LockBit Scenario: Municipality Payroll Crisis

Town of Brookfield: Municipal government serving 95,000 residents with 1,450 employees
Ransomware • LockBit
STAKES
Public service continuity + Employee payroll + Citizen data protection + Government operations
HOOK
The Town of Brookfield is preparing for bi-weekly payroll for 1,450 municipal employees when all government systems display ransom demands. Threat actors contact the mayor claiming to have stolen employee records, citizen data, and sensitive government documents, threatening public release. With payroll due in 48 hours and essential services at risk, city leadership must decide between ransom payment and public service disruption.
PRESSURE
Payroll deadline approaches - employees depend on timely payment + Public services cannot be interrupted + Citizen data exposure risks
FRONT • 120 minutes • Advanced
NPCs
  • Mayor Linda Chen: Managing public relations crisis while coordinating emergency response, must balance taxpayer interests with employee needs and government continuity
  • Steve Rodriguez (Chief Information Officer): Dealing with complete system encryption affecting all municipal services, assessing data theft scope while coordinating recovery with limited budget
  • Karen Williams (Human Resources Director): Cannot process payroll for 1,450 employees, managing employee communications while addressing data breach implications
  • Robert Jackson (Emergency Services Coordinator): Coordinating essential service continuity including police, fire, and utilities while managing cybersecurity incident response
SECRETS
  • City delayed critical security updates due to budget constraints and fear of service disruption
  • Backup systems were inadequately maintained and may not support full recovery
  • Attackers accessed sensitive citizen data including tax records, permits, and law enforcement information

Scenario Details for IMs

Opening Presentation

“It’s Wednesday morning at Brookfield Town Hall, and the payroll team is preparing to process payments for 1,450 municipal employees when every government computer screen displays ransom demands. Within hours, the mayor receives direct contact from threat actors claiming to have stolen employee records, citizen tax data, and sensitive government documents, threatening to publish everything. All town services are affected, payroll cannot be processed, and essential services are at risk.”

Initial Symptoms to Present:

  • “All municipal systems displaying ransom demands with city-specific threats about citizen data”
  • “Payroll systems completely encrypted with deadline approaching in 48 hours”
  • “Threat actors contacted mayor claiming to have stolen employee and citizen records”
  • “Essential services including police and fire systems losing connectivity”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal systematic targeting of citizen data and government documents
  • Analysis shows initial compromise through municipal email system phishing attack
  • Timeline indicates attackers maintained access for months, collecting sensitive government information

Protector System Analysis:

  • Complete encryption of all municipal systems affecting public services
  • Backup assessment reveals inadequate disaster recovery capabilities due to budget constraints
  • Network analysis shows lateral movement across all city departments

Tracker Network Investigation:

  • Data exfiltration analysis reveals extensive theft of citizen tax records and government documents
  • Communication analysis shows professional ransomware operation with government sector experience
  • Evidence of reconnaissance targeting specific municipal vulnerabilities and processes

Communicator Stakeholder Interviews:

  • Employee communications regarding delayed payroll and data breach implications
  • Citizen notification requirements for potential exposure of personal information
  • Inter-agency coordination with county, state, and federal emergency management

Mid-Scenario Pressure Points:

  • Hour 1: Police and fire departments report system connectivity issues affecting emergency response
  • Hour 2: Threat actors publish sample of stolen citizen tax records to demonstrate data theft
  • Hour 3: Local media reports government systems down affecting all public services
  • Hour 4: Employee union representatives demand immediate payroll resolution and data protection

Evolution Triggers:

  • If ransom payment is made using taxpayer funds, public accountability questions arise
  • If payment is refused, citizen data begins appearing on criminal marketplaces
  • If recovery exceeds 48 hours, payroll crisis escalates to employee hardship and service disruption

Resolution Pathways:

Technical Success Indicators:

  • Emergency service continuity maintained through backup communication systems
  • Payroll processing restored through manual procedures or clean backup systems
  • Inter-agency coordination established for investigation and recovery support

Business Success Indicators:

  • Public services maintained through emergency procedures minimizing citizen impact
  • Employee welfare protected through alternative payroll solutions
  • Public accountability maintained with transparent communication about incident and response

Learning Success Indicators:

  • Team understands government sector cybersecurity requirements and constraints
  • Participants recognize public service continuity obligations during crisis
  • Group demonstrates crisis management balancing public accountability with security response

Common IM Facilitation Challenges:

If Public Accountability Is Ignored:

“Your technical response is sound, but the city council is demanding to know: how do you justify using taxpayer funds for ransom payment, and what accountability measures are needed for this security failure?”

If Employee Welfare Is Forgotten:

“While you’re investigating, 2,800 city employees are asking when they’ll be paid. Single parents, retirees, and hourly workers depend on timely payroll. How do you balance security response with employee welfare?”

If Essential Services Are Overlooked:

“Your recovery plan is thorough, but the police chief reports that dispatch systems are down and emergency response is compromised. How do you prioritize public safety during recovery?”

Success Metrics for Session: