LockBit Scenario: Sterling Legal Group Merger Crisis
Scenario Details for IMs
Opening Presentation
“It’s Thursday morning at Sterling Legal Group, and the firm is in final preparations for a $4.2 billion merger closing on Monday. Attorneys are working around the clock reviewing documents and coordinating with clients when every computer screen suddenly displays a ransom demand. Within hours, the managing partner is contacted directly by the threat actors, who claim to have stolen confidential client files, case strategies, and attorney-client privileged communications and threaten to publish everything if the ransom isn’t paid.”
Initial Symptoms to Present:
- “All workstations displaying ransom demands with firm-specific threats about client data”
- “Document management systems completely encrypted, halting active case preparation”
- “Threat actors contacted partners claiming to have stolen merger documents and client files”
- “Email systems down, disrupting client communications and putting court filing deadlines at risk”
Key Discovery Paths:
Detective Investigation Leads:
- Digital forensics reveal systematic targeting of high-value client files and merger documentation
- Email analysis traces the initial compromise to a spear-phishing campaign aimed at specific attorneys
- Timeline indicates the attackers maintained access for months, monitoring case developments before deploying the ransomware
Protector System Analysis:
- Complete encryption of document management systems and case files
- Backup assessment reveals critical gaps in disaster recovery testing, so restore viability is unverified
- Network segmentation failures allowed lateral movement to the systems holding attorney-client privileged data
Tracker Network Investigation:
- Data exfiltration analysis shows terabytes of confidential legal documents stolen
- Communication patterns indicate professional criminal operation with legal industry knowledge
- Evidence of reconnaissance targeting specific high-value cases and clients
Communicator Stakeholder Interviews:
- Client communications regarding potential exposure of confidential information
- Court notification requirements for delayed filings and case preparation issues
- Professional liability assessment and ethics committee consultation needs
Mid-Scenario Pressure Points:
- Hour 1: Merger team cannot access due diligence documents needed for Monday closing
- Hour 2: Threat actors send sample of stolen client communications to demonstrate data theft
- Hour 3: Opposing counsel in active litigation learns of potential data exposure
- Hour 4: Professional liability insurance carrier demands immediate risk assessment
Evolution Triggers:
- If the ransom is paid, the attackers may still threaten clients directly or sell the data
- If payment is refused, confidential client data begins appearing on criminal forums
- If the response exceeds 72 hours, the threat actors may contact the media and opposing counsel directly
Resolution Pathways:
Technical Success Indicators:
- Emergency document recovery protocols activated using verified clean backups
- Secure communication channels established for client notifications and court filings
- Law enforcement coordination for investigation while protecting client confidentiality
Business Success Indicators:
- Client relationships maintained through transparent communication and professional handling
- Court deadlines met through alternative documentation and emergency procedures
- Professional ethics obligations fulfilled while managing crisis response
Learning Success Indicators:
- Team understands data protection requirements in professional service environments
- Participants recognize intersection of cybersecurity and professional liability
- Group demonstrates crisis communication balancing transparency with confidentiality obligations
Common IM Facilitation Challenges:
If Client Notification Is Delayed:
“Your technical investigation is thorough, but the managing partner needs to know: when and how do you notify clients that their confidential information may have been stolen? Professional ethics rules require prompt disclosure.”
If Professional Liability Is Ignored:
“While you’re working on recovery, the firm’s malpractice insurance carrier is demanding immediate risk assessment. How does potential client data exposure affect professional liability and firm survival?”
If Court Deadlines Are Forgotten:
“Your security response is excellent, but Maria has three court filings due tomorrow and cannot access case files. Do you request extensions and reveal the breach, or find alternative solutions?”