MicroSim 31 — Incident Response War Room

Real-time IR coordination simulation • Meridian Healthcare Systems

Detection
Containment
Eradication
Recovery
Lessons
Scenario Configuration
Meridian Healthcare Systems
Scenario Preview
P1 — CRITICAL

BlackCat Ransomware — Hospital Network

At 02:47 UTC, the SOC received multiple alerts from EDR agents across the Meridian Healthcare Systems network. Encrypted file extensions (.mhslock) detected on radiology workstations. Active Directory authentication anomalies suggest lateral movement from a compromised VPN endpoint (198.51.100.23). Patient records system (EHR) at risk. DICOM imaging servers showing signs of encryption activity.

Initial Indicators
IOC-001: Suspicious PowerShell execution — 198.51.100.23
IOC-002: .mhslock file extension — radiology-ws-04.meridian.example.com
IOC-003: Cobalt Strike beacon — C2: 203.0.113.47:443
IOC-004: AD enumeration — BloodHound queries from SVC-BACKUP account
IOC-005: Volume shadow copy deletion — vssadmin.exe
Pre-Built Scenarios
BlackCat Ransomware — Hospital Network
Encryption spreading through DICOM servers, EHR at risk. Ransom note demands 50 BTC.
PHI Data Exfiltration — Patient Records
2.3M patient records exfiltrated via compromised API endpoint. HIPAA notification required.
Volumetric DDoS — Patient Portal
340 Gbps attack flooding patient portal. Telehealth appointments disrupted during peak hours.
Insider Data Theft — Departing Employee
Senior DBA exfiltrating IP and patient data via personal cloud storage. Notice period ends in 72 hours.
Incident Team Roles
Incident Commander: Dr. Sarah Chen, CISO
Communications Lead: Marcus Webb, VP Comms
Technical Lead: Raj Patel, SOC Manager
Executive Sponsor: James Morrison, CEO
Incident Status
Incident ID: INC-2026-0347
Severity: P1
Attack Type: Ransomware
Phase: Detection
Affected Systems: 12 endpoints
Incident Timeline
Decision Point 1 / 5
Decisions affect your outcome score.

Start a scenario from the Incident Briefing tab to begin making decisions.

Communications Templates

Auto-populated from incident details. Click "Copy" to use in your response plan.

Internal Stakeholder Update
Customer / Patient Notification
Press Statement
Regulatory Filing (GDPR 72hr / HIPAA)
Law Enforcement Report
Start a scenario to generate communications templates.

Complete scenario decisions to generate an after-action report.

Incident Response War Room

Step into the role of Incident Commander at Meridian Healthcare Systems. Coordinate your team through a live security incident — make real-time decisions, manage communications, and drive the response to resolution.

1-5 Switch tabs
S Start scenario
P Pause/resume timer
R Reset simulation