LockBit Scenario: Global Logistics Crisis
Planning Resources
Scenario Details for IMs
AtlasCorp Logistics
International shipping company operating 45 ports, with 8,500 employees globally
Key Assets At Risk:
- Global supply chain continuity
- Container tracking systems
- Customer cargo security
- International trade operations
Business Pressure
- Holiday shipping peak - any delays affect global supply chains
- Container security and tracking systems down
- Customer cargo at risk
Cultural Factors
- Company prioritized operational efficiency over security, leaving critical port systems vulnerable
- Backup systems were not properly isolated and international recovery coordination is complex
- Attackers accessed sensitive supply chain data including cargo manifests and customer trade secrets
Opening Presentation
“It’s Monday morning during peak holiday shipping season, and AtlasCorp Logistics is managing maximum container capacity across 45 international ports when every operational system displays ransom demands. Container tracking is down, port operations have halted, and 12,000 containers are stranded in transit. Executives receive direct contact from threat actors claiming to have stolen shipping manifests, customer data, and sensitive supply chain intelligence, threatening to disrupt global trade operations.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Major retailer threatens contract cancellation due to delayed holiday merchandise
- Hour 2: Threat actors publish sample shipping manifests revealing competitive supply chain intelligence
- Hour 3: International customs authorities report concerns about cargo security and tracking
- Hour 4: Port workers unable to safely operate without digital tracking and safety systems
Evolution Triggers:
- If ransom payment is made, attackers may target other supply chain companies with stolen intelligence
- If payment is refused, customer shipping data begins appearing on criminal marketplaces
- If recovery exceeds 72 hours, physical port operations face safety and regulatory compliance issues
Resolution Pathways:
Technical Success Indicators:
- Emergency manual operations procedures activated maintaining basic cargo processing
- International coordination established for recovery across multiple jurisdictions
- Supply chain partner security assessment and isolation to prevent reinfection
Business Success Indicators:
- Customer relationships maintained through transparent communication and alternative shipping solutions
- International operations restored with proper security controls and regulatory compliance
- Supply chain integrity protected through coordinated industry response
Learning Success Indicators:
- Team understands supply chain cybersecurity interdependencies and global impact
- Participants recognize international coordination requirements during crisis
- Group demonstrates crisis management balancing operational continuity with security response
Common IM Facilitation Challenges:
If International Coordination Is Overlooked:
“Your recovery plan is solid, but you’re operating across 45 ports in 23 countries with different regulations and law enforcement agencies. How do you coordinate international incident response?”
If Supply Chain Impact Is Underestimated:
“While you’re investigating, major retailers are reporting that holiday merchandise won’t reach stores in time, and automotive manufacturers are facing production shutdowns. How does supply chain responsibility affect your response?”
If Physical Safety Is Ignored:
“Your digital recovery is progressing, but port workers are asking whether it’s safe to operate heavy machinery and handle containers without digital tracking systems. How do you balance operational pressure with safety requirements?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish global logistics crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing supply chain ransomware impact and international coordination requirements.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of supply chain ransomware challenges. Use the full set of NPCs to create realistic holiday shipping pressures and international coordination complexity. The two rounds allow threat actors to escalate with supply chain intelligence releases, raising stakes. Debrief can explore balance between operational continuity and security response.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing container tracking operations, customer cargo security, international regulatory compliance, and global supply chain continuity. The three rounds allow for full narrative arc including ransomware’s supply-chain-specific impact and international coordination.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate port system updates causing unrelated tracking issues). Make containment ambiguous, requiring players to justify international decisions with incomplete information. Remove access to reference materials to test knowledge recall of ransomware behavior and supply chain security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “Digital forensics confirm LockBit ransomware, with operational systems encrypted across AtlasCorp’s 45 international port locations during peak holiday shipping season. Threat actors have contacted executives claiming to have stolen shipping manifests, customer data, and sensitive supply chain intelligence. Container tracking systems are down, with 12,000 containers stranded in transit and global trade operations affected.”
