Ransomware, Confusion, and Critical Decisions: A Cyber Crisis Simulation Autopsy – Alliancy

Alcyconia, plunged professionals into a cyber crisis management exercise of rare intensity

At the beginning of the summer, at the Cyber Campus, the cyber crisis management expert, Alcyconie, immersed professionals in a cyber crisis management exercise of rare intensity. For an hour, they had to rescue Voltessia, an electricity supplier that had fallen victim to ransomware.

It was 4:31 p.m. when the alert fell. The Voltessia company is in crisis. There is no doubt about it: its financial management tools are no longer responsive, and its electricity distribution applications are unstable. In three closed rooms of the Cyber Campus in Paris, the participants take their seats. For an hour, they play the members of the management of Voltessia, a fictitious company confronted with a very realistic chaos. Faces freeze. “We are in crisis.” The tone is set: there is no need to procrastinate, the attack has already taken place. This is the rule of the game reduced to one hour instead of the usual three, so here, the crisis is not detected, it is lived. A choice made by Alcyconie, the organising company, which specialises in cyber crisis management. “In real life, the difficulty is often to qualify the passage into a crisis. Here, in one hour, we want to get to the heart of the problem: how do we act? Who decides what? How do we document?”, explained Stéphanie Ledoux, CEO and founder of Alcyconia.

Simulate urgency, without a safety net

To give substance to this urgency, Alcyconie relies on PIA, an immersive digital platform designed in-house. Each participant accesses it via an individual workstation: emails, calls, social networks, ANSSI (National Agency for the Security of Information Systems) notifications, customer pressure, everything is there. On the social media side, “Y” and “Instagrum” rely on the interface of their counterparts (X and Instagram), mixing fake posts and news to sow doubt. And the illusion hits the mark. Participants discovered a tweet from SaxX, the hacker revealing data leaks about X, which announces the cyberattack targeting the energy distributor. The players had to react in the heat of the moment. Not only in technical terms. As Voltessia is an essential operator, the European NIS 2 directive imposes strict obligations: handrails, formalised crisis governance, controlled communication, coordination between services. The exercise then becomes a concrete test of the new legal responsibilities. “We are at the crossroads between operational stress and legal liability,” commented Anaïs Fauré, head of the cyber crisis management team.

Too much noise, not enough decisions

In the unit, the fictitious roles have been distributed: HRD, CISO, CIO, communications manager, general management, etc. everyone must decide in uncertainty. Very quickly, the phones ring, the emails accumulate. One takes a call over the loudspeaker, another tries to score while a third debate aloud. The atmosphere turns to cacophony. “When everyone talks, no one decides,” said Anaïs Fauré. The first mistakes are repeated. Miscommunication, lost information, delayed response. The challenge becomes clear: it is not so much the technique that counts, but the ability to organize chaos. However, one unit stood out for its meticulous strategy and its order, that of the leaders of large groups: definition of roles, feedback after each call, management of flows and regular updates on the situation. All the reflexes were present.

It’s not just a technical problem

The scenario intensifies. The Medusa ransomware encrypted sensitive data. Credentials have been compromised. A bounce attack on the supply chain is suspected. The CERT, simulated remotely, confirms that data has been exfiltrated. Worse, some could be put up for sale on the dark web. Should we communicate? Pay? Or to keep quiet and wait? This is the classic but brutal dilemma. Journalists call. A participant wants to alert the general manager. “Here, we are testing the decision-making chain. This is typical of a pivotal moment: should we stop activity or continue in degraded mode?” said Anaïs Fauré. Beyond the technical aspect, legal obligations add to the complexity of the moment (notification to the ANSSI, the CNIL, preservation of evidence, etc.). In the heat of the moment, forgetfulness accumulates and without a clear strategy, the cell exhausts itself running after emergencies. “A cyber crisis doesn’t last three hours. It sometimes takes several months. What we see there is just the ignition,” recalled Stéphanie Ledoux. In a real-life situation, the first 15 days are crucial: collecting evidence, legal notifications, documenting decisions, reputation management. The exercise, condensed into an hour, concentrates stress, but above all reveals the flaws in preparation.

An hour of chaos, months of teaching

At 5:31 p.m., the scenario was interrupted. The intensity drops, the faces relax, a few nervous laughs erupt. In the dining room, the debriefing begins: what to remember, what to correct, what to document? Everyone felt the emotional charge. “What it reveals above all is the plurality of impacts: legal, HR, reputational, operational,” noted one participant. A detailed post-mortem has been sent to refine the procedures and adjust the directories. Because here, the objective was not to succeed in everything. “This kind of exercise is intensive training. What we gain is the ability to decide in uncertainty, to document under pressure, to manage egos in the room,” said Stéphanie Ledoux. If, at the Ministry of the Armed Forces, these simulations can last a whole week, the participants of the day will have been spared: for them, an hour will have been enough to get the adrenaline pumping. Voltessia did not sink. But it didn’t save everything either. And that’s precisely the goal. “We have the right to be beaten, not to be surprised,” said Anaïs Fauré. This is perhaps the best lesson of the afternoon.

Article written by Fiona Slous for Alliancy.