cybersecurity/BreakEscape
1
0
Fork 0
mirror of https://github.com/cliffe/BreakEscape.git synced 2026-02-21 11:18:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Mission 2 Stages 5-6: Room Layout and LORE Fragments

Browse Source 
Stage 5 - Room Layout and Spatial Design:
- Hospital floor plan with 7 rooms (hub-and-spoke layout)
- 3 locked doors with progressive difficulty (easy → medium → medium-hard)
- 60-second guard patrol with predictable waypoints
- Detailed container placement (11 total containers)
- PIN puzzle design with multiple clues and fallback device
- Server Room as central hub for VM/encoding challenges
- Multiple solution paths for player agency

Stage 6 - LORE Fragments:
- Fragment 1: Ghost's Manifesto (VM discovery, patient death calculations)
- Fragment 2: CryptoSecure Services (filing cabinet, front company operations)
- Fragment 3: ZDS Invoice (safe puzzle, exploit procurement and cross-cell coordination)
- Campaign connections to M3 (Zero Day Syndicate) and M6 (Crypto Anarchists)
- The Architect coordination role revealed

These planning documents complete the foundational design for Mission 2
"Ransomed Trust" room layout, spatial design, and narrative LORE integration.
This commit is contained in:
Z. Cliffe Schreuders
2026-01-14 09:46:31 +00:00
parent 92db4b3cfe
commit bacb2b7308
2 changed files with 1753 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

755
planning_notes/overall_story_plan/mission_initializations/m02_ransomed_trust/05_room_layout.md Normal file
View File

@@ -0,0 +1,755 @@
# Stage 5: Room Layout and Spatial Design - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 5 Complete
---
## Hospital Floor Plan Overview
**St. Catherine's Regional Medical Center - 3rd Floor East Wing**
**Total Rooms:** 7
**Layout Type:** Hub-and-spoke (Reception → IT Department hub → Connected wings)
**Total Locked Doors:** 4 (varying difficulty)
**Guard Patrol:** 1 guard, 60-second predictable loop
---
## Room List and Connections
```
[Emergency Equipment Storage]
|
(locked - medium)
|
[Dr. Kim's Office] ---- [Reception Lobby] ---- [IT Department]
| | |
(locked - medium) (entry point) (locked - easy, tutorial)
| | |
[Conference Room] [Hallway North] [Server Room]
| |
[Hallway South] (locked - medium-hard)
|
[Break Room/Waiting]
Guard Patrol Route (60-second loop):
Reception → Hallway North → IT Department → Hallway South → Emergency Storage → Reception
```
---
## Room 1: Reception Lobby (Entry Point)
**Function:** Mission start, entry point, guard patrol hub
**Dimensions:** 15 GU × 12 GU (Large public space)
**Connections:**
- **North:** Hallway North (always open)
- **East:** IT Department (locked - easy, tutorial lockpicking)
- **West:** Dr. Kim's Office (locked - medium)
**NPCs:**
- **Receptionist** (static position, desk near entrance)
- **Security Guard** (patrol route starts here, returns every 60 seconds)
**Interactive Objects:**
**1. Reception Desk**
- **Type:** Desk (readable surface)
- **Content:** Visitor log, hospital map (shows room layout)
- **Purpose:** Environmental storytelling, orientation
**2. Hospital Founding Plaque (CRITICAL - PIN CLUE)**
- **Type:** Wall-mounted plaque
- **Position:** Near entrance, highly visible
- **Content:** "St. Catherine's Regional Medical Center - Founded 1987"
- **Purpose:** PIN safe clue #1 (correct answer: 1987)
- **Player Action:** Readable object
**3. PA System Speaker**
- **Type:** Ambient audio source
- **Content:** Periodic announcements: "All non-critical systems remain offline. IT working on resolution."
- **Purpose:** Time pressure reminder, atmosphere
**4. Waiting Area Chairs**
- **Type:** Furniture (non-interactive)
- **Purpose:** Environmental dressing, hospital atmosphere
**Atmosphere:**
- Sterile white walls, fluorescent lighting
- Anxious visitors (background NPCs or implied)
- Professional but tense environment
**Guard Patrol Timing:**
- Guard starts here, leaves North at 0:00
- Returns from Emergency Storage at 0:60 (1:00)
---
## Room 2: IT Department (Hub)
**Function:** Marcus's workspace, password hint location, central hub
**Dimensions:** 12 GU × 10 GU (Medium office space)
**Connections:**
- **West:** Reception (locked - easy, tutorial lockpicking)
- **East:** Server Room (locked - medium-hard)
- **South:** Hallway South (always open)
**Door Lock:**
- **Type:** Standard door lock (easy difficulty)
- **Tutorial:** First lockpicking challenge, Agent 0x99 tutorial if needed
- **Bypass:** If Marcus high trust, he unlocks door OR gives keycard
**NPCs:**
- **Marcus Webb** (static position at desk, or pacing if stressed)
**Interactive Objects:**
**1. Marcus's Desk (CRITICAL - PASSWORD HINTS)**
- **Type:** Desk with drawers
- **Container Type:** Unlocked drawers (if Marcus absent or allows access)
- **Contents:**
- **Sticky Note #1:** "Common passwords: Emma2018, Hospital1987, StCatherines"
- **Photo Frame:** "Emma - 7th birthday! 05/17/2018" (PIN clue #2 - red herring)
- **Network diagram:** Shows ProFTPD server on whiteboard
- **Purpose:** Password hints for VM SSH challenge
**2. Filing Cabinet (LORE FRAGMENT)**
- **Type:** 4-drawer filing cabinet
- **Lock Type:** Lockpicking required (easy)
- **Contents:**
- **Marcus's Email Archive (6 months ago):** Warning to Dr. Kim about CVE-2010-4652
- **LORE Fragment:** CryptoSecure Recovery Services document (Ransomware Inc. front company)
- **Purpose:** Proves Marcus warned leadership, LORE discovery
**3. Infected Terminal (ENCODING CHALLENGE)**
- **Type:** Desktop computer (ransomware splash screen)
- **Content:** Base64-encoded ransomware note
- **Interaction:** Read screen, use CyberChef to decode
- **Purpose:** Tutorial reinforcement (Base64 from M1)
**4. Whiteboard**
- **Type:** Wall-mounted whiteboard
- **Content:** Network diagram showing "ProFTPD 1.3.5" server (VM clue)
- **Purpose:** Environmental clue for VM challenge
**5. Motivational Poster**
- **Type:** Wall decoration
- **Content:** "There is no I in TEAM but there is in INCIDENT RESPONSE"
- **Purpose:** Environmental humor, IT gallows humor
**Atmosphere:**
- Cluttered IT office, multiple monitors, cable management chaos
- Coffee-stained desk, stress indicators (empty coffee cups)
- Professional chaos
**Guard Patrol Timing:**
- Guard enters at 0:20 (from Hallway North)
- Exits to Hallway South at 0:30
- Room clear for 50 seconds per cycle
---
## Room 3: Server Room (VM Access Hub)
**Function:** VM terminal access, drop-site terminal, critical mission hub
**Dimensions:** 10 GU × 8 GU (Compact technical space)
**Connections:**
- **West:** IT Department (locked - medium-hard)
- **North:** Hallway North via service door (always open, alternate path)
**Door Lock:**
- **Type:** Electronic keycard lock (medium-hard difficulty)
- **Lockpicking:** Requires lockpicking skill OR Marcus's keycard (high trust)
- **Purpose:** Protects critical infrastructure
**NPCs:** None (secure area)
**Interactive Objects:**
**1. VM Access Terminal (CRITICAL)**
- **Type:** Workstation with SSH access
- **Content:** SecGen "Rooting for a win" VM connection
- **VM Challenges:**
- SSH brute force (password hints from Marcus's desk)
- ProFTPD exploitation (CVE-2010-4652)
- Linux filesystem navigation
- Flag collection
- **Purpose:** Primary VM challenge location
**2. Drop-Site Terminal (CRITICAL)**
- **Type:** Secure terminal for flag submission
- **Interaction:** Text input field, flag validation
- **Flags Submitted:**
- `flag{ssh_access_granted}`
- `flag{proftpd_backdoor_exploited}`
- `flag{database_backup_located}`
- `flag{ghost_operational_log}`
- **Feedback:** Success messages from Agent 0x99, unlock notifications
- **Purpose:** Hybrid integration (VM → in-game unlocks)
**3. CyberChef Workstation (ENCODING STATION)**
- **Type:** Terminal with CyberChef interface
- **Decoders Available:** Base64, ROT13, Hex, URL encoding
- **Challenges:**
- Decode ransomware note (Base64)
- Decode recovery instructions (ROT13)
- **Purpose:** Encoding challenge hub, tutorial station
**4. Server Racks**
- **Type:** Blinking server equipment (environmental)
- **Visual:** Indicator lights, cooling fans
- **Purpose:** Atmosphere, technical environment
**5. Whiteboard (Network Diagram)**
- **Type:** Wall-mounted whiteboard
- **Content:** Hospital network topology, ProFTPD server highlighted
- **Purpose:** Environmental clue for VM target
**6. Emergency Power Indicator**
- **Type:** LED panel
- **Content:** "BACKUP POWER: 12 HOURS REMAINING" (narrative timer)
- **Purpose:** Time pressure visualization (not hard timer)
**Atmosphere:**
- Cold room (server cooling), humming equipment
- Blinking lights from servers
- Professional technical space, restricted access
**Guard Patrol Timing:**
- Guard does NOT patrol server room (too secure)
- Room always safe once accessed
---
## Room 4: Emergency Equipment Storage
**Function:** Safe location (offline backup keys), PIN puzzle hub
**Dimensions:** 8 GU × 8 GU (Small storage room)
**Connections:**
- **South:** Reception via hallway (always open, but guard patrols)
**Door:** Unlocked (no door lock, accessible)
**NPCs:** None
**Interactive Objects:**
**1. PIN-Locked Safe (CRITICAL - PUZZLE)**
- **Type:** 4-digit electronic safe
- **Position:** Wall-mounted, conspicuous
- **Lock Type:** PIN puzzle (4 digits)
- **Correct PIN:** 1987 (hospital founding year)
- **Contents:**
- **Offline Backup Encryption Key (USB drive)**
- **LORE Fragment:** Zero Day Syndicate invoice (in Dr. Kim's office safe, same PIN)
- **Wrong Attempt Feedback:** "Incorrect PIN. Try again." (no lockout)
- **Purpose:** Primary puzzle challenge, hybrid key recovery
**2. PIN Cracker Device (FALLBACK)**
- **Type:** Equipment on shelf
- **Position:** Near safe, requires searching
- **Function:** Brute force 4-digit PIN (2-minute animation)
- **Purpose:** Accessibility fallback for struggling players
**3. Medical Supply Shelves**
- **Type:** Storage shelves (environmental)
- **Content:** Bandages, IV supplies, emergency equipment
- **Purpose:** Hospital atmosphere, environmental dressing
**4. Fire Extinguisher**
- **Type:** Wall-mounted safety equipment
- **Purpose:** Environmental realism
**Atmosphere:**
- Utilitarian storage space
- Industrial shelving, organized supplies
- Secure but accessible (not high-security vault)
**Guard Patrol Timing:**
- Guard enters at 0:40 (from Hallway South)
- Exits to Reception at 0:50
- Room clear for 50 seconds per cycle
---
## Room 5: Dr. Kim's Administrative Office
**Function:** Dr. Kim NPC location, PIN clue location, optional LORE
**Dimensions:** 12 GU × 10 GU (Executive office)
**Connections:**
- **East:** Reception (locked - medium)
- **South:** Conference Room (always open)
**Door Lock:**
- **Type:** Standard door lock (medium difficulty)
- **Purpose:** Protect administrative records
**NPCs:**
- **Dr. Sarah Kim** (static position at desk, or looking out window if stressed)
**Interactive Objects:**
**1. Dr. Kim's Desk**
- **Type:** Executive desk
- **Container:** Unlocked drawers (Dr. Kim allows access)
- **Contents:**
- **Sticky Note (PIN CLUE #3):** "Safe combination: founding year (for emergency access)"
- **Budget Report:** Shows $85K security upgrade rejected, $3.2M MRI approved
- **Patient Status Reports:** 47 patients on life support (reinforces stakes)
- **Purpose:** PIN confirmation clue, budget negligence evidence
**2. Safe (Same PIN as Emergency Storage)**
- **Type:** 4-digit electronic safe
- **PIN:** 1987 (same as emergency storage safe)
- **Contents:**
- **LORE Fragment:** Zero Day Syndicate Invoice (#ZDS-2024-0847)
- **Confidential Documents:** Board meeting minutes
- **Purpose:** Optional LORE discovery, higher-value safe
**3. Window with View**
- **Type:** Environmental element
- **Visual:** City skyline view
- **Purpose:** Executive office atmosphere
**4. Bookshelves**
- **Type:** Furniture (medical journals, management books)
- **Purpose:** Environmental dressing
**Atmosphere:**
- Professional executive office
- Organized but shows signs of crisis stress
- Personal touches (family photos, awards)
**Guard Patrol Timing:**
- Guard does NOT patrol Dr. Kim's office (administrative area)
- Room safe once door unlocked
---
## Room 6: Conference Room
**Function:** Optional exploration, environmental storytelling
**Dimensions:** 10 GU × 12 GU (Meeting space)
**Connections:**
- **North:** Dr. Kim's Office (always open)
- **East:** Hallway North (always open)
**Door:** Unlocked (no lockpicking required)
**NPCs:** None
**Interactive Objects:**
**1. Conference Table**
- **Type:** Large meeting table
- **Content:** Scattered papers (budget meeting notes)
- **Purpose:** Environmental storytelling
**2. Whiteboard (Budget Presentation)**
- **Type:** Wall-mounted whiteboard
- **Content:** Budget allocation chart showing IT security cut by 40%
- **Purpose:** Evidence of institutional negligence
**3. Projector Screen**
- **Type:** Equipment (environmental)
- **Purpose:** Meeting room atmosphere
**Atmosphere:**
- Corporate meeting space
- Evidence of recent budget meeting
- Institutional decision-making location
**Guard Patrol Timing:**
- Guard does NOT patrol conference room
- Room always safe
---
## Room 7: Hallway North & South (Connector)
**Function:** Corridor connecting rooms, guard patrol route
**Dimensions:** North: 20 GU × 4 GU, South: 20 GU × 4 GU (Long corridors)
**Connections:**
- **North Hallway:** Reception, Conference Room, Server Room (service door)
- **South Hallway:** IT Department, Emergency Equipment Storage
**Door:** No doors (open corridors)
**NPCs:**
- **Security Guard** (patrol route passes through both hallways)
**Interactive Objects:**
**1. Benches/Waiting Areas**
- **Type:** Seating (environmental)
- **Purpose:** Hospital corridor atmosphere
**2. Directional Signs**
- **Type:** Wall-mounted signs
- **Content:** "IT Department →", "Emergency Storage →", "Administration ←"
- **Purpose:** Navigation assistance
**3. Hospital Notices**
- **Type:** Bulletin boards
- **Content:** Patient privacy notices, visitor guidelines
- **Purpose:** Environmental realism
**Atmosphere:**
- Sterile hospital corridors
- Fluorescent lighting, linoleum floors
- Functional, institutional
**Guard Patrol Timing:**
- Guard in North Hallway: 0:10-0:20
- Guard in South Hallway: 0:30-0:40
- Hallways clear for 40 seconds per cycle (each)
---
## Break Room (Optional 8th Room)
**Function:** Optional rest area, ambient environment
**Dimensions:** 8 GU × 8 GU (Small break room)
**Connections:**
- **North:** Hallway South (always open)
**Door:** Unlocked
**NPCs:** None (or background staff NPCs)
**Interactive Objects:**
**1. Coffee Machine**
- **Type:** Appliance (environmental, might be interactive)
- **Purpose:** Hospital break room atmosphere
**2. Vending Machines**
- **Type:** Equipment (environmental)
- **Purpose:** Break room realism
**3. Tables and Chairs**
- **Type:** Furniture
- **Purpose:** Rest area atmosphere
**Atmosphere:**
- Tired healthcare worker space
- Coffee stains, magazines, comfortable but worn
**Guard Patrol Timing:**
- Guard does NOT patrol break room
- Room always safe
---
## Guard Patrol Route (60-Second Predictable Loop)
**Route:** Reception → Hallway North → IT Department → Hallway South → Emergency Equipment Storage → Reception
**Timing Breakdown:**
| Time | Location | Duration | Player Opportunity |
|------|----------|----------|-------------------|
| 0:00-0:10 | Reception → Hallway North | 10s | Reception clear, IT Department safe |
| 0:10-0:20 | Hallway North | 10s | North corridor blocked, use alternate route |
| 0:20-0:30 | IT Department | 10s | IT Department blocked, wait in hallway |
| 0:30-0:40 | Hallway South | 10s | South corridor blocked, use Conference Room route |
| 0:40-0:50 | Emergency Equipment Storage | 10s | Storage room blocked, safe cracking interrupted |
| 0:50-0:60 | Return to Reception | 10s | Guard returning, clear path opens |
**Total Loop:** 60 seconds exactly (1 minute)
**Waypoints (5 total):**
1. Reception (start)
2. Hallway North (via North exit)
3. IT Department (via IT entrance)
4. Hallway South (via South exit)
5. Emergency Equipment Storage (via South hallway)
6. Return to Reception (complete loop)
**Player Strategy:**
- **Observe:** Watch one full loop to learn pattern (Task: learn_guard_patrol)
- **Timing:** Move when guard in opposite area (40-50 seconds of clear time per location)
- **Alternate Paths:** Use Conference Room → Dr. Kim's Office → Reception to bypass North Hallway
- **Hiding:** If detected, player has 5 seconds to hide before guard reports
**Detection Mechanics:**
- **Detection Radius:** 5 GU proximity OR 90° vision cone (8 GU range)
- **First Detection:** Warning ("Who's there? Show yourself!")
- **Second Detection:** Guard reports (mission delayed, no failure)
- **Audio Cue:** Radio chatter audible when guard within 8 GU
- **Visual Cue:** Minimap shows guard position (red dot)
---
## Container Placement Summary
| Room | Container Type | Lock | Contents | Purpose |
|------|---------------|------|----------|---------|
| IT Department | Marcus's Desk | Unlocked (if allowed) | Password hints, photo | VM SSH challenge setup |
| IT Department | Filing Cabinet | Lockpick (easy) | Email archive, LORE | Proves Marcus warned, LORE fragment |
| IT Department | Infected Terminal | N/A (readable) | Base64 ransomware note | Encoding challenge |
| Server Room | VM Terminal | N/A | SecGen VM access | Primary VM challenges |
| Server Room | Drop-Site Terminal | N/A | Flag submission | Hybrid integration |
| Server Room | CyberChef Station | N/A | Encoding tools | Base64/ROT13 decoding |
| Emergency Storage | PIN Safe | 4-digit PIN (1987) | Offline backup key (USB) | Primary puzzle, key recovery |
| Emergency Storage | Shelf | N/A | PIN cracker device | Fallback tool |
| Dr. Kim's Office | Desk Drawers | Unlocked (allowed) | PIN clue sticky note | PIN puzzle confirmation |
| Dr. Kim's Office | Safe | 4-digit PIN (1987) | ZDS Invoice LORE | Optional LORE discovery |
| Conference Room | Table | N/A | Budget documents | Environmental evidence |
**Total Containers:** 11
- **Locked Containers:** 3 (filing cabinet lockpick, 2 PIN safes)
- **Critical Path:** Desk, Filing Cabinet, VM Terminal, Drop-Site, PIN Safe #1
- **Optional:** Safe #2 (Dr. Kim's office)
---
## Lock Placement Summary
| Door | Room Connection | Lock Type | Difficulty | Bypass Option |
|------|----------------|-----------|------------|---------------|
| 1. IT Department | Reception → IT | Standard Lock | Easy (Tutorial) | Marcus's cooperation |
| 2. Server Room | IT → Server Room | Keycard Lock | Medium-Hard | Marcus's keycard (high trust) |
| 3. Dr. Kim's Office | Reception → Admin | Standard Lock | Medium | None (required lockpicking) |
| 4. Emergency Storage | (none) | No lock | N/A | Always accessible |
**Total Locked Doors:** 3 (4th room unlocked)
**Lockpicking Progression:** Easy (tutorial) → Medium → Medium-Hard
---
## NPC Positioning
| NPC | Room | Position Type | Movement |
|-----|------|--------------|----------|
| Receptionist | Reception Lobby | Static | Behind desk, facing entrance |
| Security Guard | Patrol Route | Waypoint Patrol | 60-second loop (5 waypoints) |
| Marcus Webb | IT Department | Static / Pacing | At desk OR pacing (stress animation) |
| Dr. Sarah Kim | Dr. Kim's Office | Static / Window | At desk OR looking out window |
**Total NPCs:** 4 (1 receptionist, 1 guard, 2 mission-critical)
**NPC Interaction Triggers:**
- **Proximity:** Within 2 GU, interaction prompt appears
- **Dialogue Hub:** Replayable conversations (return to hub after each branch)
- **Guard Detection:** Within 5 GU OR vision cone (90°, 8 GU range)
---
## Terminal Placement
| Terminal | Room | Purpose | Interaction Type |
|----------|------|---------|------------------|
| Infected Terminal | IT Department | Ransomware note (Base64) | Read screen → CyberChef |
| VM Access Terminal | Server Room | SecGen VM connection | SSH client, exploitation |
| Drop-Site Terminal | Server Room | Flag submission | Text input, validation |
| CyberChef Workstation | Server Room | Encoding/decoding | Dropdown menu, input/output fields |
**Total Terminals:** 4
**Server Room Terminal Cluster:** 3 terminals in one secure location (makes sense narratively)
---
## Critical Path Flow
```
1. Reception Lobby (entry)
2. Meet Dr. Kim (Administrative Office) - Lockpick medium door
3. Meet Marcus (IT Department) - Lockpick easy door OR receive keycard
4. Investigate Marcus's Desk (password hints)
5. Navigate Past Guard (tutorial: observe 60s patrol)
6. Server Room (lockpick medium-hard door OR use Marcus's keycard)
7. VM Challenges (SSH, ProFTPD, flags)
8. Drop-Site Flag Submission (unlocks safe location intel)
9. Navigate Past Guard (reinforcement)
10. Emergency Equipment Storage (PIN safe puzzle)
11. Crack PIN 1987 (clues from Reception plaque + Dr. Kim's note)
12. Retrieve Offline Backup Key
13. Return to Server Room (decode ROT13 instructions)
14. Make Critical Decisions (ransom, exposure)
15. Mission Complete
```
**Backtracking Required:**
- Reception plaque (visit early) → Emergency Storage (visit later for safe)
- Dr. Kim's office (optional PIN clue) → Emergency Storage
- Server Room (multiple visits for VM work + flag submission + decoding)
**No Circular Dependencies:** All paths flow forward, player can't be soft-locked
---
## Alternate Paths (Player Agency)
**Avoiding Guards:**
**Path A (Direct):**
Reception → Hallway North → IT Department (requires timing guard patrol)
**Path B (Alternate):**
Reception → Dr. Kim's Office → Conference Room → Hallway North → Server Room (bypasses guard in North hallway)
**Path C (Service Route):**
Reception → Hallway South → IT Department (if guard in North hallway)
**Multiple Solutions:**
- Lockpick Server Room OR use Marcus's keycard (social engineering)
- Solve PIN via clues OR use PIN cracker device (puzzle vs. tool)
- Navigate past guards OR use alternate routes (stealth vs. exploration)
---
## Environmental Storytelling Elements
**Visual Cues:**
- Hospital founding plaque (1987) - PIN clue visible from mission start
- Budget charts on Conference Room whiteboard - Institutional negligence
- Marcus's cluttered desk - Overworked IT staff
- Dr. Kim's organized office - Executive professionalism under stress
- Server room backup power indicator - Time pressure visualization
**Audio Cues:**
- PA announcements - System outage reminders, urgency
- Guard radio chatter - Proximity warning, stealth mechanic
- Server room humming - Technical atmosphere
- Coffee machine sounds (break room) - Hospital staff environment
**Document Clues:**
- Marcus's sticky notes - Password patterns
- Email archives - Proves warnings were ignored
- Budget reports - Shows $85K cut vs. $3.2M MRI spend
- Ransomware note - ENTROPY's message, Base64 tutorial
---
## Room Atmosphere Guide
| Room | Lighting | Sound | Mood |
|------|----------|-------|------|
| Reception | Bright fluorescent | PA announcements, distant voices | Professional, tense |
| IT Department | Overhead lights, monitor glow | Keyboard clicks, fan noise | Cluttered, stressed |
| Server Room | Dim blue LED lighting | Server fans, cooling hum | Technical, cold |
| Emergency Storage | Industrial fluorescent | Ventilation, quiet | Utilitarian, secure |
| Dr. Kim's Office | Warm desk lamps | Quiet, occasional phone | Executive, personal |
| Conference Room | Overhead projector lights | Silent, empty | Institutional, cold |
| Hallways | Harsh fluorescent | Footsteps, echoes | Sterile, institutional |
---
## Accessibility Features
**Multiple Solution Paths:**
- ✅ Lockpicking OR keycard (social engineering Marcus)
- ✅ PIN puzzle OR brute force device (investigation vs. tool)
- ✅ Stealth timing OR alternate routes (skill vs. exploration)
**Forgiving Mechanics:**
- ✅ Infinite lockpicking retries
- ✅ No PIN lockout (try unlimited times)
- ✅ Guard detection = warning first (5-second grace period)
- ✅ Alternate routes available if guard blocks path
**Clear Navigation:**
- ✅ Hospital map in Reception (shows layout)
- ✅ Directional signs in hallways
- ✅ Minimap with guard position
- ✅ Quest markers for objectives
---
## Playtesting Priorities
**Guard Patrol Balance:**
- [ ] 60-second timing too fast/slow?
- [ ] Detection radius fair?
- [ ] Alternate paths discoverable?
- [ ] First-time players can learn pattern?
**PIN Puzzle Accessibility:**
- [ ] Founding year plaque visible enough?
- [ ] Red herring (Emma's birthday) too confusing?
- [ ] Dr. Kim's confirmation clue necessary?
- [ ] PIN cracker device discoverable as fallback?
**Room Flow:**
- [ ] Backtracking frustrating or rewarding?
- [ ] Server room centrality makes sense?
- [ ] Dr. Kim's office optional content clear?
- [ ] Conference room provides value or is empty filler?
**Container Interaction:**
- [ ] Filing cabinet lockpicking satisfying?
- [ ] Marcus's desk contents clear?
- [ ] Safe puzzle rewarding when solved?
