LockBit Scenario: Global Logistics Crisis

AtlasCorp Logistics: International shipping company operating 45 ports, 8,500 employees globally
Ransomware • LockBit
STAKES
Global supply chain continuity + Container tracking systems + Customer cargo security + International trade operations
HOOK
AtlasCorp Logistics is managing peak holiday shipping season with containers at maximum capacity across 45 international ports when all operational systems display ransom demands. Threat actors contact executives claiming to have stolen shipping manifests, customer data, and supply chain intelligence, threatening to disrupt global trade operations. With thousands of containers in transit and ports unable to process cargo, the company faces a complete operational shutdown during its most critical revenue period.
PRESSURE
Holiday shipping peak - any delays affect global supply chains + Container security and tracking systems down + Customer cargo at risk
FRONT • 120 minutes • Advanced
NPCs
  • Alexandra Chen (CEO): Managing the global operations crisis while coordinating with international authorities; must balance shareholder interests with supply chain responsibility
  • Roberto Martinez (CTO): Dealing with complete system encryption affecting port operations worldwide, assessing data theft scope while coordinating recovery across multiple time zones
  • Sarah Kim (Port Operations Director): Cannot track or process 12,000 containers currently in transit, managing customer communications while coordinating manual operations
  • James Peterson (Security Director): Managing international incident response including customs authorities and supply chain partners, coordinating with multiple law enforcement agencies
SECRETS
  • Company prioritized operational efficiency over security, leaving critical port systems vulnerable
  • Backup systems were not properly isolated and international recovery coordination is complex
  • Attackers accessed sensitive supply chain data including cargo manifests and customer trade secrets

Scenario Details for IMs

Opening Presentation

“It’s Monday morning during peak holiday shipping season, and AtlasCorp Logistics is managing maximum container capacity across 45 international ports when every operational system displays ransom demands. Container tracking is down, port operations have halted, and 12,000 containers are stranded in transit. Executives receive direct contact from threat actors claiming to have stolen shipping manifests, customer data, and sensitive supply chain intelligence, threatening to disrupt global trade operations.”

Initial Symptoms to Present:

  • “All port operational systems displaying ransom demands with supply-chain-specific threats”
  • “Container tracking systems completely encrypted affecting 12,000 containers in transit”
  • “Threat actors contacted executives claiming to have stolen shipping manifests and customer data”
  • “International ports unable to process incoming or outgoing cargo”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal systematic targeting of supply chain data and operational intelligence
  • Analysis shows initial compromise through a supply chain partner's email system
  • Timeline indicates attackers maintained access across multiple international systems for weeks

Protector System Analysis:

  • Complete encryption of port operations affecting global cargo processing
  • Backup assessment reveals complex international recovery requirements
  • Network analysis shows lateral movement across multiple countries and regulatory jurisdictions

Tracker Network Investigation:

  • Data exfiltration analysis reveals theft of sensitive shipping manifests and customer trade data
  • Communication analysis shows professional operation with supply chain industry knowledge
  • Evidence of reconnaissance targeting specific high-value cargo and trade routes

Communicator Stakeholder Interviews:

  • Customer communications regarding delayed cargo and potential data exposure
  • International coordination with customs authorities and port management agencies
  • Supply chain partner notifications about potential compromise and operational impact

Mid-Scenario Pressure Points:

  • Hour 1: Major retailer threatens contract cancellation due to delayed holiday merchandise
  • Hour 2: Threat actors publish sample shipping manifests revealing competitive supply chain intelligence
  • Hour 3: International customs authorities report concerns about cargo security and tracking
  • Hour 4: Port workers unable to safely operate without digital tracking and safety systems

Evolution Triggers:

  • If ransom payment is made, attackers may target other supply chain companies with stolen intelligence
  • If payment is refused, customer shipping data begins appearing on criminal marketplaces
  • If recovery exceeds 72 hours, physical port operations face safety and regulatory compliance issues

Resolution Pathways:

Technical Success Indicators:

  • Emergency manual operations procedures activated, maintaining basic cargo processing
  • International coordination established for recovery across multiple jurisdictions
  • Supply chain partner security assessment and isolation to prevent reinfection

Business Success Indicators:

  • Customer relationships maintained through transparent communication and alternative shipping solutions
  • International operations restored with proper security controls and regulatory compliance
  • Supply chain integrity protected through coordinated industry response

Learning Success Indicators:

  • Team understands supply chain cybersecurity interdependencies and global impact
  • Participants recognize international coordination requirements during crisis
  • Group demonstrates crisis management balancing operational continuity with security response

Common IM Facilitation Challenges:

If International Coordination Is Overlooked:

“Your recovery plan is solid, but you’re operating across 45 ports in 23 countries with different regulations and law enforcement agencies. How do you coordinate international incident response?”

If Supply Chain Impact Is Underestimated:

“While you’re investigating, major retailers are reporting that holiday merchandise won’t reach stores in time, and automotive manufacturers are facing production shutdowns. How does supply chain responsibility affect your response?”

If Physical Safety Is Ignored:

“Your digital recovery is progressing, but port workers are asking whether it’s safe to operate heavy machinery and handle containers without digital tracking systems. How do you balance operational pressure with safety requirements?”

Success Metrics for Session: