LockBit Scenario: Global Logistics Crisis
Planning Resources
Scenario Details for IMs
Detailed Context
Organization Profile
AtlasCorp Logistics is a publicly-traded international container shipping and logistics company founded in 1978, operating 45 container port terminals across 23 countries on five continents with concentrations in major global trade hubs: North America (Los Angeles/Long Beach, Oakland, Seattle, Vancouver, Houston, Miami, New York/Newark), Europe (Rotterdam, Hamburg, Antwerp, Felixstowe, Le Havre, Barcelona), Asia-Pacific (Singapore, Shanghai, Hong Kong, Tokyo, Busan, Sydney), Middle East (Dubai, Abu Dhabi, Jeddah), and Latin America (Santos, Buenos Aires, Cartagena). The company employs 8,500 people globally including port operations (4,200 terminal workers, crane operators, equipment maintenance), logistics coordination (1,800 supply chain analysts, customer service, operations planning), maritime operations (850 vessel schedulers, harbor pilots, nautical staff), IT infrastructure (420 developers, network engineers, security specialists), and corporate management (1,230 executives, finance, legal, HR, compliance).
AtlasCorp handles approximately 2.8 million TEU (twenty-foot equivalent unit containers) annually worth estimated $340B cargo value, providing integrated end-to-end logistics services: ocean shipping (vessel scheduling, cargo booking, documentation), port terminal operations (container offloading, yard storage, customs clearance, intermodal connections), inland transportation (rail drayage, truck delivery), warehousing and distribution, and specialized services for temperature-controlled pharmaceuticals, hazardous materials, oversized equipment, and automotive components requiring just-in-time delivery precision. The company generates $4.2B annual revenue with 8.5% operating margin (industry average 6-7%), serving major customers including global retailers (Walmart, Target, Amazon requiring holiday merchandise delivery), automotive manufacturers (Toyota, Volkswagen, Ford depending on component shipments for production lines), pharmaceutical companies (requiring temperature-controlled supply chains for drug distribution), consumer electronics (Apple, Samsung with seasonal product launches), and agricultural exporters.
The fourth quarter (October-December) represents 42% of annual revenue driven by holiday retail shipping peak, back-to-school consumer goods, agricultural harvest exports, and year-end automotive production supporting new model year launches. December specifically handles 850,000 container moves (30% above annual average) requiring maximum operational capacity, overtime workforce scheduling, extended terminal operating hours, and coordination with vessel schedules where delays create cascading disruptions affecting global trade. AtlasCorp’s IT infrastructure supports all global operations through integrated systems: vessel scheduling and cargo booking platform, container tracking providing real-time location/status for customers, terminal operating system (TOS) coordinating crane operations/yard management/gate processing, customs documentation and regulatory compliance, billing and financial management, warehouse management systems, and communications infrastructure connecting 45 international facilities operating across 15 time zones with different regulatory requirements and languages.
Key Assets & Impact
Global Container Tracking Systems (12,000 Active Containers): AtlasCorp’s competitive advantage depends on real-time container tracking providing customers instant visibility into cargo location, estimated arrival times, customs clearance status, and delivery scheduling through web portal and mobile applications. The tracking system monitors 12,000 containers currently in transit (Monday December 18 snapshot) worth estimated $2.1B total cargo value including: holiday retail merchandise for major retailers ($850M cargo value—toys, electronics, apparel, home goods with absolute December 24 delivery deadline for Christmas sales), automotive components for just-in-time manufacturing ($620M—engine parts, transmissions, electronics requiring precise delivery scheduling where delays shut down assembly lines), pharmaceutical products requiring temperature monitoring ($380M—vaccines, biologics, prescription drugs with cold chain compliance), consumer electronics for product launches ($185M—smartphones, laptops, gaming systems), and agricultural exports ($65M—produce, coffee, cocoa with quality deterioration if delayed). Complete tracking system unavailability means customers cannot determine cargo location, plan receiving operations, coordinate warehouse staffing, schedule delivery appointments, or provide end-customer delivery commitments—creating customer communication crisis where AtlasCorp cannot answer basic “where is my container?” questions that define professional logistics service expectations.
Holiday Peak Operations (Q4 Revenue Concentration): December operations generate $1.47B revenue (35% of quarterly total, 12.3% of annual revenue) through container terminal services, ocean freight charges, inland transportation, warehousing, and value-added services. The holiday peak reflects fundamental supply chain economics: retailers finalize merchandise orders in September for November arrival allowing pre-Thanksgiving inventory stocking, consumers concentrate 40% annual purchasing in November-December creating absolute delivery deadlines, and manufacturing supply chains accelerate component shipments supporting year-end production targets. AtlasCorp’s December terminal capacity is contracted 95% (compared to 75% annual average) through customer commitments made 6-9 months in advance, meaning operational disruptions cannot be absorbed through schedule flexibility or alternative routing—delayed containers miss critical windows where retail shelf space goes to competitors who delivered on time, automotive plants face production shutdowns where component shortages cost $22,000 per minute of assembly line downtime, and pharmaceutical distribution delays affect patient medication availability. Five-to-seven day recovery timeline during December 18-25 window means holiday merchandise arrives after Christmas (eliminating sales value), automotive shipments miss year-end production quotas (affecting manufacturer quarterly earnings), and consumer electronics miss product launch windows (costing hundreds of millions in lost market momentum).
Customer Supply Chain Intelligence (Proprietary Competitive Data): AtlasCorp’s systems contain sensitive competitive intelligence that customers and competitors value more than individual shipment data: proprietary routing algorithms optimizing container movements across multi-modal networks (reducing costs 12-15% compared to standard routing, representing competitive advantage worth hundreds of millions annually), customer-specific pricing contracts revealing negotiated rates and volume discounts (information competitors would exploit to undercut pricing or demand equivalent terms), supply chain routing patterns showing retail distribution strategies (Walmart’s import volumes, regional distribution timing, seasonal inventory positioning revealing retail forecasting and marketing plans), automotive component sourcing revealing manufacturing strategies (which suppliers provide which parts, production volume indicators, new model development timelines from component shipment patterns), pharmaceutical distribution networks showing drug launch timelines and market prioritization, and vulnerability assessments documenting security weaknesses across terminal operations (information enabling targeted attacks). Unauthorized disclosure doesn’t just violate customer confidentiality—it destroys competitive positioning where retailers’ supply chain strategies worth billions in market advantage become visible to competitors, manufacturers’ sourcing decisions reveal product development roadmaps competitors use for strategic planning, and pharmaceutical companies’ distribution patterns telegraph drug launch timing affecting stock prices and competitive positioning.
International Port Operations (45 Terminals, 23 Regulatory Jurisdictions): AtlasCorp port terminals operate under complex international regulatory framework requiring compliance with: International Ship and Port Facility Security Code (ISPS requiring background checks, access controls, surveillance, security plans approved by national maritime authorities), customs regulations in 23 countries (cargo inspection, documentation, duty collection, restricted goods screening), environmental protections (emissions monitoring, hazardous materials handling, waste management, water quality), labor laws and union agreements (varying by country with different safety requirements, working hour limits, certification requirements), and maritime safety standards (crane operations, heavy equipment, hazardous cargo handling requiring specific certifications and procedures). Terminal operations depend on integrated systems coordinating: vessel arrival scheduling (coordinating ship berth allocation, pilot services, tugboat assistance), container crane operations (loading/unloading requiring precise tracking to prevent misplacement or damage), yard management (organizing container storage for efficient retrieval, separating hazardous materials, maintaining cold chain for refrigerated cargo), gate operations (truck driver check-in, container release authorization, customs clearance verification), and intermodal connections (rail loading, inland transportation scheduling). Complete system unavailability forces emergency manual operations where handwritten manifests replace digital tracking (creating container location errors, cargo misidentification, customs documentation mistakes), radio communications replace integrated dispatch (degrading coordination efficiency), and paper-based customs processing creates clearance delays (causing cargo to miss connecting transportation, incur demurrage charges, and violate regulatory deadlines).
Immediate Business Pressure
Monday December 18, 7:45 AM EST Crisis Discovery—Peak Holiday Shipping Week: Roberto Martinez (CTO) receives overnight alerts from European operations that terminal operating systems across Rotterdam, Hamburg, and Antwerp are displaying LockBit ransom messages. Within 90 minutes, the crisis scales globally: Los Angeles/Long Beach terminals encrypted during Sunday night (affecting largest North American container port complex handling 40% of US imports), Singapore and Shanghai terminals encrypted during Monday morning operations (affecting Asia-Pacific export hub), Dubai terminal encrypted (affecting Middle East transshipment operations), and remaining 40 terminals reporting similar encryption affecting all customer-facing systems (cargo booking, container tracking, billing), terminal operating systems (crane operations, yard management, gate processing), vessel scheduling platforms, customs documentation systems, and internal communications infrastructure. Only isolated safety systems (fire suppression, crane emergency stops, hazardous materials monitoring) remain operational due to network segmentation, preventing immediate safety crisis but leaving all commercial operations dependent on emergency manual protocols.
9:30 AM EST CEO Receives Direct Threat Actor Contact: Alexandra Chen’s personal email receives message from LockBit affiliate providing proof of data exfiltration: sample files containing AtlasCorp’s proprietary routing algorithms (mathematical models optimizing container movements across multi-modal networks worth estimated $400M competitive advantage), customer pricing contracts (Walmart negotiated rates 23% below published tariffs, Amazon volume discounts, automotive manufacturer just-in-time delivery premiums), and shipping manifests revealing competitive intelligence (retail import volumes indicating seasonal inventory strategies, pharmaceutical distribution patterns showing drug launch timing, automotive component sourcing revealing production planning). The threat actor message demonstrates sophisticated understanding of logistics economics: “72-hour deadline. Pay $6.5M or your routing algorithms get published on criminal marketplaces where your competitors will reverse-engineer them, customer contracts get released showing which clients pay premium rates and which get discounts, and supply chain data gets sold revealing retail forecasting strategies worth billions. We already have buyers for this intelligence—your competitors offered $12M but we’re giving you first chance to protect your market position.”
10:15 AM EST Major Customer Escalation—Holiday Delivery Crisis: Sarah Kim (Port Operations Director) receives emergency calls from key customers: Walmart logistics executive reports that 340 containers of holiday merchandise (toys, electronics, home goods) are stranded at Los Angeles terminal with retail distribution centers unable to determine arrival timing, stores facing stockouts for final pre-Christmas shopping weekend, and supply chain leadership demanding immediate resolution or permanent carrier switch to competitors who can provide reliable service. Toyota supply chain manager reports that 85 containers of automotive components (engines, transmissions, electronics modules) are stalled at Long Beach terminal, three North American assembly plants will run out of parts within 48 hours forcing production shutdown costing $22,000 per minute of downtime, and corporate leadership questioning AtlasCorp’s operational resilience and considering contract termination. Pfizer logistics director reports that 12 refrigerated containers of pharmaceutical products requiring temperature-controlled supply chain are somewhere in AtlasCorp’s system without tracking visibility, regulatory compliance requires continuous cold chain monitoring, and any temperature excursion will force $45M product destruction with patient medication shortages during flu season peak demand.
2:00 PM EST Threat Actor Intelligence Publication and Investor Crisis: LockBit affiliate publishes sample shipping manifests on criminal marketplace demonstrating data theft scope: Walmart’s November-December import manifest showing 15,200 containers with product categories, volumes, routing patterns revealing retail inventory positioning and seasonal forecasting strategy (information competitors can exploit for market advantage), automotive manufacturer component sourcing showing which suppliers provide which parts with volume indicators revealing production rates and new model development timelines (enabling competitor intelligence analysis), and pharmaceutical distribution data showing which drugs are being shipped to which regions in what volumes (telegraphing drug launch strategies and market prioritization affecting stock prices). AtlasCorp’s stock price drops 18% in afternoon trading as investors recognize operational crisis during highest-revenue quarter, competitive intelligence exposure threatening long-term market position, and potential customer defections. The company’s investor relations team receives analyst calls demanding: incident scope briefing, revenue impact assessment, customer retention strategy, ransom payment consideration, recovery timeline, and management accountability for cybersecurity failure affecting global operations during critical business period.
Cultural & Organizational Factors
Operational efficiency prioritization creating security-operations tension in competitive logistics market: Container shipping operates on 6-7% average operating margins (AtlasCorp’s 8.5% is above industry average) where minor operational inefficiencies directly reduce profitability in commodity market with fierce price competition. Security measures requiring additional authentication steps, network segmentation limiting system integration, or redundant backup infrastructure consuming operational budget compete against customer-facing investments delivering measurable operational advantages: faster vessel turnaround times (reducing port calls from 18 hours to 14 hours enabling additional weekly vessel rotations generating millions in additional revenue), automated gate processing (reducing truck driver wait times from 45 minutes to 12 minutes improving customer satisfaction and enabling higher throughput), integrated tracking providing real-time visibility (differentiating AtlasCorp from competitors offering basic location updates), and streamlined customs clearance (reducing cargo dwell time from 3.5 days to 2.1 days improving cash flow and customer service). CTO Roberto Martinez proposed $8.2M cybersecurity initiative in February 2024 budget planning (network segmentation isolating critical operational systems, endpoint detection and response tools, security operations center staffing, backup infrastructure with offline isolation, incident response planning) emphasizing ransomware targeting of logistics sector and supply chain dependencies. 
The proposal faced CFO challenge questioning ROI compared to operational investments: “Your security spending shows zero revenue increase and no customer satisfaction improvement—how do I justify $8.2M that doesn’t contribute to competitive positioning when we could invest in automated equipment generating 15% throughput improvement?” The security initiative was reduced to $3.1M focusing on compliance requirements (customs data protection, ISPS Code security standards, financial audit controls) rather than operational resilience, with executive leadership requiring security investments to demonstrate business value beyond risk mitigation. The decision reflected rational capital allocation in competitive market—investing scarce resources in measurable operational improvements differentiating AtlasCorp from competitors rather than hypothetical security scenarios that hadn’t yet materialized with direct business impact.
Backup isolation failure through operational integration requirements and international complexity: AtlasCorp’s global IT architecture prioritizes integration enabling seamless operations across 45 terminals, 15 time zones, and 23 regulatory jurisdictions—cargo booked in Los Angeles automatically populates vessel scheduling in Shanghai, container tracking updates propagate to customer portals worldwide, customs documentation flows to appropriate national authorities, billing systems consolidate international transactions, and management dashboards provide real-time visibility into global operations. This integration depends on centralized databases, shared application servers, common authentication systems, and high-speed network connectivity linking all facilities—architecture optimized for operational efficiency but creating security challenges where backup isolation conflicts with integration requirements. IT department maintained backups meeting compliance requirements (financial data retention for seven-year audit periods, customs documentation preservation per international trade regulations, customer records for contract disputes) but backup systems required network connectivity for automated data replication across geographic regions (European backup server receiving North American terminal data, Asia-Pacific backup receiving Middle Eastern operations data enabling international disaster recovery). Security architecture team proposed offline backup isolation (air-gapped systems receiving data via physical media transfers, maintaining independent authentication, storing data without network connectivity) but operations leadership rejected proposal because offline backups couldn’t support rapid recovery meeting customer service commitments where 24-hour terminal downtime violates service level agreements and triggers penalty clauses. 
When LockBit encrypted production systems Monday morning, attackers had already encrypted network-connected backup infrastructure through lateral movement across integrated global network—leaving only compliance-focused tape archives that could restore historical data but couldn’t rapidly rebuild complete operational environment requiring integrated systems coordinated across international facilities. The backup inadequacy wasn’t negligence but architectural trade-off where operational integration supporting customer service excellence created security vulnerability that offline isolation would have mitigated at cost of integration benefits differentiating AtlasCorp from competitors.
Supply chain partner integration creating trusted access pathway for sophisticated compromise: Modern logistics operations depend on extensive partner ecosystem integration where AtlasCorp systems connect directly with: ocean carrier vessel scheduling systems (coordinating container bookings, ship arrival notifications, cargo manifest exchanges), trucking company dispatch systems (automating gate appointments, container pickup authorizations, delivery confirmations), rail operator logistics platforms (coordinating intermodal transfers, track-and-trace integration, billing automation), customs broker documentation systems (enabling electronic cargo clearance, duty payment processing, regulatory compliance), warehouse management systems (coordinating inland storage, inventory management, distribution scheduling), and customer enterprise resource planning systems (providing real-time supply chain visibility, automated shipment notifications, invoice processing). These integrations require API connections, shared authentication, data exchange protocols, and sometimes VPN access to AtlasCorp’s internal networks, an architecture that enables seamless supply chain coordination but creates security exposure where a partner compromise becomes an AtlasCorp vulnerability. In October 2024 a LockBit affiliate compromised a European customs broker (a small 45-person firm handling documentation for multiple logistics companies) through a conventional phishing attack targeting the office manager. The affiliate then used the customs broker’s legitimate VPN credentials, which give access to AtlasCorp’s network for container documentation exchange; moved laterally from the customs integration zone into the broader corporate network by exploiting insufficient segmentation; and spent six weeks mapping AtlasCorp’s global infrastructure, identifying high-value data repositories (routing algorithms, customer contracts, competitive intelligence), and preparing the encryption campaign.
Neither AtlasCorp security monitoring nor customs broker’s limited IT staff detected sophisticated nation-state-quality tradecraft exploiting legitimate business relationship and trusted integration pathway. The compromise mechanism exploited fundamental supply chain reality—logistics efficiency depends on partner integration and trusted data exchange where security measures (strong authentication, network segmentation, partner security audits, integration monitoring) conflict with operational requirements for rapid seamless coordination enabling just-in-time delivery precision and customer service excellence that competitive logistics market demands.
Operational Context
Container terminal operations and integrated system dependencies: Modern container port terminals operate as complex integrated systems coordinating vessel operations, cargo handling, yard management, and intermodal connections through digital automation replacing manual processes. Vessel arrival triggers coordinated sequence: harbor pilot boards ship providing navigation into port berth (requiring vessel scheduling system coordinating berth allocation, tide calculations, tugboat availability), crane operators receive container discharge plan showing which containers to offload in which sequence (optimizing vessel stability during unloading, minimizing crane repositioning, prioritizing time-sensitive cargo), yard management system assigns storage locations (separating hazardous materials, grouping containers for same destination, maintaining refrigerated container power connections, positioning export containers for efficient vessel loading), gate system authorizes truck drivers to retrieve specific containers (verifying customs clearance, confirming payment, ensuring proper chassis and equipment), and customs integration validates regulatory compliance (confirming inspection requirements, duty payment, restricted goods screening). This coordination moves containers from vessel to truck/rail in 36-48 hours (compared to 5-7 days for manual operations) enabling supply chain velocity where retailers receive merchandise days faster, automotive manufacturers maintain just-in-time delivery precision, and pharmaceutical temperature-controlled shipments minimize exposure time. 
Complete system encryption forces emergency manual operations: handwritten vessel discharge plans created from ship’s manifest (prone to errors causing container misplacement, cargo damage, customs violations), radio communications coordinating crane operations (degrading efficiency from 35 container moves per hour to 18 moves per hour), paper-based yard tracking (creating container location errors where cargo gets “lost” in terminal requiring physical search), manual gate processing (truck driver wait times increase from 12 minutes to 90 minutes causing delivery delays and customer complaints), and customs documentation using paper forms (processing times increase from 2 hours electronic clearance to 8-12 hours manual review creating cargo dwell and demurrage charges). Manual operations might sustain basic cargo movement but cannot support holiday peak volumes, time-sensitive shipments, or customer service expectations defining competitive logistics performance.
International coordination complexity across 45 terminals and 23 regulatory jurisdictions: AtlasCorp incident response requires coordinated recovery across facilities operating under different national authorities, regulatory frameworks, legal systems, languages, and time zones: North American terminals report to US Customs and Border Protection and Canadian Border Services requiring different documentation standards and security protocols, European terminals operate under EU customs union regulations plus individual country requirements for labor law and environmental compliance, Asian terminals navigate different national security requirements (China’s cybersecurity law requiring data localization, Singapore’s critical infrastructure protections, Japan’s privacy regulations), Middle Eastern facilities coordinate with UAE and Saudi authorities having specific requirements for incident reporting and foreign investment oversight, and Latin American terminals work with various national customs agencies and trade regulations. 
