WannaCry Scenario: Morrison & Associates Case Crisis

Morrison & Associates Law Firm: 150 attorneys across 3 offices, specialized litigation
Worm • WannaCry
STAKES
Client case files + Attorney-client privilege + Court deadline compliance
HOOK
Morrison & Associates is 72 hours from filing critical motions in their biggest class-action lawsuit ever, representing 10,000 plaintiffs against a major corporation. The legal team has been working around the clock to meet court deadlines when ransomware begins encrypting case files, depositions, and expert witness reports that cannot be recreated before the filing deadline.
PRESSURE
Court filing deadline Monday 5 PM - missing deadline dismisses $500M class-action case
FRONT • 120 minutes • Advanced
Morrison & Associates Law Firm: 150 attorneys across 3 offices, specialized litigation
Worm • WannaCry
NPCs
  • Patricia Morrison (Managing Partner): Leading $500M class-action case with Monday filing deadline, watching years of legal work encrypt in real-time, must balance case preservation with security response
  • James Liu (IT Director): Discovering that law firm's case management systems lack proper network segmentation, watching worm spread through client files and legal databases
  • Dr. Sarah Kim (Expert Witness): Critical economic analysis stored on law firm servers, report needed for Monday filing cannot be reconstructed in time, represents years of specialized research
  • Michael Rodriguez (Opposing Counsel): Will argue for case dismissal if filing deadline is missed, represents corporate defendant with billions at stake
SECRETS
  • Law firm delayed security updates on case management systems to avoid disrupting ongoing litigation
  • Client files, depositions, and expert reports stored on interconnected systems without proper access controls
  • Network designed for attorney convenience with minimal security segmentation between practice areas

Scenario Details for IMs

Opening Presentation

“It’s Friday morning at Morrison & Associates, and the law firm is in the final sprint toward Monday’s critical court filing deadline. The $500M class-action case represents two years of work by 20 attorneys, and the case management systems contain irreplaceable depositions, expert witness reports, and legal research. But since Thursday evening, computers throughout the firm have been displaying ransom messages, and critical case files are being encrypted faster than they can be backed up. In the legal profession, missing a court deadline can mean losing a case entirely.”

Initial Symptoms to Present:

  • “Case management systems displaying ransom demands instead of legal documents”
  • “Attorney workstations losing access to client files and litigation materials”
  • “Document servers encrypting depositions and expert witness reports”
  • “New systems failing across different practice areas and client matters”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal worm spreading through document management and case file systems
  • File analysis shows systematic encryption of legal documents, depositions, and client communications
  • Timeline analysis reveals attack began during late-night document preparation for Monday deadline

Protector System Analysis:

  • Real-time monitoring shows ransomware spreading through attorney work files and client databases
  • System integrity analysis reveals potential compromise of attorney-client privileged communications
  • Network architecture assessment shows inadequate segmentation between client matters and practice areas

Tracker Network Investigation:

  • Traffic analysis reveals worm exploiting shared network infrastructure across law firm offices
  • Propagation patterns show movement toward email servers containing client communications
  • Network scanning shows potential spread to cloud-based legal research and e-filing systems

Communicator Stakeholder Interviews:

  • Attorneys report loss of access to critical case documents needed for Monday filing
  • IT staff explain security update delays due to concerns about disrupting ongoing litigation
  • Expert witnesses describe irreplaceable research data stored on compromised systems

Mid-Scenario Pressure Points:

  • Hour 1: Senior associate reports inability to access key depositions needed for motion drafting
  • Hour 2: Expert witness calls reporting economic analysis files are inaccessible
  • Hour 3: Opposing counsel files motion requesting dismissal due to “plaintiff preparation failures”
  • Hour 4: Court clerk confirms no extensions available - Monday 5 PM deadline is absolute

Evolution Triggers:

  • If document recovery fails, two years of legal work becomes inaccessible before deadline
  • If network isolation affects e-filing systems, court submissions cannot be completed
  • If attorney-client communications are compromised, ethical violations and malpractice claims arise

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency document recovery protecting critical case files
  • Worm containment prevents spread to email servers and attorney-client communications
  • Network segmentation preserves legal research and court filing capabilities

Business Success Indicators:

  • Critical case documents recovered enabling Monday court filing deadline compliance
  • Attorney-client privilege maintained throughout cybersecurity incident response
  • Law firm operations continue without malpractice exposure or ethical violations

Learning Success Indicators:

  • Team understands worm propagation through professional service networks and shared file systems
  • Participants recognize unique cybersecurity challenges in legal profession and privileged communications
  • Group demonstrates coordination between IT security, legal operations, and professional compliance

Common IM Facilitation Challenges:

If Attorney-Client Privilege Is Ignored:

“While you’re containing the worm, James just realized that encrypted systems may contain privileged attorney-client communications. How do you ensure professional ethical compliance during incident response?”

If Professional Service Context Is Missed:

“Dr. Kim’s expert economic analysis represents two years of specialized research that cannot be recreated by Monday. What’s your strategy for protecting irreplaceable professional work product?”

Success Metrics for Session: