LockBit Scenario: Municipality Payroll Crisis

Town of Brookfield: Municipal government serving 95,000 residents with 1,450 employees
Ransomware • LockBit
STAKES
Public service continuity + Employee payroll + Citizen data protection + Government operations
HOOK
The Town of Brookfield is preparing for bi-weekly payroll for 1,450 municipal employees when all government systems display ransom demands. Threat actors contact the mayor claiming to have stolen employee records, citizen data, and sensitive government documents, threatening public release. With payroll due in 48 hours and essential services at risk, city leadership must decide between ransom payment and public service disruption.
PRESSURE
Payroll deadline approaches - employees depend on timely payment + Public services cannot be interrupted + Citizen data exposure risks
FRONT • 120 minutes • Advanced
NPCs
  • Mayor Linda Chen: Managing public relations crisis while coordinating emergency response, must balance taxpayer interests with employee needs and government continuity
  • Steve Rodriguez (Chief Information Officer): Dealing with complete system encryption affecting all municipal services, assessing data theft scope while coordinating recovery with limited budget
  • Karen Williams (Human Resources Director): Cannot process payroll for 1,450 employees, managing employee communications while addressing data breach implications
  • Robert Jackson (Emergency Services Coordinator): Coordinating essential service continuity including police, fire, and utilities while managing cybersecurity incident response
SECRETS
  • City delayed critical security updates due to budget constraints and fear of service disruption
  • Backup systems were inadequately maintained and may not support full recovery
  • Attackers accessed sensitive citizen data including tax records, permits, and law enforcement information

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

LockBit Municipality Payroll Crisis Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

LockBit Municipality Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Quick Reference

  • Organization: Town of Brookfield municipal government serving 95,000 residents with 1,450 full-time employees across seven departments (police, fire & EMS, public works, parks & recreation, planning & development, administration, municipal utilities), operating on $185M annual budget funded through property taxes and service fees, providing essential public services 24/7/365
  • Key Assets at Risk: Bi-Weekly Payroll Processing ($3.2M per pay period), Emergency Services Systems (911 dispatch, police CAD, fire response), Citizen Data Protection (85,000 tax records, utility accounts, law enforcement files), Public Service Continuity (water/sewer, permitting, inspections)
  • Business Pressure: Wednesday morning complete system encryption; Friday direct deposits for 1,450 employees (single parents, hourly workers, retirees) must post by 6 AM, which requires the ACH file to reach the bank by Thursday 6 PM; police dispatch systems down during active criminal investigations; threat actors sent sample citizen tax records to the mayor proving data theft, with direct contact threatening public release of all stolen government documents
  • Core Dilemma: Pay $2.2M ransom using taxpayer funds violating public accountability standards BUT restore payroll and prevent citizen data release protecting employee welfare, OR Refuse payment maintaining government ethics and law enforcement cooperation BUT face 7-10 day recovery affecting multiple pay cycles causing employee financial hardship and likely citizen data appearing on criminal marketplaces
Detailed Context
Organization Profile

The Town of Brookfield is a mid-sized suburban municipality incorporated in 1872, serving 95,000 residents across 42 square miles of residential neighborhoods, commercial districts, industrial parks, and protected conservation land. The town operates with 1,450 full-time employees organized across seven departments: Police (285 sworn officers + 45 civilian staff), Fire & EMS (195 firefighters/paramedics + 12 civilian staff), Public Works (320 employees managing roads, water, sewer, sanitation), Parks & Recreation (85 employees + 200 seasonal workers), Planning & Development (55 employees handling permits, inspections, zoning), Administration (180 employees for finance, HR, legal, IT, clerk’s office), and Municipal Utilities (270 employees operating water treatment, wastewater, stormwater).

The town operates on a $185M annual operating budget funded primarily through property taxes ($125M), utility service fees ($38M), state aid ($15M), and various permits/licenses ($7M). Brookfield maintains AAA municipal bond rating enabling favorable borrowing rates for infrastructure projects, though recent economic pressures and state aid reductions have created budget constraints affecting discretionary spending including IT modernization and cybersecurity investments.

The IT department consists of 12 employees (CIO Steve Rodriguez, 3 system administrators, 4 help desk technicians, 2 network engineers, 2 database administrators) supporting infrastructure serving all municipal operations: financial management system (15 years old running on legacy servers), HR/payroll system (cloud-hosted SaaS implemented 2018), police CAD/RMS (critical 911 dispatch and criminal records database), fire department emergency response system, GIS mapping for utilities and planning, citizen service portal, public records management, email and collaboration tools. The department operates on $2.8M annual budget (1.5% of total town budget), significantly below the 3-4% recommended for municipalities of Brookfield’s size and complexity.

Key Assets & Impact

Bi-Weekly Payroll Processing ($3.2M per pay period): Brookfield processes payroll every other Friday for 1,450 full-time employees plus 200 seasonal/temporary workers, totaling approximately $3.2M per pay period including base salaries, overtime (particularly for police and fire departments requiring 24/7 coverage), shift differentials, longevity bonuses, and employer tax withholdings. The payroll cycle requires timesheet submission by Tuesday noon, supervisor approval by Wednesday 5 PM, payroll processing Thursday, and direct deposit posting Friday morning before 6 AM when many employees check accounts and rely on timely payment for rent, mortgages, childcare, car payments, and essential expenses. The workforce includes single parents depending on predictable income, hourly public works employees living paycheck-to-paycheck, retirees working part-time supplementing fixed incomes, and employees with garnishments or child support obligations requiring precise withholding calculations. Municipal employees cannot be paid “late” without violating civil service employment contracts and triggering union grievance procedures, creating absolute deadline pressure with significant legal and employee relations consequences.

Emergency Services Systems (911 Dispatch & Criminal Justice): Brookfield’s Police Department operates 24/7 dispatch center handling 65,000 calls annually (178 calls per day average, spiking to 300+ during major incidents), utilizing Computer-Aided Dispatch (CAD) system integrated with county-wide emergency services, state criminal databases (NCIC/NLETS), license plate readers, body camera evidence management, criminal records management system containing active investigation files, witness statements, evidence chain-of-custody documentation, arrest records, case prosecution materials provided to district attorney’s office. The Fire Department relies on integrated CAD for structure fires, medical emergencies, hazmat responses, rescue operations, requiring instant access to building floor plans, hydrant locations, hazardous materials databases, medical history for frequent 911 callers. Complete system unavailability forces emergency paper-based dispatch protocols degrading response times, preventing criminal history checks during traffic stops (officer safety risk), eliminating access to active warrant information, losing evidence documentation for ongoing prosecutions, and compromising community safety during the transition to manual operations.

Citizen Data Protection (85,000 Records): Town systems contain sensitive personal information for all 95,000 residents plus former residents with historical records: property tax assessments and payment history (including financial hardship applications and payment plans revealing economic circumstances), water/sewer utility accounts with consumption patterns and delinquency records, building permits showing home improvements and property valuations, business licenses and health inspection records, zoning variance applications revealing property development plans, parking tickets and code enforcement violations, dog licenses and pet registrations, marriage licenses and vital records, police incident reports and 911 call logs (domestic violence, mental health crises, juvenile contacts), and law enforcement intelligence files on organized crime and drug trafficking investigations. Unauthorized disclosure violates state public records laws distinguishing public information from protected personal data, creates identity theft risks for 85,000 citizens whose tax and financial information could be exploited, exposes domestic violence victims whose addresses and protective orders are confidential, compromises ongoing criminal investigations where witness cooperation depends on confidentiality, and destroys public trust in government’s data stewardship obligations.

Public Service Continuity (Essential Municipal Functions): Town operations provide 24/7 water treatment and distribution (32 million gallons daily to 28,000 households and businesses), wastewater treatment (preventing environmental contamination and EPA violations), emergency services dispatch, building inspections required for construction permits, planning department review of development applications with strict regulatory deadlines, tax collection and financial management, public works road maintenance and snow removal, parks and recreation programs serving 12,000 participants annually, and citizen service portal for permit applications, bill payments, and records requests. Prolonged system unavailability forces manual paper-based operations degrading service quality, creates compliance risks for regulated activities (water quality testing, EPA reporting, state financial audits), eliminates citizen self-service capabilities requiring in-person transactions during business hours (excluding working residents), prevents permit processing affecting construction projects and business openings, and damages town’s reputation for responsive professional government services.

Immediate Business Pressure

Wednesday 10:15 AM Crisis Discovery—48 Hours Before Payroll Deadline: Steve Rodriguez (CIO) receives simultaneous help desk reports that all administrative workstations are displaying LockBit ransom messages demanding $2.2M in cryptocurrency within 72 hours. Within 30 minutes, the scope becomes clear: complete encryption of financial management servers (preventing payroll processing, accounts payable, tax collection), HR systems containing employee records and benefits administration, police CAD/RMS (disabling 911 dispatch integration and criminal records access), fire department response systems, GIS mapping servers, email and collaboration tools, citizen service portal, and the on-network backup file servers. Only water/wastewater treatment SCADA systems remain operational because they sit on a segmented network, preventing an immediate public health crisis but leaving all administrative and emergency services dependent on manual paper-based protocols.

11:45 AM Mayor Receives Direct Threat Actor Contact: Mayor Linda Chen’s personal email receives message from LockBit affiliate providing proof of data exfiltration: sample files containing 150 citizen tax returns with full names, addresses, social security numbers, income details, and property assessments, plus internal police intelligence report on organized crime investigation with confidential informant identities, surveillance photographs, and undercover officer information. The threat actor message explicitly threatens: “72-hour deadline. Pay $2.2M or ALL 400GB of your citizens’ tax records, police files, and employee data gets published. We already sold samples to identity theft networks. Clock is ticking, Mayor.” The message demonstrates sophisticated knowledge of Brookfield’s operations, mentioning upcoming Friday payroll, ongoing criminal prosecutions depending on evidence integrity, and recent town council discussions about cybersecurity budget cuts.

Thursday 9 AM Escalating Stakeholder Pressure, 9 Hours to the ACH Cutoff: Karen Williams (HR Director) reports that employee inquiries are overwhelming her skeleton staff operating on paper systems: single mothers asking whether Friday direct deposits will process because rent is due Monday, public works hourly employees who cannot afford missed paychecks, retirees working part-time depending on predictable income for medication costs, and employees with child support garnishments requiring precise withholding to avoid legal violations. The police union representative formally notifies the mayor that contract provisions require timely payment and any delays constitute breach of civil service employment agreements triggering formal grievance procedures and potential work actions. Simultaneously, Police Chief David Martinez reports that dispatch operations are degraded to 1990s-era paper logging, criminal history checks are unavailable (forcing officers to approach traffic stops without warrant information or suspect criminal background), active investigation evidence is inaccessible affecting tomorrow's court testimony in a major drug trafficking prosecution, and confidential informant safety is at risk if intelligence files are published.

Thursday 2 PM Public Disclosure and Political Accountability Crisis: Local news reports that Brookfield government systems are "experiencing technical difficulties affecting services," prompting citizen social media speculation about a cyberattack. The town council chair demands an emergency executive session to understand the situation, asking pointed questions about previous cybersecurity budget requests that were deferred due to other priorities, questioning why backups are inadequate for recovery, and expressing concern about taxpayer fund liability if ransom payment is considered. The rating agency that grades Brookfield's municipal bonds contacts the town's finance director requesting an incident briefing because prolonged service disruption or ransom payment using public funds could trigger a credit rating review affecting Brookfield's AAA status and increasing future borrowing costs for infrastructure projects. The cyber insurance carrier confirms the $10M policy covers incident response costs but explicitly excludes ransom payments from public funds per state law prohibiting taxpayer money funding criminal enterprises.

Cultural & Organizational Factors

Municipal budget approval process delaying critical security investments: Local government cybersecurity spending requires public approval through annual budget town meeting where 250-500 residents vote on every line item exceeding $50,000. IT modernization proposals compete against visible community priorities: road repairs that voters drive on daily, new fire truck that citizens see responding to emergencies, playground equipment that families use at parks, police officers providing visible community presence. CIO Steve Rodriguez proposed $380,000 cybersecurity initiative in March 2023 (endpoint detection and response tools, security awareness training, backup infrastructure upgrade, incident response planning), explaining ransomware risks and municipal sector targeting trends. The proposal faced skeptical questions at town meeting: “Why do we need this when we’ve never been hacked?” and “Can’t we use free antivirus instead of paying consultants?” and “This seems like IT asking for toys rather than essential services.” The initiative was tabled for “further research and cost reduction,” with council suggesting IT department “explore more affordable options” and “coordinate with county government for shared services.” The delay was rational democratic governance—elected officials balancing competing constituent priorities with limited tax revenue, requiring visible justification for technical spending that prevents invisible threats, operating in political environment where cybersecurity incidents seem like distant possibilities rather than immediate risks affecting Brookfield specifically.

Backup system inadequacy arising from compliance-focused rather than recovery-focused mindset: Brookfield’s backup strategy was designed to satisfy state records retention regulations and audit compliance requirements rather than enable rapid operational recovery from ransomware. The town maintained tape backups for seven-year financial record retention (meeting state comptroller requirements), image-based backups of critical servers rotated weekly (meeting auditor recommendations), and cloud backups of email and documents (meeting public records law preservation obligations). However, backup testing focused on “can we retrieve specific files for legal discovery or audit requests?” rather than “can we restore complete operational capability within 24-48 hours after total system encryption?” Monthly backup tests verified that specific archived emails could be retrieved for public records requests and that historical financial transactions could be produced for audits—successfully demonstrating compliance with retention regulations but never testing whether complete server environments could be rebuilt, whether application configurations would be preserved, whether database consistency would be maintained, or whether restoration could meet critical operational deadlines like bi-weekly payroll processing. IT staff operating with limited budget focused backup resources on compliance requirements with clear regulatory consequences rather than disaster recovery scenarios that seemed hypothetical. When ransomware struck, backups could restore individual files but couldn’t rapidly rebuild complete operational infrastructure, forcing 7-10 day recovery timeline affecting multiple payroll cycles and extended service disruption.
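The testing gap described above can be made concrete with a small recovery-readiness check over a backup inventory. This is an added example, not part of the scenario materials: it separates "file retrieval was tested" from "a full rebuild was tested and timed", drops any copy that lived only on the online backup server (which the incident encrypts), and walks the dependency chain so a system cannot finish before the systems it needs. Every system name, backup set, RTO/RPO figure and the Thursday 6 PM ACH cutoff below are constructed assumptions for illustration.

```python
"""Recovery-readiness check: does the backup inventory prove we can rebuild
whole systems inside the deadline, or only that we can pull files back?

Added example for the backup-testing gap discussed above; not part of the
scenario materials. Every system, backup set, RTO/RPO figure and the
Thursday 6 PM ACH cutoff is a constructed assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class BackupSet:
    system: str
    kind: str                                     # "image", "db-dump", "tape", ...
    last_backup: datetime
    isolated: bool                                # offline/immutable: survives encryption of the backup server
    last_full_restore_test: Optional[datetime]    # ever rebuilt the whole system end to end?
    measured_restore_hours: Optional[float]       # wall-clock hours from that rebuild
    last_file_retrieval_test: Optional[datetime]  # the compliance-style "can we pull a file?" test


@dataclass
class System:
    name: str
    rto_hours: float
    rpo_hours: float
    depends_on: List[str] = field(default_factory=list)  # must be restored first


def usable_sets(name: str, backups: List[BackupSet]) -> List[BackupSet]:
    """Copies that still exist once the online backup server itself is encrypted."""
    return [b for b in backups if b.system == name and b.isolated]


def restore_eta(name: str, systems: Dict[str, System], backups: List[BackupSet],
                t0: datetime, memo: Dict[str, Optional[datetime]]) -> Optional[datetime]:
    """Earliest completion on the dependency critical path, or None when any link
    in the chain lacks an isolated copy with a measured full restore."""
    if name in memo:
        return memo[name]
    proven = [b for b in usable_sets(name, backups)
              if b.last_full_restore_test and b.measured_restore_hours is not None]
    eta = None
    if proven:
        start = t0
        for dep in systems[name].depends_on:
            dep_eta = restore_eta(dep, systems, backups, t0, memo)
            if dep_eta is None:
                break
            start = max(start, dep_eta)
        else:  # every dependency has a proven path
            eta = start + timedelta(hours=min(b.measured_restore_hours for b in proven))
    memo[name] = eta
    return eta


def assess(systems: Dict[str, System], backups: List[BackupSet], t0: datetime, deadline: datetime) -> dict:
    """Per-system findings plus whether it can be back before `deadline`."""
    memo: Dict[str, Optional[datetime]] = {}
    report = {}
    for name, s in systems.items():
        findings = []
        sets = usable_sets(name, backups)
        if not sets:
            findings.append("only copies were on the online backup server: assume encrypted"
                            if any(b.system == name for b in backups) else "no backup set recorded")
        else:
            age = t0 - max(b.last_backup for b in sets)
            if age > timedelta(hours=s.rpo_hours):
                findings.append(f"RPO missed: newest isolated copy is {age.total_seconds() / 3600:.0f}h old")
            if not any(b.last_full_restore_test for b in sets):
                findings.append("compliance-only testing: file retrieval proven, full rebuild never tested"
                                if any(b.last_file_retrieval_test for b in sets) else "never restore-tested")
        eta = restore_eta(name, systems, backups, t0, memo)
        if eta is None:
            findings.append("blocked: a dependency has no proven restore path"
                            if any(b.last_full_restore_test for b in sets)
                            else "restore time unknown: no RTO can be committed")
        elif eta > t0 + timedelta(hours=s.rto_hours):
            findings.append(f"RTO missed on critical path: ETA {eta:%a %H:%M}")
        report[name] = {"eta": eta, "meets_deadline": eta is not None and eta <= deadline, "findings": findings}
    return report


# Constructed inventory: incident discovered Wednesday 10:15, ACH file due Thursday 18:00 (assumed).
T0 = datetime(2025, 1, 15, 10, 15)
DEADLINE = datetime(2025, 1, 16, 18, 0)
SYSTEMS = {s.name: s for s in [
    System("identity", rto_hours=8, rpo_hours=24),
    System("finance-db", rto_hours=24, rpo_hours=12, depends_on=["identity"]),
    System("finance-app", rto_hours=24, rpo_hours=24, depends_on=["identity", "finance-db"]),
    System("police-cad", rto_hours=4, rpo_hours=1, depends_on=["identity"]),
]}
BACKUPS = [
    BackupSet("identity", "image", datetime(2025, 1, 14, 23, 0), True, datetime(2024, 11, 2), 6.0, None),
    BackupSet("finance-db", "db-dump", datetime(2025, 1, 15, 2, 0), True, None, None, datetime(2024, 12, 5)),
    BackupSet("finance-db", "tape", datetime(2025, 1, 10, 22, 0), True, None, None, datetime(2024, 10, 1)),
    BackupSet("finance-app", "image", datetime(2025, 1, 12, 0, 0), True, datetime(2024, 11, 2), 10.0, None),
    BackupSet("police-cad", "image", datetime(2025, 1, 14, 23, 0), False, None, None, None),
]

if __name__ == "__main__":
    for name, r in assess(SYSTEMS, BACKUPS, T0, DEADLINE).items():
        eta = f"{r['eta']:%a %H:%M}" if r["eta"] else "unknown"
        print(f"{name:12} ETA {eta:10} deadline={'ok' if r['meets_deadline'] else 'MISSED'}  {'; '.join(r['findings'])}")
```

Running it shows the shape of the problem the scenario describes: the identity server rebuild is proven and finishes Wednesday afternoon, but the finance database has an 8-hour-old immutable dump that has only ever been tested by pulling files back, so no completion time can be committed for it or for the finance application that depends on it, and the only CAD image sat on the backup server that was encrypted. The useful output of a restore test is the measured rebuild time on the critical path, not a passed audit checkbox.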

Municipal email security and phishing susceptibility through high-turnover seasonal workforce: Brookfield's workforce includes 200 seasonal and temporary employees hired for summer parks and recreation programs, winter snow removal operations, election support, temporary administrative assistance during peak permit season, and special project support. These employees receive town email accounts providing access to shared drives, calendar systems, and internal communications but typically work 3-6 month assignments before turning over, creating a continuous cycle of new employees requiring security training, onboarding, and access provisioning. The IT department provides a 30-minute general orientation covering password policies and basic computer use but has limited capacity for comprehensive security awareness training given constant turnover. In September 2024 a seasonal employee working in the planning department received a convincing spear-phishing email appearing to originate from the Public Works Director requesting urgent review of "updated contractor insurance certificates" for a road repair project, including a link to a "secure document portal" requiring town network credentials. The email exploited realistic context: the planning department routinely reviews contractor documentation, public works frequently coordinates with planning on infrastructure projects, insurance certificate verification is standard procedure, and urgent requests are common in municipal government where regulatory deadlines and public meetings create time pressures. The employee, two weeks into a temporary assignment and unfamiliar with phishing tactics targeting government operations, entered credentials, giving the LockBit affiliate initial access to the town network. Neither the seasonal employee nor the IT department recognized the well-researched phishing lure, which copied legitimate municipal workflows and realistic inter-department coordination patterns.

Operational Context

Municipal payroll processing workflow and civil service employment protections: Brookfield's bi-weekly payroll cycle operates under strict civil service regulations and collective bargaining agreements establishing employee payment as a contractual obligation rather than a discretionary business function. The process begins Tuesday noon when department supervisors submit approved timesheets through the HR system, including regular hours, overtime (pre-approved by department heads), shift differentials (police and fire 24/7 coverage), longevity bonuses (tenure-based increases), specialty pay (K9 handlers, EMT certifications, hazmat training), and deductions (health insurance, retirement contributions, union dues, wage garnishments, child support withholdings calculated by court orders, tax levies, 457(b) deferred compensation contributions). Wednesday through Thursday, HR staff (Karen Williams directing 8 payroll specialists) process 1,650 individual payment calculations verifying timesheet accuracy, confirming budget authority for overtime, calculating employer tax obligations (Social Security, Medicare, unemployment insurance, workers compensation), applying voluntary deductions, processing new hire enrollments and termination final payments, and generating direct deposit ACH files transmitted to the bank Thursday 6 PM for Friday morning posting. The civil service contracts negotiated with five separate unions (police, fire, DPW, clerical, professional) specify that payroll must process "no later than 6 AM on designated pay date" and any delays constitute contract violations triggering union grievance procedures, potential arbitration, back-pay calculations including interest, and damaged employee relations affecting recruitment and retention in a competitive labor market. Municipal employees cannot be asked to "wait until next week" as the private sector might negotiate; civil service protections treat timely payment as a fundamental employment right with legal consequences for violations.

Emergency services dependencies on integrated criminal justice systems: Brookfield Police Department operates 24/7 dispatch center handling average 178 calls daily (911 emergencies, non-emergency requests, alarm responses, traffic accidents, domestic disturbances, medical assists, welfare checks, suspicious activity reports) requiring instant access to Computer-Aided Dispatch (CAD) system integrated with county-wide emergency services, state criminal databases (NCIC providing nationwide warrant information, criminal history, stolen vehicle/property records, missing persons, sex offender registry), license plate reader network (12 fixed cameras plus 8 mobile units on patrol vehicles capturing 2,500 plate reads daily), body camera evidence management (18 months retention per state law, chain-of-custody documentation for prosecutions), criminal records management system containing 15 years of incident reports, investigation files, witness statements, evidence photographs, arrest documentation, and case prosecution materials provided to district attorney. During traffic stops, officers rely on instant criminal history and warrant checks determining whether suspect is armed and dangerous, has outstanding arrest warrants, is on probation/parole with search conditions, or has history of violence against police—information essential for officer safety decisions. Active investigations depend on RMS access: detectives preparing tomorrow's testimony in major drug trafficking prosecution need evidence photographs, witness statements, surveillance logs, and chain-of-custody documentation; ongoing organized crime investigation requires confidential informant files and intelligence reports; domestic violence cases need protection order history and prior incident documentation. Complete system unavailability forces 1990s-era paper-based dispatch (handwritten call logs, radio-only officer communication, no automated address verification or hazard flags, no pre-arrival intelligence about location history or resident criminal background), eliminates officer safety information during traffic stops and calls, prevents evidence retrieval for court testimony affecting active prosecutions with strict discovery deadlines, and creates prosecution liability if defense attorneys argue that evidence integrity was compromised during system outage.

Public accountability frameworks and government transparency requirements: Municipal government operates under Massachusetts Public Records Law and Open Meeting Law establishing citizen rights to access government information and observe decision-making processes. Major incident response decisions (ransom payment consideration, emergency spending authorizations, service disruption communications, data breach notifications) require public deliberation at noticed meetings where citizens can attend, comment, and request records. Town council emergency executive session discussing cybersecurity incident must follow strict procedures: posting meeting notice 48 hours in advance (except true emergencies), conducting preliminary discussion in public session before executive session, stating specific legal exemption justifying closed discussion (cybersecurity details, litigation strategy, contract negotiations), and releasing executive session minutes after threat resolution. Any expenditure exceeding town manager’s $50,000 emergency authority requires council vote at public meeting, meaning $2.2M ransom payment decision cannot be made unilaterally by mayor or IT director—requiring public deliberation where citizens, media, and political opposition can scrutinize decision. State public records law provides 10-day response deadline for citizen information requests, meaning media outlets and transparency advocates can demand “all emails and documents related to cybersecurity incident response” creating public accountability paper trail. These transparency requirements serve essential democratic governance functions preventing backroom deals and ensuring constituent oversight, but create operational complexity during crisis response where speed and confidentiality might enable more effective negotiation, technical investigation, or law enforcement coordination—forcing incident commanders to balance democratic accountability obligations with tactical response effectiveness.

Inter-agency coordination and regional emergency management: Brookfield incident response depends on relationships with state and federal agencies providing resources that individual municipalities cannot maintain: Massachusetts Cybersecurity Command Center (offering incident response guidance, threat intelligence, and coordination with state police cyber crimes unit), FBI Boston Field Office (federal investigation jurisdiction for ransomware as computer fraud and extortion, access to national threat intelligence), CISA (Cybersecurity and Infrastructure Security Agency providing federal incident response expertise, malware analysis, and recovery support), county emergency management (regional disaster coordination, mutual aid agreements with neighboring towns, emergency communications backup), and state comptroller’s office (guidance on public funds management during crisis, budget authority for emergency spending, oversight of municipal bond rating implications). These relationships require ongoing coordination through regular meetings, joint training exercises, memoranda of understanding, and resource sharing agreements—meaning effective crisis response depends not just on technical capabilities but on organizational relationships, trusted communications channels, and established procedures for requesting and receiving assistance. However, inter-agency coordination also creates complexity: state auditor will scrutinize ransomware response for proper use of taxpayer funds, federal law enforcement wants case prosecution over rapid business recovery, cyber insurance carrier has conflicting incentives from municipality’s service continuity needs, and political oversight bodies demand transparency while investigators request confidentiality. Incident Commander must navigate multiple stakeholder priorities and reporting requirements while maintaining operational focus on restoring essential services.

Key Stakeholders
  • Mayor Linda Chen (Chief Executive Officer) - Elected official serving second four-year term facing November re-election, managing highest-profile crisis of political career affecting 95,000 constituents, balancing immediate response decisions (ransom payment consideration, public disclosure, emergency spending) against political accountability (explaining cybersecurity budget cuts, justifying taxpayer fund use, maintaining public trust), coordinating with town council requiring public meeting deliberations while managing media coverage and citizen concerns, confronting personal liability as elected official whose previous budget decisions contributed to backup inadequacy and delayed security investments, protecting town’s AAA bond rating essential for infrastructure financing while addressing employee welfare crisis affecting 1,450 workers and their families.

  • Steve Rodriguez (Chief Information Officer) - IT Director with 15 years municipal technology experience operating department on $2.8M budget (1.5% of town spending, less than half the 3-4% recommended), managing complete infrastructure encryption affecting all administrative and emergency services while coordinating recovery with 12-person team operating on manual paper-based incident response, assessing backup restoration timeline (7-10 days affecting multiple payroll cycles) while facing stakeholder pressure demanding faster recovery, explaining to council why previous cybersecurity budget proposals (repeatedly deferred or reduced) could have prevented incident, coordinating with cyber insurance carrier, FBI, state cyber command, and incident response consultants while maintaining operational focus, confronting professional reputation impact where cybersecurity failure will define career despite years advocating for security investments that elected officials deprioritized.

  • Karen Williams (Human Resources Director) - HR leader responsible for employee welfare including payroll, benefits, employee relations, union contract compliance, managing 1,450 full-time employees plus 200 seasonal workers facing Friday payroll crisis with all systems encrypted, receiving desperate employee inquiries from single parents whose rent is due Monday, hourly workers living paycheck-to-paycheck, retirees depending on predictable income for medical expenses, employees with child support garnishments requiring precise withholding to avoid legal violations, coordinating with five separate unions whose contracts specify timely payment as fundamental employment right with grievance procedures for violations, managing employee data breach notification (social security numbers, health information, personnel files, salary history, disciplinary records exposed), balancing employee advocacy (demanding rapid payroll restoration through alternative processing or ransom payment) with organizational responsibility (avoiding precedent-setting ransom payment encouraging future attacks), confronting personal connection to employees facing real financial hardship from decisions beyond their control.

  • Robert Jackson (Emergency Services Coordinator & Fire Chief) - Public safety leader coordinating police and fire departments through system outage affecting 911 dispatch, CAD integration, criminal records, evidence management, coordinating emergency paper-based dispatch protocols degrading response times and eliminating officer safety information during traffic stops and calls, managing fire department response capability without integrated CAD providing building floor plans, hydrant locations, hazmat databases, and medical history for frequent 911 callers, balancing public safety mission (maintaining emergency services protecting 95,000 residents) with incident response coordination (supporting IT recovery while continuing operational duties), addressing community concerns about degraded emergency response and potential safety risks during extended outage, confronting ethical dilemma where paying ransom might rapidly restore systems protecting public safety but violates law enforcement principles of never funding criminal enterprises.

  • Police Chief David Martinez - Law enforcement executive commanding 285 sworn officers plus 45 civilian staff managing complete criminal justice system outage affecting active investigations, court testimony, evidence integrity, and officer safety information, coordinating with detective preparing tomorrow testimony in major drug trafficking prosecution who lost access to evidence photographs, witness statements, surveillance logs, and chain-of-custody documentation essential for legal proceedings with strict discovery deadlines, addressing officer safety concerns where traffic stops and domestic calls proceed without criminal history checks, warrant information, or location hazard flags that normally inform tactical approach, managing confidential informant safety risk where organized crime intelligence files threatened with public release could expose cooperating witnesses to retaliation, balancing law enforcement mission (never negotiate with criminals, cooperate with FBI investigation, maintain evidence integrity) with practical reality (degraded police operations affecting community safety, potential CI deaths if intelligence published, months-long recovery affecting criminal justice system), coordinating with FBI, state police, and district attorney while maintaining operational focus and officer morale.

  • Thomas Park (Town Council Chair & Finance Committee) - Elected council president with finance background and constituent accountability responsibilities, convening emergency executive session to understand incident scope and response options while managing public meeting transparency requirements and media coverage, reviewing previous cybersecurity budget decisions where council deferred IT security proposals favoring visible community priorities (roads, fire equipment, parks, police staffing), questioning why backup systems are inadequate for rapid recovery and what accountability measures are appropriate for security failure, weighing ransom payment consideration ($2.2M taxpayer funds) against employee welfare (payroll crisis affecting 1,450 workers) and public safety (degraded emergency services), coordinating with state comptroller regarding emergency spending authority and municipal bond rating implications, confronting political dimension where opposition party will exploit cybersecurity incident in November elections questioning council’s fiscal management and security oversight.

  • Jennifer Walsh (Police Union President & Detective) - Union representative for 330 police department employees (sworn officers and civilian staff) managing contract compliance during payroll crisis, formal notification to mayor that civil service agreements require timely payment with specific grievance procedures for violations, advocating for employee welfare including officers working overtime on critical investigations expecting Friday payment, coordinating with four other municipal unions (fire, DPW, clerical, professional) on unified position regarding payment obligations and data breach employee notification, balancing union advocacy (demanding immediate payroll restoration protecting member interests) with law enforcement mission (opposing ransom payment funding criminal enterprise), representing officers concerned about evidence integrity, investigation continuity, and public safety during extended system outage, confronting conflicting loyalties where union members need payroll but law enforcement principles oppose negotiating with criminals.

Why This Matters

You’re not just managing ransomware encryption—you’re navigating a public accountability crisis where every decision faces democratic scrutiny. Private sector incident response happens behind closed doors, with executive authority enabling rapid tactical decisions, but municipal government operates under public records laws and open meeting requirements: ransom payment consideration, emergency spending authorization, and service disruption communications require noticed public meetings where citizens, media, and political opposition observe deliberations and request documentation. The $2.2M payment decision cannot be made by the IT director or even the mayor—it requires a town council vote at a public meeting, creating a permanent public record of deliberations, justifications, and dissenting opinions that will be scrutinized by voters, auditors, media investigations, and November election opponents. You’re balancing democratic transparency obligations (the constituents’ right to observe government decision-making and access public records) against tactical response effectiveness (confidential negotiation, rapid technical decisions, law enforcement coordination requesting operational security), where every email and meeting minute becomes a public record analyzed for accountability and political implications.

You’re not just restoring systems—you’re protecting 1,450 employee livelihoods under civil service contract obligations that create absolute deadline pressure. Private companies facing ransomware can negotiate delayed payroll with employees or advance emergency funds under flexible procedures, but municipal workers operate under collective bargaining agreements that treat timely payment as a contractual right enforced through formal grievance procedures and potential arbitration. The workforce includes single parents whose rent is due Monday and who depend on Friday direct deposit, hourly public works employees living paycheck-to-paycheck without a financial cushion to absorb delayed payment, retirees working part-time whose medication costs depend on predictable income, and employees with court-ordered child support garnishments requiring precise withholding calculations, where delays create legal violations and family hardship beyond the employee’s own household. You cannot ask employees to “wait until next week” or say “we’ll make it right later”—civil service protections establish payment timing as a fundamental employment right, with consequences (union grievances, damaged employee relations, recruitment and retention impact in a competitive labor market) that create organizational pressure beyond the technical recovery timeline.

You’re not just containing a data breach—you’re maintaining essential services that 95,000 citizens depend on for public safety and community welfare. The encryption doesn’t just affect administrative convenience or business efficiency—it degrades 911 dispatch capability during emergencies, eliminates the criminal history and warrant information officers need for safe traffic stops and domestic calls, prevents the building inspections required for construction permits affecting the local economy, disrupts the water quality testing and EPA compliance that prevent environmental violations, blocks citizen access to vital records and permitting needed for real estate transactions and business operations, and damages public trust in government’s competence and data stewardship. An extended outage doesn’t just cost money or reputation—it creates real community safety risks: delayed emergency response or compromised officer safety information could result in preventable deaths or injuries, published confidential informant files could lead to witness retaliation, suspended building permits halt construction employment affecting working families, and identity theft from stolen tax records creates years of financial damage for the 85,000 citizens who trusted government to protect their personal information.

IM Facilitation Notes
  • Emphasize absolute payroll deadline pressure with employee financial hardship stories—not just abstract “business impact”: Players often treat municipal payroll as routine administrative function where “just process it manually” seems viable, missing that civil service contracts establish payment as legal obligation with strict deadlines and that 7-10 day recovery timeline affects multiple pay cycles creating real family financial crises. Help players understand single mother asking HR director “will my direct deposit post Friday because my rent is due Monday and I’ll be evicted if the check bounces,” hourly public works employee living paycheck-to-paycheck who cannot absorb week delay, retiree whose medication costs depend on predictable income, employees with child support garnishments where delayed withholding creates legal violations affecting their children’s welfare. Make payroll pressure visceral and immediate—not technical problem but human crisis where incident response timeline directly determines whether families make rent, buy groceries, or face financial catastrophe from decisions beyond their control.

  • Highlight public accountability and transparency requirements creating democratic governance complexity during crisis response: Players often assume incident commanders can make rapid tactical decisions like private sector executives, missing that municipal government operates under open meeting laws and public records requirements where major decisions require noticed public meetings with citizen observation and permanent documentation. Walk players through scenario: Town council must convene emergency executive session to discuss $2.2M ransom payment, requiring 48-hour public meeting notice (or emergency declaration with specific legal justification), preliminary discussion in public session before closed deliberation, formal vote with dissenting opinions entered into public record, meeting minutes released after threat resolution becoming permanent public record for media investigation and political opposition exploitation. Help players understand that democratic accountability serves essential governance functions (preventing corruption, ensuring constituent oversight, maintaining public trust) but creates operational complexity during crisis where confidential negotiation or rapid technical decisions might enable more effective response—forcing incident commanders to balance transparency obligations with tactical effectiveness.

  • Address law enforcement coordination complexity where FBI and state police have different priorities than municipal service restoration: Players often suggest “call the FBI” expecting federal law enforcement to solve ransomware crisis, missing that federal investigators prioritize criminal prosecution over rapid business recovery and that investigation timelines (months of evidence collection, international cooperation, case building) don’t align with Friday payroll deadline or Monday emergency services restoration. Help players understand Police Chief Martinez’s dilemma: FBI wants preserved evidence and extended forensic analysis for eventual criminal charges, state cyber command provides general guidance but limited hands-on recovery assistance, cyber insurance carrier covers incident response costs but won’t pay ransom with public funds, and district attorney needs evidence integrity maintained for active prosecutions—creating multiple stakeholder priorities where law enforcement coordination is essential but doesn’t directly solve operational crisis requiring system restoration within 48-72 hours.

  • Confront players with impossible choice between employee welfare and law enforcement principles—no clean resolution: Standard incident response training teaches “never pay ransomware” as security best practice, but municipal payroll crisis creates genuine ethical dilemma where refusing payment causes real financial hardship for 1,450 employees (and their families) who did nothing wrong but will face rent/mortgage payment failures, childcare disruptions, medication cost challenges, and weeks of financial stress from organizational security failure. Help players sit with uncomfortable tension: paying $2.2M ransom uses taxpayer funds to fund criminal enterprise encouraging future attacks against government (violating law enforcement principles and likely state law), BUT refusing payment based on principle means explaining to single mothers and hourly workers why their families must suffer financial hardship protecting abstract policy position. There’s no “right answer”—only trade-offs with real human consequences where players must justify their choice understanding the damage caused either way.

  • Explore backup strategy inadequacy arising from compliance-focused rather than recovery-focused mindset: Players often blame IT incompetence for backup failure, missing that Brookfield’s backup strategy was rational government behavior optimized for different success criteria (regulatory compliance, audit requirements, public records retention) rather than rapid operational recovery from total encryption. Help players understand cultural context: IT department maintained tape backups for seven-year financial record retention meeting state comptroller requirements, image-based weekly backups meeting auditor recommendations, cloud email/document backups meeting public records preservation obligations—successfully demonstrating compliance with clear regulatory mandates but never testing rapid complete infrastructure restoration capability because disaster recovery scenarios seemed hypothetical compared to immediate audit compliance requirements with real consequences (state auditor findings, regulatory violations, failed inspections). The inadequacy wasn’t negligence but resource allocation reflecting compliance-driven bureaucratic culture where tested recovery capability competed against visible community priorities (roads, fire trucks, police officers) with measurable constituent impact.

  • Use citizen data breach as distinct crisis dimension beyond operational recovery: Players often focus exclusively on system restoration and payroll processing, treating data theft as secondary concern addressed “after we’re back online.” Emphasize that 85,000 citizen records (tax returns, utility accounts, police intelligence files, domestic violence victim addresses, confidential informant identities) were exfiltrated BEFORE encryption and that restoration doesn’t prevent publication—creating separate crisis requiring immediate breach notification, identity theft monitoring, law enforcement witness protection, and public trust rebuilding regardless of system recovery timeline. Walk players through implications: citizen tax records sold to identity theft networks enabling years of fraud, confidential informant files published exposing cooperating witnesses to organized crime retaliation potentially causing deaths, domestic violence victim addresses revealed compromising safety, ongoing criminal investigations compromised affecting prosecutions—creating harm that persists long after systems are restored and potentially exceeds encryption impact for vulnerable populations trusting government to protect their sensitive information.

  • Challenge assumptions that government can operate on extended manual procedures without cascade failures: Players often suggest “use paper-based processes temporarily while we rebuild” underestimating compound effects of prolonged system outage on interconnected municipal services. Help players understand cascade: 7-10 day recovery affects three payroll cycles creating employee financial crisis and potential union work actions, extended 911 dispatch degradation increases emergency response times potentially causing preventable deaths or injuries, manual building permit processing halts construction projects affecting local employment and economic activity, suspended water quality testing creates EPA compliance violations and potential enforcement actions, degraded police criminal records access affects officer safety and active investigation continuity, public service disruption damages government credibility affecting voter support for future budgets and bond authorizations. Manual procedures might sustain operations for 24-48 hours but week-plus outage creates systemic failures affecting community welfare, public safety, regulatory compliance, and political sustainability—making recovery timeline not just technical project plan but crisis determinant with consequences extending beyond IT systems to community safety and economic vitality.

Hook

“It’s Wednesday morning at Brookfield Town Hall, and the payroll team is preparing to process payments for 1,450 municipal employees when every government computer screen displays ransom demands. Within hours, the mayor receives direct contact from threat actors claiming to have stolen employee records, citizen tax data, and sensitive government documents, threatening to publish everything. All town services are affected, payroll cannot be processed, and essential services are at risk.”

Initial Symptoms to Present:

🚨 Initial User Reports
  • “All municipal systems displaying ransom demands with city-specific threats about citizen data”
  • “Payroll systems completely encrypted with deadline approaching in 48 hours”
  • “Threat actors contacted mayor claiming to have stolen employee and citizen records”
  • “Essential services including police and fire systems losing connectivity”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal systematic targeting of citizen data and government documents
  • Analysis shows initial compromise through municipal email system phishing attack
  • Timeline indicates attackers maintained access for months, collecting sensitive government information

Protector System Analysis:

  • Complete encryption of all municipal systems affecting public services
  • Backup assessment reveals inadequate disaster recovery capabilities due to budget constraints
  • Network analysis shows lateral movement across all city departments

Tracker Network Investigation:

  • Data exfiltration analysis reveals extensive theft of citizen tax records and government documents
  • Communication analysis shows professional ransomware operation with government sector experience
  • Evidence of reconnaissance targeting specific municipal vulnerabilities and processes

Communicator Stakeholder Interviews:

  • Employee communications regarding delayed payroll and data breach implications
  • Citizen notification requirements for potential exposure of personal information
  • Inter-agency coordination with county, state, and federal emergency management

Mid-Scenario Pressure Points:

  • Hour 1: Police and fire departments report system connectivity issues affecting emergency response
  • Hour 2: Threat actors publish sample of stolen citizen tax records to demonstrate data theft
  • Hour 3: Local media reports government systems down affecting all public services
  • Hour 4: Employee union representatives demand immediate payroll resolution and data protection

Evolution Triggers:

  • If ransom payment is made using taxpayer funds, public accountability questions arise
  • If payment is refused, citizen data begins appearing on criminal marketplaces
  • If recovery exceeds 48 hours, payroll crisis escalates to employee hardship and service disruption

Resolution Pathways:

Technical Success Indicators:

  • Emergency service continuity maintained through backup communication systems
  • Payroll processing restored through manual procedures or clean backup systems
  • Inter-agency coordination established for investigation and recovery support

Business Success Indicators:

  • Public services maintained through emergency procedures minimizing citizen impact
  • Employee welfare protected through alternative payroll solutions
  • Public accountability maintained with transparent communication about incident and response

Learning Success Indicators:

  • Team understands government sector cybersecurity requirements and constraints
  • Participants recognize public service continuity obligations during crisis
  • Group demonstrates crisis management balancing public accountability with security response

Common IM Facilitation Challenges:

If Public Accountability Is Ignored:

“Your technical response is sound, but the city council is demanding to know: how do you justify using taxpayer funds for ransom payment, and what accountability measures are needed for this security failure?”

If Employee Welfare Is Forgotten:

“While you’re investigating, 2,800 city employees are asking when they’ll be paid. Single parents, retirees, and hourly workers depend on timely payroll. How do you balance security response with employee welfare?”

If Essential Services Are Overlooked:

“Your recovery plan is thorough, but the police chief reports that dispatch systems are down and emergency response is compromised. How do you prioritize public safety during recovery?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish municipal payroll crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing ransomware impact on government services and public accountability.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of public sector ransomware challenges. Use the full set of NPCs to create realistic payroll deadline and public service pressures. The two rounds allow threat actors to escalate with citizen data samples, raising stakes. Debrief can explore balance between employee welfare and taxpayer responsibility.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing payroll deadlines, public service continuity, citizen data protection, and public accountability. The three rounds allow for full narrative arc including ransomware’s government-sector-specific impact and inter-agency coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate system updates causing unrelated issues). Make containment ambiguous, requiring players to justify taxpayer-funded decisions with incomplete information. Remove access to reference materials to test knowledge recall of ransomware behavior and public sector security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal LockBit ransomware with complete encryption of Brookfield municipal government systems 48 hours before payroll deadline for 1,450 employees. Threat actors contacted mayor claiming to have stolen employee records, citizen tax data, and sensitive government documents including law enforcement information. All town services including police, fire, and utilities are affected.”

Clue 2 (Minute 10): “Network analysis shows attackers maintained persistent access for months through compromised municipal email system, systematically collecting sensitive citizen data and government documents. Backup assessment reveals inadequate disaster recovery capabilities due to budget constraints. Timeline indicates attackers chose payroll week for maximum operational impact and payment pressure.”

Clue 3 (Minute 15): “Threat actors published samples of stolen citizen tax records as proof of data theft. Employee union representatives demanding immediate payroll resolution as single parents and hourly workers face financial hardship. Police chief reports emergency dispatch systems are compromised affecting public safety response capabilities.”


Pre-Defined Response Options

Option A: Emergency Services & Recovery Without Payment

  • Action: Activate emergency paper-based public services, restore systems from available backups, coordinate with county/state for payroll processing assistance, refuse ransom payment using taxpayer funds, initiate citizen data breach notifications.
  • Pros: Maintains public accountability for taxpayer fund use; demonstrates responsible government cybersecurity practices; supports law enforcement.
  • Cons: Recovery may take several days affecting employee payroll and public services; stolen citizen data will likely be publicly released; potential liability and public criticism.
  • Type Effectiveness: Super effective against Ransomware malmon type; clean backups enable recovery without funding criminal enterprise with taxpayer money.

Option B: Ransom Payment & Rapid Service Restoration

  • Action: Pay ransom using emergency funds or insurance to obtain decryption key and prevent data release, restore systems quickly to meet payroll deadline, implement enhanced security controls while managing public accountability questions.
  • Pros: Fastest path to payroll processing protecting employee welfare; may prevent public release of citizen tax and law enforcement data.
  • Cons: No guarantee attackers will honor agreement; uses taxpayer funds to fund criminal enterprise; may violate public spending regulations and accountability standards.
  • Type Effectiveness: Not effective against Ransomware malmon type; addresses encryption but doesn’t guarantee citizen data protection; funds continued attacks against government.

Option C: Inter-Agency Collaboration & Phased Recovery

  • Action: Coordinate with county and state government for emergency payroll processing, engage with threat actors to delay timeline, simultaneously restore from backups, seek federal law enforcement assistance.
  • Pros: Protects employee welfare through inter-agency support; buys time for proper backup recovery; demonstrates government cooperation and resource sharing.
  • Cons: Extends crisis timeline affecting public services; negotiation may be interpreted as willingness to pay; inter-agency coordination may be slow.
  • Type Effectiveness: Moderately effective against Ransomware threats; delays attack progression while enabling backup recovery; doesn’t guarantee citizen data protection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Emergency Payroll & Public Safety (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Complete system encryption across all city departments including finance, police, fire, utilities. Finance Director Maria Rodriguez: “All payroll systems encrypted. 1,200 employees expecting Friday paychecks. Public services paralyzed.”
  • Clue 2 (Minute 10): Forensics reveal attackers had persistent access for two weeks, exfiltrating citizen tax records, employee personnel files, police investigation data - estimated 400GB of sensitive government data stolen.
  • Clue 3 (Minute 15): Police Chief Taylor: “Dispatch systems down, criminal records inaccessible. Active investigations compromised. Community safety at risk.”
  • Clue 4 (Minute 20): Threat actors demand $2.2M from municipal budget within 72 hours or release all stolen data including tax returns, police files, employee social security numbers.

Response Options:

  • Option A: Emergency paper protocols, backup recovery, refuse payment, breach notifications | Type: Super effective for recovery, ethical government response
  • Option B: Negotiate payment using emergency funds, prioritize employee payroll | Type: Partially effective, questionable use of taxpayer funds
  • Option C: State government assistance for payroll, simultaneous backup recovery | Type: Moderately effective, inter-agency collaboration

Round 2: Citizen Data & Government Accountability (30-35 min)

Investigation Clues:

  • Clue 5: City Manager confirms 85,000 citizen records compromised including tax data, utility accounts, law enforcement contacts. Mandatory breach notification required.
  • Clue 6: Mayor Foster faces city council emergency meeting. “Taxpayers demanding answers. Media investigating. State auditor reviewing incident response.”
  • Clue 7: Backup assessment reveals some financial systems may be compromised; full recovery timeline 7-10 days affecting multiple payroll cycles.
  • Clue 8: Cyber insurance policy covers incident response but excludes ransom payments from public funds. Total breach costs estimated $8-12M.

Response Options:

  • Option A: Comprehensive breach response, full transparency, regulatory cooperation | Type: Super effective for compliance and public trust
  • Option B: Selective notification, minimize public disclosure, focus on recovery | Type: Partially effective, potential compliance issues
  • Option C: Reconsider payment to prevent citizen data release | Type: Not effective, violates public accountability

Round Transition: Team’s choice determines whether Springfield faces transparency crisis, employee welfare challenges, or inter-agency coordination needs. CISO reveals full breach scope including sensitive law enforcement data. Council demands accountability. Insurance confirms multi-million dollar costs even without payment. Must balance employee needs, citizen privacy, public trust, regulatory compliance during crisis.

Debrief Focus: Double extortion in government context; Taxpayer fund accountability in payment decisions; Citizen data protection obligations; Inter-agency collaboration; Public trust maintenance


Full Game Materials (120-140 min, 3 rounds)

[Abbreviated format]

Round 1: City hall paralysis during payroll week. All systems encrypted. Attackers show proof of stolen citizen/employee data. Mayor faces impossible choice between employee welfare and taxpayer accountability.

Investigation: LockBit ransomware, weeks of access, 400GB government data exfiltration, backup compromise assessment, public safety impact

NPCs: Maria Rodriguez (payroll crisis), Chief Taylor (public safety), IT Director Harrison (backup integrity), Mayor Foster (political accountability)

Pressure: Employee union demands payroll certainty; Police operations degraded; Media investigation; State oversight inquiry

Round 2: 85,000 citizen records compromised. Mandatory breach notifications. Council emergency meeting. Payment decision scrutiny. Recovery timeline affects multiple pay periods.

Round 3: Government cybersecurity culture. Public accountability frameworks. Citizen trust rebuilding. Prevention strategies balancing security with public budget constraints.

Debrief: Double extortion evolution; Government payment ethics; Citizen data stewardship; Public accountability in crisis; Municipal cybersecurity resilience


Advanced Challenge Materials (150-170 min)

Red Herrings: Legitimate system updates; Budget cycle pressures; Political motivations; Employee concerns

Removed Resources: Limited federal guidance; Inexperienced municipal IT; Council approval delays; Budget constraints

Enhanced Pressure: Individual citizen impact stories; Employee financial hardship; Political opposition exploitation; Media investigation

Ethical Dilemmas: Employee welfare vs taxpayer accountability; Transparency vs reputation; Selective notification to reduce costs; Inter-agency assistance vs municipal autonomy

Advanced Debrief: Municipal payment frameworks; Citizen data protection obligations; Public accountability standards; Inter-governmental security cooperation; Resource-constrained government cybersecurity