Recovery coordination requires: incident notification to 23 different national maritime authorities (each having different reporting requirements, response expectations, and legal implications); approval from customs agencies in each country to resume cargo clearance operations (requiring demonstration of data integrity, system security, and operational readiness meeting national standards); verification by labor authorities of worker safety compliance for manual operations (different countries have different requirements for heavy equipment operation, hazardous materials handling, and working hour limits); approval from data protection authorities in GDPR-jurisdiction countries for handling of customer personal data (requiring privacy impact assessments, consent verification, and cross-border data transfer compliance); and law enforcement coordination spanning FBI (US jurisdiction), Europol (EU coordination), Interpol (international cooperation), plus national cyber crime units in 23 countries with different legal frameworks for evidence collection, jurisdiction determination, and criminal prosecution. Incident Commander cannot make unilateral decisions affecting global operations: the recovery approach must accommodate legal requirements in 23 jurisdictions, respect cultural expectations for authority and communication, navigate language barriers requiring translation and interpretation, and coordinate across 15 time zones where 24/7 operation means continuous crisis management without natural pause for strategic planning or stakeholder alignment.
Just-in-time supply chain dependencies and cascading disruption across industries: AtlasCorp’s customers operate supply chains minimizing inventory costs through precise delivery timing where 5-7 day shipping delays create compounding economic impacts: Automotive manufacturing (Toyota, Volkswagen, Ford) maintains 2-3 day parts inventory at assembly plants depending on predictable component delivery where shipping delays force production shutdowns costing $22,000 per minute of assembly line downtime, affecting tens of thousands of workers, cascading to tier-1 suppliers who lose production contracts, and reducing quarterly earnings affecting stock prices and investor confidence. Retail distribution (Walmart, Target, Amazon) positions holiday merchandise for December peak sales where delayed arrival after Christmas means full-price sales convert to post-holiday clearance (70% markdown on toys, electronics, apparel), affecting quarterly revenue, disappointing customer expectations reducing brand loyalty, and creating next-year ordering challenges where buyers reduce purchase orders from suppliers who couldn’t deliver. Pharmaceutical distribution operates cold-chain logistics where temperature excursions exceeding 2-8°C for more than 4 hours force product destruction under FDA regulations, affecting patient medication availability, creating drug shortage reportable events, and potentially triggering FDA enforcement actions if supply disruptions affect critical medications. Consumer electronics (Apple, Samsung) coordinate product launches where missing delivery windows means retail shelf space goes to competitors, marketing campaigns lose effectiveness, and market share shifts to brands who executed launch timing. 
Each customer disruption cascades: an automotive production shutdown affects supplier payments, triggering their liquidity crisis; retail stockouts shift consumer purchasing to competitors, potentially permanently changing shopping habits; pharmaceutical shortages create patient safety risks and regulatory scrutiny; and consumer electronics delays affect stock prices and market positioning. AtlasCorp isn’t just managing its own operational recovery; it is managing a systemic supply chain crisis in which its encryption affects hundreds of businesses, millions of consumers, and billions in economic activity across industries that depend on global trade logistics functioning reliably during the holiday peak season.
Competitive intelligence in container shipping and proprietary algorithmic advantage: Container logistics profitability depends on routing optimization algorithms that AtlasCorp has developed over 45 years through operational experience, mathematical modeling, machine learning, and proprietary data analysis. These algorithms optimize multi-modal route selection (determining whether a container should move by direct vessel, transshipment through a hub port, or intermodal rail, considering cost/time trade-offs), empty container repositioning (moving containers from import-heavy regions to export regions while minimizing unproductive movements), vessel space allocation (determining which cargo gets priority loading considering profitability, customer relationships, and operational constraints), and yard optimization (positioning containers to minimize crane movements, reduce truck wait times, and enable efficient vessel loading). AtlasCorp’s routing algorithms achieve a 12-15% cost advantage compared to standard industry practices, a difference worth hundreds of millions annually in a competitive market where a 2-3% margin difference determines market leadership versus commodity status. Disclosure of the stolen algorithms enables competitors to reverse-engineer the optimization logic, understand operational strategies, replicate efficiencies that took decades to develop, and eliminate the competitive advantage distinguishing AtlasCorp from competitors offering comparable vessel schedules and terminal locations. Customer contract disclosure similarly destroys competitive positioning: revealing which customers pay premium rates for dedicated services (enabling competitors to undercut pricing targeting high-margin accounts), showing volume discounts negotiated with the largest retailers (allowing competitors to demand equivalent terms or offer better pricing), and exposing the just-in-time delivery premiums automotive manufacturers pay (indicating a willingness to pay for reliability that competitors can target).
Competitive intelligence exposure doesn’t just violate customer confidentiality; it fundamentally undermines market positioning, because the operational excellence and relationship management that differentiate AtlasCorp from competitors become a visible playbook that competitors can copy, exploit, and use to systematically erode market share, pricing power, and strategic relationships built over decades.
