teams

IC note: The IC receives no artifacts directly. Teams brief the IC based on their findings. IC pressure comes from cross-team coordination, not IM-distributed materials.

Key coordination moment: Bravo Deep 1 (killswitch registration) is an immediate action that should surface in the IC briefing between Rounds 1 and 2 – it is fast and effective. If no team raises it, prompt the IC: “Bravo has a network finding with an immediate action component.”

Link to scenario card: WannaCry Hospital Emergency | Prep worksheet: Large Group Prep Worksheet



2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) are configured for the healthcare emergency with emphasis on:

  • Patient life safety timeline (every minute affects critical care decisions)
  • Medical device security (legacy Windows systems on life-critical equipment)
  • Emergency department operations (surge conditions at 150% capacity)
  • Healthcare regulatory compliance (HIPAA, FDA medical device requirements)

Scenario Overview:

Opening: Tuesday evening during flu season surge, emergency department packed, ICU at capacity, surgical teams working overtime. Computer screens across the hospital begin displaying ransom demands and critical patient care systems start failing. Medical staff cannot access patient records, lab results, or medication orders.

Initial Symptoms:

  • Patient record systems displaying ransom messages instead of medical data
  • Laboratory computers cannot send test results to clinical staff
  • Nursing stations losing access to medication administration records
  • New systems failing every few minutes across different hospital departments
  • Help desk overwhelmed with medical staff emergency calls about patient care impact

Organizational Context: 400-bed hospital managing flu season surge with emergency department at 150% capacity, facing system failures that directly threaten patient lives, balancing security response with life-saving operations.

NPCs:

  • Dr. Susan Williams (Chief Medical Officer): Managing critical patient surge, every minute of system downtime affects patient care decisions, must balance security response with life-saving operations
  • Thomas Anderson (IT Director): Watching systems fail in real-time across hospital network, trying to contain spread while maintaining life-critical medical devices and patient monitoring
  • Dr. Patricia Lee (Emergency Department Director): Has 35 patients waiting, cannot access patient records or lab results, demanding immediate system restoration for patient safety
  • Brian Martinez (Network Administrator): Discovering that hospital’s legacy Windows systems lack critical security patches, realizes scope of vulnerability while attack spreads

Investigation Timeline:

Round 1: Discovery of EternalBlue SMB exploitation, rapid lateral movement across hospital network, patient data encryption, systems failing faster than containment

Round 2: Confirmation of widespread network compromise, patient care operations impact, medical device network at risk, approaching life-critical systems

Round 3: Response decision balancing emergency segmentation vs comprehensive remediation, patient safety vs complete eradication, backup access vs maintaining redundancy

Response Options:

Type-effective: Network segmentation (+3), memory forensics (+3), emergency patch deployment (+2), kill switch discovery (+2)
Moderately effective: Backup restoration (+1), system isolation (+1), emergency downtime procedures (0)
Ineffective: Paying ransom (-2), signature detection (-1), waiting for spread to stop (-2)

Round-by-Round Facilitation:

Round 1: Malmon identification through worm behavior analysis, recognition of flu season timing exploitation, Dr. Lee reports patient care emergency requiring immediate access

Round 2: Network compromise scope confirmed, medical device network threat discovered, Dr. Williams faces patient safety decisions without system support, surgical team loses access during ongoing operation

Round 3: Critical decision: emergency segmentation accepting patient data loss vs complete restoration risking life-critical devices vs hybrid approach using paper backups during full remediation

Pacing & Timing:

If running long: Condense technical worm analysis, fast-forward patient care impact stories, summarize medical device security complexity
If running short: Expand ICU monitoring system subplot, add ambulance service coordination issues, include HIPAA breach notification complications
If stuck: Brian offers technical network analysis, Thomas provides medical device context, Patricia shares patient safety urgency

Debrief Points:

Technical: Worm propagation through SMB vulnerability, medical device legacy system challenges, network segmentation for healthcare, ransomware containment strategies
Collaboration: Patient safety vs security thoroughness, clinical-IT coordination, emergency downtime procedures, medical device regulatory constraints
Reflection: “How does patient care urgency create security vulnerabilities? How would you design healthcare security balancing life safety and system protection?”

Facilitator Quick Reference:

Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-1)

Common challenges:

  • Team ignores patient safety → “Dr. Lee reports ICU patient deteriorating, needs immediate access to medication history”
  • Team minimizes medical devices → “Thomas discovers medical device network is next in worm propagation path, includes life support systems”
  • Team underestimates healthcare timeline → “Patient safety cannot wait for complete remediation, emergency department operations require immediate decisions”

DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28

Customization Notes:

Easier: Reduce patient safety urgency, provide clear network segmentation, simplify medical device complexity, extend response timeline
Harder: Add ICU life support compromise, include FDA medical device reporting, expand to multi-hospital system infection, add HIPAA breach with PHI exposure
Industry adaptations: Critical infrastructure (power grid control), financial services (trading system), government services (emergency dispatch)
Experience level: Novice gets healthcare IT coaching, expert faces medical device regulatory compliance and multi-system dependencies

Cross-References:


Key Differentiators: Healthcare Emergency Context

Unique Elements of Hospital Scenario:

  1. Patient Life Safety: Healthcare operations directly affect human lives, creating the highest-stakes timeline, unlike commercial or administrative disruption
  2. Medical Device Security: Legacy Windows systems on FDA-regulated life-critical equipment cannot be easily patched, unlike commercial IT with its flexibility
  3. Emergency Operations: Surge conditions create maximum vulnerability during the period when system downtime is most dangerous, unlike planned maintenance windows
  4. Healthcare Culture: Clinical urgency overrides security considerations, creating exploitation opportunities, unlike corporate risk management
  5. Regulatory Framework: HIPAA, FDA medical device requirements and patient safety standards create a complex compliance environment, unlike single-industry regulations

Facilitation Focus:

  • Emphasize how patient safety pressure creates unique security vulnerabilities different from commercial or administrative pressures
  • Highlight healthcare security’s life-or-death challenge: Balancing system protection with immediate patient care needs
  • Explore how incident response decisions directly affect patient outcomes and life safety
  • Connect to real-world healthcare security culture and medical device regulatory challenges

End of Planning Document

This scenario explores patient life safety vulnerabilities in healthcare emergency operations context. The goal is demonstrating how clinical urgency creates exploitable security gaps and how incident response must prioritize patient safety while containing threats.