WannaCry Crisis Management Walkthrough

Session Overview

This walkthrough demonstrates a complete session using WannaCry with a business-focused group facing an operational crisis. It emphasizes rapid decision-making under extreme pressure with limited technical expertise.

Group Profile

  • Elena: Hospital Administrator, MBA → Crisis Manager
  • David: IT Help Desk Supervisor, 2 years experience → Detective
  • Sam: Network Technician, community college background → Protector
  • Taylor: Communications Director, healthcare PR → Communicator
  • Pat: Operations Manager, efficiency focused → Tracker

Organization Context

Regional Medical Center: 400-bed hospital serving rural communities with limited backup infrastructure and aging IT systems.


Pre-Session Setup

IM Preparation Considerations

  • Malmon: WannaCry (rapid spread, operational impact, clear business consequences)
  • Context: Healthcare setting where downtime = patient safety risk
  • Group: Limited technical depth but strong operational/business focus
  • Emphasis: Crisis management, stakeholder coordination, business continuity

IM Mental Note: This group will struggle with technical details but excel at operational coordination. Focus on decision-making under pressure.


Opening: Crisis Immersion

Emergency Context

IM: “It’s 7:30 AM on a Tuesday. You’re drinking coffee when the emergency pager goes off. Every computer screen in the hospital is showing the same message: ‘Your files have been encrypted. Pay $300 in Bitcoin to recover them.’ This is not a drill.”

IM Note: Immediate crisis immersion - no gradual buildup for WannaCry scenario.

Rapid Expertise Assessment

Three-Track Status Introduction

IM: “Before we begin crisis response, we’ll track your incident response across three dimensions:”

  • “🛡️ Network Security (100): Technical security of your systems”
  • “⚡ IR Effectiveness (100): How well you work together as a team”
  • “🏢 Business Operations (100): Operational continuity and stakeholder confidence”

“Each track starts at 100. Your decisions and discoveries will affect these scores throughout the crisis.”

IM: “Crisis response team activation. Quick introductions - name and why you’re essential during a hospital emergency.”

Elena: “Elena, Hospital Administrator. I make the big decisions and coordinate with Board, regulators, and media.”

David: “David, IT Help Desk Supervisor. I keep the computers working and help staff with technical problems.”

Sam: “Sam, Network Technician. I manage our internet, phones, and computer connections.”

Taylor: “Taylor, Communications Director. I handle media, patient family communication, and staff messaging.”

Pat: “Pat, Operations Manager. I keep patient flow moving and coordinate between departments.”

IM Note: Clear operational focus. Can assign roles that leverage business thinking over technical depth.

Emergency Role Assignment

IM: “Crisis roles based on your strengths:”

  • Elena → Crisis Manager: “Strategic decisions with Board and regulatory pressure”
  • David → Detective: “Figure out what happened and what’s affected”
  • Sam → Protector: “Keep critical systems running and safe”
  • Taylor → Communicator: “Manage all internal and external communication”
  • Pat → Tracker: “Monitor hospital operations and patient flow”

IM Note: Roles emphasize business coordination over technical expertise.

Crisis Scope

IM: “Patient census: 312 beds occupied, 23 in ICU, 8 in surgery. It’s Tuesday morning - busy time. Every workstation showing ransomware message. Phone system still works.”

Initial Track Status Update

IM: “Current three-track status after initial impact:”

  • “🛡️ Network Security: 15 (-85 for complete system encryption and data inaccessibility)”
  • “⚡ IR Effectiveness: 100 (crisis team responding immediately and coordinating well)”
  • “🏢 Business Operations: 40 (-60 for massive operational disruption but critical systems still functioning)”

“What’s your immediate response?”

IM Note: WannaCry starts with massive immediate impact - no discovery phase needed.


Round 1: Emergency Response

Immediate Crisis Assessment

IM: “This is not a gradual incident. Every computer workstation is locked. Medical equipment on separate networks still functions, but electronic medical records are inaccessible. Patient monitors work, but staff can’t access medication orders, lab results, or discharge information.”

IM Note: WannaCry’s rapid spread creates immediate operational crisis.

Crisis Actions Under Pressure

Elena (Crisis Manager) - Action 1

Elena: “This is a patient safety emergency. I need to immediately activate our downtime procedures and notify hospital leadership, including our Chief Medical Officer and Board Chair.”

IM: “Executive crisis response. Roll d20 for leadership coordination.”
Elena rolls 12 (+1 for management experience)

IM: “You successfully activate downtime procedures. Paper charts are being distributed, but clinical staff are struggling with the transition. The CMO wants to know if we should divert ambulances. Board Chair is asking about patient safety and liability exposure.”

IM Note: Elena immediately focuses on patient safety and leadership coordination - perfect Crisis Manager thinking.

Elena (Crisis Manager) - Action 2

Elena: “Patient safety is paramount. I need to make the diversion decision based on our current capabilities. Can we safely treat emergency patients with paper systems and limited computer access?”

IM: “Critical operational decision. Roll for patient safety assessment.”
Elena rolls 16 (+1 for healthcare administration experience)

IM: “Excellent crisis leadership! You determine that emergency and ICU patients can be safely managed with paper systems and functioning medical equipment. You authorize continuing emergency admissions but diverting non-urgent procedures. This prevents cascade failures at other hospitals.”

IM Note: Elena balancing patient safety with system capacity - exactly what Crisis Manager should do.

David (Detective) - Action 1

David: “I need to figure out how bad this is and what systems are actually affected. Are our medical devices on the same network as the computers? What about our backup systems?”

IM: “Technical assessment under pressure. Roll d20 for system impact analysis.”
David rolls 10 (+1 for IT support experience)

IM: “You determine that medical devices on separate networks are functioning normally - ventilators, monitors, and imaging equipment work. However, all Windows computers are encrypted, including pharmacy systems, lab reporting, and billing. Backup systems are also encrypted.”

IM Note: David’s IT support background helps him think systematically about what’s affected.

David (Detective) - Action 2

David: “If backups are encrypted too, this spread through our network. I want to figure out how this started and whether it’s still spreading to help Sam stop it.”

IM: “Incident investigation under crisis pressure. Roll for attack vector analysis.”
David rolls 14 (+1 for systematic thinking)

IM: “Good detective work! You discover this started when someone in accounting opened an email attachment this morning. The malware spread through shared network drives and infected every connected Windows computer within 2 hours. It’s not actively spreading now - the damage is done.”

Technical Analysis: MITRE ATT&CK Mapping

IM Note: With the attack vector identified, this is an excellent moment to introduce the ATT&CK framework to help the team understand the full scope of WannaCry’s capabilities.

🎯 MITRE ATT&CK Technique Analysis

T1486 - Data Encrypted for Impact
  • Tactic: Impact
  • Description: Encrypts files and demands ransom payment for decryption
  • Mitigation: Backup systems, file monitoring, user training
  • Detection: File modification monitoring, encryption behavior, ransom notes

T1566.001 - Spearphishing Attachment
  • Tactic: Initial Access
  • Description: Initial infection vector through malicious email attachments
  • Mitigation: Email security, user training, attachment scanning
  • Detection: Email analysis, attachment behavior monitoring

T1210 - Exploitation of Remote Services
  • Tactic: Lateral Movement
  • Description: Uses EternalBlue exploit to spread via SMB vulnerabilities
  • Mitigation: Patch management, network segmentation, SMB hardening
  • Detection: Network monitoring, exploit detection, vulnerability scanning

IM Facilitation Notes:
  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies
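The T1486 detection row above ("file modification monitoring, encryption behavior, ransom notes") as working detection logic, added here as an example for IMs who want to show the group what "monitoring" actually means; it is not part of the original walkthrough or of any real product. The log format, the 20-renames-in-60-seconds threshold, the host and process names, the ".locked" extension and the ransom-note file names are all constructed assumptions.

```python
"""Heuristic detector for ATT&CK T1486 (Data Encrypted for Impact):
flag a host that renames many files to one new extension within a short
window, and a host that drops a ransom-note file. Added example; the log
format, thresholds and indicator values below are constructed."""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per host (constructed threshold)
RENAME_THRESHOLD = 20            # renames to one new extension inside WINDOW
# Constructed note names; a real deployment would source these from threat intel.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.txt"}


def parse_event(line):
    """Parse 'ISO-TIME key=value key=value ...' into a dict (None if unparseable)."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def new_extension(event):
    """Extension a renamed file ends up with (lower-case, no dot), else None."""
    if event.get("action") != "rename" or "new" not in event:
        return None
    ext = os.path.splitext(event["new"])[1].lower().lstrip(".")
    return ext or None


def detect(lines):
    """Return alert dicts for mass-rename bursts and ransom-note drops, in log order."""
    alerts = []
    windows = defaultdict(deque)   # (host, ext) -> timestamps of renames to ext
    already_alerted = set()        # one mass_rename alert per (host, ext)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host = ev.get("host", "?")
        # Signal 1: a file matching a known ransom-note name is created or written.
        path = ev.get("new") or ev.get("path", "")
        if ev.get("action") in ("create", "write") and \
                os.path.basename(path).lower() in RANSOM_NOTE_NAMES:
            alerts.append({"host": host, "time": ev["time"],
                           "rule": "ransom_note", "detail": path})
        # Signal 2: many files renamed to the same new extension inside WINDOW.
        ext = new_extension(ev)
        if ext is None:
            continue
        q = windows[(host, ext)]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and (host, ext) not in already_alerted:
            already_alerted.add((host, ext))
            alerts.append({"host": host, "time": ev["time"], "rule": "mass_rename",
                           "detail": f"{len(q)} files -> .{ext} in {WINDOW.seconds}s"})
    return alerts


def constructed_events():
    """Fabricated log: normal office file activity, then an encryption burst on one host."""
    t0 = datetime(2017, 5, 12, 7, 10, 0)   # constructed timestamp
    lines = [
        f"{t0.isoformat()} host=ACCT-PC07 proc=excel.exe action=write path=C:/Users/acct1/budget.xlsx",
        f"{(t0 + timedelta(minutes=2)).isoformat()} host=ED-PC01 proc=winword.exe action=create path=C:/Users/ed1/notes.docx",
        f"{(t0 + timedelta(minutes=3)).isoformat()} host=ED-PC01 proc=winword.exe action=rename path=C:/Users/ed1/notes.docx new=C:/Users/ed1/notes-final.docx",
    ]
    burst = t0 + timedelta(minutes=20)
    for i in range(30):   # 30 renames in 30 s: clearly inside the 60 s window
        ts = (burst + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} host=ACCT-PC07 proc=updsvc.exe action=rename "
                     f"path=C:/Share/Finance/doc{i}.xlsx new=C:/Share/Finance/doc{i}.xlsx.locked")
    lines.append(f"{(burst + timedelta(seconds=31)).isoformat()} host=ACCT-PC07 "
                 f"proc=updsvc.exe action=create path=C:/Share/Finance/README_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert["time"], alert["host"], alert["rule"], alert["detail"])
```

The single legitimate rename on ED-PC01 never reaches the threshold, while ACCT-PC07 trips the mass-rename rule at the 20th rename and the ransom-note rule when the note file appears.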

IM Note: David providing Sam with information needed for containment decisions.

Sam (Protector) - Action 1

Sam: “If it’s not actively spreading, my priority is protecting what still works and seeing if we can safely bring any systems back online. I want to isolate critical systems and see what we can recover.”

IM: “System protection and recovery. Roll d20 for network isolation.”
Sam rolls 13 (+1 for network experience)

IM: “You successfully isolate the medical device networks and confirm they’re safe. You also discover 3 computers in the emergency department that were offline during the attack and are still clean. However, attempting to reconnect any infected systems immediately re-spreads the ransomware.”

IM Note: Sam’s network background helps with containment, but WannaCry’s aggressive spreading creates realistic constraints.

Sam (Protector) - Action 2

Sam: “Those 3 clean computers in ED are critical. I want to set up a completely isolated network segment for essential functions - patient lookup, medication orders, and lab results - using those clean systems.”

IM: “Emergency network engineering. Roll for isolated system setup.”
Sam rolls 15 (+1 for practical approach)

IM: “Excellent technical thinking! You create an isolated network segment with the 3 clean computers, allowing limited access to essential patient data stored on unaffected servers. This gives clinical staff basic computer access for critical functions.”

IM Note: Sam thinking like a network technician - practical solutions under pressure.

Pat (Tracker) - Action 1

Pat: “I need to understand how this ransomware is affecting actual patient care operations. Which departments are most impacted? Where are we creating bottlenecks or safety risks?”

IM: “Operational impact assessment. Roll d20 for patient flow analysis.”
Pat rolls 12 (+1 for operations focus)

IM: “You identify critical bottlenecks: Pharmacy can’t access medication orders, Lab can’t report results electronically, and Discharge planning is completely manual. ICU is managing with monitors and paper charts, but medication administration is slower and more error-prone.”

IM Note: Pat focusing on operational impact rather than technical details - perfect Tracker thinking.

Pat (Tracker) - Action 2

Pat: “Pharmacy and lab bottlenecks are patient safety risks. I want to coordinate with these departments to establish emergency workflows using Sam’s isolated systems for critical functions.”

IM: “Operational coordination under crisis. Roll for workflow optimization.”
Pat rolls 17 (+1 for operations expertise)

IM: “Outstanding operational management! You coordinate with Pharmacy and Lab to prioritize critical orders through Sam’s isolated systems. You establish triage protocols: ICU and surgery orders get immediate computer access, other units use paper with 4-hour electronic review cycles.”

IM Note: Pat creating practical operational solutions that integrate with Sam’s technical work.

Taylor (Communicator) - Action 1

Taylor: “This is a major PR crisis waiting to happen. I need to get ahead of the story. First priority is internal communication - staff need to know what’s happening and that we can still provide safe patient care.”

IM: “Crisis communication strategy. Roll d20 for staff communication.”
Taylor rolls 14 (+1 for communication experience)

IM: “You successfully communicate to all staff via phone and PA system. Message: ‘Computer systems experiencing technical difficulties. Patient care continues safely using backup procedures. Follow department downtime protocols. Do not discuss with media or families without clearance.’”

IM Note: Taylor immediately thinking about communication strategy and message control.

Taylor (Communicator) - Action 2

Taylor: “Staff communication handled. Now I need to prepare for external pressure - media will find out, patient families will ask questions, and regulators might get involved. I want to draft holding statements and coordinate with Elena on disclosure timing.”

IM: “External stakeholder management. Roll for crisis communication planning.”
Taylor rolls 11 (+1 for PR experience)

IM: “You prepare holding statements emphasizing patient safety and business continuity. However, a local TV station calls asking about ‘computer problems affecting patient care.’ You need to coordinate with Elena on how much to disclose and when.”

IM Note: Taylor facing realistic external pressure that requires coordination with Crisis Manager.

Round 1 Crisis Synthesis and Track Status Update

IM: “After your initial crisis response, let’s update all three tracks:”

  • “🛡️ Network Security: 25 (+10 for protecting critical systems and establishing isolated network access)”
  • “⚡ IR Effectiveness: 115 (+15 for exceptional role coordination and systematic crisis response)”
  • “🏢 Business Operations: 55 (+15 for maintaining patient safety and coordinated communication)”

“You’ve stabilized the immediate crisis but are operating in emergency mode. Let’s assess status:”

Status Reports:

  • Elena: “Downtime procedures activated, emergency admissions continuing, leadership informed and supporting decisions”
  • David: “Attack vector identified - email attachment in accounting. Spread complete, no longer active”
  • Sam: “Critical systems isolated and protected. Emergency computer access restored for ICU, pharmacy, and lab priority orders”
  • Pat: “Patient flow optimized around technical constraints. Critical care maintaining safety standards with modified workflows”
  • Taylor: “Staff communication complete, external pressure building, need coordination on public disclosure”

IM: “You’ve prevented patient safety disasters, but you’re running on emergency procedures. What’s your strategy for the next phase?”

IM Note: Group has managed initial crisis well through coordination rather than technical solutions.


Round 2: Sustained Operations

Sustained Crisis Management

IM: “4 hours into the crisis. Emergency procedures are working, but staff fatigue is increasing. Paper charting is causing delays. The FBI cybercrime unit has arrived. Media is gathering outside.”

Round 2 Track Status Update

IM: “Current three-track status after 4 hours of sustained crisis operations:”

  • “🛡️ Network Security: 25 (stable - threat contained but systems still encrypted)”
  • “⚡ IR Effectiveness: 110 (-5 for staff fatigue but maintaining coordination)”
  • “🏢 Business Operations: 50 (-5 for increasing operational strain and external pressure)”

“How do you sustain operations while managing these growing pressures?”

IM Note: WannaCry scenarios focus on sustained operations under degraded conditions.

Extended Crisis Response

Elena (Crisis Manager) - Action 1

Elena: “FBI arrival and media presence mean this is now a federal investigation and public crisis. I need to coordinate with law enforcement while maintaining operational focus and preparing for public scrutiny.”

IM: “Multi-stakeholder crisis management. Roll d20 for federal coordination.”
Elena rolls 15 (+1 for senior management experience)

IM: “Excellent crisis leadership! You establish clear coordination with FBI - they investigate the attack while you focus on patient care continuity. You also coordinate with hospital legal counsel on disclosure requirements and media strategy.”

IM Note: Elena managing complex stakeholder coordination under pressure.

Elena (Crisis Manager) - Action 2

Elena: “I need to make the big decision about paying the ransom. $300 per computer x 200 computers = $60,000. FBI says don’t pay, but how long can we operate like this without compromising patient safety?”

IM: “Critical strategic decision. Roll for ransom decision analysis.”
Elena rolls 13 (+1 for weighing complex factors)

IM: “You analyze the decision systematically: FBI advises against payment with no guarantee of file recovery. IT estimates 3-5 days to rebuild systems from clean backups if available. Current operations are sustainable for 48-72 hours before patient safety risks increase significantly.”

IM Note: Elena facing the classic WannaCry decision - realistic pressure with no perfect answer.

David (Detective) - Action 1

David: “Elena needs data for the ransom decision. I want to work with the FBI to understand our recovery options. Do we have clean backups? How long would full system restoration take?”

IM: “Recovery planning under investigation pressure. Roll d20 for backup assessment.”
David rolls 11 (+1 for IT systems knowledge)

IM: “You discover mixed backup status: Patient data is backed up daily to an offline system (safe), but application servers and user files have inconsistent backups. Full restoration would require 5-7 days minimum, plus extensive testing before returning to normal operations.”

IM Note: David providing Elena with realistic recovery timeline for decision-making.

David (Detective) - Action 2

David: “7 days is too long for patient safety. I want to explore rapid recovery options - can we restore essential systems first? What would it take to get pharmacy, lab, and nursing stations functional in 48 hours?”

IM: “Accelerated recovery planning. Roll for priority system restoration.”
David rolls 16 (+1 for practical IT approach)

IM: “Good prioritization! You develop a 48-hour restoration plan focusing on pharmacy systems, lab reporting, and nursing station access to patient records. This would restore 70% of normal computer functionality while maintaining safety standards.”

IM Note: David’s practical approach provides Elena with a viable alternative to ransom payment.

Sam (Protector) - Action 1

Sam: “I want to expand our isolated network to support David’s 48-hour restoration plan. Can we safely add more clean computers and restored servers without risking reinfection?”

IM: “Network expansion under quarantine conditions. Roll d20 for safe network extension.”
Sam rolls 14 (+1 for network planning)

IM: “You design a secure network expansion plan using additional isolated computers and restored servers. The plan requires careful coordination but could support essential functions within 48 hours while maintaining security isolation.”

IM Note: Sam building infrastructure to support David’s recovery plan.

Sam (Protector) - Action 2

Sam: “I want to implement additional security measures for the restoration - better network monitoring, endpoint protection, and user access controls to prevent this from happening again.”

IM: “Enhanced security implementation. Roll for protective measures.”
Sam rolls 12 (+1 for security thinking)

IM: “You implement enhanced security for the restoration phase. However, these measures will slow down the recovery process and require additional staff training. Security vs. speed trade-off that Elena needs to decide.”

IM Note: Sam thinking about long-term protection but creating operational decisions for Elena.

Pat (Tracker) - Action 1

Pat: “Staff are getting exhausted with paper procedures. I need to assess how long we can maintain current operations safely and what support staff need to sustain performance.”

IM: “Operational sustainability assessment. Roll d20 for staff capacity analysis.”
Pat rolls 13 (+1 for operations management)

IM: “You identify growing operational stress: Medication errors increasing slightly due to manual processes, discharge times 40% longer, staff overtime approaching burnout levels. Current operations sustainable for 48-72 hours before significant performance degradation.”

IM Note: Pat providing crucial operational intelligence for Elena’s decision-making.

Pat (Tracker) - Action 2

Pat: “I want to optimize our current operations to buy time for David’s restoration plan. Can we streamline workflows, bring in additional staff, or reorganize departments to maintain safety for 48 hours?”

IM: “Operational optimization under crisis. Roll for workflow enhancement.”
Pat rolls 17 (+1 for operational expertise)

IM: “Excellent operational management! You reorganize workflows to reduce paper processing bottlenecks, coordinate with HR to bring in off-duty staff, and establish quality checkpoints to maintain safety standards. This extends safe operations to 72 hours.”

IM Note: Pat’s operational excellence buys time for technical recovery.

Taylor (Communicator) - Action 1

Taylor: “Media pressure is intensifying and patient families are asking questions. I need to coordinate with Elena on public disclosure. Do we acknowledge the ransomware attack publicly or minimize the technical details?”

IM: “Public disclosure strategy. Roll d20 for crisis communication planning.”
Taylor rolls 12 (+1 for PR strategy)

IM: “You develop a balanced disclosure strategy: Acknowledge ‘computer system difficulties requiring emergency procedures’ without specifically mentioning ransomware. Emphasize patient safety measures and business continuity, but this partial disclosure may backfire if details leak.”

IM Note: Taylor facing realistic communication dilemma with no perfect answer.

Taylor (Communicator) - Action 2

Taylor: “I want to get ahead of potential leaks by preparing transparent communication that emphasizes our effective crisis response and patient safety measures. If details come out anyway, we want to control the narrative.”

IM: “Proactive narrative management. Roll for transparent communication strategy.”
Taylor rolls 15 (+1 for strategic communication)

IM: “Excellent communication strategy! You prepare transparent messages emphasizing effective crisis response, patient safety maintenance, and cooperation with law enforcement. When a staff member leaks ransomware details, your prepared narrative frames the hospital as competent and responsible.”

IM Note: Taylor’s proactive approach turns potential crisis into reputation management success.

Round 2 Synthesis and Track Status Update

IM: “After sustained crisis management, let’s update all three tracks:”

  • “🛡️ Network Security: 35 (+10 for recovery planning and enhanced security measures)”
  • “⚡ IR Effectiveness: 120 (+10 for exceptional federal coordination and cross-role collaboration)”
  • “🏢 Business Operations: 70 (+20 for proactive communication success and operational optimization)”

“You’ve sustained operations through the acute crisis phase. Status update:”

Coordination Results:

  • Elena: “Federal coordination established, ransom decision pending David’s 48-hour recovery plan, legal and board support secured”
  • David: “Recovery plan developed - 48 hours to restore 70% functionality, working with Sam on secure implementation”
  • Sam: “Secure network expansion planned, enhanced security measures ready, coordinating with David’s timeline”
  • Pat: “Operations optimized for 72-hour sustainability, staff support measures implemented, quality controls maintained”
  • Taylor: “Proactive communication strategy successful, media narrative controlled, stakeholder confidence maintained”

IM: “You’ve demonstrated exceptional crisis coordination. You can sustain current operations while implementing recovery. Final phase: ensuring long-term resilience.”

IM Note: Group excelled at business coordination and crisis management despite limited technical expertise.


Round 3: Recovery and Resilience

Long-term Recovery Planning

IM: “24 hours post-attack. David’s recovery plan is proceeding successfully. Media coverage has been largely positive, praising your crisis response. FBI investigation continues.”

Round 3 Track Status Update

IM: “Current three-track status 24 hours post-attack:”

  • “🛡️ Network Security: 45 (+10 for successful recovery progress and system restoration)”
  • “⚡ IR Effectiveness: 125 (+5 for continued excellent coordination and collaborative planning)”
  • “🏢 Business Operations: 80 (+10 for positive media coverage and stakeholder confidence)”

“How do you ensure this never happens again and build long-term resilience?”

Organizational Resilience Building

Elena (Crisis Manager) - Final Actions

Elena: “I want to coordinate with the Board to invest in cybersecurity infrastructure and staff training. This crisis showed we can manage emergencies well, but we need to prevent them from happening.”

IM: “Strategic organizational investment. Roll d20 for board coordination.”
Elena rolls 14 (+1 for demonstrated crisis leadership)

IM: “Your effective crisis leadership gives you credibility with the Board. They approve significant cybersecurity investment including staff training, backup system improvements, and dedicated IT security position. Your crisis management success becomes the foundation for organizational improvement.”

David & Sam (Joint Action)

David & Sam: “We want to work together on implementing comprehensive cybersecurity measures - user education, system hardening, backup procedures, and incident response protocols.”

IM: “Collaborative technical improvement. Roll d20 for comprehensive security implementation.”
Combined roll: 16 (+1 for collaboration)

IM: “Excellent technical collaboration! You implement user training programs, network segmentation, automated backup systems, and incident response procedures. Your experience during the crisis helps design realistic and effective security measures.”

Pat & Taylor (Joint Action)

Pat & Taylor: “We want to develop crisis communication and operational continuity plans that integrate business operations with cybersecurity incident response.”

IM: “Integrated operational planning. Roll d20 for business continuity enhancement.”
Combined roll: 15 (+1 for crisis experience)

IM: “Outstanding business integration! You create operational procedures that seamlessly integrate cybersecurity incident response with patient care continuity, staff communication, and stakeholder management. Future incidents will be managed even more effectively.”

Final Three-Track Assessment

IM: “Here’s your final incident response assessment across all three tracks:”

  • “🛡️ Network Security: 95 (+20 for comprehensive security improvements and enhanced infrastructure)”
  • “⚡ IR Effectiveness: 130 (+5 for organizational learning and integrated planning capabilities)”
  • “🏢 Business Operations: 105 (+25 for strengthened stakeholder relationships and improved procedures)”

“Notice how all three tracks ended higher than they started - crisis response transformed into organizational strength! Final status:”

Final Outcomes:

  • Crisis Management: Maintained patient safety throughout crisis
  • Stakeholder Coordination: Federal, media, and board relationships strengthened
  • Technical Recovery: Systems restored with enhanced security
  • Operational Resilience: Improved procedures for future incidents
  • Organizational Learning: Crisis experience drives systematic improvement

IM: “You transformed a potential disaster into organizational strength through exceptional coordination and crisis management.”


Debrief: Business Crisis Management

Key Learning Insights

Group Reflections:

  • Elena: “Crisis management requires balancing multiple stakeholder needs while maintaining focus on core mission”
  • David: “Technical recovery is important, but business continuity decisions drive everything”
  • Sam: “Security measures have to work for real people under real pressure”
  • Pat: “Operations people are crucial for translating technical problems into business impact”
  • Taylor: “Proactive communication turns crisis management into reputation building”

Real-World Applications

  • Incident response must integrate technical and business considerations
  • Crisis communication is as important as technical remediation
  • Operational sustainability determines response strategy options
  • Stakeholder coordination requires clear roles and communication
  • Organizational learning from incidents drives resilience improvement

IM Note: This group excelled at business coordination and demonstrated that effective incident response depends more on coordination and decision-making than on technical expertise.

IM Commentary: Managing Business-Focused Groups

Successful Adaptations

Emphasizing Coordination Over Technical Depth

  • Focused on decision-making and stakeholder management
  • Used technical constraints as business problems to solve
  • Emphasized operational impact over technical details

Realistic Business Pressure

  • Patient safety created authentic urgency
  • Regulatory and media pressure added realistic complexity
  • Financial and operational decisions drove action priorities

Leveraging Business Expertise

  • Each participant contributed professional expertise naturally
  • Business thinking translated well to incident response coordination
  • Group excelled at integrated problem-solving

Key Success Factors

  • Clear stakes: Patient safety and organizational reputation
  • Business relevance: Decisions familiar from professional experience
  • Coordination emphasis: Technical solutions required business integration
  • Authentic pressure: Realistic time constraints and stakeholder demands

This walkthrough demonstrates how incident response training can be effective for business-focused groups by emphasizing coordination, decision-making, and stakeholder management rather than technical expertise.