Key Stakeholders
Alexandra Chen (Chief Executive Officer) - CEO with 22-year logistics industry career managing publicly-traded company with $4.2B revenue serving global customers:
- Confronting highest-stakes crisis during peak revenue quarter (Q4 represents 42% annual revenue)
- Balancing immediate response decisions (ransom payment consideration, customer communications, operational priorities) against shareholder accountability (stock price dropped 18% on crisis news, investor demands for management accountability, board emergency meeting questioning cybersecurity oversight)
- Coordinating recovery across 45 international facilities operating under 23 regulatory jurisdictions with different legal requirements and cultural expectations
- Managing customer relationships where major retailers and automotive manufacturers are threatening permanent carrier switch affecting long-term revenue and market position
- Protecting competitive intelligence worth hundreds of millions where routing algorithm disclosure enables competitors to reverse-engineer operational advantages built over 45 years
- Confronting personal liability as CEO whose capital allocation decisions prioritized operational investments over cybersecurity infrastructure that might have prevented incident
Roberto Martinez (Chief Technology Officer) - Technology executive with 18-year career managing IT infrastructure supporting global logistics operations:
- Coordinating recovery across 45 terminals in 15 time zones with 420-person IT organization operating on manual incident response protocols
- Assessing backup restoration timeline (5-7 days for international coordination) while facing customer and board pressure demanding faster recovery meeting holiday deadlines
- Explaining why previous cybersecurity budget proposals (repeatedly reduced from $8.2M to $3.1M favoring operational investments) could have prevented incident through network segmentation and offline backups
- Coordinating with cyber insurance carrier, FBI, Europol, national cyber crime units in 23 countries, supply chain partner security teams, and incident response consultants while maintaining operational focus on restoring customer service
- Managing 2TB data exfiltration scope including proprietary algorithms, customer contracts, competitive intelligence affecting company market position and customer trust
- Confronting professional reputation where cybersecurity failure during peak season will define career despite years advocating for security investments that executive leadership deprioritized favoring operational efficiency and competitive positioning
Sarah Kim (Port Operations Director) - Operations leader responsible for 45 terminal facilities and 4,200 terminal workers managing December peak season with 850,000 scheduled container moves:
- Coordinating emergency manual operations achieving 40-50% normal capacity while customers demand 120% capacity for holiday surge
- Receiving desperate customer escalations from Walmart logistics (340 containers of holiday merchandise stranded affecting retail operations), Toyota supply chain (85 containers of automotive components with assembly plant shutdown imminent costing $22,000 per minute), Pfizer pharmaceutical logistics (12 refrigerated containers requiring temperature monitoring where compliance failure forces $45M product destruction)
- Managing 12,000 containers in active transit worth $2.1B cargo value where customers cannot determine location or delivery timing affecting their operations and end-customer commitments
- Balancing customer advocacy (demanding immediate restoration through ransom payment or alternative solutions) with operational reality (manual processes cannot support peak volumes, international coordination requires days not hours, safety requirements limit manual operation capacity)
- Confronting personal accountability to customers where long-term relationships and trust built over years face crisis from security failure affecting operational reliability
James Peterson (Security Director & Incident Commander) - Security executive managing international incident response across 23 countries with different law enforcement agencies, legal frameworks, data protection regulations, and security requirements:
- Coordinating FBI investigation (US jurisdiction for ransomware as extortion), Europol coordination (EU member state cooperation), Interpol (international criminal investigation), plus national cyber crime units in 23 countries each wanting incident briefing, evidence preservation, and coordination respecting their legal authority
- Managing data breach notification requirements across different jurisdictions (GDPR in EU requiring 72-hour notification to data protection authorities, various national requirements for customer notification, customs authorities requiring cargo data integrity verification)
- Balancing law enforcement mission (comprehensive investigation, evidence preservation, criminal prosecution support) with business continuity demands (rapid recovery, customer service restoration, competitive intelligence protection)
- Coordinating supply chain partner security assessment where customs broker compromise created initial access requiring partner notification and industry coordination
- Confronting impossible decision where paying ransom rapidly restores operations protecting customers and revenue but funds criminal enterprise likely violating anti-money-laundering laws, international sanctions, or law enforcement cooperation agreements across multiple jurisdictions with different legal implications
David Walsh (Walmart Senior Vice President, Global Logistics) - Major customer executive responsible for Walmart’s global supply chain importing $420B annually through multiple logistics providers including AtlasCorp:
- Managing holiday merchandise crisis where 340 containers (toys, electronics, home goods, apparel worth $68M retail value) are stranded at AtlasCorp terminals without tracking visibility
- Stores facing stockouts for final pre-Christmas shopping weekend representing 35% of toy category annual sales and 22% of electronics annual sales
- Coordinating with regional distribution centers unable to schedule receiving operations or allocate delivery appointments without cargo arrival timing
- Balancing immediate crisis (alternative carrier arrangements, customer communication, sales recovery) with long-term relationship assessment (AtlasCorp reliability, operational resilience, competitive intelligence exposure from data theft)
- Evaluating whether AtlasCorp data breach exposes Walmart’s import volumes and supply chain strategies to competitors (Target, Amazon, other retailers who could exploit intelligence for competitive advantage)
- Representing $180M annual Walmart-AtlasCorp contract relationship where operational failure during peak season triggers executive leadership questioning whether to consolidate logistics with more resilient carriers
Kenji Tanaka (Toyota Motor Corporation, Global Supply Chain Director) - Automotive manufacturer supply chain executive managing just-in-time component logistics for North American assembly plants producing 1.8 million vehicles annually:
- Confronting production crisis where 85 containers of critical automotive components (engines from Japanese suppliers, transmissions from European plants, electronics modules from Asian manufacturers worth $52M) are stalled at AtlasCorp Long Beach terminal
- Three assembly plants (Kentucky, Texas, Indiana) will exhaust parts inventory within 48 hours forcing production shutdown affecting 12,000 assembly workers plus 45,000 tier-1 supplier employees depending on production contracts
- Calculating shutdown costs at $22,000 per minute of assembly line downtime ($1.3M per hour, $31M per day) affecting quarterly earnings and production quotas
- Evaluating whether AtlasCorp data breach exposes Toyota component sourcing strategies to competitors (revealing which suppliers provide which parts, production volume indicators, new model development timelines from component shipment patterns enabling competitor intelligence analysis)
- Coordinating with corporate leadership in Japan requiring cultural sensitivity where crisis explanation, accountability demonstration, and recovery commitment follow different communication protocols than Western business practices
- Representing $420M annual Toyota-AtlasCorp logistics contract where operational failure raises fundamental questions about carrier operational resilience, security posture, and suitability for precision just-in-time manufacturing requirements
Board of Directors Chair Margaret Stevens - Publicly-traded company board chair with fiduciary responsibility to shareholders managing corporate governance crisis:
- Convening emergency board meeting to understand incident scope and management response while stock price dropped 18% on crisis news
- Questioning CEO and CTO about previous cybersecurity decisions where board approved budgets prioritizing operational investments over security infrastructure
- Evaluating ransom payment consideration ($6.5M) against alternatives (customer losses from extended outage, competitive intelligence exposure, investor confidence, regulatory scrutiny)
- Reviewing disclosure obligations to SEC and stock exchanges regarding material business impact and data breach affecting operations
- Assessing management accountability and potential leadership changes if recovery demonstrates inadequate cybersecurity oversight or operational resilience
- Coordinating with legal counsel regarding shareholder liability, customer lawsuits, regulatory investigations, and potential securities fraud claims if prior security warnings were inadequate
- Representing shareholder interests demanding immediate operational recovery but also long-term strategic response preventing recurrence and demonstrating board oversight effectiveness
Why This Matters
You’re not just managing ransomware encryption; you’re navigating a systemic supply chain crisis affecting thousands of businesses that depend on global trade logistics. AtlasCorp’s operational disruption cascades across industries: automotive assembly plants shut down within 48 hours, affecting 12,000 workers directly plus 45,000 supplier employees; retailers face stockouts for the final pre-Christmas shopping weekend, costing hundreds of millions in lost sales and damaging customer satisfaction; pharmaceutical companies risk medication shortages, creating patient safety concerns and FDA scrutiny; and consumer electronics manufacturers miss product launch windows, affecting market positioning and quarterly earnings. You’re not just restoring AtlasCorp’s systems; you’re managing an infrastructure failure affecting global commerce, where delays compound across interconnected supply chains and create economic impacts far exceeding AtlasCorp’s $4.2B revenue, where just-in-time manufacturing depends on predictable logistics, and where holiday retail economics concentrate in a narrow December window that delayed cargo cannot recover.
You’re not just responding to data encryption; you’re protecting competitive intelligence worth hundreds of millions and customer relationships built over decades. The 2TB data theft includes proprietary routing algorithms representing 45 years of operational optimization that provide a 12-15% cost advantage over competitors (worth hundreds of millions in market differentiation), customer pricing contracts revealing negotiated rates and volume discounts that competitors would exploit to undercut strategic accounts, and supply chain patterns exposing customer strategies (retail inventory positioning, automotive production planning, pharmaceutical launch timing affecting stock prices and competitive positioning). Ransom payment might prevent immediate publication but doesn’t guarantee deletion: stolen algorithms could still leak to competitors, customer contracts could surface in future negotiations, and supply chain intelligence could inform competitor strategies. You’re balancing operational recovery (paying the ransom rapidly restores holiday season operations, protecting revenue and customer relationships) against strategic damage (competitive intelligence exposure fundamentally undermines market positioning built through operational excellence, relationship management, and proprietary analytics differentiating AtlasCorp from commodity logistics providers).
You’re not just making a payment decision; you’re establishing a precedent for logistics sector targeting during peak vulnerability windows. The LockBit affiliate’s message references attacks against three other global carriers during the same holiday peak period, suggesting coordinated logistics sector targeting that exploits seasonal revenue concentration and operational pressure to create maximum payment likelihood. Paying the ransom demonstrates that holiday peak timing plus supply chain disruption plus competitive intelligence theft creates sufficient pressure for logistics companies to fund criminal enterprises, encouraging sector-wide targeting where December becomes an annual “ransomware season” for container shipping. The decision affects not just AtlasCorp but the entire logistics industry, where a precedent-setting payment encourages attacks against competitors, customers, and supply chain partners, creating sector-wide vulnerability. You’re balancing AtlasCorp’s immediate crisis (customer relationships, revenue protection, competitive intelligence containment) with industry responsibility (not funding a criminal business model targeting critical infrastructure, supporting law enforcement investigation, coordinating sector defense to prevent future attacks exploiting the supply chain dependencies that the global economy relies upon).
IM Facilitation Notes
Emphasize cascading supply chain disruptions with specific industry examples beyond just “business impact”: Players often treat a logistics company’s operational failure as an isolated business problem affecting only AtlasCorp, missing that container shipping disruption cascades across dependent industries and creates a systemic economic crisis. Help players understand concrete examples: the Toyota assembly plant in Kentucky runs out of engine parts within 48 hours, forcing a production shutdown affecting 3,800 assembly workers who get sent home without pay, 12,000 tier-1 supplier workers at companies providing seats/electronics/chassis components who lose production contracts when the assembly line stops, and $31M daily shutdown costs affecting Toyota’s quarterly earnings and stock price. Walmart stores face toy stockouts for the final pre-Christmas shopping weekend, where 340 containers of holiday merchandise arrive December 26 (after Christmas), converting full-price sales to 70% clearance markdown, costing hundreds of millions in lost revenue, and disappointing customers who buy from Target/Amazon instead, potentially permanently changing shopping habits. Make supply chain interdependency visceral by showing how AtlasCorp’s 5-7 day recovery timeline creates months of economic impact across industries that depend on predictable global trade logistics.
Highlight international coordination complexity across 45 terminals in 23 countries with different legal/regulatory frameworks: Players often assume the incident commander can make unified decisions for a global company, missing that 45 terminals operate under 23 different national sovereignties with different laws, authorities, and requirements. Walk players through the scenario: US terminals report to the FBI and CBP, which require evidence preservation and incident notification; European terminals must notify national data protection authorities under GDPR within 72 hours, with different languages and legal interpretations across Germany/Netherlands/UK/France; Asian terminals navigate China’s cybersecurity law requiring data localization, plus Singapore/Japan/Korea having different customs authorities and security requirements; and Middle Eastern terminals coordinate with UAE and Saudi authorities that have specific requirements for foreign company incident disclosure. Help players understand that “restore backups” requires approval from customs authorities in 23 countries, each verifying that data integrity meets their regulatory standards, labor authorities approving worker safety for manual operations under different national requirements, and maritime authorities confirming ISPS Code compliance before resuming operations. This creates coordination complexity where the 5-7 day recovery reflects international bureaucratic reality, not technical incompetence.
Address competitive intelligence exposure as a distinct crisis dimension beyond operational recovery: Players often focus exclusively on system restoration and customer service, treating data theft as a secondary concern to be addressed “after we’re back online.” Emphasize that the 2TB exfiltration includes routing algorithms worth hundreds of millions in competitive advantage (mathematical models optimizing container movements that took 45 years to develop), customer contracts revealing pricing that competitors would exploit to undercut strategic accounts, and supply chain patterns showing customer strategies (Walmart import volumes, Toyota component sourcing, pharmaceutical launch timing) worth billions in market intelligence. Walk players through the implications: competitors reverse-engineer the algorithms, eliminating AtlasCorp’s operational cost advantage; customers discover that peers negotiate better pricing and demand equivalent terms or switch carriers; and supply chain intelligence gets sold, showing retail forecasting strategies and manufacturing plans that affect customer stock prices and competitive positioning. The competitive intelligence damage persists long after systems are restored and potentially exceeds operational disruption costs for a company whose market differentiation depends on proprietary optimization and customer relationships built through decades of performance and trust.
Confront players with the impossible choice between holiday operations recovery and sector-wide targeting precedent: Standard security guidance teaches “never pay ransomware,” but a global logistics crisis during peak season creates a genuine ethical dilemma where refusing payment causes real economic harm to thousands of businesses (retailers losing holiday sales, manufacturers facing production shutdowns, pharmaceutical companies risking patient medication shortages) that did nothing wrong but depend on AtlasCorp’s operational reliability. Help players sit with the uncomfortable tension: paying the $6.5M ransom rapidly restores operations, protecting customers and revenue, BUT demonstrates that logistics sector targeting during holiday peak plus competitive intelligence theft creates sufficient pressure for payment, encouraging coordinated attacks against the entire container shipping industry where December becomes an annual “ransomware season” exploiting seasonal vulnerability. There’s no “right answer,” only trade-offs with real consequences, where players must justify their choice understanding that protecting AtlasCorp’s customers may encourage attacks affecting competitors, supply chain partners, and industry infrastructure that the global economy depends upon.