Clue 2 (Minute 10): “Network analysis shows the attackers gained initial access through a compromised supply chain partner’s email account and maintained persistent access for weeks, systematically targeting high-value cargo data and operational intelligence before encrypting. Backup assessment reveals that backup systems were not isolated from production, so each backup set must be verified clean before restore, and recovery must be coordinated across multiple jurisdictions and regulatory environments. The timeline indicates the attackers chose the holiday peak for maximum supply chain disruption and payment pressure.”
Clue 3 (Minute 15): “Threat actors published sample shipping manifests revealing competitive supply chain intelligence and customer trade secrets. Major retailers threatening contract cancellation as holiday merchandise won’t reach stores in time. International customs authorities expressing concerns about cargo security, tracking compliance, and port worker safety without digital systems.”
Pre-Defined Response Options
Option A: Emergency Manual Operations & Recovery Without Payment
- Action: Activate emergency manual cargo processing procedures, restore systems from verified clean backups with international coordination, refuse ransom payment, coordinate with customs authorities and supply chain partners for security assessment.
- Pros: Maintains supply chain security practices; demonstrates responsible global operations; supports international law enforcement cooperation.
- Cons: Recovery requires complex international coordination and affects operations for days; because backups were not isolated, each set must be validated as clean before use; stolen supply chain data will likely be publicly released; potential contract losses and competitive disadvantage.
- Type Effectiveness: Super effective against the Ransomware malmon type; verified clean backups enable recovery without funding a criminal enterprise that targets global supply chains.
Option B: Ransom Payment & Rapid Operations Recovery
- Action: Pay ransom to obtain decryption key and prevent supply chain data release, restore systems quickly to minimize holiday shipping disruption, implement enhanced security controls across international operations.
- Pros: Fastest path to container tracking restoration protecting holiday shipping operations; may prevent public release of customer supply chain intelligence.
- Cons: No guarantee attackers will honor the agreement, that the decryptor works, or that the stolen data is actually deleted; funds a criminal enterprise; payment may be prohibited where the actor is sanctioned; may encourage targeting of other supply chain companies.
- Type Effectiveness: Not effective against the Ransomware malmon type; addresses encryption but does not guarantee protection of the stolen supply chain data; funds continued global attacks.
Option C: International Phased Recovery & Supply Chain Coordination
- Action: Coordinate phased recovery across regions prioritizing critical shipping routes, engage with threat actors to delay timeline, simultaneously restore from backups, establish supply chain partner security protocols.
- Pros: Enables targeted recovery for most critical operations; demonstrates supply chain industry leadership; builds coordinated defense across logistics sector.
- Cons: Complex international coordination may slow recovery; negotiation may be interpreted as willingness to pay; lower-priority routes face extended delays.
- Type Effectiveness: Moderately effective against Ransomware threats; delays attack progression while enabling prioritized backup recovery; doesn’t guarantee supply chain intelligence protection.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Holiday Shipping Crisis & Supply Chain Paralysis (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Complete encryption across the global shipping network - 15 container terminals, 200 distribution centers, and the fleet systems of 5,000 delivery trucks. VP Sarah Park: “All tracking systems down during peak holiday shipping. $40M revenue at risk per day.”
- Clue 2 (Minute 10): Forensics reveal month-long persistent access, exfiltration of 2TB including customer supply chain routes, pricing contracts, proprietary logistics algorithms, competitive intelligence - attackers mapped entire global operation before encryption.
- Clue 3 (Minute 15): Operations Manager Martinez: “Manual cargo processing at 25% normal capacity. Container ships cannot offload. Retail clients threatening permanent carrier switch if holiday deliveries fail.”
- Clue 4 (Minute 20): Threat actors demand $6.5M within 72 hours and prove possession of the data by showing samples of customer routing data, pricing agreements, and logistics algorithms. “Your competitors would pay more for this supply chain intelligence than you’ll pay to protect it.”
Response Options:
- Option A: Emergency manual operations, international backup recovery, refuse payment | Type: Super effective for recovery, supply chain leadership
- Option B: Payment for rapid recovery, minimize holiday disruption | Type: Partially effective, supply chain risk precedent
- Option C: Phased regional recovery, supply chain coordination | Type: Moderately effective, complex coordination
Round 2: Supply Chain Intelligence & Competitive Exposure (30-35 min)
Investigation Clues:
- Clue 5: CISO confirms stolen data includes the routing algorithms that underpin AtlasCorp’s competitive advantage, pricing structures for major retail contracts, internal vulnerability assessments, and competitor analyses - proprietary supply chain intelligence worth hundreds of millions.
- Clue 6: Major retail client: “If our supply chain routes and volumes leak to competitors or public markets, we lose strategic advantage. Consider this in your response decisions.”
- Clue 7: Industry consortium reports similar ransomware attacks against three other global carriers - coordinated targeting of supply chain sector during holiday peak suggesting organized campaign.
- Clue 8: Cyber insurance covers incident response but excludes ransom payments. Total operational losses, recovery costs, and competitive damage estimated $80-120M even without payment.
Response Options:
- Option A: Full transparency, industry coordination, comprehensive security response | Type: Super effective for sector resilience
- Option B: Minimize disclosure, competitive intelligence protection focus | Type: Partially effective, potential customer trust issues
- Option C: Payment reconsideration to prevent competitive intelligence release | Type: Not effective, encourages supply chain targeting
Round Transition: Team’s choice determines whether AtlasCorp faces international coordination challenges, competitive intelligence exposure, or customer relationship crisis. Supply chain intelligence theft threatens competitive positioning. Industry-wide attack pattern suggests coordinated targeting. Insurance inadequate. Must balance holiday operations, customer commitments, competitive advantage protection, and sector resilience during a global ransomware campaign.
Debrief Focus: Double extortion targeting supply chain intelligence; Global operations coordination in ransomware response; Competitive intelligence protection; Supply chain sector resilience; International law enforcement coordination
Full Game Materials (120-140 min, 3 rounds)
[Abbreviated format]
Round 1: Monday morning, peak season. 15 terminals encrypted. 2TB supply chain intelligence stolen. Park faces impossible choice between holiday operations and competitive protection.
Investigation: LockBit ransomware, month of persistent access, systematic supply chain mapping, proprietary logistics algorithms exfiltration, international scope
NPCs: Sarah Park (revenue crisis), Carlos Martinez (operations paralysis), Linda Zhang (backup complexity), Customer executives (competitive intelligence concerns)
Pressure: Retail clients threatening carrier switch; Container ships backing up; Competitor carriers taking market share; Holiday timeline absolute
Round 2: Proprietary routing algorithms stolen. Major customer supply chain intelligence compromised. Industry-wide attack pattern. Recovery requires international coordination across 15 terminals.
Round 3: Supply chain sector cybersecurity evolution. Competitive intelligence protection in digital logistics. Industry coordination frameworks. Prevention balancing global operations with security.
Debrief: Ransomware targeting supply chain infrastructure; Global operations resilience; Competitive intelligence in ransomware decisions; Sector-wide coordination; International incident response
Advanced Challenge Materials (150-170 min)
Red Herrings: Equipment malfunctions; Holiday volume strain; Labor disputes; Competitor market activities
Removed Resources: Limited global security expertise; International coordination complexity; Customer approval dependencies; Insurance coverage gaps
Enhanced Pressure: Specific retail client supply chain failures; Competitor exploitation; Regulatory investigations; Industry reputation damage
Ethical Dilemmas: Customer operations vs payment prohibition; Competitive intelligence vs transparency; Regional priority vs global fairness; Sector coordination vs competitive positioning
Advanced Debrief: Supply chain ransomware evolution; Global operations incident response; Competitive intelligence protection frameworks; Industry coordination in cybersecurity; International law enforcement cooperation