WannaCry Scenario: Municipality Payroll Crisis

Springfield City Government: 1,200 employees across 15 departments
Worm • WannaCry
STAKES
Employee payroll + Public services + Municipal operations continuity
HOOK
Springfield City is in the final 48 hours before quarterly payroll processing, with 1,200 city employees depending on Friday paychecks. The attack began Wednesday evening when finance staff were working late to finalize payroll calculations, and the worm is now spreading rapidly through city networks connecting police, fire, utilities, and administrative systems.
PRESSURE
Payroll processing deadline Friday - missing payroll affects all city employees and public services
FRONT • 120 minutes • Advanced
NPCs
  • Maria Rodriguez (City Finance Director): Desperate to complete payroll processing, watching financial systems encrypt in real-time, must balance employee needs with security response
  • Chief Robert Taylor (Police Chief): Police dispatch and records systems affected, concerned about public safety impact, needs immediate assessment of emergency service capabilities
  • William Harrison (IT Director): Discovering that the city's shared network infrastructure connects all departments, realizes the worm's spread threatens the entire municipal operation
  • Mayor Diana Foster: Fielding calls from employees about paychecks, media about city services, and state officials about emergency response capabilities
SECRETS
  • City network was designed for convenience with minimal segmentation between departments
  • Legacy Windows systems in multiple departments lack security patches due to budget constraints and operational dependencies
  • Shared file servers contain both payroll data and critical public safety information

Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at Springfield City Hall, and what started as routine payroll preparation has become a municipal crisis. Finance staff working late Wednesday night began seeing ransom messages on their screens, and by morning, the attack has spread to police dispatch, fire department communications, and utility management systems. With 1,200 city employees expecting paychecks tomorrow and public safety systems affected, this cybersecurity incident has become a city-wide emergency.”

Initial Symptoms to Present:

  • “Finance department computers showing ransom demands instead of payroll data”
  • “Police dispatch systems experiencing connectivity issues affecting emergency response”
  • “Fire department reporting communication system failures”
  • “Utility management networks showing signs of compromise and system encryption”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal worm exploitation of shared municipal network infrastructure
  • File system analysis shows encryption of payroll, personnel, and public safety databases
  • Timeline analysis reveals attack origin in finance department during late-night payroll processing

Protector System Analysis:

  • Network monitoring shows rapid lateral movement across city department boundaries
  • Critical system assessment reveals public safety and emergency services at risk
  • Infrastructure analysis shows minimal network segmentation between municipal departments

Tracker Network Investigation:

  • Traffic analysis reveals worm scanning and exploitation across all city network segments
  • Propagation mapping shows attack moving toward emergency services and utility control systems
  • Communication pattern analysis indicates potential spread to county and state government networks
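
Added example, not part of the original scenario: one way the Tracker's traffic analysis and propagation mapping could be worked through on flow records. The department subnets, the flow records and the fan-out threshold are constructed assumptions; the TCP 445 filter reflects WannaCry's spread over SMB.

```python
import ipaddress
from collections import defaultdict

# Constructed department subnets (assumption: the scenario gives no addressing).
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "finance": "10.10.1.0/24", "police": "10.10.2.0/24",
    "fire": "10.10.3.0/24", "utilities": "10.10.4.0/24",
}.items()}

# Constructed flow records: (minute offset, source, destination, destination port).
FLOWS = [
    (0, "10.10.1.40", "10.10.1.10", 445),   # ordinary file-server access
    (1, "10.10.1.23", "10.10.1.24", 445), (1, "10.10.1.23", "10.10.1.25", 445),
    (2, "10.10.1.23", "10.10.1.26", 445), (3, "10.10.1.23", "10.10.2.5", 445),
    (5, "10.10.1.23", "10.10.3.7", 445),  (6, "10.10.3.20", "10.10.1.10", 443),
    (9, "10.10.2.5", "10.10.2.6", 445),   (9, "10.10.2.5", "10.10.2.7", 445),
    (10, "10.10.2.5", "10.10.2.8", 445),  (12, "10.10.2.5", "10.10.4.9", 445),
]

def segment_of(ip):
    """Name of the department segment an address belongs to."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETS.items() if addr in net), "unknown")

def smb_scanners(flows, min_targets=4):
    """Hosts that contacted at least min_targets distinct peers on TCP 445."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == 445:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}

def propagation_map(flows, min_targets=4):
    """First cross-segment SMB contact per segment pair, in time order."""
    scanners = smb_scanners(flows, min_targets)
    seen, edges = set(), []
    for minute, src, dst, dport in sorted(flows):
        if dport != 445 or src not in scanners:
            continue  # ignore non-SMB traffic and low fan-out hosts
        edge = (segment_of(src), segment_of(dst))
        if edge[0] != edge[1] and edge not in seen:
            seen.add(edge)
            edges.append((minute, *edge))
    return edges

if __name__ == "__main__":
    for minute, src_seg, dst_seg in propagation_map(FLOWS):
        print(f"t+{minute:>2} min: {src_seg} -> {dst_seg}")
```

The ordered segment pairs give the containment priority: the segments not yet reached are the ones emergency segmentation should isolate first.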

Communicator Stakeholder Interviews:

  • Finance staff describe working late on payroll when systems began failing
  • Police and fire departments report increasing operational impact on emergency services
  • IT staff explain budget constraints and operational needs that prevented network segmentation

Mid-Scenario Pressure Points:

  • Hour 1: Police dispatch center reports intermittent system failures affecting emergency response
  • Hour 2: Mayor receives calls from employees asking about paycheck delays
  • Hour 3: Fire department loses access to building inspection and safety records
  • Hour 4: Local media reports “city computer systems held hostage” affecting public services

Evolution Triggers:

  • If public safety systems are compromised, emergency response capabilities become unreliable
  • If payroll processing cannot be completed, 1,200 employees miss critical paychecks
  • If utility systems are affected, water and power services to citizens are threatened

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency network segmentation protecting critical public safety systems
  • Worm propagation contained through strategic network isolation and rapid patching
  • Backup systems activated to maintain essential city services during recovery

Business Success Indicators:

  • Payroll processing completed through alternative methods ensuring employee payments
  • Public safety services maintained throughout cybersecurity incident response
  • Municipal operations continue with minimal disruption to citizen services

Learning Success Indicators:

  • Team understands worm mechanics and cross-network propagation in shared infrastructure
  • Participants recognize public sector cybersecurity challenges and resource constraints
  • Group demonstrates coordination between IT security, public safety, and municipal operations

Common IM Facilitation Challenges:

If Public Safety Impact Is Minimized:

“While you’re analyzing the technical details, Chief Park reports that police dispatch is experiencing delays in emergency calls. How do you ensure public safety while containing the cybersecurity threat?”

If Employee Impact Is Ignored:

“Your containment strategy is sound, but Maria just calculated that 1,200 city employees won’t receive paychecks tomorrow if payroll systems aren’t restored. What’s your plan for the human impact?”

If Municipal Complexity Is Overwhelming:

“The Mayor needs a simple answer: can the city continue to provide essential services to citizens, or should emergency protocols be activated?”

Success Metrics for Session: