LockBit Scenario: Municipality Payroll Crisis

LockBit Scenario: Municipality Payroll Crisis

City of Millbrook: Municipality serving 45,000 residents with 800 employees
Ransomware • LockBit
STAKES
Public service continuity + Employee payroll + Citizen data protection + Government operations
HOOK
Finance and HR teams at City of Millbrook report payroll systems locking up, city workstations displaying extortion notes, and failed access to employee banking files two days before payroll runs. Emergency and public works staff report intermittent outages while threat messages claim municipal records were copied and will be released.
PRESSURE
  • Payroll deadline at Friday 5:00 PM for 800 employees
  • Potential exposure of 38,000 resident records
  • Extortion demand: $2.2 million
  • Emergency spending cap: $100K
FRONT • 120 minutes • Advanced
City of Millbrook: Municipality serving 45,000 residents with 800 employees
Ransomware • LockBit
NPCs
  • Patricia Hoffman (Mayor): Owns public communication and emergency governance decisions
  • Kevin Chen (IT Director): Leads containment and service-restoration sequencing
  • Sandra Williams (Payroll Director): Manages payroll execution risk and employee communications
  • Mark Torres (City Manager): Coordinates cross-department continuity and escalation
SECRETS
  • Security updates were deferred to avoid service downtime during budget cycle
  • Backup validation for payroll and HR systems was incomplete
  • Attackers accessed resident and personnel records before encryption

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

LockBit Municipality Payroll Crisis Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

LockBit Municipality Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Payroll systems display extortion notes and block direct-deposit processing”
  • “Municipal staff cannot access personnel records or tax-withholding exports”
  • “Service desks report outages across permitting, dispatch support, and finance tools”
  • “Threat messages claim employee and resident records were copied and will be released”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline analysis shows attacker access prior to encryption and extortion messaging
  • File-access logs indicate targeted collection of payroll and resident data repositories
  • Evidence points to credential compromise and staged privilege escalation

Protector System Analysis:

  • Payroll and HR systems are encrypted, blocking Friday payment workflow
  • Recovery confidence is limited by incomplete backup validation
  • Segmentation gaps allowed spread beyond finance into service-support systems

Tracker Network Investigation:

  • Exfiltration telemetry indicates substantial transfer of personnel and resident files
  • Beaconing patterns align with mature double-extortion operations
  • Internal traffic maps show movement from administrative accounts to core municipal systems

Communicator Stakeholder Interviews:

  • Employee groups need immediate clarity on payroll continuity and financial hardship support
  • Residents request guidance on identity-risk exposure and protective actions
  • Department leaders need a clear sequence for service restoration and public messaging

Mid-Scenario Pressure Points:

  • Hour 1: Payroll batch generation fails, and department heads demand immediate alternatives
  • Hour 2: Threat actors send sample employee records to prove exfiltration claims
  • Hour 3: Emergency-service support workflows degrade as shared systems remain unavailable
  • Hour 4: Media requests confirmation of resident-data exposure and incident scope

Evolution Triggers:

  • If containment is delayed, additional municipal systems lose access and queue critical requests
  • If recovery begins without validation, restored systems may reintroduce compromise
  • If communication is delayed, employee trust and resident confidence decline quickly

Resolution Pathways:

Technical Success Indicators:

  • Verified clean recovery path for payroll, HR, and service-support platforms
  • Evidence package preserved for law-enforcement and regulator coordination
  • Temporary service workflows established for critical municipal operations

Business Success Indicators:

  • Payroll continuity plan executed with transparent employee communication
  • Essential public services maintained with minimal interruption
  • Leadership keeps public trust through timely and factual status updates

Learning Success Indicators:

  • Team recognizes double-extortion leverage in municipal contexts
  • Participants practice balancing public accountability with technical uncertainty
  • Group coordinates operational, legal, and security decision-making under deadline pressure

Common IM Facilitation Challenges:

If Payroll Hardship Is Minimized:

“Which immediate action protects both payroll continuity and evidence integrity by end of day?”

If Public Accountability Is Deferred:

“How will you justify spending choices and response timing to employees, residents, and elected officials?”

If Regulatory Reporting Is Delayed:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Core payroll-continuity and data-exposure discovery
Key Actions: Protect payroll processing, scope exfiltration, issue first public status decision

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel containment, communication, and municipal-service prioritization
Key Actions: Build incident timeline, validate recovery path, sequence employee/resident notifications

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end municipal ransomware response under payroll deadline pressure
Key Actions: Coordinate city leadership with technical teams, make spending and disclosure calls, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Budget constraints, conflicting service priorities, and political oversight pressure
Additional Challenges: Ambiguous backup integrity, employee hardship escalation, and public records scrutiny

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Service Continuity with No Payment

    • Action: Isolate affected systems, execute emergency payroll fallback, restore from validated backups, and notify stakeholders promptly.
    • Pros: Preserves accountability and reduces dependence on attacker promises.
    • Cons: Short-term disruption may still delay selected municipal functions.
    • Type Effectiveness: Super effective for long-term resilience and trust.

  • Option B: Payment-Centered Acceleration

    • Action: Prioritize payment negotiation to seek rapid decryption while delaying broad disclosure.
    • Pros: May reduce immediate technical outage if decryption works.
    • Cons: No guarantee of deletion, high legal and trust risk, and weak strategic position.
    • Type Effectiveness: Partially effective and operationally fragile.

  • Option C: Evidence-First Phased Recovery

    • Action: Preserve forensic evidence, stage recovery, and sequence communications after initial scope confidence.
    • Pros: Improves quality of reporting and downstream legal defensibility.
    • Cons: Delay risk for payroll and resident communication commitments.
    • Type Effectiveness: Moderately effective when execution discipline is high.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Payroll Risk and Service Disruption (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Encryption interrupts payroll workflow and service-support operations.
  • Clue 2 (Minute 10): Forensics indicate exfiltration of personnel and resident files before encryption.
  • Clue 4 (Minute 20): Threat messages include sample records to increase payment pressure.

Round 2: Reporting and Governance Decisions (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Leadership receives escalating requests for public disclosure and employee guidance.
  • Clue 7 (Minute 50): Finance warns emergency procurement constraints may limit rapid recovery choices.
  • Clue 8 (Minute 55): Department heads request priority order for service restoration.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What is your minimum evidence threshold before confirming payroll continuity to staff?”
  • “Which decision cannot wait for complete forensic certainty?”
  • “How do you communicate uncertainty without losing employee and resident trust?”

Debrief Focus:

  • Integrating payroll continuity with incident-command priorities
  • Balancing legal defensibility with deadline pressure
  • Preserving trust when service quality changes during containment

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and municipal governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include targeted exfiltration, payroll workflow encryption, and expanding service impact.

If team stalls: “You can prioritize speed or confidence first. Which path is defensible to employees and residents by end of day?”

Round 2: Regulatory Coordination and Deadline Decisions (35-40 min)

  • Technical teams complete artifact collection and present recovery options with uncertainty bounds.
  • Leadership requests a clear recommendation for payroll processing and disclosure sequence.

Facilitation questions:

  • “What controls must be in place before releasing payroll and resident-facing systems?”
  • “How will you document rationale so choices remain defensible in later review?”

Round 3: Institutional Recovery and Governance Redesign (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with funding, ownership, and measurable outcomes.

Pressure events:

  • Employee groups request guarantees on payroll reliability and data protection
  • Residents demand evidence of concrete security improvement milestones
  • Budget officials challenge proposed controls against competing service priorities

Victory conditions for full 3-round arc:

  • Verified clean baseline for payroll and service-support platforms
  • Defensible reporting package for regulators and public oversight
  • Sustainable municipal security controls aligned to operational reality

Debrief Questions

  1. “Which early indicator most clearly signaled double-extortion leverage rather than a generic outage?”
  2. “How did payroll deadline pressure alter risk tolerance across leadership teams?”
  3. “What evidence was essential for credibility with employees, residents, and authorities?”
  4. “How can municipalities improve readiness before the next budget cycle forces tradeoff decisions?”

Debrief Focus

  • Municipal ransomware incidents combine service continuity risk with public-accountability pressure
  • Defensible response requires synchronized operational, legal, and technical decision-making
  • Long-term resilience depends on tested recovery, segmentation, and transparent governance

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A routine finance-system patch window overlaps with attacker activity and confuses timeline analysis.
  2. A separate vendor outage appears related but is operationally independent.
  3. A social-media rumor about insider sabotage diverts attention from concrete forensic evidence.

Removed Resources and Constraints

  • No prebuilt municipal ransomware playbook for payroll continuity
  • Backup inventory documentation is incomplete and partially outdated
  • Emergency procurement for tooling is constrained by spending thresholds

Enhanced Pressure

  • Employee representatives demand same-day payroll confidence statements
  • Residents request immediate details before full forensic scope is available
  • Council oversight requires defensible written rationale for each major decision

Ethical Dilemmas

  1. Delay selected services for stronger evidence confidence, or restore faster with higher residual risk.
  2. Issue broad notifications early, or wait for cleaner scope and risk under-reporting.
  3. Preserve full forensic chain-of-custody, or accelerate operational recovery at attribution cost.

Advanced Debrief Topics

  • Building municipal doctrine for ransomware plus data-extortion incidents
  • Structuring governance when public expectations and technical certainty diverge
  • Sustaining security investment when budgets compete with visible civic services