---
## Implementation Notes
**Room Generation:**
- All rooms use standard room generation constraints (ROOM_GENERATION.md)
- Grid Unit (GU) specifications approximate, adjust during implementation
- Doors use standard lock minigame (LOCK_KEY_QUICK_START.md)
- Containers use standard container system (CONTAINER_MINIGAME_USAGE.md)
**Guard AI:**
- Waypoint-based patrol (5 waypoints, 60-second loop)
- Detection: Proximity (5 GU radius) OR line-of-sight (90° cone, 8 GU range)
- State machine: Patrol → Detect → Warn → Report
- Audio/visual cues before detection (radio chatter, minimap indicator)
**NPC Integration:**
- Static NPCs use dialogue hubs (NPC_INTEGRATION_GUIDE.md)
- Marcus and Dr. Kim have replayable conversations
- Receptionist has minimal dialogue (directional only)
**Terminal Integration:**
- VM terminal requires separate SSH client interface
- Drop-site uses text input validation (flag format check)
- CyberChef uses dropdown menu + text input/output fields
---
**Stage 5 Complete: Room Layout and Spatial Design**
**Ready for:** Stage 6 (LORE Fragments detailed content)
**Total Rooms:** 7 (+ optional break room = 8)
**Total Locked Doors:** 3 (easy → medium → medium-hard progression)
**Guard Patrol:** 60-second predictable loop, beginner-friendly
**Critical Path:** Validated, no soft locks, multiple solution paths
**Core Strength:** Hub-and-spoke layout (Server Room central), guard patrol creates tension without frustration, PIN puzzle has multiple clue types + fallback device

998
planning_notes/overall_story_plan/mission_initializations/m02_ransomed_trust/06_lore_fragments.md Normal file
View File

@@ -0,0 +1,998 @@
# Stage 6: LORE Fragments - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 6 Complete
---
## LORE System Overview
**Mission 2 LORE Count:** 3 fragments (beginner mission standard)
**Difficulty:** Easy-Medium (all accessible without complex puzzles)
**Purpose:** Reveal ENTROPY coordination, Ransomware Inc. philosophy, cross-cell operations
**Integration with Campaign:**
- Fragment 1: Ghost's ideology (Ransomware Inc. philosophy)
- Fragment 2: Financial network (Crypto Anarchist connection → M6)
- Fragment 3: Cross-cell coordination (Zero Day Syndicate → M3)
---
## LORE Fragment 1: "Ghost's Manifesto - Teaching Resilience Through Adversity"
### Fragment Metadata
**ID:** `lore_m02_ghosts_manifesto`
**Title:** "Ransomware Incorporated: Operational Philosophy"
**Author:** Ghost (Ransomware Inc. operative)
**Date:** 2024-11-15 (2 weeks before mission)
**Format:** Text file (operational_log.txt)
**Length:** Medium (3-4 paragraphs)
### Discovery Details
**Location:** Server Room - VM Terminal
**File Path:** `/var/backups/operational_log.txt` (VM filesystem)
**Unlock Condition:** Complete ProFTPD exploitation, navigate to /var/backups
**Access Method:** VM command: `cat /var/backups/operational_log.txt`
**Ink Tag:** `#unlock_lore:ghosts_manifesto`
**Discovery Flow:**
1. Player exploits ProFTPD backdoor (Task 3.2)
2. Gains shell access to hospital backup server
3. Navigates to /var/backups directory (Task 3.3)
4. Finds operational_log.txt among encrypted database files
5. Reads file content → LORE unlocked
### Fragment Content
```
========================================================================================
RANSOMWARE INCORPORATED: OPERATIONAL PHILOSOPHY
OPERATION RESILIENCE - ST. CATHERINE'S REGIONAL MEDICAL CENTER
AUTHOR: Ghost (Operative ID: RI-047)
DATE: 2024-11-15
CLASSIFICATION: INTERNAL - ENTROPY CELL OPERATIONAL DOCTRINE
========================================================================================
EXECUTIVE SUMMARY:
We are not criminals. We are educators. St. Catherine's Hospital represents everything wrong with institutional cybersecurity in the healthcare sector: negligence, budget misallocation, and willful ignorance of documented vulnerabilities.
INSTITUTIONAL NEGLIGENCE ANALYSIS:
Marcus Webb, IT Administrator, submitted formal warning about CVE-2010-4652 (ProFTPD 1.3.5 backdoor vulnerability) on May 17, 2024. His recommendation: $85,000 server security upgrade with immediate patching.
Hospital board response: "Budget constraints—defer to next fiscal year."
Six months later (November 2024), same hospital board approved $3.2 million MRI equipment purchase. State-of-the-art imaging technology. Zero investment in unsexy cybersecurity infrastructure.
This is not an isolated case. This is systemic institutional failure across the healthcare sector. 214 hospitals scanned (see ZDS reconnaissance report). 147 have critical vulnerabilities. 89 have ignored IT security warnings within the past 12 months.
CALCULATED RISK ASSESSMENT:
St. Catherine's Regional Medical Center:
- 47 patients on life support (ventilators, ECMO, dialysis)
- Backup generator capacity: 12 hours
- Ransom demand: 2.5 BTC (~$87,000 USD)
- Recovery timeline (manual): 12 hours minimum
Statistical Risk Projection:
- Patient death probability: 0.3% per hour delayed recovery
- If ransom paid immediately (0-4 hours): 1.2% cumulative risk = 1-2 expected fatalities
- If manual recovery (12 hours): 3.6% cumulative risk = 4-6 expected fatalities
- If recovery fails entirely: 100% of 47 patients = 47 fatalities
These numbers should horrify you. But they should horrify the hospital administrators MORE.
THEY created this scenario when they chose MRI equipment over server security. THEY created this risk when they ignored Marcus Webb's warnings for six months. THEY valued shiny technology over patient data protection.
We are simply revealing the consequences of their choices.
EDUCATIONAL OBJECTIVES:
Primary: Force St. Catherine's to prioritize cybersecurity (budget increase, Marcus Webb vindication)
Secondary: Send message to healthcare sector (140+ hospitals watching)
Tertiary: Demonstrate ENTROPY capability (coordinated cell operations)
POST-OPERATION PROJECTIONS:
Regardless of outcome (ransom paid or manual recovery):
- St. Catherine's will triple cybersecurity budget (confirmed via board pressure analysis)
- Marcus Webb will be promoted OR vindicated (public documentation of warnings)
- 40+ hospitals will implement emergency security audits (sector-wide deterrence effect)
- Healthcare IT community will prioritize vulnerability patching (behavior modification)
The suffering is regrettable but educational. Resilience is taught through adversity.
If 2-6 patients die during this operation, that is tragic. But if this operation prevents 200-600 deaths across 40 hospitals over the next 5 years (statistical modeling), then the mathematics are clear.
We accept responsibility for our actions. We do not accept responsibility for the institutional negligence that created this scenario. That responsibility lies with St. Catherine's board, who chose profit over patient safety.
APPROVAL STATUS:
Operation approved by The Architect (confirmation code: ARCH-RI-2024-11-15-RESILIENCE)
The Architect's directive: "Healthcare sector is systematically vulnerable. Ransomware Incorporated's methodology is proven effective (see Operation Triage success metrics). St. Catherine's represents ideal target profile. Proceed with precision. Ensure SAFETYNET response reveals coordination between cells."
Coordination confirmed:
- Zero Day Syndicate: Exploit package delivered, reconnaissance complete
- Crypto Anarchists: Payment processing infrastructure ready (HashChain Exchange)
- Ghost Protocol: Anonymity layer active, no attribution possible
All ENTROPY cells aligned. Operation Resilience is go.
OPERATIONAL NOTES:
Marcus Webb is the key narrative figure. His documented warnings make the negligence undeniable. Protect his reputation in operational communications. He is not our enemy—his leadership is.
Dr. Sarah Kim (Hospital CTO) will face professional consequences regardless of outcome. She recommended budget cuts. Her guilt will drive decision-making. Use that.
Patient deaths are statistical risk, not certainty. Hospital has competent medical staff. Backup power is reliable. They have 12 hours. That is sufficient IF they act decisively.
We are not murderers. We are harsh teachers. The lesson is expensive, but institutional change requires pain.
CLOSING STATEMENT:
After this operation, St. Catherine's will never ignore an IT security warning again. Neither will the 40 hospitals watching this unfold. The healthcare sector will learn to prioritize digital hygiene.
That is worth the cost. That is worth the risk. That is our mission.
Mission accomplished.
- Ghost
Ransomware Incorporated
ENTROPY Cell Operative
========================================================================================
END OPERATIONAL LOG
========================================================================================
```
### Educational Value
**CyBOK Alignment:**
- **Adversarial Behaviours:** Attacker motivations, ideological justification
- **Human Factors:** Institutional decision-making failures, budget prioritization
- **Risk Management:** Statistical risk assessment, calculated harm
**Learning Objectives:**
- Understand ENTROPY's ideological framework (not just profit-motivated criminals)
- Recognize institutional cybersecurity negligence patterns
- See how attackers calculate and justify collateral damage
- Learn that ransomware groups use sophisticated risk analysis
### Narrative Impact
**Player Understanding:**
- Ghost calculated patient death probabilities (not reckless, calculated)
- Hospital's budget choices created vulnerability (institutional failure)
- ENTROPY cells coordinated (The Architect orchestrates operations)
- Marcus Webb intentionally positioned as narrative hero (Ghost respects him)
**Emotional Response:**
- Horror: Ghost has spreadsheet of projected deaths
- Anger: Ghost feels no remorse ("worth the cost")
- Complexity: Ghost's critique of hospital negligence has validity
- Understanding: ENTROPY's ideology clear (even if evil)
**Moral Dilemma Enhancement:**
- If player pays ransom: Funding calculated evil
- If player doesn't pay: 2-6 patient deaths (as Ghost predicted)
- Ghost's mathematics proven either way (haunting accuracy)
---
## LORE Fragment 2: "CryptoSecure Recovery Services - Ransomware Inc. Front Company"
### Fragment Metadata
**ID:** `lore_m02_cryptosecure_services`
**Title:** "CryptoSecure Recovery Services - Client Testimonial Log"
**Author:** Ransomware Incorporated (corporate documentation)
**Date:** 2024-10-30 (3 weeks before mission)
**Format:** Business document (PDF converted to text)
**Length:** Medium (2-3 pages)
### Discovery Details
**Location:** IT Department - Filing Cabinet
**Container Type:** 4-drawer filing cabinet (lockpicking required - easy)
**Drawer:** Third drawer, folder labeled "Vendor Contacts - Data Recovery"
**Access Method:** Lockpick filing cabinet → Search drawers → Read document
**Ink Tag:** `#unlock_lore:cryptosecure_services`
**Discovery Flow:**
1. Player lockpicks IT Department door (Task 2.3)
2. Investigates Marcus's office (optional exploration)
3. Lockpicks filing cabinet (easy difficulty)
4. Finds folder: "Vendor Contacts - Data Recovery"
5. Reads CryptoSecure brochure/testimonial log → LORE unlocked
### Fragment Content
```
════════════════════════════════════════════════════════════════════════════════════
CRYPTOSECURE RECOVERY SERVICES
Cryptocurrency-Based Data Recovery Specialists
"When Traditional Backups Fail, We Deliver Results"
CORPORATE HEADQUARTERS: Unknown (Distributed Operations)
CONTACT: recovery@cryptosecure-services.onion (Tor network only)
PAYMENT METHODS: Bitcoin, Monero, Ethereum (cryptocurrency ONLY)
AVERAGE RESPONSE TIME: <4 hours from incident report
SUCCESS RATE: 99.8% (all clients recovered, all ransoms paid)
════════════════════════════════════════════════════════════════════════════════════
CLIENT TESTIMONIAL LOG - OPERATION TRIAGE (PILOT PROGRAM)
HEALTHCARE SECTOR PROOF-OF-CONCEPT
Q1-Q2 2024 OPERATIONS
────────────────────────────────────────────────────────────────────────────────────
CLIENT #1: GREENFIELD COMMUNITY CLINIC
INCIDENT DATE: March 15, 2024
RANSOMWARE VARIANT: ResilientCrypt v2.1 (AES-256 encryption)
SYSTEMS AFFECTED: 420 patient records, 3 server workstations
RANSOM DEMAND: 0.5 BTC (~$29,000 USD at time)
INCIDENT TIMELINE:
- 03:47 AM: Ransomware deployment via vulnerable FTP server
- 04:12 AM: Clinic director contacts CryptoSecure Recovery Services
- 04:45 AM: Payment processed via HashChain Exchange (Crypto Anarchist infrastructure)
- 05:30 AM: Decryption keys delivered, systems restored
- 08:00 AM: Clinic operational, zero patient deaths
TOTAL DOWNTIME: 4 hours 13 minutes
CLIENT SATISFACTION SURVEY:
- Overall Service: 9/10
- Response Time: 10/10
- Technical Support: 9/10
- Price Fairness: 7/10
CLIENT TESTIMONIAL:
"Fast, professional service. Systems restored before morning appointments. Expensive lesson—wish we'd invested in backups instead. But grateful for CryptoSecure's efficiency. Hired new IT director immediately after incident."
POST-INCIDENT ACTIONS:
- Greenfield Clinic cybersecurity budget increased 300%
- Implemented daily backup procedures (offline storage)
- Staff cybersecurity training program established
- No repeat incidents (ongoing monitoring confirms)
EDUCATIONAL OUTCOME: SUCCESS (Client learned, improved security)
────────────────────────────────────────────────────────────────────────────────────
CLIENT #2: RIVERSIDE MEDICAL ASSOCIATES
INCIDENT DATE: April 22, 2024
RANSOMWARE VARIANT: ResilientCrypt v2.2 (AES-256 + anti-forensics)
SYSTEMS AFFECTED: 1,240 patient records, 7 workstations, 1 server
RANSOM DEMAND: 0.8 BTC (~$46,000 USD at time)
INCIDENT TIMELINE:
- 02:15 AM: Ransomware deployment via phishing email (Finance Dept)
- 06:30 AM: Medical director contacts CryptoSecure (4-hour delay, attempted DIY recovery)
- 07:15 AM: Payment processed
- 08:00 AM: Decryption keys delivered
- 11:30 AM: Systems restored (partial corruption, 1 patient complication - non-fatal)
TOTAL DOWNTIME: 9 hours 15 minutes (delayed by client's DIY attempt)
CLIENT SATISFACTION SURVEY:
- Overall Service: 7/10
- Response Time: 9/10 (once contacted)
- Technical Support: 8/10
- Price Fairness: 6/10
CLIENT TESTIMONIAL:
"Expensive lesson. Regret payment but grateful for speed. Should have contacted immediately instead of trying DIY recovery—cost us 4 hours and one patient complication. Implemented security overhaul. IT department now properly funded."
POST-INCIDENT ACTIONS:
- Riverside Medical doubled IT staff (1 → 2 FTE)
- Implemented enterprise backup solution (Veeam)
- Phishing awareness training (quarterly)
- No repeat incidents
EDUCATIONAL OUTCOME: SUCCESS (Client learned, improved security)
────────────────────────────────────────────────────────────────────────────────────
CLIENT #3: VALLEY HEALTH CENTER
INCIDENT DATE: May 10, 2024
RANSOMWARE VARIANT: ResilientCrypt v2.3 (AES-256 + time-locked decryption)
SYSTEMS AFFECTED: 890 patient records, 5 workstations
RANSOM DEMAND: 1.2 BTC (~$68,000 USD at time)
INCIDENT TIMELINE:
- 01:30 AM: Ransomware deployment via compromised remote desktop (weak password)
- 02:00 AM: Night shift director contacts CryptoSecure immediately
- 02:45 AM: Payment processed (fastest client response time)
- 03:15 AM: Decryption keys delivered
- 05:00 AM: Systems restored, all data recovered
TOTAL DOWNTIME: 3 hours 30 minutes (fastest recovery on record)
CLIENT SATISFACTION SURVEY:
- Overall Service: 8/10
- Response Time: 10/10
- Technical Support: 9/10
- Price Fairness: 7/10
CLIENT TESTIMONIAL:
"Professional service. Regret needing it, but impressed by efficiency. Learned our lesson about password policies. IT security is now board-level priority. Worth every Bitcoin to keep patients safe."
POST-INCIDENT ACTIONS:
- Valley Health implemented MFA (multi-factor authentication) across all systems
- Password policy overhaul (12+ characters, complexity requirements)
- Network segmentation (patient records isolated)
- Penetration testing (quarterly)
- No repeat incidents
EDUCATIONAL OUTCOME: SUCCESS (Client learned, improved security)
────────────────────────────────────────────────────────────────────────────────────
OPERATION TRIAGE - AGGREGATE METRICS
TOTAL CLIENTS: 3 healthcare facilities
TOTAL REVENUE: 2.5 BTC (~$143,000 USD total)
AVERAGE DOWNTIME: 5.6 hours
PATIENT FATALITIES: 0 (zero deaths across all incidents)
CLIENT SATISFACTION: 8/10 average
REPEAT INCIDENTS: 0% (all clients improved security post-incident)
REINVESTMENT ALLOCATION:
- Ransomware Development (ResilientCrypt v3.0): 40% (~$57,200)
- AES-256 → ChaCha20-Poly1305 upgrade
- Enhanced anti-forensics
- Time-locked decryption (prevent early analysis)
- Infrastructure Maintenance: 20% (~$28,600)
- Tor hidden services hosting
- Cryptocurrency wallet management
- Operational security (Ghost Protocol coordination)
- Zero Day Syndicate Coordination: 15% (~$21,450)
- Exploit package procurement
- Reconnaissance services
- Target vulnerability analysis
- Crypto Anarchist Payment Processing: 10% (~$14,300)
- HashChain Exchange fees
- Cryptocurrency laundering
- International transfer infrastructure
- ENTROPY Cell Collaboration: 10% (~$14,300)
- Cross-cell coordination fees
- The Architect's operational oversight
- Inter-cell intelligence sharing
- Operational Reserve: 5% (~$7,150)
- Emergency funds
- Legal contingency (if operatives arrested)
────────────────────────────────────────────────────────────────────────────────────
OPERATION RESILIENCE - ST. CATHERINE'S HOSPITAL PROJECTION
TARGET: St. Catherine's Regional Medical Center
PROJECTED REVENUE: 2.5 BTC (~$87,000 USD)
FACILITY SIZE: 3x larger than previous clients
PATIENT RISK: 47 on life support (higher stakes = higher pressure = faster payment)
TARGET RATIONALE:
- Documented IT warnings (Marcus Webb - ideal narrative)
- Budget negligence ($3.2M MRI vs. $85K security)
- ProFTPD vulnerability confirmed (ZDS reconnaissance)
- Maximum educational impact (larger facility = sector-wide attention)
PROJECTED OUTCOMES:
If Ransom Paid (Estimated Probability: 70%):
- Systems restored: 4-6 hours
- Patient deaths: 0-2 (statistical risk minimal)
- Hospital reputation: Intact (quick resolution)
- Cybersecurity budget: +200-300% increase
- Sector-wide impact: 15-25 hospitals implement emergency upgrades
If Manual Recovery (Estimated Probability: 30%):
- Systems restored: 12 hours (IT department capable)
- Patient deaths: 2-6 (statistical risk 3.6%)
- Hospital reputation: Damaged (lawsuits likely)
- Cybersecurity budget: +400-500% increase (panic response)
- Sector-wide impact: 40-60 hospitals implement emergency upgrades
BOTH OUTCOMES ACHIEVE EDUCATIONAL OBJECTIVE.
────────────────────────────────────────────────────────────────────────────────────
CRYPTOSECURE RECOVERY SERVICES - OPERATIONAL PHILOSOPHY
We do not see ourselves as criminals. We are market-driven educators. Healthcare institutions systemically underinvest in cybersecurity until crisis forces change. We provide that crisis.
Our methodology:
1. Target negligent institutions (documented warnings ignored)
2. Create controlled crisis (patient risk calculated, not reckless)
3. Offer rapid resolution (professional service, high success rate)
4. Ensure institutional learning (post-incident security improvements verified)
Success metrics:
- Client recovery rate: 99.8%
- Post-incident security improvements: 100%
- Repeat incidents: 0%
- Patient fatalities: <1% (statistical baseline for medical facilities)
Traditional cybersecurity consultants charge millions for penetration testing and security audits. Institutions ignore recommendations because no immediate pain.
We charge thousands for ransomware incidents. Institutions implement recommendations immediately because pain is visceral.
The mathematics are clear: Our approach is more effective at driving institutional change.
────────────────────────────────────────────────────────────────────────────────────
PAYMENT PROCESSING INFRASTRUCTURE
All payments processed via Crypto Anarchist infrastructure:
- Primary: HashChain Exchange (Monero mixing, Bitcoin conversion)
- Secondary: Silk Route Protocol (multi-hop transaction routing)
- Tertiary: DarkCoin Mixer (final anonymization layer)
Payment flow:
1. Client sends Bitcoin to wallet address (provided in ransom note)
2. Crypto Anarchists convert BTC → XMR (Monero - privacy cryptocurrency)
3. Monero mixed across 47 wallets (anonymization)
4. Converted back XMR → BTC (clean Bitcoin)
5. Distributed to ENTROPY cell accounts (international exchanges)
Total fee: 12% of ransom (paid to Crypto Anarchists)
Attribution: Impossible (even for SAFETYNET forensics)
This infrastructure enables Ransomware Incorporated's operations while maintaining operational security. Crypto Anarchists provide essential service to ENTROPY cells network-wide.
────────────────────────────────────────────────────────────────────────────────────
CONTACT INFORMATION
CryptoSecure Recovery Services
recovery@cryptosecure-services.onion
Emergency Contact (24/7):
ghostprotocol-relay-047@encrypted.onion
Corporate Partners:
- Zero Day Syndicate (Exploit Procurement)
- Crypto Anarchists (Payment Processing)
- Ghost Protocol (Anonymity Infrastructure)
All partnerships coordinated under The Architect's oversight.
════════════════════════════════════════════════════════════════════════════════════
END DOCUMENT - CRYPTOSECURE RECOVERY SERVICES CLIENT LOG
════════════════════════════════════════════════════════════════════════════════════
```
### Educational Value
**CyBOK Alignment:**
- **Malware & Attack Technologies:** Ransomware business model, legitimate front companies
- **Adversarial Behaviours:** Profit-driven vs. ideological attacks, institutional targeting
- **Applied Cryptography:** Cryptocurrency laundering, payment anonymization
**Learning Objectives:**
- Understand ransomware-as-a-service business models
- Learn how criminal organizations use legitimate-appearing fronts
- Recognize cryptocurrency payment infrastructure complexity
- See how attackers measure "success" (client security improvements, not just revenue)
### Narrative Impact
**Campaign Connection (M6):**
- HashChain Exchange mentioned (Crypto Anarchist infrastructure)
- Payment processing flow detailed (M6 financial investigation target)
- If player pays ransom: $87K flows through this exact infrastructure
- If player doesn't pay: System remains operational but unfunded
**Cross-Cell Coordination:**
- Crypto Anarchists provide payment processing (12% fee)
- Zero Day Syndicate provides exploits (mentioned)
- Ghost Protocol provides anonymity (relay system)
- All coordinated by The Architect
**Institutional Learning:**
- All 3 previous clients improved security post-incident (100% success rate)
- Ransomware Inc. tracks security improvements (verifies educational impact)
- St. Catherine's projected to follow same pattern (prediction accuracy)
---
## LORE Fragment 3: "Zero Day Syndicate Invoice - Exploit Procurement"
### Fragment Metadata
**ID:** `lore_m02_zds_invoice`
**Title:** "Zero Day Syndicate - Invoice #ZDS-2024-0847"
**Author:** Zero Day Syndicate (billing department)
**Date:** 2024-10-15 (1 month before mission)
**Format:** Invoice (PDF converted to text)
**Length:** Short-Medium (1-2 pages)
### Discovery Details
**Location:** Dr. Kim's Administrative Office - PIN-Locked Safe
**Container Type:** 4-digit electronic safe (same PIN as Emergency Storage: 1987)
**Safe Location:** Wall-mounted in Dr. Kim's office (behind framed certificate)
**Access Method:** Lockpick Dr. Kim's office door → Crack safe PIN (1987) → Read invoice
**Ink Tag:** `#unlock_lore:zds_invoice`
**Discovery Flow:**
1. Player lockpicks Dr. Kim's office door (medium difficulty)
2. Investigates office (optional exploration beyond meeting Dr. Kim)
3. Finds safe behind framed certificate on wall
4. Cracks 4-digit PIN: 1987 (same as emergency storage safe)
5. Retrieves invoice document → LORE unlocked
**Optional Discovery:** Not required for mission completion, but high-value LORE
### Fragment Content
```
═══════════════════════════════════════════════════════════════════════════════════
ZERO DAY SYNDICATE
Premier Exploit Development & Vulnerability Research
"We Find Them Before They Find You"
CORPORATE CONTACT: acquisition@zero-day-syndicate.onion
EMERGENCY SUPPORT: +1-XXX-XXX-XXXX (Encrypted Voice Only)
PAYMENT TERMS: Cryptocurrency Only (BTC, XMR, ETH accepted)
═══════════════════════════════════════════════════════════════════════════════════
INVOICE #ZDS-2024-0847
DATE: October 15, 2024
DUE DATE: October 22, 2024 (NET 7 days)
BILL TO:
Ransomware Incorporated
Attn: Ghost (Operative ID: RI-047)
Contact: ghost-ri-047@entropy-comms.onion
PROJECT: Healthcare Sector Exploit Package + Reconnaissance
TARGET VERTICAL: Regional Medical Centers (ProFTPD Vulnerability)
OPERATION CODE: Operation Resilience
───────────────────────────────────────────────────────────────────────────────────
ITEMIZED SERVICES
1. ProFTPD 1.3.5 Backdoor Exploit Package
CVE-2010-4652 (CRITICAL SEVERITY)
Deliverables:
- Working exploit code (Python + Bash scripts)
- Deployment instructions (step-by-step guide)
- Post-exploitation toolkit (privilege escalation, persistence)
- Detection evasion techniques (IDS/IPS bypass)
- Automated payload generator (customizable for targets)
Testing Status: VERIFIED (97% success rate across 50+ test environments)
Detection Risk: LOW (only 3/47 major AV vendors detect as of Oct 2024)
PRICE: $25,000.00 USD (paid in BTC equivalent)
───────────────────────────────────────────────────────────────────────────────────
2. Healthcare Sector Vulnerability Reconnaissance
Target Analysis: 214 hospitals scanned (US regional medical centers)
Deliverables:
- Comprehensive vulnerability report (CSV database)
- ProFTPD version identification (147 hospitals running vulnerable versions)
- Network topology mapping (ingress/egress points)
- Security posture assessment (firewall configs, IDS deployments)
- Staff social engineering susceptibility analysis
Scan Methodology:
- Non-intrusive port scanning (stealth mode)
- Service banner grabbing (version identification)
- Public documentation review (security audits, compliance reports)
- Social media reconnaissance (staff LinkedIn profiles, IT complaints)
PRICE: $15,000.00 USD (paid in BTC equivalent)
───────────────────────────────────────────────────────────────────────────────────
3. Target Selection Consultation & Risk Analysis
Recommended Primary Target: St. Catherine's Regional Medical Center
Deliverables:
- Top 10 target ranking (risk/reward optimization)
- St. Catherine's detailed profile:
* ProFTPD 1.3.5 confirmed vulnerable
* 47 patients on life support (high pressure leverage)
* IT security warnings documented (Marcus Webb, May 2024)
* Budget negligence confirmed ($85K security vs. $3.2M MRI)
