LockBit Scenario: Transport and Shipping Crisis

Pacific Coast Logistics: Shipping and logistics company with 1,200 employees and 50 vessels
Ransomware • LockBit
STAKES
Supply chain continuity + Cargo integrity + Crew and port safety + Contractual reliability
HOOK
Operations teams at Pacific Coast Logistics report vessel-scheduling consoles locking up, cargo-tracking dashboards failing across terminals, and dispatch workstations displaying extortion notes. Network telemetry shows abnormal outbound transfers from shipment-manifest repositories, while threat messages claim customer shipping records and route-planning data were copied and will be released.
PRESSURE
  • Deadline for stabilized operations: Friday 6:00 PM
  • Cargo units at risk: 11,500
  • Active fleet exposure: 50 vessels
  • Extortion demand: $6.5 million
Session length: 120 minutes • Difficulty: Advanced
NPCs
  • Captain James Archer (CEO): Owns executive decisions on continuity, payment posture, and customer confidence
  • Maria Santos (CTO): Leads containment and technical recovery sequencing
  • Frank Morrison (Fleet Operations Director): Manages vessel movement and terminal workflow under disruption
  • Jennifer Park (CISO): Coordinates evidence handling, reporting, and cyber-authority engagement
SECRETS
  • Security hardening on legacy terminal systems was deferred to avoid operational slowdowns
  • Backup restoration testing for dispatch infrastructure was incomplete
  • Attackers accessed route and manifest repositories before encryption

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

LockBit Global Logistics Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

LockBit Transport/Shipping Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning: Initial User Reports
  • “Dispatch and berth-allocation consoles display extortion notes and reject operator input”
  • “Cargo-tracking dashboards fail across terminals, leaving shipment status uncertain”
  • “Operations teams report manifest exports inaccessible for customs and handoff workflows”
  • “Threat messages claim copied shipping records will be released unless payment is made”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline analysis shows staged privilege escalation before encryption
  • Access logs indicate targeted collection of manifest and route-planning datasets
  • Initial vector traces to compromised credentials used in operations support workflows

Protector System Analysis:

  • Dispatch, scheduling, and cargo-tracking systems are encrypted across multiple hubs
  • Recovery confidence is reduced by incomplete validation of backup integrity
  • Segmentation gaps allowed spread from administrative systems into operational tooling

Tracker Network Investigation:

  • Exfiltration telemetry confirms outbound transfers from manifest and routing repositories
  • External infrastructure patterns align with organized double-extortion operations
  • Lateral movement indicates deliberate targeting of high-impact maritime workflows

Communicator Stakeholder Interviews:

  • Customers request immediate guidance on cargo delays and documentation integrity
  • Terminal leaders need safe-operating guidance while digital systems remain degraded
  • Legal and commercial teams require a clear disclosure and contractual-response sequence

Mid-Scenario Pressure Points:

  • Hour 1: Vessel sequencing fails at multiple terminals and backlog grows rapidly
  • Hour 2: Threat actors publish sample manifest records to prove exfiltration
  • Hour 3: Key customers request formal assurance on cargo-location integrity
  • Hour 4: Port safety teams warn that degraded digital support raises operational risk

Evolution Triggers:

  • If containment is delayed, additional terminal systems lose visibility and control functions
  • If recovery starts without validation, compromised systems may re-enter production
  • If communication lags, customer trust and contractual flexibility decline sharply

Resolution Pathways:

Technical Success Indicators:

  • Verified clean recovery path for dispatch, manifest, and tracking infrastructure
  • Evidence package preserved for authority and investigative coordination
  • Safe interim operating procedures established for high-priority routes

Business Success Indicators:

  • Customer commitments are reprioritized using transparent, risk-based criteria
  • Safety and compliance obligations remain intact while systems recover
  • Leadership preserves confidence through timely and factual status updates

Learning Success Indicators:

  • Team recognizes how ransomware pressure amplifies in maritime logistics networks
  • Participants practice balancing operational urgency with evidence discipline
  • Group coordinates technical, operational, and executive decisions under deadline pressure

Common IM Facilitation Challenges:

If Safety Is Treated as Secondary:

“Which operations continue safely right now, and which must pause until tracking and manifest integrity are verified?”

If Customer Communication Is Delayed:

“What minimum evidence threshold lets you issue credible route and delay guidance by end of day?”

If Reporting Is Deferred:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Core dispatch disruption and exfiltration discovery
Key Actions: Protect safe operations, scope data exposure, issue first customer status posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel containment, route prioritization, and disclosure sequencing
Key Actions: Build incident timeline, validate recovery path, align operational and legal messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end maritime ransomware response under active shipping pressure
Key Actions: Coordinate leadership and fleet operations, make payment/disclosure calls, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Multi-jurisdiction constraints, contractual disputes, and safety-governance conflicts
Additional Challenges: Uncertain backup trust, cascading route delays, and rising commercial pressure

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Safety-First Recovery Without Payment

    • Action: Isolate affected systems, activate safe interim maritime operations, restore from validated backups, and notify stakeholders promptly.
    • Pros: Preserves safety governance and reduces dependence on attacker promises.
    • Cons: Short-term throughput reduction and contract pressure may increase.
    • Type Effectiveness: Super effective for durable operational recovery.
  • Option B: Payment-Centered Acceleration

    • Action: Prioritize payment negotiation to seek rapid decryption while delaying broader disclosure.
    • Pros: May shorten outage duration if decryption succeeds.
    • Cons: No guarantee on deletion or decryption quality, with high legal and trust risk.
    • Type Effectiveness: Partially effective and strategically unstable.
  • Option C: Evidence-First Phased Recovery

    • Action: Preserve forensic evidence, sequence route restoration by criticality, and communicate after initial scope confidence.
    • Pros: Improves legal and contractual defensibility of decisions.
    • Cons: Delay risk for lower-priority lanes and customer commitments.
    • Type Effectiveness: Moderately effective when execution discipline is strong.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Dispatch Failure and Route Risk (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Encryption disrupts dispatch, scheduling, and cargo-tracking workflows.
  • Clue 2 (Minute 10): Forensics identify exfiltration of manifests and route data before encryption.
  • Clue 4 (Minute 20): Threat messages include sample records to increase pressure.

Round 2: Reporting and Commercial Decisions (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Leadership receives escalating customer demands for route-status assurance.
  • Clue 7 (Minute 50): Legal and commercial teams request defensible communication thresholds.
  • Clue 8 (Minute 55): Operations leaders request priority lane sequencing for recovery.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What minimum evidence is required before asserting cargo-status confidence to customers?”
  • “Which decision must be made now rather than deferred for full certainty?”
  • “How do you preserve safety and credibility while communicating uncertainty?”

Debrief Focus:

  • Integrating maritime safety constraints into incident-command decision-making
  • Balancing route continuity with legal and contractual obligations
  • Maintaining trust when technical confidence evolves across recovery phases

Full Game Materials (120-140 min, 3 rounds)

Note: How Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and maritime-governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include targeted exfiltration, dispatch encryption, and expanding route risk.

If team stalls: “You can prioritize speed or confidence first. Which path is defensible to customers, crews, and authorities by end of day?”

Round 2: Regulatory Coordination and Deadline Decisions (35-40 min)

  • Technical teams complete artifact collection and present route-restoration options with uncertainty bounds.
  • Leadership requests a clear recommendation for disclosure timing and operational posture.

Facilitation questions:

  • “What controls must be in place before resuming full-volume terminal operations?”
  • “How will you document rationale so later review supports your decisions?”

Round 3: Institutional Recovery and Sector Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with measurable safety, security, and continuity outcomes.

Pressure events:

  • Strategic customers request proof of sustained control improvements
  • Insurers and auditors request owner-assigned milestones with measurable risk reduction
  • Operations teams request controls that preserve throughput without compromising safety

Victory conditions for full 3-round arc:

  • Verified clean baseline for dispatch, manifest, and tracking systems
  • Defensible reporting package for authorities, customers, and insurers
  • Durable maritime-security controls aligned to operational reality

Debrief Questions

  1. “Which early indicator most clearly signaled coordinated extortion leverage rather than isolated outage?”
  2. “How did shipping deadline pressure alter risk tolerance across executive and operations teams?”
  3. “What evidence was essential for credibility with authorities and major customers?”
  4. “How can maritime operators strengthen readiness without sacrificing operational efficiency?”

Debrief Focus

  • Maritime ransomware incidents combine commercial pressure with safety-critical operational risk
  • Defensible response requires synchronized technical, operational, and governance decisions
  • Long-term resilience depends on tested recovery, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. Routine terminal-maintenance changes overlap with attacker activity and complicate timeline analysis.
  2. A weather-driven delay appears cyber-related but is operationally independent.
  3. A rumored insider compromise diverts focus from high-confidence forensic evidence.

Removed Resources and Constraints

  • No prebuilt playbook for simultaneous multi-terminal ransomware response
  • Backup inventory and restoration runbooks are incomplete across regions
  • Emergency procurement for tooling is constrained by governance and approval windows

Enhanced Pressure

  • Customers demand same-day confidence statements on cargo integrity and delays
  • Port partners request immediate detail before full forensic scope is established
  • Executive leadership requires written rationale for every high-impact decision

Ethical Dilemmas

  1. Delay selected routes for stronger evidence confidence, or restore faster with higher residual risk.
  2. Issue broad notifications early, or wait for cleaner scope and risk under-reporting.
  3. Preserve full forensic integrity, or accelerate operational recovery at attribution cost.

Advanced Debrief Topics

  • Building maritime doctrine for ransomware plus data-extortion incidents
  • Structuring governance when commercial urgency and technical certainty diverge
  • Sustaining security investment in safety-critical transport operations