
Copyright KC7 Foundation


Jojo's Hospital


Last updated 6 days ago

JoJo’s Hospital, a major medical facility in Lexington, KY, has suffered a multi-stage ransomware attack. The incident involves two distinct threat actor groups working together in a Ransomware-as-a-Service (RaaS) model.

  • Initial Access: Achieved by a group called SharkFin7, who tricked staff into visiting a malicious watering-hole website using fake ads.

  • Lateral Movement & Exfiltration: SharkFin7 collects data and sells the access.

  • Ransomware Deployment: A second group, LockByte, purchases the access and encrypts files with a .encrypted extension, demanding ransom from both the hospital and individual patients.

The hospital is paralyzed, and students are tasked with:

  1. Reconstructing the attack timeline

  2. Attributing activity to the correct actors

  3. Using open-source clues to identify threat group profiles

The public version of this game can be accessed here: https://kc7cyber.com/go/jojo

Behind the scenes

Here is the human story behind the JoJo’s Hospital ransomware attack—told through the lens of the artifacts your students examine during the game. Each individual plays a distinct role, and the evidence shows not just what they did, but who they are behind the screen. We provide 32 artifacts that tell the story of the individuals conducting the ransomware attack.

From the adversary’s perspective, the attack on JoJo’s Hospital was a calculated, multi-phase operation driven by profit and precision. Orchestrated by PhantomMenace (Alex Cross), the crew used a fake health site—set up by DatsoRaven (Tess Kwon)—to lure hospital staff into downloading malware. Once access was secured and sold by a third-party broker, the LockByte team moved in: Vortex (Jasper) built the ransomware, SilentStorm (Riley) deployed it, and EkoGeko (Nina) led negotiations. While some, like InfernoWave (Dexter), struggled with guilt, most saw it as business as usual—encrypt, extort, and get paid. To them, JoJo’s was just a vulnerable target in a well-oiled ransomware ecosystem.

🧠 The Mastermind: Alex Cross (alias: PhantomMenace)

Alex is the puppet master—funding, coordinating, and profiting from the entire operation. She doesn’t get her hands dirty, but everything flows through her. Chat logs refer to her as “the boss,” and several Bitcoin payments originate from her. Her Instagram flaunts luxury and excess, while her LinkedIn shows her as CEO of a cybersecurity front called Stellar Solutions. She’s a classic example of someone hiding a criminal empire behind a corporate façade.

🗣️ The Negotiator: Nina Volkov (alias: EkoGeko)

Nina handles communications with victims and law enforcement. She’s torn—chat logs reveal private doubts about the morality of extorting a hospital, but she stays in the game. Her reused photos and overlapping profiles on Discord and LinkedIn tie her to the team and to Stellar Solutions. Her story brings human conflict into the mix, showing how some threat actors rationalize their actions.

💥 The Breacher: Luna Harlow (alias: DarkNebula)

Luna is a red teamer who crossed the ethical line. Once a legitimate penetration tester, she now applies her skills to real-world intrusions. Her LinkedIn says “adversary simulation,” but her chats with Alex and Dexter show her planting malware and justifying the mission as “just business.” She represents the dangerous crossover from cybersecurity professional to cybercriminal.

🔥 The Insider: Dexter Hayes (alias: InfernoWave)

Dexter’s the muscle—deeply involved in the operation, but increasingly disillusioned. He talks to Nina about feeling guilty, and chat transcripts show him venting frustration over internal chaos. His posts suggest he might be on the verge of leaving—or flipping. He adds emotional tension to the investigation and reflects the psychological toll of being “in too deep.”

🧰 The Builder: Tess Kwon (alias: DatsoRaven)

Tess is the architect behind the watering-hole site that tricks hospital staff. Domain registration records connect her directly to the malicious infrastructure. In group chats, she shares deployment plans and collaborates on malware delivery. Her role is technical, focused, and central to how the entire breach began.

🌀 The Coder: Jasper Stone (alias: Vortex)

Jasper is the malware engineer who crafts the ransomware used in the attack. His GitHub profile contains the LockByte builder. He openly discusses anti-virus evasion strategies and payload packaging with Tess and others. Jasper is what happens when talented developers build tools for the wrong side.

🕵️ The Access Broker: Selena Alaric (alias: HexEditor)

Selena buys access after the hospital is initially compromised. She appears in dark web messages purchasing credentials and server access from SharkFin7, enabling LockByte’s takeover. This illustrates the Ransomware-as-a-Service model: one group gains access, another buys it, a third deploys the malware.

🔒 The Deployer: Riley Morgan (alias: SilentStorm)

Riley pushes the final payload and triggers the encryption. He’s proud of his role, openly bragging in Discord: “We got them.” Financial records confirm he was paid well, and his name comes up often in end-stage communications. Riley is the executioner—the one who pulls the trigger.

⚡ The Support Tech: Kai Nakamura (alias: QuantumPulse)

Kai plays a smaller but vital support role. He helps prep tools and push updates during the attack. His chat messages are more transactional, but one line says it all: “I did the work. Pay me.” He’s a reminder that even background actors can do real harm.

🔗 The Evidence That Connects Them

  • Discord threads show real-time coordination and drama inside the team.

  • Bitcoin ledgers reveal payments linking everyone back to PhantomMenace.

  • Fake blog posts, social media, and LinkedIn profiles create a web of dual identities—part professional, part criminal.

Together, these personas tell a story not just of technical compromise—but of trust, greed, betrayal, and ambition. Each document gives students a window into the human side of cybercrime, making the investigation feel as real as the logs they’re analyzing.

🏥
https://kc7cyber.com/go/jojo