* Backup systems analyzed (12-hour manual recovery possible)
* Hospital board risk tolerance profiled (likely to pay ransom)
- Alternative targets (Tier 2/3 fallback options)
- Timeline recommendations (optimal deployment window)
- SAFETYNET response prediction (estimated 4-6 hour deployment)
Risk Assessment: MEDIUM (SAFETYNET will investigate, but attribution difficult)
Reward Assessment: HIGH (maximum educational impact, sector-wide attention)
PRICE: $10,000.00 USD (paid in BTC equivalent)
───────────────────────────────────────────────────────────────────────────────────
4. Deployment Guide & Technical Support
Post-Sale Support Package (30 days)
Deliverables:
- Custom deployment playbook (St. Catherine's-specific)
- Encrypted communication channel (Ghost Protocol relay)
- Technical support (email/voice, 48-hour response SLA)
- Troubleshooting assistance (if exploitation fails)
- Operational security guidance (attribution prevention)
Support Includes:
- Initial deployment verification
- Troubleshooting failed exploitation attempts
- Privilege escalation consultation
- Data exfiltration recommendations (backup key locations)
PRICE: $5,000.00 USD (paid in BTC equivalent)
───────────────────────────────────────────────────────────────────────────────────
SUBTOTAL: $55,000.00 USD
ENTROPY CELL DISCOUNT (15%): -$8,250.00 USD
────────────────────────────────────────────────
TOTAL DUE: $46,750.00 USD
PAYMENT METHOD: Bitcoin (BTC)
BTC WALLET ADDRESS: 1ZDSxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BTC AMOUNT (at Oct 15, 2024 rate): 1.34 BTC (~$34,821/BTC)
PAYMENT PROCESSOR: Crypto Anarchist Infrastructure (HashChain Exchange)
PROCESSING FEE: 5% ($2,337.50) - paid by Zero Day Syndicate, not client
───────────────────────────────────────────────────────────────────────────────────
PAYMENT STATUS
Invoice Sent: October 15, 2024
Payment Received: October 18, 2024 (3 days early - excellent client)
Amount: 1.34 BTC ($46,750.00 USD equivalent)
Transaction Hash: 0x7f3b2a... [truncated for security]
Confirmation: VERIFIED (6 confirmations, irreversible)
PAYMENT NOTES:
Ransomware Incorporated (Ghost) is a repeat customer with excellent payment history.
This is the 4th collaboration since Operation Triage initiation (March 2024).
Client satisfaction rating: 5/5 stars (all previous exploits performed as advertised).
Recommend priority support and future discount incentives for continued partnership.
───────────────────────────────────────────────────────────────────────────────────
DELIVERABLES TRANSFER
Exploit Package: DELIVERED (October 19, 2024)
Transfer Method: Encrypted file transfer via Ghost Protocol relay
File Integrity: SHA-256 hash verified by client
Reconnaissance Report: DELIVERED (October 19, 2024)
Format: CSV database + PDF executive summary
Target Count: 214 hospitals analyzed, 147 vulnerable identified
Target Consultation: DELIVERED (October 20, 2024)
Format: Video conference (Tor-based encrypted call)
Duration: 90 minutes (comprehensive target briefing)
Attendees: Ghost (RI-047), ZDS Consultant (Anonymized), The Architect (observer)
Deployment Guide: DELIVERED (October 20, 2024)
Format: Step-by-step PDF + video tutorial
St. Catherine's customization: Complete (hospital-specific playbook)
ALL DELIVERABLES CONFIRMED RECEIVED - PROJECT COMPLETE
───────────────────────────────────────────────────────────────────────────────────
ARCHITECT APPROVAL
This invoice and associated project were approved by The Architect under ENTROPY Cell Coordination Protocol.
Approval Code: ARCH-ZDS-RI-2024-10-15-RESILIENCE
Authorization: "Proceed with St. Catherine's targeting. Healthcare sector prioritization confirmed. Zero Day Syndicate's reconnaissance is excellent—St. Catherine's profile matches operational requirements perfectly."
The Architect's Notes:
"St. Catherine's represents ideal case study for institutional negligence. Marcus Webb's documented warnings create undeniable narrative. Budget allocation ($3.2M MRI vs. $85K security) is textbook example of cybersecurity deprioritization. Exploit package ensures technical success. Ransomware Incorporated's operational execution is reliable. Coordination with Crypto Anarchists confirmed (payment processing ready). Cross-cell operation approved."
ENTROPY CELL COLLABORATION CONFIRMED:
✓ Zero Day Syndicate: Exploit provision (this invoice)
✓ Ransomware Incorporated: Operational execution (Ghost)
✓ Crypto Anarchists: Payment processing (HashChain Exchange)
✓ Ghost Protocol: Anonymity infrastructure (communication relay)
This operation represents successful multi-cell coordination under The Architect's oversight.
───────────────────────────────────────────────────────────────────────────────────
ZERO DAY SYNDICATE - OPERATIONAL NOTES
St. Catherine's Deployment Success Probability: 95%+
Confidence Factors:
- ProFTPD 1.3.5 vulnerability confirmed (version banner verified)
- No WAF (web application firewall) detected
- Minimal IDS deployment (outdated Snort rules)
- IT staff overworked (Marcus Webb sole administrator for 400+ workstations)
- Security patch cycle: Quarterly (last patch: July 2024, 3 months ago)
Risk Mitigation:
- Backup server isolated network segment (no internet egress monitoring)
- FTP server accessible via hospital VPN (weak password policy)
- No MFA (multi-factor authentication) on admin accounts
- SSH keys not rotated in 18+ months (weak key management)
Alternative Entry Vectors (if ProFTPD fails):
1. Phishing (Finance department susceptible, see social engineering analysis)
2. VPN brute force (weak passwords identified)
3. Supply chain (third-party vendor access confirmed)
Fallback targets (if St. Catherine's compromised before deployment):
1. Metro General Hospital (Tier 2 - similar profile)
2. County Medical Center (Tier 3 - smaller but still viable)
Zero Day Syndicate guarantees successful exploitation or full refund (less 20% restocking fee).
───────────────────────────────────────────────────────────────────────────────────
TECHNICAL SPECIFICATIONS
ProFTPD 1.3.5 Backdoor (CVE-2010-4652):
Vulnerability Description:
ProFTPD versions 1.3.3c-1.3.5 contain a backdoor in the source code that allows remote attackers to execute arbitrary code via a crafted FTP command sequence.
Exploitation Method:
1. Connect to FTP server (port 21)
2. Send specially crafted USER command: "USER admin:)<backdoor_trigger>"
3. Backdoor opens shell on port 6200 (TCP)
4. Connect to port 6200, gain shell access as proftpd user
5. Escalate privileges using local kernel exploit (included in package)
Post-Exploitation:
- Privileges: proftpd user (limited)
- Escalation: Linux kernel exploit (CVE-2023-XXXX) → root access
- Persistence: Cron job installation, SSH key injection
- Exfiltration: SCP transfer, FTP download (ironic), HTTP exfil server
Detection Evasion:
- Backdoor trigger uses non-standard characters (most IDS rules miss pattern)
- Shell connection mimics legit FTP data transfer (port 6200 common FTP passive mode)
- Traffic blends with normal hospital VPN usage
- No file writes during exploitation (memory-only payload option)
EXPLOITATION SUCCESS RATE (ZDS Testing):
- 50 test environments: 48 successful (96%)
- 2 failures due to non-standard FTP configs (edge cases)
- St. Catherine's config: STANDARD (guaranteed success)
───────────────────────────────────────────────────────────────────────────────────
CLIENT SATISFACTION & REPEAT BUSINESS
Ransomware Incorporated (Ghost) - Client History:
Purchase #1 (March 2024): Operation Triage - Greenfield Clinic
- Exploit: SMB vulnerability
- Result: SUCCESS (ransomware deployed, $29K ransom paid)
- Client Feedback: "Exploit worked flawlessly. Professional service."
Purchase #2 (April 2024): Operation Triage - Riverside Medical
- Exploit: Phishing toolkit + remote desktop compromise
- Result: SUCCESS ($46K ransom paid)
- Client Feedback: "Exceeded expectations. Will use again."
Purchase #3 (May 2024): Operation Triage - Valley Health
- Exploit: RDP brute force + privilege escalation
- Result: SUCCESS ($68K ransom paid)
- Client Feedback: "ZDS is the gold standard for exploit provision."
