LockBit Scenario: Law Firm Case Preparation Crisis

LockBit Scenario: Law Firm Case Preparation Crisis

Morrison Sterling LLP: AmLaw 200 firm, 200 attorneys, major litigation deadline approaching

Ransomware • LockBit

STAKES

Client confidentiality + Active case preparation + Professional reputation + Legal privilege protection

HOOK

Security teams at Morrison Sterling LLP are seeing case-management systems lock up, staff workstations display ransom demands, and unauthorized outbound transfers from document repositories. Partners are receiving direct extortion messages claiming client files and privileged strategy documents were copied and will be released.

PRESSURE

• Filing and transaction obligations due Monday 9:00 AM
• Privilege exposure threatens $4.2 billion transaction and trial exposure
• Extortion demand received: $3.8 million
• Operational scope: AmLaw 200 firm, 200 attorneys, major litigation deadline approaching

FRONT • 120 minutes • Advanced

Morrison Sterling LLP: AmLaw 200 firm, 200 attorneys, major litigation deadline approaching

Ransomware • LockBit

NPCs

• Daniel Morrison (Managing Partner): Owns client communication and firm-level decisions
• Lisa Nakamura (IT Director): Leads technical containment and restoration priorities
• Robert Garcia (Lead Litigator): Represents active matter deadlines and courtroom impact
• Sandra Park (CISO): Coordinates evidence handling, reporting, and risk posture

SECRETS

• Backup restoration tests were incomplete for key legal-document systems
• Threat actors targeted high-value matter folders and client communication archives
• Prior security recommendations were deferred during peak billing periods

LockBit Scenario: Law Firm Case Preparation Crisis

Blackstone & Associates: Top 100 UK firm, 150 solicitors, major trial preparation

Ransomware • LockBit

STAKES

Client confidentiality + Active case preparation + Professional reputation + Legal privilege protection

HOOK

Security teams at Blackstone & Associates are seeing case-management systems lock up, staff workstations display ransom demands, and unauthorized outbound transfers from document repositories. Partners are receiving direct extortion messages claiming client files and privileged strategy documents were copied and will be released.

PRESSURE

• Filing and transaction obligations due Monday 09:00
• Privilege exposure threatens GBP 3.1 billion transaction and trial exposure
• Extortion demand received: GBP 3.0 million
• Operational scope: Top 100 UK firm, 150 solicitors, major trial preparation

FRONT • 120 minutes • Advanced

Blackstone & Associates: Top 100 UK firm, 150 solicitors, major trial preparation

Ransomware • LockBit

NPCs

• Victoria Blackstone (Senior Partner): Owns client communication and firm-level decisions
• Raj Patel (IT Director): Leads technical containment and restoration priorities
• Eleanor Crawford (Lead Litigator): Represents active matter deadlines and courtroom impact
• James Thornton (CISO): Coordinates evidence handling, reporting, and risk posture

SECRETS

• Backup restoration tests were incomplete for key legal-document systems
• Threat actors targeted high-value matter folders and client communication archives
• Prior security recommendations were deferred during peak billing periods

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

LockBit Law Firm Merger Crisis Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

LockBit Law Firm Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It is Thursday at 8:30 AM at Morrison Sterling LLP. Trial and merger teams preparing filings for Monday are suddenly locked out of case-management systems, and staff screens begin showing extortion notes. By 10:15 AM, leadership receives messages claiming privileged client documents were copied out of the network. The firm must decide how to protect clients while maintaining court and transaction obligations.”

“Initial detection was logged at 8:30 AM, and direct extortion contact arrived at 10:15 AM.”

“(Regional context: US legal-sector response.)”

“It is Thursday at 08:30 at Blackstone & Associates. Trial and merger teams preparing filings for Monday are suddenly locked out of case-management systems, and staff screens begin showing extortion notes. By 10:15, leadership receives messages claiming privileged client documents were copied out of the network. The firm must decide how to protect clients while maintaining court and transaction obligations.”

“Initial detection was logged at 08:30, and direct extortion contact arrived at 10:15.”

“(Regional context: UK legal-sector response.)”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Workstations display extortion notes and lock access to legal-document systems”
• “Case-management repositories show unauthorized outbound transfer activity”
• “Threat messages reference specific confidential matters to prove data theft”
• “Email and document workflows fail across teams preparing urgent filings”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Forensics show targeted access patterns around high-value matters and strategy folders
• Initial compromise traces to credential abuse and legal-document reconnaissance
• Timeline indicates attacker dwell time prior to encryption and extortion messaging

Protector System Analysis:

Note🛡️ Protector System Analysis

• Core legal-document systems are encrypted and inaccessible to fee earners
• Recovery testing gaps complicate confidence in backup integrity
• Segmentation weaknesses enabled wider access to privileged repositories

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Exfiltration telemetry indicates collection of case files and communication archives
• Infrastructure and timing patterns align with coordinated extortion operations
• Targeting suggests deliberate leverage against active deadlines and client pressure points

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Clients need immediate guidance on confidentiality exposure and litigation impact
• Courts and counterparties may require disclosure for deadline adjustments
• Insurance and ethics counsel need structured facts before advising on next steps

Mid-Scenario Pressure Points:

• Hour 1: Litigation teams cannot access filings due before Monday
• Hour 2: Threat actors send excerpted legal communications as proof of access
• Hour 3: Counterparties ask whether current proceedings are affected by data exposure
• Hour 4: Insurance and ethics advisers request immediate incident posture documentation

Evolution Triggers:

• If containment is delayed, additional practice groups lose access to case materials
• If recovery is rushed without validation, restored systems may reintroduce compromise
• If disclosure is delayed, professional-conduct exposure and client trust impact expand rapidly

Resolution Pathways:

Technical Success Indicators:

• Verified clean recovery path for critical legal-document platforms
• Evidence package preserved for law-enforcement and regulatory coordination
• Secure interim communication channels established for urgent legal operations

Business Success Indicators:

• Clients receive timely, accurate updates tied to concrete response actions
• Deadline management remains defensible through documented contingency decisions
• Firm leadership preserves confidence through transparent risk framing

Learning Success Indicators:

• Team recognizes legal-sector ransomware leverage patterns around privilege and deadlines
• Participants practice balancing technical confidence with professional obligations
• Group coordinates legal, operational, and security workstreams under pressure

Common IM Facilitation Challenges:

If Client Communication Is Too Slow:

“Technical progress is real, but what specific threshold will trigger client notifications about privilege exposure risk?”

If Deadline Pressure Dominates Security Decisions:

“How do you avoid compounding legal risk by publishing or filing from systems you have not yet validated as trustworthy?”

If Reporting Is Deferred:

“State bar counsel requests incident status and asks when clients were notified of potential privilege exposure, citing professional-conduct duties requiring prompt communication.”

“SRA supervision requests incident status and asks when clients were notified of potential privilege exposure, citing professional-conduct duties requiring prompt communication.”

Success Metrics for Session:

• Team identifies high-risk legal-document exposure pathways
• Containment and recovery decisions remain defensible under deadline pressure
• Client and regulator communication is timely and evidence-based
• Professional obligations are integrated into technical response planning
• Long-term legal-sector control improvements are clearly defined

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Urgent legal operations under extortion and privilege risk
Key Actions: Identify exposure scope, protect critical matters, issue first client/regulator posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel containment and legal-obligation management
Key Actions: Build evidence timeline, validate recovery path, decide disclosure sequence

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end legal-sector ransomware response under active deadlines
Key Actions: Coordinate legal and technical leadership, make publication/filing confidence calls, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Privilege-waiver argumentation, insurer constraints, conflicting client demands
Additional Challenges: Compressed court timelines, uncertain backup integrity, escalating extortion pressure

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at Morrison Sterling LLP confirms encryption across legal-document systems and extortion demand for $3.8 million.
• Clue 2 (Minute 10): Access review shows targeted reads of active matter files tied to approaching Monday obligations.
• Clue 3 (Minute 15): Lead Litigator Robert Garcia confirms unauthorized access to litigation strategy files and draft witness-preparation notes for active matters.

