WannaCry Scenario: Law Firm Case Crisis

Crawford & Associates: UK law firm with 80 solicitors handling high-stakes litigation
Legal Operations Disruption • WannaCry
STAKES
Case continuity + Privileged data protection + Court-deadline execution + Professional duty
HOOK
Legal teams report sudden loss of access to pleadings, deposition bundles, and expert report folders, while document systems begin locking files and showing recovery demands. Workstations across litigation teams become unreliable, and shared matter repositories stop synchronizing minutes before key filing work is due.
PRESSURE
  • Filing decision deadline: Monday 17:00
  • Case exposure: GBP 450 million class-action case
  • Firm profile: UK law firm with 80 solicitors handling high-stakes litigation
FRONT • 120 minutes • Intermediate
NPCs
  • Victoria Crawford (Senior Partner): Owns filing strategy and legal-risk decisions
  • Raj Patel (IT Director): Leads containment and document-system recovery sequencing
  • Eleanor Blackwood (Lead Case Counsel): Prioritizes recoverability of filing-critical materials
  • James Mitchell (Office Manager): Coordinates continuity workflows for filing teams
SECRETS
  • Matter repositories relied on convenience-oriented sharing paths without strong segmentation
  • Endpoint patching and maintenance windows were repeatedly deferred during filing crunch periods
  • Filing-critical documents and privileged material shared identical storage risk boundaries

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

WannaCry Law Firm Case Crisis Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

WannaCry Law Firm Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning: Initial User Reports
  • “Document-management workspaces are locking active pleadings and deposition bundles”
  • “Matter repositories fail to synchronize across teams and offices”
  • “Attorney workstations can open indexes but not linked filing attachments”
  • “Priority filing folders are becoming inaccessible faster than recovery efforts can keep pace”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction links disruption onset to vulnerable document-management endpoints
  • Artifact analysis confirms targeted encryption of filing-critical repositories first
  • Access-path review highlights trusted sharing routes as key propagation accelerants

Protector System Analysis:

  • Priority matter inventories identify which records are indispensable for deadline filing
  • Segmentation review reveals insufficient isolation between practice and casework domains
  • Recovery sequencing must preserve privilege boundaries while restoring critical access

Tracker Network Investigation:

  • Session analysis identifies high-impact encryption spread through shared legal-storage pathways
  • Endpoint telemetry reveals coordinated execution patterns across time-compressed filing windows
  • Threat pattern indicates strategic leverage focused on procedural deadline failure

Communicator Stakeholder Interviews:

  • Litigation leads require a clear threshold for filing viability under partial data recovery
  • Operations and security teams need aligned messaging for clients and courts
  • Governance teams require evidence-backed status updates for external authorities

Mid-Scenario Pressure Points:

  • Hour 1: Case teams confirm that key exhibits and affidavits remain inaccessible
  • Hour 2: Opposing counsel signals intent to challenge any late or incomplete filing
  • Hour 3: Backup restoration attempts reveal inconsistent version histories on priority matters
  • Hour 4: Leadership must decide whether to file with constrained evidence or seek emergency relief

Evolution Triggers:

  • If restoration priorities are unclear, filing-critical evidence may remain unavailable at deadline
  • If privilege controls are bypassed during recovery, legal and ethical exposure increases
  • If external communication lags, procedural leverage shifts rapidly to opposing counsel

Resolution Pathways:

Technical Success Indicators:

  • Filing-critical repositories are restored with verifiable chain-of-custody confidence
  • Encryption spread is contained before additional matter domains are impacted
  • Access controls are rebuilt to protect privilege and reduce repeat compromise risk

Business Success Indicators:

  • Deadline strategy remains legally defensible under documented evidence constraints
  • External authority updates remain timely and consistent with verified incident scope
  • Client trust is protected through clear, accurate communication during disruption

Learning Success Indicators:

  • Team demonstrates operational prioritization for legal deadlines under cyber pressure
  • Participants balance privilege protection, restoration speed, and procedural risk
  • Group coordinates legal, technical, and governance roles with explicit decision criteria

Common IM Facilitation Challenges:

If Teams Focus on Full Restoration Over Filing Priorities:

“Complete recovery may take longer than the court allows. Which document set is non-negotiable for a defensible filing today?”

If Teams Ignore Privilege Boundaries During Recovery:

“Rapid access restoration can expose sensitive client material. How are privilege controls maintained while recovering on deadline?”

If Teams Delay External Coordination:

“Authorities and court stakeholders request immediate status. What do you report now with confidence, and what remains unverified?”

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 3 investigation rounds, 1 decision round
Focus: Detect filing-window disruption and establish immediate continuity priorities
Key Actions: Scope critical evidence, contain spread, and define filing go/no-go criteria

Lunch & Learn (75-90 minutes)

Structure: 5 investigation rounds, 2 decision rounds
Focus: Balance legal procedural risk, technical containment, and authority reporting
Key Actions: Prioritize recoveries, protect privilege boundaries, and align deadline strategy

Full Game (120-140 minutes)

Structure: 7 investigation rounds, 3 decision rounds
Focus: End-to-end legal-operations incident response under procedural pressure
Key Actions: Coordinate legal and technical workflows, preserve case integrity, and sustain client trust

Advanced Challenge (150-170 minutes)

Structure: 8-9 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous document integrity, contested filing thresholds, and privilege tradeoffs
Additional Challenges: Multi-office coordination, active opposing-counsel pressure, and compressed court timelines

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Filing-Critical Evidence First

    • Action: Isolate affected systems, restore only filing-critical materials first, and defer nonessential recovery.
    • Pros: Maximizes deadline survivability and decision clarity.
    • Cons: Noncritical practice work remains disrupted longer.
    • Type Effectiveness: Super effective for deadline defense under constrained time.
  • Option B: Parallel Recovery Across Matter Domains

    • Action: Recover multiple matter areas concurrently with distributed teams and shared infrastructure.
    • Pros: Broader restoration scope and faster general business recovery.
    • Cons: Can dilute focus on filing-critical evidence and increase coordination errors.
    • Type Effectiveness: Moderately effective when governance remains strict.
  • Option C: Court-Relief Preparation with Controlled Recovery

    • Action: Prepare emergency court relief strategy while running controlled recovery and privilege verification.
    • Pros: Adds procedural fallback if restoration misses deadline.
    • Cons: Opposing counsel may exploit relief request and challenge preparedness.
    • Type Effectiveness: Moderately effective with strong legal strategy alignment.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Case Material Triage and Containment (30-35 min)

Round 2: Filing Decision and Authority Coordination (30-35 min)

Debrief Focus

  • How cyber disruption shifts procedural leverage in deadline-driven litigation
  • Which restoration priorities preserve legal viability under time pressure
  • How privilege controls and evidence confidence should shape filing decisions
  • Which long-term controls harden legal document workflows during litigation sprints