Purchase #4 (October 2024): Operation Resilience - St. Catherine's
- Exploit: ProFTPD backdoor (this invoice)
- Result: PENDING (deployment scheduled November 2024)
TOTAL REVENUE FROM CLIENT: $196,750 (4 invoices, 100% payment record)
Zero Day Syndicate values this partnership and offers Ransomware Incorporated:
- 15% ENTROPY cell discount (applied to all invoices)
- Priority support queue
- Custom exploit development (upon request)
- Advance notification of new vulnerabilities
───────────────────────────────────────────────────────────────────────────────────
CONTACT FOR SUPPORT
Technical Support: support@zero-day-syndicate.onion
Sales Inquiries: acquisition@zero-day-syndicate.onion
Emergency Contact: +1-XXX-XXX-XXXX (Encrypted Phone, 24/7)
Ghost Protocol Relay (for Ghost RI-047): ghostprotocol-relay-047@encrypted.onion
Thank you for your business. Zero Day Syndicate looks forward to continued collaboration under The Architect's coordination.
═══════════════════════════════════════════════════════════════════════════════════
ZERO DAY SYNDICATE - INVOICE #ZDS-2024-0847
CONFIDENTIAL - ENTROPY CELL INTERNAL DOCUMENTATION
═══════════════════════════════════════════════════════════════════════════════════
```
### Educational Value
**CyBOK Alignment:**
- **Malware & Attack Technologies:** Exploit development lifecycle, vulnerability procurement
- **Adversarial Behaviours:** Attack supply chains, exploit marketplaces
- **Systems Security:** CVE exploitation, service vulnerabilities, privilege escalation
**Learning Objectives:**
- Understand exploit marketplace economics (pricing, services, support)
- Learn how criminal organizations purchase/sell vulnerabilities
- Recognize attack planning sophistication (reconnaissance, target analysis)
- See The Architect's role in coordinating multi-cell operations
### Narrative Impact
**Campaign Connection (M3):**
- Zero Day Syndicate introduced (M3 mission will target ZDS directly)
- Exploit supply chain revealed (shut down ZDS = reduce ENTROPY capability)
- The Architect's coordination role confirmed (orchestrates cross-cell ops)
**Cross-Cell Coordination:**
- ZDS provides exploits to Ransomware Inc. (supplier relationship)
- Crypto Anarchists process payments (financial infrastructure)
- Ghost Protocol provides anonymity (communication relay)
- The Architect approves all operations (central leadership)
**St. Catherine's Targeting:**
- Wasn't random: ZDS scanned 214 hospitals, recommended St. Catherine's specifically
- Marcus Webb's warnings were known: "documented warnings create undeniable narrative"
- Budget negligence was criteria: "$3.2M MRI vs. $85K security is textbook example"
- 47 patients calculated: "high pressure leverage"
**Player Revelation:**
- Hospital was specifically chosen for maximum impact
- ENTROPY's planning is sophisticated (reconnaissance, risk analysis, target profiling)
- Marcus was right all along (ZDS confirmed ProFTPD vulnerability May 2024)
- This attack was preventable (hospital ignored documented risk)
---
## LORE Fragment Discovery Flow
### Chronological Discovery Order (Typical Playthrough)
**Fragment 1 (Earliest): CryptoSecure Services**
- **When:** Early Act 2 (IT Department investigation)
- **How:** Lockpick filing cabinet (easy) → Find document
- **Impact:** Understand Ransomware Inc. business model, previous operations
- **Player Knowledge:** ENTROPY uses front companies, targets healthcare repeatedly
**Fragment 2 (Middle): Ghost's Manifesto**
- **When:** Mid Act 2 (VM exploitation complete)
- **How:** ProFTPD exploit → Navigate filesystem → Read operational_log.txt
- **Impact:** Horror at calculated patient deaths, Ghost's ideology revealed
- **Player Knowledge:** Ghost planned this precisely, no remorse
**Fragment 3 (Latest/Optional): ZDS Invoice**
- **When:** Late Act 2 or Act 3 (optional exploration)
- **How:** Lockpick Dr. Kim's office → Crack safe (1987) → Find invoice
- **Impact:** Cross-cell coordination confirmed, M3 setup
- **Player Knowledge:** ZDS sold exploit, The Architect coordinates, attack was planned 1 month ago
### Alternative Discovery Order (Advanced Players)
**Fragment 3 First (Optional Exploration):**
- Player lockpicks Dr. Kim's office early (before meeting her)
- Cracks safe before emergency storage safe
- Learns about ZDS coordination early
- **Effect:** Changes context for later discoveries (knows attack was coordinated)
**Fragment 2 + 3 Together:**
- Player reads Ghost's manifesto (VM), then immediately finds ZDS invoice (safe)
- Back-to-back reveals: Ideology + Coordination
- **Effect:** Maximum impact, both ENTROPY philosophy and logistics revealed
**All Fragments Skipped (Minimal Playthrough):**
- Player completes mission without optional exploration
- Misses all LORE fragments
- **Effect:** Mission playable but less narrative depth, no M3 setup
---
## LORE Integration with Debrief
**Agent 0x99 Commentary (If All LORE Found):**
> "You found Ghost's manifesto. They calculated patient death probabilities—spreadsheets of projected casualties. That's not random crime, that's ideology."
>
> "CryptoSecure Recovery Services. Ransomware Inc.'s front company. They've hit three hospitals before this—Operation Triage. All clients paid, all improved security after. They track their 'educational outcomes.'"
>
> "Zero Day Syndicate sold Ghost that exploit. They scanned 214 hospitals, recommended St. Catherine's specifically because of Marcus's warnings. This wasn't opportunistic—this was planned a month ago."
>
> "ENTROPY cells are coordinating. The Architect approved this operation. ZDS provides weapons, Ransomware Inc. deploys them, Crypto Anarchists launder the money. We're fighting an organization, not individuals."
**Agent 0x99 Commentary (If No LORE Found):**
> "We disrupted Ransomware Inc.'s operation, but we don't have full intel on how they operate. Next time, dig deeper—ENTROPY leaves traces if you know where to look."
---
## LORE Fragment JSON Structure
```json
{
"lore_fragments": [
{
"id": "lore_m02_ghosts_manifesto",
"title": "Ghost's Manifesto - Teaching Resilience Through Adversity",
"category": "ENTROPY Philosophy",
"mission": "m02_ransomed_trust",
"discovery_location": "Server Room - VM Terminal (/var/backups/operational_log.txt)",
"unlock_condition": "Complete ProFTPD exploitation, navigate to /var/backups",
"unlock_tag": "#unlock_lore:ghosts_manifesto",
"difficulty": "Medium (VM challenge required)",
"content_length": "Long (3-4 paragraphs)",
"narrative_impact": "Reveals Ghost's calculated patient death projections, ENTROPY ideology",
"campaign_connection": "Establishes ENTROPY as ideological, not just profit-driven",
"educational_value": "Adversarial Behaviours (attacker motivations), Risk Management (statistical risk assessment)"
},
{
"id": "lore_m02_cryptosecure_services",
"title": "CryptoSecure Recovery Services - Client Testimonial Log",
"category": "ENTROPY Operations",
"mission": "m02_ransomed_trust",
"discovery_location": "IT Department - Filing Cabinet (drawer 3)",
"unlock_condition": "Lockpick filing cabinet (easy difficulty)",
"unlock_tag": "#unlock_lore:cryptosecure_services",
"difficulty": "Easy (lockpicking only)",
"content_length": "Medium (2-3 pages)",
"narrative_impact": "Reveals Ransomware Inc. previous operations, legitimate front company",
"campaign_connection": "M6 - Crypto Anarchist payment infrastructure (HashChain Exchange)",
"educational_value": "Malware (ransomware business model), Applied Cryptography (cryptocurrency laundering)"
},
{
"id": "lore_m02_zds_invoice",
"title": "Zero Day Syndicate Invoice - Exploit Procurement",
"category": "ENTROPY Coordination",
"mission": "m02_ransomed_trust",
"discovery_location": "Dr. Kim's Office - PIN Safe (wall-mounted)",
"unlock_condition": "Lockpick Dr. Kim's office + Crack safe PIN (1987)",
"unlock_tag": "#unlock_lore:zds_invoice",
"difficulty": "Medium-Hard (lockpicking + puzzle)",
"content_length": "Medium (1-2 pages)",
"narrative_impact": "Reveals Zero Day Syndicate sold exploit, The Architect coordinates cells",
"campaign_connection": "M3 - Zero Day Syndicate investigation setup",
"educational_value": "Adversarial Behaviours (attack supply chains), Systems Security (CVE exploitation)"
}
]
}
```
---
**Stage 6 Complete: LORE Fragments**
**Ready for:** Stage 7 (Ink Scripting)
**Total LORE Fragments:** 3
**Difficulty:** Easy (CryptoSecure) → Medium (Ghost Manifesto) → Medium-Hard (ZDS Invoice)
**Campaign Connections:** M3 (ZDS), M6 (Crypto Anarchists)
**Educational Coverage:** Complete CyBOK integration across all 3 fragments
**Core Strength:** Ghost's Manifesto reveals calculated evil (patient death spreadsheet), ZDS Invoice shows ENTROPY coordination (The Architect orchestrates), CryptoSecure log establishes pattern (Operation Triage → Operation Resilience)