LockBit Scenario: Municipality Payroll Crisis

Town of Brookfield: Municipal government serving 95,000 residents with 1,450 employees
Ransomware • LockBit
STAKES
Public service continuity + Employee payroll + Citizen data protection + Government operations
HOOK
The Town of Brookfield is preparing for bi-weekly payroll for 1,450 municipal employees when all government systems display ransom demands. Threat actors contact the mayor claiming to have stolen employee records, citizen data, and sensitive government documents, threatening public release. With payroll due in 48 hours and essential services at risk, city leadership must decide between ransom payment and public service disruption.
PRESSURE
Payroll deadline approaches - employees depend on timely payment + Public services cannot be interrupted + Citizen data exposure risks
FRONT • 120 minutes • Advanced
NPCs
  • Mayor Linda Chen: Managing public relations crisis while coordinating emergency response, must balance taxpayer interests with employee needs and government continuity
  • Steve Rodriguez (Chief Information Officer): Dealing with complete system encryption affecting all municipal services, assessing data theft scope while coordinating recovery with limited budget
  • Karen Williams (Human Resources Director): Cannot process payroll for 1,450 employees, managing employee communications while addressing data breach implications
  • Robert Jackson (Emergency Services Coordinator): Coordinating essential service continuity including police, fire, and utilities while managing cybersecurity incident response
SECRETS
  • City delayed critical security updates due to budget constraints and fear of service disruption
  • Backup systems were inadequately maintained and may not support full recovery
  • Attackers accessed sensitive citizen data including tax records, permits, and law enforcement information

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

LockBit Municipality Payroll Crisis Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

LockBit Municipality Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Town of Brookfield

Municipal government serving 95,000 residents with 1,450 employees

Key Assets At Risk:

  • Public service continuity
  • Employee payroll
  • Citizen data protection
  • Government operations

Business Pressure

  • Payroll deadline approaches - employees depend on timely payment
  • Public services cannot be interrupted
  • Citizen data exposure risks

Cultural Factors

  • City delayed critical security updates due to budget constraints and fear of service disruption
  • Backup systems were inadequately maintained and may not support full recovery
  • Attackers accessed sensitive citizen data including tax records, permits, and law enforcement information

Opening Presentation

“It’s Wednesday morning at Brookfield Town Hall, and the payroll team is preparing to process payments for 1,450 municipal employees when every government computer screen displays ransom demands. Within hours, the mayor receives direct contact from threat actors claiming to have stolen employee records, citizen tax data, and sensitive government documents, threatening to publish everything. All town services are affected, payroll cannot be processed, and essential services are at risk.”

Initial Symptoms to Present:

Warning: Initial User Reports
  • “All municipal systems displaying ransom demands with city-specific threats about citizen data”
  • “Payroll systems completely encrypted with deadline approaching in 48 hours”
  • “Threat actors contacted mayor claiming to have stolen employee and citizen records”
  • “Essential services including police and fire systems losing connectivity”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal systematic targeting of citizen data and government documents
  • Analysis shows initial compromise through municipal email system phishing attack
  • Timeline indicates attackers maintained access for months, collecting sensitive government information

Protector System Analysis:

  • Complete encryption of all municipal systems affecting public services
  • Backup assessment reveals inadequate disaster recovery capabilities due to budget constraints
  • Network analysis shows lateral movement across all city departments

Tracker Network Investigation:

  • Data exfiltration analysis reveals extensive theft of citizen tax records and government documents
  • Communication analysis shows professional ransomware operation with government sector experience
  • Evidence of reconnaissance targeting specific municipal vulnerabilities and processes

Communicator Stakeholder Interviews:

  • Employee communications regarding delayed payroll and data breach implications
  • Citizen notification requirements for potential exposure of personal information
  • Inter-agency coordination with county, state, and federal emergency management

Mid-Scenario Pressure Points:

  • Hour 1: Police and fire departments report system connectivity issues affecting emergency response
  • Hour 2: Threat actors publish sample of stolen citizen tax records to demonstrate data theft
  • Hour 3: Local media reports government systems down affecting all public services
  • Hour 4: Employee union representatives demand immediate payroll resolution and data protection

Evolution Triggers:

  • If ransom payment is made using taxpayer funds, public accountability questions arise
  • If payment is refused, citizen data begins appearing on criminal marketplaces
  • If recovery exceeds 48 hours, payroll crisis escalates to employee hardship and service disruption

Resolution Pathways:

Technical Success Indicators:

  • Emergency service continuity maintained through backup communication systems
  • Payroll processing restored through manual procedures or clean backup systems
  • Inter-agency coordination established for investigation and recovery support