• Clue 1 (Minute 5): Security operations at Blackstone & Associates confirms encryption across legal-document systems and extortion demand for GBP 3.0 million.
• Clue 2 (Minute 10): Access review shows targeted reads of active matter files tied to approaching Monday obligations.
• Clue 3 (Minute 15): Lead Litigator Eleanor Crawford confirms unauthorized access to litigation strategy files and draft witness-preparation notes for active matters.

Pre-Defined Response Options

• Option A: Immediate Recovery with Early Disclosure
  • Action: Isolate affected systems, begin recovery from validated backups, and notify impacted clients quickly.
  • Pros: Strong ethics posture and better long-term trust outcomes.
  • Cons: Higher short-term disruption and potential matter delays.
  • Type Effectiveness: Super effective for legal-compliance posture and sustainable recovery.
• Option B: Payment-Centered Acceleration
  • Action: Prioritize payment negotiation for rapid decryption while delaying broad disclosure decisions.
  • Pros: Potentially faster operational restoration if decryption succeeds.
  • Cons: No assurance on data deletion, high reputational and compliance risk.
  • Type Effectiveness: Partially effective and strategically fragile.
• Option C: Evidence-First Limited Disclosure
  • Action: Preserve forensic evidence, stage recovery, and sequence notifications after initial scoping.
  • Pros: Better factual basis for legal and insurance decisions.
  • Cons: Delay risk for professional-conduct and client-confidence obligations.
  • Type Effectiveness: Moderately effective if timing and communication discipline are strong.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Detection and Immediate Legal Impact (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Encryption and workflow interruption affect active filing and transaction preparation.
• Clue 2 (Minute 10): Forensics show targeted access to privilege-sensitive repositories.

• Clue 3 (Minute 15): Lead Litigator Robert Garcia confirms unauthorized access to litigation strategy files and draft witness-preparation notes for active matters.

• Clue 3 (Minute 15): Lead Litigator Eleanor Crawford confirms unauthorized access to litigation strategy files and draft witness-preparation notes for active matters.

• Clue 4 (Minute 20): Extortion messages reference specific matters to increase pressure.

Round 2: Reporting, Liability, and Deadline Confidence (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): Leadership receives escalating client demands for certainty on confidentiality exposure.

• Clue 6 (Minute 40): State bar counsel requests incident status and asks when clients were notified of potential privilege exposure, citing professional-conduct duties requiring prompt communication.

• Clue 6 (Minute 40): SRA supervision requests incident status and asks when clients were notified of potential privilege exposure, citing professional-conduct duties requiring prompt communication.

• Clue 7 (Minute 50): Insurance counsel requires defensible timeline and control narrative.
• Clue 8 (Minute 55): Litigation and transaction teams request go/no-go guidance for Monday obligations.

Round Transition Narrative

After Round 1 -> Round 2:

“The FBI reports similar tactics in other legal-sector incidents where stolen documents were used to pressure clients directly.”

“NCSC and NCA report similar tactics in other legal-sector incidents where stolen documents were used to pressure clients directly.”

Facilitation questions:

• “What is your minimum evidence threshold before asserting matter integrity to clients and courts?”
• “Which decision must be made now versus deferred until additional forensic certainty exists?”
• “How do you communicate uncertainty without undermining legal credibility?”

Debrief Focus:

• Integrating privilege and professional obligations into incident command
• Balancing recovery speed with defensible legal and client communication
• Maintaining trust when evidence quality evolves over time

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 focuses on institutional recovery and legal-sector control redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Managing Partner Daniel Morrison convenes an emergency briefing and states that Monday deadlines cannot be missed without major client harm. IT Director Lisa Nakamura confirms widespread encryption across legal-document workflows. Lead Litigator Robert Garcia reports that active matter files are inaccessible. CISO Sandra Park requests immediate containment while preserving evidence for the FBI and legal reporting channels.

Senior Partner Victoria Blackstone convenes an emergency briefing and states that Monday deadlines cannot be missed without major client harm. IT Director Raj Patel confirms widespread encryption across legal-document workflows. Lead Litigator Eleanor Crawford reports that active matter files are inaccessible. CISO James Thornton requests immediate containment while preserving evidence for NCSC/NCA coordination and legal reporting channels.

Players investigate openly using role capabilities. Early findings include targeted exfiltration, workflow encryption, and active deadline impact.

If team stalls: “You can protect speed or confidence first. Which path is defensible to clients and regulators by end of day?”

Round 2: Regulator Coordination and Deadline Decisions (35-40 min)

• Technical teams complete artifact collection and present recovery paths with explicit uncertainty bounds.
• Leadership requests a clear recommendation for Monday obligations and client communication sequencing.

• Coordination now spans State bar rules and attorney-client privilege, State bar disciplinary authority, and FBI channels.

• Coordination now spans SRA rules and legal professional privilege, Solicitors Regulation Authority (SRA), and NCSC and NCA channels.

Facilitation questions:

• “What controls must be in place before proceeding with high-risk legal actions?”
• “How will you document rationale so decisions remain defensible in later review?”

Round 3: Institutional Recovery and Control Redesign (40-45 min)

Opening: Two weeks later, immediate containment is complete and firm leadership requests a 90-day remediation roadmap with legal and technical accountability.

Pressure events:

• Key clients request evidence of meaningful control improvements
• Internal governance demands owner-assigned milestones and measurable risk reduction
• Practice groups request controls that preserve billing-critical workflow speed

Victory conditions for full 3-round arc:

• Verified clean baseline for legal-document and communication systems
• Defensible regulatory and client reporting package
• Durable legal-sector security controls that preserve privilege and operational continuity

Debrief Questions

1. “Which early indicator most clearly signaled targeted legal leverage versus generic ransomware behavior?”
2. “How did deadline pressure alter risk tolerance across legal and technical teams?”
3. “What evidence was essential for credibility with clients and authorities?”
4. “How can law firms improve sector-wide readiness without exposing sensitive matter practices?”

Debrief Focus

• Legal-sector extortion incidents are driven by privilege and deadline leverage
• Defensible response requires synchronized legal, operational, and technical decision-making
• Long-term resilience depends on tested recovery, controlled access, and transparent governance

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

1. Routine document-workflow maintenance overlaps with suspicious timeline artifacts.
2. A recent lateral-hire access review appears related but is operationally separate.
3. An unrelated email-routing outage mimics attacker-induced communication disruption.

Removed Resources and Constraints

• No prebuilt playbook for privilege-sensitive ransomware response
• Limited immutable-backup coverage on selected matter systems
• Delayed external advisory support during the first decision window

Enhanced Pressure

• Leadership demands same-day confidence statement for Monday obligations
• Clients request immediate detailed disclosures before forensic scope is complete
• Practice teams request recovery exceptions to preserve filing timelines

Ethical Dilemmas

1. Preserve deeper evidence and accept short-term case disruption, or recover faster and reduce attribution depth.
2. Delay filings for stronger confidence, or proceed with explicit residual risk under client pressure.
3. Share broad indicators for sector defense, or limit detail to protect sensitive legal workflows.

Advanced Debrief Topics

• Building legal-sector doctrine for surveillance-plus-extortion incidents
• Structuring governance when legal and technical confidence diverge
• Improving cross-firm readiness while preserving confidentiality obligations