
Block the breach: a ransomware game

In this game, navigate a ransomware crisis and save your company from data theft and ruin.

Block the Breach

IT BREW ransomware attack simulator

v1.4

Every decision counts.
Every choice has consequences.

Navigate four critical nodes of this cyber crisis and see if you have what it takes to survive a modern ransomware attack.

Pixel-art gif of an old desktop computer with a lock icon on its screen, flames rising from behind it, set against a dotted background.

08:42 AM in the security operations center (SOC).

The hum of server fans. The smell of ozone. And soon, the taste of panic.

You are the new CISO of a major software company. You haven’t even finished your first coffee when the SOC’s silence is shattered. It starts with one ticket from an employee locked out of the system. Then ten.

Then the main dashboard bleeds red. Login failures are cascading across the network.

Your sysadmin points to a text:

Pixel-art illustration of cascading red and white file folders with a warning triangle, depicting a system being overwhelmed by ransomware.

We have encrypted your systems. Pay $20M in Bitcoin or we will leak your data.

Your pulse spikes. Ransomware attacks on organizations have become endemic in recent years. You are now a statistic.

Take control of the crisis


The Breach

You are not alone in this situation; ransomware is a common attack against organizations.

Pixel-art illustration of a grid of six computer monitors, each displaying a red warning triangle, against a dotted background.

// According to Paul Caiazzo, chief threat officer at Quorum Cyber, ransomware is “the most salient, pressing threat” organizations face today. And Rishika Desai, a threat researcher and technical writer at BforeAI, says it affects “everybody, left, right, and center,” regardless of size.

What should you do first?

SELECT YOUR RESPONSE

[A]Pull the plug (sever external connections)// Stop the sync and prevent the malware from "phoning home" or corrupting cloud backups.
[B]Pay the ransom (self-funded)// We don't have cyber insurance, but we can't afford the downtime. Authorize the $20 million payment from company reserves — and hope they give you a holiday discount.
[C]Pay the ransom (file a claim)// We have a comprehensive cyber insurance policy. Call the broker immediately and let them handle the payment.
[D]Ignore and reboot servers// Panic restart. Maybe it's just a glitch!
+25 POINTS

This is a good strategic move. Early detection and isolation are critical to stopping a bad actor from moving from their initial foothold to more important systems.

// Google recently announced AI-powered traps specifically designed to catch rapid file changes and “stop the sync” immediately.

Continue to next node

+0 POINTS

This is a risky precedent to set. While it might be cheaper than ceasing operations, you are fueling the cybercrime industry.

// “From a research perspective, and from people who don’t want these crimes to continue, we know that paying them helps them continue the work,” said Alex Rose, the global head of government partnerships and the counter threat unit team at Sophos. “That’s why they’re in the business of what they’re in, they want to make money. Some people would say [it] incentivizes them to continue their work and so on.”

Continue to next node

+15 POINTS

This is the standard playbook for the insured. Providers typically have response teams on contract.

// The goal is to get the organization out of the ransom situation as soon as possible, said Mike Hamilton, former field CISO for cybersecurity solution provider Lumifi and current chief technology officer for PISCES International.

Continue to next node

+0 POINTS

A critical misstep. You aren’t dealing with amateurs; you are facing down professionals.

// “This isn’t just a slapdash set up; this is big money and big organization and a lot of people, and as they get better at running their nefarious business, it means a faster impact on the side of our customers,” said Chris Hendricks, head of incident response at Coalition.

Continue to next node


Investigation & lateral movement

The initial attack is contained, but the clock is ticking. The Board is demanding a timeline for restoration. However, your team doesn't know how the attackers got in.

Pixel-art illustration of a purple cat stalking a group of small pink mice scattered across a dotted background

// Mike Puglia, general manager of cybersecurity labs at Kaseya, describes this dynamic as “Whac-a-Mole, or a game of cat and mouse, between defenders and attackers, and as soon as one hole is closed, suddenly the next wave comes.”

How do you prioritize your recovery strategy?

SELECT YOUR RESPONSE

[A]Strict forensic quarantine (wait for "patient zero")// Keep critical systems offline. Dedicate all resources to finding the exact entry point before turning anything back on.
[B]Segmented recovery (monitoring & EDR)// Assume the breach is still active. Bring critical services online with heavy monitoring solutions (endpoint detection and response) to flag post-intrusion activity.
[C]Restore from backups and keep going// Speed is the priority here. Wipe the servers and restore from the last backup immediately to get back to business.

+15 POINTS

A cautious approach. It is vital to understand the attack, but when communication halts, chaos increases. You must ensure roles are defined.

// “We always talk to organizations about having an incident response plan, but also exercising that plan,” Alex Rose, global head of government partnerships and CTU from Sophos, said. “I think it’s really important that people know their roles and responsibilities and that you communicate. Because…[when] you don’t communicate, people fill that vacuum with whatever they’re thinking and try to do that both internally and externally.”

Continue to next node

+25 POINTS

This is a risky precedent to set. While it might be cheaper than ceasing operations, you are fueling the cybercrime industry.

// “From a research perspective, and from people who don’t want these crimes to continue, we know that paying them helps them continue the work,” said Alex Rose, the global head of government partnerships and the counter threat unit team at Sophos. “That’s why they’re in the business of what they’re in, they want to make money. Some people would say [it] incentivizes them to continue their work and so on.”

Continue to next node

+0 POINTS

Risky. While backups are essential (ideally the 3-2-1 method), simply restoring them without fixing the vulnerability or monitoring for persistence is dangerous.

// Searchlight Cyber reported that “improved backup and restoration capabilities” are driving attackers toward extortion rather than just encryption. “There’s not a bigger, more disruptive cybersecurity threat that your average organization is going to face,” said Paul Caiazzo, chief threat officer at Quorum Cyber. “There are some organizations that may be more concerned about espionage-related adversaries or attacks, but the ransomware scourge is so prolific that [it] doesn’t matter what size organization you are, whether or not you think you’re a target—you are a target, even opportunistically.”

Continue to next node

The negotiation room

Because you opted to engage with the threat actors to pay the ransom, you have entered the negotiation phase. The attackers have opened a portal on the dark web, complete with a surprisingly professional chat interface and a ticking countdown timer. They are offering a “test decryption” of three non-essential files to prove they hold the decryption keys.

// Handling this delicate conversation requires understanding how a ransomware attacker thinks—they view this as a business transaction, not a personal vendetta.

Who do you put in charge of the negotiation chat?

SELECT YOUR RESPONSE

[A]Bring in a specialized third-party breach coach// You hire an incident response firm that specializes in cyber negotiations to talk to the threat actors on your behalf.
[B]Let the CEO negotiate directly// The CEO insists on taking charge to "show strength" to the shareholders and demand immediate restoration of services.
[C]Stall for time using the IT team// Have your internal IT team chat with the hackers to delay the countdown while you secretly try a brute-force decryption on your end.
+25 POINTS

A wise choice. Professional negotiators know the exact cadence and language to use. They can verify that the decryptor actually works without antagonizing the attackers and, often, lower the ransom demand.

Continue to next node

+0 POINTS

A terrible error. Executives often bring emotion into a space where threat actors care only about leverage and payment, typically demanded in cryptocurrency. The CEO’s aggressive demands offend the attackers, who immediately double the ransom to prove a point.

Continue to next node

+0 POINTS

A dangerous game. Ransomware actors do this every day. They know when a victim is stalling. Realizing you are trying to bypass them, the attackers abandon the negotiation and punish you instead.

Continue to next node

Double extortion

The attack isn’t over yet. The attackers have stolen your data and are threatening to leak it.

// This is a “double extortion” tactic: Your most sensitive information is encrypted and potentially in the open. You need to decide how to handle this new demand, adding more pressure to the worst week of your professional life.

What do you do now?

SELECT YOUR RESPONSE

[A]Utilize insurance/experts to pay the extortion fee// Let the experts handle it. Bring in third-party negotiators to talk to the threat actors and facilitate payment if necessary.
[B]Pay from company coffers (risking bankruptcy)// We don't have insurance, but we can't let this data leak. Pay the demand directly to the attackers to suppress the leak.
[C]Refuse to pay and publicly disclose breach// Stakeholders deserve to know what happened. Set up a dedicated page for updates and refuse to negotiate for the data.
[D]Hack back (employee vigilantism)// Let the IT team go on the offensive to try and delete the stolen data from the attacker's servers.
+25 POINTS

The smartest route for a payer. You leveraged professionals who know the specific criminal groups.

// “It is worth bringing them on and into your incident response, because that’s what they do all day—they know the different groups,” said Mike Puglia, general manager of cybersecurity labs at Kaseya. “They have a history of how to do it, and what to handle.”

Continue to next node

+0 POINTS

A desperate error. You cannot trust criminals to honor a data deletion agreement.

// “With data theft, I cannot prove that the threat actor is going to not continue to leak the data, and so that’s why I tend to not recommend people pay ransoms—if it’s purely just to suppress a data leak, because you simply can’t trust what the threat actor is telling you in those moments,” said Paul Caiazzo, chief threat officer for Quorum Cyber.

Continue to next node

+25 POINTS

Brave choice. Timely updates provide momentum and confidence.

// “There can be different phases to that. For example, in some companies, what I have seen is they set up a dedicated page and they give their timely updates,” said Rishika Desai, a threat researcher and technical writer for BforeAI. “You can give [stakeholders] timely updates as and when it’s necessary. At least it gives a confidence to the stakeholder that there is some momentum going on in mitigating the damage that has been caused.”

Continue to next node

+0 POINTS

Illegal and chaotic. Employees going rogue and launching their own ad-hoc cyberattacks adds confusion to an already tumultuous situation. And that’s before you consider how your attackers can likely continue to monitor your moves.

// “The big concern we have is, even if you can use some of your comm systems, it’s understanding what’s compromised…because you also don’t want to be coordinating your plan on a system that they’re able to monitor,” said Alex Rose, global head of government partnerships and the CTU at Sophos.

Continue to next node

Public relations crisis

Because of your previous aggressive or reckless decisions, the threat actors have lost patience. They skip the private extortion demands and dump a 50GB sample of your customer data onto the dark web. Worse, they tip off a major tech journalist.


The reporter calls your office, asking for a comment on the leaked databases. You now have a massive communications crisis on your hands.

How do you communicate during this ransomware leak?

SELECT YOUR RESPONSE

[A]The total blackout// Refuse to comment to the press, ignore customer inquiries, and focus entirely on internal IT fixes.
[B]The holding statement// Issue a brief, legally approved statement acknowledging an "ongoing security incident" while promising updates as the investigation unfolds.
[C]The cover-up// Tell the press the data is fake or belongs to a different company to protect the stock price.
+0 POINTS

The worst possible move from a PR perspective. The media fills the silence with speculation, and your customers panic. Trust has evaporated, and with it perhaps some customers, a chunk of future revenue, and, if you’re publicly traded, your stock price.

Continue to next node

+25 POINTS

The correct approach. A holding statement buys you time to do forensics without lying to the public. It satisfies regulatory bodies and manages the narrative while your team works the problem.

Continue to next node

+0 POINTS

A potentially criminal mistake. Lying to the public and investors about a material data breach will trigger immediate SEC investigations and class-action lawsuits once the truth inevitably comes out.

Continue to next node


Future proofing

Six months have passed. The immediate crisis is over, but the threat landscape has evolved. Attackers are using software-as-a-service (SaaS) models and outsourcing to third-party vendors who charge for their services.


// “The good news, of course, is that our customers are getting smarter about responding. So, it’s a back-and-forth,” said Chris Hendricks, head of incident response at Coalition.

What is your long-term strategy to win this “back and forth”?

SELECT YOUR RESPONSE

[A]Advanced monitoring & incident response planning// Implement 3-2-1 backups, EDR solutions, and conduct tabletop exercises to ensure everyone knows their role.
[B]Rely solely on cyber insurance// Increase the coverage limit. Let the insurer's response team handle it if the company gets hit again. The technology can't be stopped, so insure against the loss.
[C]The "iron fist" policy// The breach started with a human error. Fire anyone who fails a phishing test to scare the staff into compliance.
+25 POINTS

Viable. The best-prepared enterprises do the homework months in advance.

// “They’ll have realized, if they’re doing…tabletop exercises, that they need to ensure that, first off, technical controls like backups have been implemented robustly and are available for recovery, should they need them in the event [of] ransom impact,” Quorum Cyber Chief Threat Officer Paul Caiazzo said.

Continue to next node

+10 POINTS

Passive. Insurance is vital, but relying only on payout mechanisms won’t stop the disruption. Attackers are motivated by profit.

// “These criminal gangs are not just doing this because it’s fun. They’re doing this because it’s very, very profitable, and there is very little law enforcement and very little risk for them being involved,” said Maël Le Touz, senior threat researcher at Infoblox.

Continue to next node

+0 POINTS

Counter-productive. Instability and lack of communication are the enemies during an attack. Creating a culture of fear prevents people from doing their jobs effectively.

Continue to next node

The extortion evolution

Six months have passed since the incident. Because you chose to play fast and loose—either by draining company coffers or trying to “hack back”—word has spread on dark web forums that your organization is a lucrative, reckless target. A new gang targets you.


This time, they don’t even bother deploying complicated encryption software to lock your files. Knowing you will panic, they just use stolen credentials to silently exfiltrate another massive batch of data and hold it for ransom.


// Even ransomware actors tire of complicated encryption when pure extortion works just as well.

How do you handle an extortion-only attack?

SELECT YOUR RESPONSE

[A]Establish zero trust and refuse// Take the hit, refuse to pay, and use the funds instead to immediately implement zero-trust architecture across the entire network.
[B]Pay the new demand// You paid last time, and you're terrified of the leak. Wire the money again.
[C]Try to quietly buy the data off the dark web// Hire a shady dark web broker to intercept and buy the data back before the attackers can officially leak it.
+25 POINTS

A painful but necessary course correction. By refusing to pay, you stop the cycle of being viewed as an “easy mark.” Implementing zero trust limits lateral movement, stopping future data theft dead in its tracks.

Continue to next node

+0 POINTS

A fatal error. You have established a permanent subscription to being extorted and will be targeted repeatedly until the company is bankrupt.

Continue to next node

+0 POINTS

Foolish. You are effectively just paying the ransom with extra steps and less legal protection, while still funding the exact criminals who attacked you.

Continue to next node

Success:

Threat neutralized

SCORE:

You navigated the crisis with precision. By prioritizing early detection, utilizing expert negotiators, and maintaining transparent communication with stakeholders, you followed the advice of industry leaders. You recognized that ransomware is a business, and you managed the risk without destroying your own.

Actionable advice for IT pros:

Pixel-art illustration of a directional signpost with multiple arrows pointing in different directions, topped with a lock icon, against a dotted background.
  • Adopt a “when, not if” mindset: Build resilience into your infrastructure as soon as possible. Assume a breach is inevitable and focus on minimizing dwell time through active endpoint monitoring.
  • Retain incident response firms early: Do not wait until your screens go red to find a breach coach. Have incident response experts and legal counsel on retainer so they can step in the minute an anomaly is detected.
  • Develop a communications playbook: Draft transparent, legally sound holding statements for stakeholders before an attack happens, preventing the vacuum of silence that destroys brand trust.


Survival…

At a cost

SCORE:

You survived, but at a price. Whether by paying ransoms without insurance or failing to plan via tabletop exercises, you suffered significant disruption. A targeted organization that doesn’t have the backups or the cash to pay a ransom risks going out of business. You paid, but the cost was even steeper.

Actionable advice for IT pros:

Pixel-art illustration of a directional signpost with multiple arrows pointing in different directions, topped with a lock icon, against a dotted background.
  • Backups won’t solve the issue alone: You should never restore backups without first patching the vulnerability that let the attackers in; otherwise, you are just providing a fresh environment for the attacker to re-encrypt.
  • Understand your insurance policy: Cyber insurance is not a blank check. Review your policy’s coverage limits, exclusions, and requirements to ensure a claim isn't denied when you need it most.
  • Shift focus to data exfiltration: Attackers are moving away from just locking files to stealing them outright. Prioritize data loss prevention (DLP) tools to catch massive outward data transfers.


Failure:

Total system collapse

SCORE:

Your decisions accelerated the damage. By failing to communicate clearly or trusting criminals to delete stolen data, you fell into a bad trap. The board has asked for your resignation.

Actionable advice for IT pros:

Pixel-art illustration of a directional signpost with multiple arrows pointing in different directions, topped with a lock icon, against a dotted background.
  • Remove executives from the negotiation table: Never let CEOs or internal staff communicate directly with threat actors. Ransomware is a business transaction best handled by specialized negotiators.
  • Never cover up a breach: The instinct to hide an attack to protect stock prices will always backfire. Regulatory fines and class-action lawsuits for cover-ups are far more damaging than admitting to the initial breach.
  • Understand the attackers’ motivation: Recognize that you are dealing with sophisticated financial organizations, not lone hackers. They want money, not vengeance; plan your defenses around disrupting their economic model.


Ransomware

Perhaps the predominant attack tactic used by threat actors today, ransomware involves deploying malware that locks the victim out of their data or steals it outright. The victim then has a choice: pay the ransom or see their data sold to the highest bidder. At least, that's the way it used to be. Now attackers don't necessarily hand the information back without releasing it first; some threat actors take the money and still sell the data, a practice known as "double extortion." It's a sign of a changing threat landscape and of more chaotic, anarchic criminal enterprises behind the attacks.

IT Brew Glossary

Endpoint detection and response (EDR)

Endpoint detection and response (EDR) involves the use of a collection of software tools, including automated cybersecurity defenses and analytics, which allows IT pros to constantly monitor and defend their organization's endpoints, like laptops and other devices, from attack. If properly implemented, EDR can detect and mitigate the impact of a variety of cyber incursions along the perimeter, including (but certainly not limited to) social engineering and fileless malware.

IT Brew Glossary

Software-as-a-service (SaaS)

Software-as-a-service (SaaS) is a cloud-based software delivery model in which third-party vendors make applications and services available to end users via the internet, usually on a subscription basis.

IT Brew Glossary

Zero trust

"Zero trust" refers to an information-security model that denies access by default and employs continuous verification techniques. Core principles, according to Forrester, a consultancy that first used the phrase in 2009, include enforcement of "least privilege" access and monitoring.

IT Brew Glossary

How to handle a ransomware attack

Many attacks get caught and shut down before any ransom demand lands, which makes the attackers' end goals hard to pin down. Even so, Sophos researcher Keith Jarvis frames ransomware as the dominant share of cybercrime activity today.

Read more

Google's AI-powered ransomware trap for Drive

Google built a Drive-integrated AI model, trained on millions of real ransomware samples, to spot signs that a file has been tampered with. When it detects something, Drive automatically pauses syncing on the affected files — though users have to enable file syncing first so Drive for Desktop can see incoming changes.

Read more
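The "stop the sync" idea from the first node's option A and from the Drive blurb above, as an added illustration that is not Google's model or any IT Brew code: a sync client replays its file-change events and pauses synchronisation the moment a burst of encryption-like changes appears, so the damaged files do not overwrite the cloud copies. The event format, the thresholds and the sample event stream are assumptions constructed for this example.

```python
"""Heuristic 'stop the sync' check for a sync client.

Added illustration for this page, not Google's Drive model: it stands in for
the idea of watching a folder for a burst of file changes that look like
encryption and pausing synchronisation before the cloud copies are overwritten.
Thresholds, the event format and the sample stream are assumptions.
"""
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 10     # assumed: only changes within the last 10 s count
BURST_THRESHOLD = 10    # assumed: this many suspicious changes pauses sync
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png"}


@dataclass(frozen=True)
class FileEvent:
    ts: int        # timestamp in whole seconds (constructed data uses integers)
    old_path: str  # path before the change
    new_path: str  # path after the change (equal to old_path for in-place edits)


def extension(path: str) -> str:
    """Lower-cased final extension of the file name, or '' when it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious(ev: FileEvent) -> bool:
    """A change is suspicious when the file gains an extension never seen in
    this workspace (e.g. report.pdf -> report.pdf.locked). Ordinary edits keep
    the extension; ordinary conversions land on a known one."""
    new_ext = extension(ev.new_path)
    return bool(new_ext) and new_ext != extension(ev.old_path) and new_ext not in KNOWN_EXTENSIONS


def first_pause_time(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Replay events in time order and return the timestamp at which the client
    should pause syncing, or None if no burst reaches the threshold.

    The sliding window holds suspicious events only: one odd rename is ignored,
    `threshold` of them within `window` seconds trips the check."""
    recent = deque()
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        recent.append(ev.ts)
        while recent[0] < ev.ts - window:   # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return ev.ts
    return None


def constructed_events():
    """Constructed sample stream: normal edits, a legitimate batch conversion,
    then the kind of rename burst that encryption produces."""
    # 5 in-place edits at t=0..4: extension unchanged
    events = [FileEvent(t, f"docs/report{t}.docx", f"docs/report{t}.docx") for t in range(5)]
    # 15 files converted docx -> pdf at t=50..64: extension changes, but to a known one
    events += [FileEvent(50 + i, f"docs/memo{i}.docx", f"docs/memo{i}.pdf") for i in range(15)]
    # 25 files renamed *.pdf -> *.pdf.locked at t=100..124, one per second
    events += [FileEvent(100 + i, f"docs/file{i}.pdf", f"docs/file{i}.pdf.locked") for i in range(25)]
    return events


if __name__ == "__main__":
    paused_at = first_pause_time(constructed_events())
    print(f"pause sync at t={paused_at}")   # 109: the 10th .locked rename
```

The conversion batch shows why the check keys on unfamiliar extensions rather than raw change counts: fifteen legitimate renames in fifteen seconds pass, while the tenth `.locked` rename at t=109 pauses the sync with fifteen files still untouched.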

Should you pay ransomware actors?

When encryption locks down a system, an organization simply can't operate — and that need to regain access is one of the biggest drivers of ransom payments. The threat of leaking sensitive data adds even more pressure to negotiate.

Read more

Communicating during a ransomware attack

Once attackers make contact, the people with authority to negotiate should engage — but only after looping in legal and the cyber insurance provider first. Incident response varies, and can include bringing in third-party firms to handle the negotiation.

Read more

Is the 3-2-1 backup rule still the gold standard?

The 3-2-1 rule is a long-standing data-protection best practice for surviving physical and digital emergencies: keep three copies of your data across two different types of media, with one copy stored off-site.

Read more
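The 3-2-1 rule stated above, turned into a check that an admin can run over a backup inventory. This is an added example, not a tool from IT Brew: the inventory format and the two sample inventories (a weak one and its corrected form) are assumptions, and the production working copy is counted as one of the three copies.

```python
"""3-2-1 backup inventory check.

Added illustration for this page, not an IT Brew tool: it scores a backup
inventory against the rule quoted above (three copies, two media types, one
off-site). The inventory format and the sample inventories are assumptions;
the primary working copy is counted as one of the three copies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool   # stored in a different physical location from production


def check_3_2_1(copies):
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, the rule wants 3")
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        problems.append(f"one media type only ({', '.join(media) or 'none'}), the rule wants 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy, the rule wants 1")
    return problems


# Constructed: a common weak setup, production plus a NAS in the same server room.
WEAK_INVENTORY = [
    BackupCopy("production volume", "disk", offsite=False),
    BackupCopy("nightly NAS snapshot", "disk", offsite=False),
]

# Constructed: the same setup after adding a tape copy vaulted off-site.
FIXED_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("weekly tape, vaulted off-site", "tape", offsite=True),
]


if __name__ == "__main__":
    for name, inventory in (("weak", WEAK_INVENTORY), ("fixed", FIXED_INVENTORY)):
        print(name, check_3_2_1(inventory) or ["compliant"])
```

The weak inventory fails all three parts of the rule at once, which is the usual shape of the problem: a second copy on the same disks in the same room is still a single point of failure for fire, theft or an attacker who has reached the file server.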

How a ransomware attacker thinks

Ransomware crews range from polished operations to ramshackle outfits, but the motive is always money — gain access, escalate privileges, encrypt the data, demand payment — and they often lurk undetected for months, even running affiliate programs that take a cut.

Read more

IT BREW CYOA 2026


Data Source:
IT Brew (Interviews with Quorum Cyber, Sophos, Kaseya, Coalition, etc.)

Disclaimer:
The following interactive game uses real reporting to contextualize a fictional cyberattack scenario. Any resemblance in this game to actual events is coincidental. What follows is not intended in any way as legal advice from IT Brew or Morning Brew Inc. Victims of a real-world cyberattack should immediately consult the relevant legal authorities.



About the authors

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

Eoin Higgins

Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