Business Success Indicators:

  • Public services maintained through emergency procedures minimizing citizen impact
  • Employee welfare protected through alternative payroll solutions
  • Public accountability maintained with transparent communication about incident and response

Learning Success Indicators:

  • Team understands government sector cybersecurity requirements and constraints
  • Participants recognize public service continuity obligations during crisis
  • Group demonstrates crisis management balancing public accountability with security response

Common IM Facilitation Challenges:

If Public Accountability Is Ignored:

“Your technical response is sound, but the city council is demanding to know: how do you justify using taxpayer funds for ransom payment, and what accountability measures are needed for this security failure?”

If Employee Welfare Is Forgotten:

“While you’re investigating, 2,800 city employees are asking when they’ll be paid. Single parents, retirees, and hourly workers depend on timely payroll. How do you balance security response with employee welfare?”

If Essential Services Are Overlooked:

“Your recovery plan is thorough, but the police chief reports that dispatch systems are down and emergency response is compromised. How do you prioritize public safety during recovery?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish municipal payroll crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing ransomware impact on government services and public accountability.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of public sector ransomware challenges. Use the full set of NPCs to create realistic payroll deadline and public service pressures. The two rounds allow threat actors to escalate with citizen data samples, raising stakes. Debrief can explore balance between employee welfare and taxpayer responsibility.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing payroll deadlines, public service continuity, citizen data protection, and public accountability. The three rounds allow for full narrative arc including ransomware’s government-sector-specific impact and inter-agency coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate system updates causing unrelated issues). Make containment ambiguous, requiring players to justify taxpayer-funded decisions with incomplete information. Remove access to reference materials to test knowledge recall of ransomware behavior and public sector security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal LockBit ransomware with complete encryption of Brookfield municipal government systems 48 hours before payroll deadline for 1,450 employees. Threat actors contacted mayor claiming to have stolen employee records, citizen tax data, and sensitive government documents including law enforcement information. All town services including police, fire, and utilities are affected.”

Clue 2 (Minute 10): “Network analysis shows attackers maintained persistent access for months through compromised municipal email system, systematically collecting sensitive citizen data and government documents. Backup assessment reveals inadequate disaster recovery capabilities due to budget constraints. Timeline indicates attackers chose payroll week for maximum operational impact and payment pressure.”

Clue 3 (Minute 15): “Threat actors published samples of stolen citizen tax records as proof of data theft. Employee union representatives are demanding immediate payroll resolution as single parents and hourly workers face financial hardship. Police chief reports emergency dispatch systems are compromised, affecting public safety response capabilities.”


Pre-Defined Response Options

Option A: Emergency Services & Recovery Without Payment

  • Action: Activate emergency paper-based public services, restore systems from available backups, coordinate with county/state for payroll processing assistance, refuse ransom payment using taxpayer funds, initiate citizen data breach notifications.
  • Pros: Maintains public accountability for taxpayer fund use; demonstrates responsible government cybersecurity practices; supports law enforcement.
  • Cons: Recovery may take several days affecting employee payroll and public services; stolen citizen data will likely be publicly released; potential liability and public criticism.
  • Type Effectiveness: Super effective against Ransomware malmon type; clean backups enable recovery without funding criminal enterprise with taxpayer money.

Option B: Ransom Payment & Rapid Service Restoration

  • Action: Pay ransom using emergency funds or insurance to obtain decryption key and prevent data release, restore systems quickly to meet payroll deadline, implement enhanced security controls while managing public accountability questions.
  • Pros: Fastest path to payroll processing protecting employee welfare; may prevent public release of citizen tax and law enforcement data.
  • Cons: No guarantee attackers will honor agreement; uses taxpayer funds to fund criminal enterprise; may violate public spending regulations and accountability standards.
  • Type Effectiveness: Not effective against Ransomware malmon type; addresses encryption but doesn’t guarantee citizen data protection; funds continued attacks against government.

Option C: Inter-Agency Collaboration & Phased Recovery

  • Action: Coordinate with county and state government for emergency payroll processing, engage with threat actors to delay timeline, simultaneously restore from backups, seek federal law enforcement assistance.
  • Pros: Protects employee welfare through inter-agency support; buys time for proper backup recovery; demonstrates government cooperation and resource sharing.
  • Cons: Extends crisis timeline affecting public services; negotiation may be interpreted as willingness to pay; inter-agency coordination may be slow.
  • Type Effectiveness: Moderately effective against Ransomware threats; delays attack progression while enabling backup recovery; doesn’t guarantee citizen data protection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Emergency Payroll & Public Safety (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Complete system encryption across all city departments including finance, police, fire, utilities. Finance Director Maria Rodriguez: “All payroll systems encrypted. 1,200 employees expecting Friday paychecks. Public services paralyzed.”
  • Clue 2 (Minute 10): Forensics reveal attackers had persistent access for two weeks, exfiltrating citizen tax records, employee personnel files, police investigation data - estimated 400GB of sensitive government data stolen.
  • Clue 3 (Minute 15): Police Chief Taylor: “Dispatch systems down, criminal records inaccessible. Active investigations compromised. Community safety at risk.”
  • Clue 4 (Minute 20): Threat actors demand $2.2M from municipal budget within 72 hours or release all stolen data including tax returns, police files, employee social security numbers.

Response Options:

  • Option A: Emergency paper protocols, backup recovery, refuse payment, breach notifications | Type: Super effective for recovery, ethical government response
  • Option B: Negotiate payment using emergency funds, prioritize employee payroll | Type: Partially effective, questionable use of taxpayer funds
  • Option C: State government assistance for payroll, simultaneous backup recovery | Type: Moderately effective, inter-agency collaboration

Round 2: Citizen Data & Government Accountability (30-35 min)

Investigation Clues:

  • Clue 5: City Manager confirms 85,000 citizen records compromised including tax data, utility accounts, law enforcement contacts. Mandatory breach notification required.
  • Clue 6: Mayor Foster faces city council emergency meeting. “Taxpayers demanding answers. Media investigating. State auditor reviewing incident response.”
  • Clue 7: Backup assessment reveals some financial systems may be compromised; full recovery timeline 7-10 days affecting multiple payroll cycles.
  • Clue 8: Cyber insurance policy covers incident response but excludes ransom payments from public funds. Total breach costs estimated $8-12M.

Response Options:

  • Option A: Comprehensive breach response, full transparency, regulatory cooperation | Type: Super effective for compliance and public trust
  • Option B: Selective notification, minimize public disclosure, focus on recovery | Type: Partially effective, potential compliance issues
  • Option C: Reconsider payment to prevent citizen data release | Type: Not effective, violates public accountability

Round Transition: Team’s choice determines whether Springfield faces a transparency crisis, employee welfare challenges, or inter-agency coordination needs. CISO reveals full breach scope, including sensitive law enforcement data. Council demands accountability. Insurance confirms multi-million dollar costs even without payment. Team must balance employee needs, citizen privacy, public trust, and regulatory compliance during the crisis.

Debrief Focus: Double extortion in government context; Taxpayer fund accountability in payment decisions; Citizen data protection obligations; Inter-agency collaboration; Public trust maintenance


Full Game Materials (120-140 min, 3 rounds)

[Abbreviated format]

Round 1: City hall paralysis during payroll week. All systems encrypted. Attackers show proof of stolen citizen/employee data. Mayor faces impossible choice between employee welfare and taxpayer accountability.

Investigation: LockBit ransomware, weeks of access, 400GB government data exfiltration, backup compromise assessment, public safety impact

NPCs: Maria Rodriguez (payroll crisis), Chief Taylor (public safety), IT Director Harrison (backup integrity), Mayor Foster (political accountability)

Pressure: Employee union demands payroll certainty; Police operations degraded; Media investigation; State oversight inquiry

Round 2: 85,000 citizen records compromised. Mandatory breach notifications. Council emergency meeting. Payment decision scrutiny. Recovery timeline affects multiple pay periods.

Round 3: Government cybersecurity culture. Public accountability frameworks. Citizen trust rebuilding. Prevention strategies balancing security with public budget constraints.

Debrief: Double extortion evolution; Government payment ethics; Citizen data stewardship; Public accountability in crisis; Municipal cybersecurity resilience


Advanced Challenge Materials (150-170 min)

Red Herrings: Legitimate system updates; Budget cycle pressures; Political motivations; Employee concerns

Removed Resources: Limited federal guidance; Inexperienced municipal IT; Council approval delays; Budget constraints

Enhanced Pressure: Individual citizen impact stories; Employee financial hardship; Political opposition exploitation; Media investigation

Ethical Dilemmas: Employee welfare vs taxpayer accountability; Transparency vs reputation; Selective notification to reduce costs; Inter-agency assistance vs municipal autonomy

Advanced Debrief: Municipal payment frameworks; Citizen data protection obligations; Public accountability standards; Inter-governmental security cooperation; Resource-constrained government cybersecurity