Explore efficiency-security trade-offs through competitive logistics market economics: Players often blame IT incompetence for the security failure, missing that AtlasCorp’s decisions reflected rational business strategy in a competitive market where 6-7% operating margins mean efficiency investments directly affect profitability and market position. Help players understand the context: container shipping is a commodity business where operational excellence (faster vessel turnaround, automated gate processing, real-time tracking) differentiates market leaders from competitors offering equivalent vessel schedules and terminal locations. The CTO’s $8.2M cybersecurity proposal competed against operational investments delivering measurable competitive advantages. The CFO challenged “show me ROI” for security spending that doesn’t increase revenue or improve customer satisfaction, versus automated equipment generating a 15% throughput improvement. The security budget reduction wasn’t negligence but capital allocation reflecting competitive pressure, where scarce resources fund operational differentiation over hypothetical risk mitigation. Help players understand that “just invest in security” ignores the business reality where logistics companies compete on thin margins and operational excellence, making the security-efficiency balance a genuine strategic challenge, not a simple good/bad management decision.
Use manual operations safety limitations to challenge “just operate without systems” assumptions: Players often suggest “use manual processes temporarily while we rebuild,” underestimating the safety requirements for container terminal operations. Help players understand that modern terminals move 35 containers per hour using integrated systems coordinating crane operations, yard positioning, and safety monitoring. Manual operations achieve 18 moves per hour (50% capacity) with increased safety risks, where handwritten discharge plans cause container misplacement, radio communications degrade coordination efficiency, paper-based tracking creates location errors, and manual gate processing increases truck wait times from 12 minutes to 90 minutes. Emphasize that terminals cannot simply “work harder”: labor laws in 23 countries limit working hours, union agreements specify safety requirements and equipment certification, maritime authorities require specific protocols for heavy machinery operation and hazardous cargo handling, and insurance carriers won’t cover manual operations exceeding safety design parameters. Walk players through the cascade: manual operations at 50% capacity during a 120% demand season means 70% of scheduled cargo cannot move, creating compounding backlogs where delayed containers block berth space, preventing vessel unloading and affecting global shipping schedules, and safety incidents from rushed manual operations could cause worker deaths or cargo disasters, creating regulatory shutdowns worse than the encryption.
Challenge assumptions about law enforcement solving the operational crisis: Players often suggest “call FBI,” expecting federal law enforcement to solve ransomware affecting global logistics, missing that the FBI investigates crimes for prosecution (a months-long process requiring evidence preservation, international cooperation, and case building) rather than providing operational recovery services that meet 48-hour customer deadlines. Help players understand the different stakeholder priorities: the FBI wants comprehensive forensic analysis and evidence preservation for eventual criminal charges, Europol coordinates EU member state investigations across different legal frameworks, 23 national cyber crime units each want an incident briefing respecting their jurisdiction, the cyber insurance carrier covers incident response costs but excludes ransom payments, customs authorities in each country must verify data integrity before resuming cargo clearance, and maritime authorities require ISPS Code security compliance before approving terminal operations. Law enforcement coordination is essential for investigation and potential prosecution but doesn’t directly solve an operational crisis requiring system restoration, customer communication, competitive intelligence protection, and international coordination meeting business continuity requirements, where the Friday recovery deadline doesn’t align with a months-long investigation timeline. This forces incident commanders to balance comprehensive investigation support with immediate operational recovery affecting thousands of businesses that depend on global trade logistics.
Hook
“It’s Monday morning during peak holiday shipping season, and AtlasCorp Logistics is managing maximum container capacity across 45 international ports when every operational system displays ransom demands. Container tracking is down, port operations have halted, and 12,000 containers are stranded in transit. Executives receive direct contact from threat actors claiming to have stolen shipping manifests, customer data, and sensitive supply chain intelligence, threatening to disrupt global trade operations.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Major retailer threatens contract cancellation due to delayed holiday merchandise
- Hour 2: Threat actors publish sample shipping manifests revealing competitive supply chain intelligence
- Hour 3: International customs authorities report concerns about cargo security and tracking
- Hour 4: Port workers unable to safely operate without digital tracking and safety systems
Evolution Triggers:
- If ransom payment is made, attackers may target other supply chain companies with stolen intelligence
- If payment is refused, customer shipping data begins appearing on criminal marketplaces
- If recovery exceeds 72 hours, physical port operations face safety and regulatory compliance issues
Resolution Pathways:
Technical Success Indicators:
- Emergency manual operations procedures activated maintaining basic cargo processing
- International coordination established for recovery across multiple jurisdictions
- Supply chain partner security assessment and isolation to prevent reinfection
Business Success Indicators:
- Customer relationships maintained through transparent communication and alternative shipping solutions
- International operations restored with proper security controls and regulatory compliance
- Supply chain integrity protected through coordinated industry response
Learning Success Indicators:
- Team understands supply chain cybersecurity interdependencies and global impact
- Participants recognize international coordination requirements during crisis
- Group demonstrates crisis management balancing operational continuity with security response
Common IM Facilitation Challenges:
If International Coordination Is Overlooked:
“Your recovery plan is solid, but you’re operating across 45 ports in 23 countries with different regulations and law enforcement agencies. How do you coordinate international incident response?”
If Supply Chain Impact Is Underestimated:
“While you’re investigating, major retailers are reporting that holiday merchandise won’t reach stores in time, and automotive manufacturers are facing production shutdowns. How does supply chain responsibility affect your response?”
If Physical Safety Is Ignored:
“Your digital recovery is progressing, but port workers are asking whether it’s safe to operate heavy machinery and handle containers without digital tracking systems. How do you balance operational pressure with safety requirements?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish the global logistics crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. The quick debrief should focus on recognizing supply chain ransomware impact and international coordination requirements.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of supply chain ransomware challenges. Use the full set of NPCs to create realistic holiday shipping pressures and international coordination complexity. The two rounds allow threat actors to escalate with supply chain intelligence releases, raising the stakes. The debrief can explore the balance between operational continuity and security response.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing container tracking operations, customer cargo security, international regulatory compliance, and global supply chain continuity. The three rounds allow for a full narrative arc including the ransomware’s supply-chain-specific impact and international coordination.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate port system updates causing unrelated tracking issues). Make containment ambiguous, requiring players to justify international decisions with incomplete information. Remove access to reference materials to test knowledge recall of ransomware behavior and supply chain security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “Digital forensics reveal LockBit ransomware with complete encryption of AtlasCorp’s port operations across 45 international locations during peak holiday shipping season. Threat actors contacted executives claiming to have stolen shipping manifests, customer data, and sensitive supply chain intelligence. Container tracking systems are down with 12,000 containers stranded in transit affecting global trade operations.”
Clue 2 (Minute 10): “Network analysis shows attackers maintained persistent access for weeks through supply chain partner email compromise, systematically targeting high-value cargo data and operational intelligence. Backup assessment reveals complex international recovery coordination requirements across multiple jurisdictions and regulatory environments. Timeline indicates attackers chose holiday peak for maximum supply chain disruption and payment pressure.”
Clue 3 (Minute 15): “Threat actors published sample shipping manifests revealing competitive supply chain intelligence and customer trade secrets. Major retailers threatening contract cancellation as holiday merchandise won’t reach stores in time. International customs authorities expressing concerns about cargo security, tracking compliance, and port worker safety without digital systems.”
Pre-Defined Response Options
Option A: Emergency Manual Operations & Recovery Without Payment
- Action: Activate emergency manual cargo processing procedures, restore systems from verified clean backups with international coordination, refuse ransom payment, coordinate with customs authorities and supply chain partners for security assessment.
- Pros: Maintains supply chain security practices; demonstrates responsible global operations; supports international law enforcement cooperation.
- Cons: Recovery requires complex international coordination affecting operations for days; stolen supply chain data will likely be publicly released; potential contract losses and competitive disadvantage.
- Type Effectiveness: Super effective against Ransomware malmon type; clean backups enable recovery without funding criminal enterprise affecting global supply chains.
Option B: Ransom Payment & Rapid Operations Recovery
- Action: Pay ransom to obtain decryption key and prevent supply chain data release, restore systems quickly to minimize holiday shipping disruption, implement enhanced security controls across international operations.
- Pros: Fastest path to container tracking restoration protecting holiday shipping operations; may prevent public release of customer supply chain intelligence.
- Cons: No guarantee attackers will honor agreement or provide working decryption; funds criminal enterprise; may encourage targeting of other supply chain companies.
- Type Effectiveness: Not effective against Ransomware malmon type; addresses encryption but doesn’t guarantee supply chain data protection; funds continued global attacks.
Option C: International Phased Recovery & Supply Chain Coordination
- Action: Coordinate phased recovery across regions prioritizing critical shipping routes, engage with threat actors to delay timeline, simultaneously restore from backups, establish supply chain partner security protocols.
- Pros: Enables targeted recovery for most critical operations; demonstrates supply chain industry leadership; builds coordinated defense across logistics sector.
- Cons: Complex international coordination may slow recovery; negotiation may be interpreted as willingness to pay; lower-priority routes face extended delays.
- Type Effectiveness: Moderately effective against Ransomware threats; delays attack progression while enabling prioritized backup recovery; doesn’t guarantee supply chain intelligence protection.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Holiday Shipping Crisis & Supply Chain Paralysis (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Complete encryption across global shipping network - 15 container terminals, 200 distribution centers, 5,000 delivery trucks. VP Sarah Park: “All tracking systems down during peak holiday shipping. $40M revenue at risk per day.”
- Clue 2 (Minute 10): Forensics reveal month-long persistent access, exfiltration of 2TB including customer supply chain routes, pricing contracts, proprietary logistics algorithms, competitive intelligence - attackers mapped entire global operation before encryption.
- Clue 3 (Minute 15): Operations Manager Martinez: “Manual cargo processing at 25% normal capacity. Container ships cannot offload. Retail clients threatening permanent carrier switch if holiday deliveries fail.”
- Clue 4 (Minute 20): Threat actors demand $6.5M within 72 hours, showing customer routing data, pricing agreements, and logistics algorithms. “Your competitors would pay more for this supply chain intelligence than you’ll pay to protect it.”
Response Options:
- Option A: Emergency manual operations, international backup recovery, refuse payment | Type: Super effective for recovery, supply chain leadership
- Option B: Payment for rapid recovery, minimize holiday disruption | Type: Partially effective, supply chain risk precedent
- Option C: Phased regional recovery, supply chain coordination | Type: Moderately effective, complex coordination
Round 2: Supply Chain Intelligence & Competitive Exposure (30-35 min)
Investigation Clues:
- Clue 5: CISO confirms stolen data includes routing algorithms giving TransGlobal competitive advantage, pricing structures for major retail contracts, vulnerability assessments for competitor analysis - proprietary supply chain intelligence worth hundreds of millions.
- Clue 6: Major retail client: “If our supply chain routes and volumes leak to competitors or public markets, we lose strategic advantage. Consider this in your response decisions.”
- Clue 7: Industry consortium reports similar ransomware attacks against three other global carriers - coordinated targeting of supply chain sector during holiday peak suggesting organized campaign.
- Clue 8: Cyber insurance covers incident response but excludes ransom payments. Total operational losses, recovery costs, and competitive damage estimated $80-120M even without payment.
Response Options:
- Option A: Full transparency, industry coordination, comprehensive security response | Type: Super effective for sector resilience
- Option B: Minimize disclosure, competitive intelligence protection focus | Type: Partially effective, potential customer trust issues
- Option C: Payment reconsideration to prevent competitive intelligence release | Type: Not effective, encourages supply chain targeting
Round Transition: Team’s choice determines whether TransGlobal faces international coordination challenges, competitive intelligence exposure, or customer relationship crisis. Supply chain intelligence theft threatens competitive positioning. Industry-wide attack pattern suggests coordinated targeting. Insurance is inadequate. Team must balance holiday operations, customer commitments, competitive advantage protection, and sector resilience during a global ransomware campaign.
Debrief Focus: Double extortion targeting supply chain intelligence; Global operations coordination in ransomware response; Competitive intelligence protection; Supply chain sector resilience; International law enforcement coordination
Full Game Materials (120-140 min, 3 rounds)
[Abbreviated format]
Round 1: Wednesday peak season. 15 terminals encrypted. 2TB supply chain intelligence stolen. Park faces impossible choice between holiday operations and competitive protection.
Investigation: LockBit ransomware, month of persistent access, systematic supply chain mapping, exfiltration of proprietary logistics algorithms, international scope
NPCs: Sarah Park (revenue crisis), Carlos Martinez (operations paralysis), Linda Zhang (backup complexity), Customer executives (competitive intelligence concerns)
Pressure: Retail clients threatening carrier switch; Container ships backing up; Competitor carriers taking market share; Holiday timeline absolute
Round 2: Proprietary routing algorithms stolen. Major customer supply chain intelligence compromised. Industry-wide attack pattern. Recovery requires international coordination across 15 terminals.
Round 3: Supply chain sector cybersecurity evolution. Competitive intelligence protection in digital logistics. Industry coordination frameworks. Prevention balancing global operations with security.
Debrief: Ransomware targeting supply chain infrastructure; Global operations resilience; Competitive intelligence in ransomware decisions; Sector-wide coordination; International incident response
Advanced Challenge Materials (150-170 min)
Red Herrings: Equipment malfunctions; Holiday volume strain; Labor disputes; Competitor market activities
Removed Resources: Limited global security expertise; International coordination complexity; Customer approval dependencies; Insurance coverage gaps
Enhanced Pressure: Specific retail client supply chain failures; Competitor exploitation; Regulatory investigations; Industry reputation damage
Ethical Dilemmas: Customer operations vs payment prohibition; Competitive intelligence vs transparency; Regional priority vs global fairness; Sector coordination vs competitive positioning
Advanced Debrief: Supply chain ransomware evolution; Global operations incident response; Competitive intelligence protection frameworks; Industry coordination in cybersecurity; International law enforcement cooperation