Back to Quest Board
🔴

The Crypt of Encrypted Shadows

Ransomware Attack on Core Banking Infrastructure
P1 — Critical

A devastating ransomware attack strikes the heart of your banking fortress. Encrypted shadows spread across your domain as a dark sorcerer demands tribute in cursed coin. Your realm's most guarded secrets — the portfolios of ultra-high-net-worth patrons — hang in the balance.

60 minutes
DC 15
4 Injects
4–12 Players

Compliance Frameworks

NIST CSF RS.RP ISO 27001 A.16 GDPR Art.33-34 PRA SS1/21 FCA SYSC 13.7

🛡️ Roles & Party Members

War Chief Required
Incident Commander

Leads the response team, makes containment and escalation decisions

Arcane Engineer Required
IT Operations Lead

Provides technical context, assesses system impact, proposes containment actions

Shadow Watcher Required
SOC Analyst

Interprets alerts, provides forensic indicators, monitors detection tooling

Keeper of the Codex Required
Compliance / DPO

Assesses regulatory notification obligations, advises on breach classification

Loremaster Optional
Legal Counsel

Advises on legal exposure, privilege, law enforcement engagement

Herald of the Realm Optional
Client Relations

Manages client communication strategy, assesses reputational impact

High Council Elder Optional
Senior Management

Provides executive-level decision authority, approves external communications

Town Crier Optional
Communications Lead

Drafts holding statements, manages media and social media response

⚡ Inject Timeline

1
Initial Detection — The First Tremor
T+0 Minutes

It is 07:42 UTC on a Tuesday morning. The Security Operations Centre (SOC) receives a Priority 1 alert from the Endpoint Detection and Response (EDR) platform. Multiple workstations on the Private Cli...

6 Discussion Prompts 1 Dice Events 4 Possible Complications
2
Escalation and Scope Expansion — The Shadow Deepens
T+15 Minutes

The SOC has completed initial triage. The attack vector has been identified as a phishing email received by a senior relationship manager at 07:12 UTC. The email contained a macro-enabled Excel attach...

7 Discussion Prompts 1 Dice Events 4 Possible Complications
3
Client and Media Pressure — The Siege Tightens
T+30 Minutes

A financial journalist from a national broadsheet has contacted the Communications team, stating they have received a tip-off about a cyber attack at the bank. They are requesting comment before a 14:...

6 Discussion Prompts 1 Dice Events 4 Possible Complications
4
Recovery Decisions — The Path to Restoration
T+45 Minutes

The containment team has successfully isolated all affected endpoints and halted lateral movement. The threat actor's C2 channel has been blocked at the perimeter firewall and DNS sinkhole. However, ...

6 Discussion Prompts 1 Dice Events 4 Possible Complications

📋 Debrief Questions

Post-Battle Assessment
  1. Was the ransomware detected and contained effectively?
  2. Were regulatory notification obligations understood and met?
  3. Was the ransom payment decision handled appropriately?
  4. Were client communications timely and effective?
  5. Were backup and recovery procedures adequate?
  6. What improvements should be made to prevent recurrence?