WannaCry Scenario: Municipality Payroll Crisis
Planning Resources
Scenario Details for IMs
Springfield City Government: Municipal Operations During Quarterly Payroll Processing
Organization Profile
- Type: Small city municipal government
- Size: 1,200 employees across 15 departments (250 public safety personnel, 180 public works staff, 120 administrative staff, 650 department and service employees)
- Operations: City administration, police and fire departments, emergency dispatch services, public utilities management (water, power), municipal finance and payroll, public works, community services
- Critical Services: 24/7 emergency services (police, fire, 911 dispatch), utility management systems (water treatment, power distribution), payroll processing for 1,200 employees, public safety records and databases, inter-governmental communication networks
- Technology: Shared municipal network connecting all 15 departments, Windows-based government systems, finance and payroll processing software, police records management system (RMS), 911 dispatch computer-aided dispatch (CAD), utility control systems, inter-governmental network connections to county and state agencies
Springfield City Government is a small municipal government serving 45,000 residents in a mid-sized American city. The city operates essential public services including police, fire, emergency dispatch, utilities, and community programs on a constrained public budget. Current status: Thursday morning, 24 hours before the quarterly payroll processing deadline; the finance department is working to finalize paychecks for 1,200 city employees, many of whom live paycheck-to-paycheck and expect Friday direct deposit.
Key Assets & Impact
What’s At Risk:
- Employee Payroll & Welfare: Quarterly payroll processing for 1,200 city employees expecting Friday paychecks—finance systems encryption prevents direct deposit completion, affecting employees with rent payments, medical bills, and financial obligations dependent on timely government paychecks, triggering employee welfare crisis and union grievances
- Public Safety Infrastructure: Police dispatch CAD system, 911 emergency call handling, criminal records database, fire department communications—ransomware worm spreading through shared municipal network threatens emergency response capabilities affecting 45,000 residents, officer safety without warrant information access, community protection during degraded public safety operations
- Municipal Operations & Government Services: Utility management systems controlling water treatment and power distribution, public works coordination, city administration—worm propagation toward critical infrastructure systems risks community services, inter-governmental communication breakdown, and potential state emergency assistance requirement demonstrating municipal governance failure
Immediate Business Pressure
Thursday morning, 24 hours before quarterly payroll deadline. Springfield City Hall operations in crisis mode. Finance Director Maria Rodriguez arrived early Thursday to finalize payroll for 1,200 employees. Instead of financial spreadsheets, every computer screen in the finance department displays ransom demands—systems encrypted by WannaCry ransomware overnight. Staff were working late Wednesday on payroll reconciliation when systems began failing.
Police Chief Robert Taylor reporting critical public safety impact—dispatch center experiencing 911 call handling failures, criminal records database inaccessible, officers cannot run warrant checks or access suspect information during field operations. Fire department reporting communication system failures affecting emergency response coordination between stations. IT Director William Harrison discovering the worm is spreading autonomously through Springfield’s shared municipal network—all 15 city departments connected without proper segmentation. The worm is exploiting the EternalBlue vulnerability (MS17-010) in unpatched Windows systems throughout city government.
Mayor Diana Foster receiving calls from employee union representatives demanding Friday payroll confirmation, state emergency management agency asking whether Springfield can maintain essential services or needs state assistance, local media preparing stories about “city computers held hostage.” Utility management systems showing infection signs. Friday payroll represents employee welfare obligation—many city workers live paycheck-to-paycheck and depend on timely payment. Political accountability pressure mounting as media reports government cybersecurity failures.
Critical Timeline:
- Current moment (Thursday 9am): WannaCry encrypting systems in real-time, worm spreading autonomously through shared municipal network, Friday payroll deadline in 24 hours
- Stakes: 1,200 employees expecting paychecks, public safety emergency response degraded, municipal operations compromised, state government oversight triggered, media scrutiny of city cybersecurity
- Dependencies: Employees dependent on Friday paychecks for rent and bills, 45,000 residents dependent on police and fire emergency services, inter-governmental networks connecting to county and state agencies at risk, public trust in municipal government capability challenged
Cultural & Organizational Factors
Why This Vulnerability Exists:
- Budget-driven network architecture sacrificed security for efficiency: Springfield designed municipal network for departmental convenience and cost savings—all 15 departments share single network infrastructure to minimize IT expenses. Network segmentation proposals rejected as “too expensive” for small city budget. Finance systems, police records, fire communications, and utility controls all accessible from shared network. Cost-efficiency culture created perfect conditions for worm propagation—single vulnerable system in finance department provides access to entire municipal infrastructure.
- Operational dependencies prevented Windows security patching: IT department aware of EternalBlue vulnerability (MS17-010) and available patches for months. Legacy Windows systems throughout city departments cannot accept immediate patches due to operational dependencies on aging municipal software. Payroll system vendor requires Windows 7 with specific configurations. Police records management system incompatible with current Windows updates. Finance software requires vendor coordination for patch validation. Patching normally requires procurement processes, vendor testing periods, and budget approvals. Delayed patches to maintain operational continuity created widespread vulnerability.
- Small government IT capacity stretched impossibly thin: William Harrison manages IT for the entire city government—1,200 employees, 15 departments, emergency services, utility systems—as an essentially solo IT director with minimal staff. No dedicated cybersecurity personnel, no network security specialists, no 24/7 monitoring. Proposed security improvements postponed due to budget constraints and competing municipal priorities (schools, roads, public safety staffing). IT security becomes “when we have time” during normal municipal operations (which means never during payroll cycles, budget seasons, or emergency response periods).
- Late-night payroll work created minimal-monitoring vulnerability window: Finance staff working late Wednesday on quarterly payroll reconciliation—standard practice during payroll cycles to meet the Friday deadline. The attacker exploited the understanding that municipal government networks have reduced IT security monitoring during evening hours. Late-night payroll preparation created an infection opportunity when security oversight was minimal and IT staff off-duty. By the time of Thursday morning detection, the worm had 12+ hours of autonomous propagation through the unsegmented city network.
Operational Context
How This Municipal Government Actually Works:
Springfield operates under perpetual budget constraints—voter expectations for low taxes create pressure for efficient government spending, making expensive IT security investments politically difficult to justify when competing with visible community needs like police staffing, road repairs, and public programs. City Council budget decisions prioritize direct community services over “invisible” infrastructure like network segmentation. The $15,000 annual IT security budget covers basic antivirus subscriptions and emergency vendor support—nothing remains for network redesign, security monitoring, or dedicated cybersecurity staff. Network architecture reflects 15 years of incremental department additions without security redesign—“just connect new department to existing network” approach created shared infrastructure spanning police, fire, finance, utilities, and administration. The gap between government IT security best practices (network segmentation, 24/7 monitoring, dedicated security staff) and small city budget reality (single IT director, shared networks, delayed patching) created vulnerability that sophisticated ransomware worm exploited during critical payroll processing period.
Key Stakeholders (For IM Facilitation)
- Maria Rodriguez (City Finance Director) - Desperate to complete Friday payroll processing, watching financial systems encrypt in real-time, represents 1,200 employees dependent on timely paychecks
- Chief Robert Taylor (Police Chief) - Police dispatch and records systems affected, concerned about public safety impact and emergency response capability degradation
- William Harrison (IT Director) - Discovering city’s shared network infrastructure enables worm propagation throughout municipal government, overwhelmed by municipal-scale incident response
- Mayor Diana Foster (Mayor) - Fielding calls from employees about paychecks, media about service disruptions, state officials about emergency assistance, represents public accountability and government credibility
Why This Matters
You’re not just responding to ransomware—you’re protecting a community’s essential government services while 1,200 families wait for paychecks that may not arrive. Police dispatchers cannot reliably handle 911 emergency calls while the worm spreads through public safety networks. Finance systems are encrypted 24 hours before payroll deadline—city employees facing rent payments and medical bills depend on Friday paychecks. Utility management systems controlling water treatment and power distribution are at risk. The mayor must decide whether to request state emergency assistance, acknowledging municipal cybersecurity failure. Media is reporting “city computers held hostage.” This is public sector incident response where technical decisions have immediate community impact, political consequences, and demonstrate whether small-city government can protect residents during cybersecurity crisis.
IM Facilitation Notes
- This is government accountability, not just technical response: Players often focus purely on containment—remind them Mayor Foster faces public scrutiny, employee welfare obligations, and potential state intervention. Municipal decisions have democratic accountability and political consequences unlike private sector incidents.
- Budget constraints are authentic municipal reality: Don’t let players dismiss lack of network segmentation or delayed patching as incompetence. Small city governments face voter pressure for low taxes, Council budget priorities favoring visible services over IT infrastructure. $15,000 annual IT security budget is realistic for small municipality—this is systemic public sector cybersecurity challenge.
- Employee payroll is government obligation, not convenience: City workers depend on Friday paychecks for rent, groceries, medical bills. Missing payroll triggers union grievances, employee hardship, and government breach of employment contract. Unlike private sector where payroll delays create inconvenience, government payroll failure is political and legal crisis.
- Public safety impact is community-wide: Degraded 911 dispatch and police records affects 45,000 residents, not just city employees. Emergency response failures during ransomware response create public safety risks. Force players to balance technical containment with community protection.
- WannaCry kill switch is double-edged sword: If players discover the kill switch mechanism, it stops encryption, but infected systems remain throughout municipal infrastructure. Elegant technical solution (register domain) versus comprehensive remediation (patch every city system) creates an interesting decision point about short-term fixes versus long-term security.
Opening Presentation
“It’s Thursday morning at Springfield City Hall, and what started as routine payroll preparation has become a municipal crisis. Finance staff working late Wednesday night began seeing ransom messages on their screens, and by morning, the attack has spread to police dispatch, fire department communications, and utility management systems. With 1,200 city employees expecting paychecks tomorrow and public safety systems affected, this cybersecurity incident has become a city-wide emergency.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Police dispatch center reports intermittent system failures affecting emergency response
- Hour 2: Mayor receives calls from employees asking about paycheck delays
- Hour 3: Fire department loses access to building inspection and safety records
- Hour 4: Local media reports “city computer systems held hostage” affecting public services
Evolution Triggers:
- If public safety systems are compromised, emergency response capabilities become unreliable
- If payroll processing cannot be completed, 1,200 employees miss critical paychecks
- If utility systems are affected, water and power services to citizens are threatened
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency network segmentation protecting critical public safety systems
- Worm propagation contained through strategic network isolation and rapid patching
- Backup systems activated to maintain essential city services during recovery
Business Success Indicators:
- Payroll processing completed through alternative methods ensuring employee payments
- Public safety services maintained throughout cybersecurity incident response
- Municipal operations continue with minimal disruption to citizen services
Learning Success Indicators:
- Team understands worm mechanics and cross-network propagation in shared infrastructure
- Participants recognize public sector cybersecurity challenges and resource constraints
- Group demonstrates coordination between IT security, public safety, and municipal operations
Common IM Facilitation Challenges:
If Public Safety Impact Is Minimized:
“While you’re analyzing the technical details, Chief Park reports that police dispatch is experiencing delays in emergency calls. How do you ensure public safety while containing the cybersecurity threat?”
If Employee Impact Is Ignored:
“Your containment strategy is sound, but Maria just calculated that 1,200 city employees won’t receive paychecks tomorrow if payroll systems aren’t restored. What’s your plan for the human impact?”
If Municipal Complexity Is Overwhelming:
“The Mayor needs a simple answer: can the city continue to provide essential services to citizens, or should emergency protocols be activated?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish municipal payroll crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and public service impact vulnerabilities.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of public sector cybersecurity challenges. Use the full set of NPCs to create realistic municipal operation pressures. The two rounds allow WannaCry to spread toward emergency services, raising stakes. Debrief can explore balance between public safety and security controls.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing payroll deadlines, public safety services, municipal operations, and employee welfare. The three rounds allow for full narrative arc including worm’s municipal-infrastructure-specific propagation and critical service impact.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate municipal system updates causing unrelated service disruptions). Make containment ambiguous, requiring players to justify public-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and public infrastructure security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “Network forensics reveal WannaCry ransomware worm exploiting unpatched Windows SMB vulnerability (MS17-010) in finance department systems. The worm is spreading autonomously through Springfield’s shared municipal network, which connects all 15 city departments including police dispatch, fire communications, and utility management systems without proper segmentation.”
Clue 2 (Minute 10): “File system analysis shows systematic encryption of payroll databases, personnel records, and public safety information. Timeline analysis reveals the attack began Wednesday evening during late-night payroll processing, and the worm has now spread to affect police dispatch systems experiencing intermittent failures during emergency calls.”
Clue 3 (Minute 15): “Network monitoring reveals WannaCry propagating toward fire department communications and utility control systems. Infrastructure assessment shows the city delayed Windows security patches due to budget constraints and operational dependencies, creating widespread vulnerability across critical municipal services and emergency response capabilities.”
Pre-Defined Response Options
Option A: Emergency Network Segmentation & Public Safety Priority
- Action: Immediately implement network segmentation isolating public safety systems (police, fire, emergency services), stop worm propagation through strategic disconnection, prioritize payroll recovery from offline backups, establish alternative communication systems for emergency response.
- Pros: Completely stops worm spread and protects critical public safety infrastructure; enables payroll processing through secure isolated systems.
- Cons: Requires rapid network isolation affecting inter-department communication; some municipal services experience temporary disruption during emergency response.
- Type Effectiveness: Super effective against Worm type malmons like WannaCry; prevents autonomous propagation through network isolation and segmentation.
Option B: Selective System Isolation & Service Continuity Focus
- Action: Quarantine confirmed infected departments, implement enhanced monitoring on public safety networks, maintain essential city services using verified clean systems while accelerating malware removal and payroll recovery.
- Pros: Allows continued municipal operations and public service delivery; protects employee welfare through payroll continuity.
- Cons: Risks continued worm propagation in connected municipal areas; may not fully protect emergency services during selective isolation.
- Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate autonomous spread across interconnected infrastructure.
Option C: Ransom Payment & Rapid Municipal Recovery
- Action: Pay ransomware demand to obtain decryption key, attempt rapid system recovery to restore payroll and public services while implementing long-term security improvements.
- Pros: Potentially fastest path to system recovery for payroll deadline and public service restoration; maintains employee welfare and citizen services.
- Cons: No guarantee decryption will work or complete before Friday; funds criminal enterprise and may violate public spending regulations; doesn’t address underlying worm propagation or systemic security weaknesses.
- Type Effectiveness: Not effective against Worm malmon type; addresses encryption symptom but not worm propagation; ethically and legally problematic for public sector.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Rapid Worm Containment & Public Safety (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Network monitoring systems show unprecedented SMB traffic surge across city government networks. IT Director William Harrison reports, “We’re seeing automated port 445 scanning from infected finance department systems spreading to police, fire, and utility networks - this is autonomous worm propagation across our shared municipal infrastructure.”
- Clue 2 (Minute 10): Security logs reveal successful exploitation of EternalBlue vulnerability (MS17-010) on unpatched Windows systems throughout city departments. The worm spreads without user interaction - every unpatched municipal system is vulnerable.
- Clue 3 (Minute 15): Police Chief Robert Taylor reports critical public safety impact: “Our dispatch center is experiencing system failures affecting 911 emergency response times. Officers in the field cannot access criminal records or warrant information. This is compromising community safety.”
- Clue 4 (Minute 20): Finance Director Maria Rodriguez discovers payroll processing deadline threat: “Our payroll systems are encrypted - 1,200 city employees expecting Friday paychecks. Many live paycheck-to-paycheck. If we cannot restore financial systems, this becomes an employee welfare crisis affecting public services.”
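The port 445 scanning surge in Clues 1 and 2 is what a monitoring tool would actually have to pick out of connection logs. The Python below is an added example and not part of the scenario materials: it reads constructed flow-log lines, flags any host opening TCP/445 to an unusual number of distinct peers within a short window, and reports which department subnets that host reached; the department-to-subnet map, log format and sample records are all assumptions made for this example.

```python
"""Flag WannaCry-style SMB propagation in connection logs.

Added example for the Springfield scenario, not scenario material.
Each log line has the constructed form
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
Subnet map and sample records are assumptions, not scenario data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed department subnets on Springfield's flat shared network.
DEPARTMENT_SUBNETS = {
    "finance": ip_network("10.10.1.0/24"),
    "police": ip_network("10.10.2.0/24"),
    "fire": ip_network("10.10.3.0/24"),
    "utilities": ip_network("10.10.4.0/24"),
    "admin": ip_network("10.10.5.0/24"),
}
SMB_PORT = 445
WINDOW = timedelta(minutes=5)
DISTINCT_TARGET_THRESHOLD = 20  # a workstation rarely talks SMB to 20+ peers in 5 min


def department_of(ip):
    """Map an address to its department subnet name, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in DEPARTMENT_SUBNETS.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def find_smb_scanners(lines, threshold=DISTINCT_TARGET_THRESHOLD, window=WINDOW):
    """Return {src_ip: finding} for sources whose distinct TCP/445 targets inside
    some sliding window reach the threshold. Many clients talking to one file
    server never trigger this; one host sweeping many peers (worm behaviour) does."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["port"] == SMB_PORT:
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span is at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold and (best is None or len(targets) > best[0]):
                best = (len(targets), events[start][0], events[end][0], targets)
        if best is not None:
            count, first, last, targets = best
            findings[src] = {
                "source_department": department_of(src),
                "distinct_targets": count,
                "departments_reached": sorted({department_of(d) for d in targets}),
                "window_start": first,
                "window_end": last,
            }
    return findings


def build_sample_log():
    """Constructed records: one infected finance workstation sweeping TCP/445
    across three department subnets after hours, plus ordinary
    client-to-file-server SMB sessions that must not be flagged."""
    base = datetime(2024, 3, 13, 22, 14, 0)  # constructed Wednesday-evening timestamp
    lines = []
    sweep = ([f"10.10.1.{i}" for i in range(20, 35)]
             + [f"10.10.2.{i}" for i in range(10, 25)]
             + [f"10.10.3.{i}" for i in range(10, 20)])
    for n, dst in enumerate(sweep):  # roughly two connection attempts per second
        ts = base + timedelta(seconds=n // 2)
        lines.append(f"{ts.isoformat()} 10.10.1.17 {dst} 445 SYN")
    for n, src in enumerate(["10.10.2.5", "10.10.3.8", "10.10.5.21", "10.10.1.40"]):
        ts = base + timedelta(minutes=n)
        lines.append(f"{ts.isoformat()} {src} 10.10.5.10 445 SYN")
        lines.append(f"{ts.isoformat()} {src} 10.10.5.10 445 ACK")
    lines.append(f"{base.isoformat()} 10.10.1.17 10.10.5.10 443 SYN")  # non-SMB, ignored
    return lines


if __name__ == "__main__":
    for src, f in find_smb_scanners(build_sample_log()).items():
        print(f"{src} ({f['source_department']}) reached {f['distinct_targets']} SMB peers in "
              f"{', '.join(f['departments_reached'])} between "
              f"{f['window_start']:%H:%M:%S} and {f['window_end']:%H:%M:%S}")
```

On the constructed log only the finance workstation is reported, and the departments it reached show the cross-department spread that a segmented network would have blocked at the subnet boundary.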
Response Options:
- Option A: Emergency Network Segmentation with Public Safety Priority - Immediately segment the city network isolating critical public safety systems (police, fire, emergency dispatch), disconnect non-essential administrative systems, prioritize protection of emergency service infrastructure.
  - Pros: Halts worm propagation to public safety systems; protects emergency response capabilities; enables police and fire departments to continue operations.
  - Cons: Requires rapid network isolation affecting inter-department communication; payroll and administrative functions severely disrupted; creates operational silos across municipal services.
  - Type Effectiveness: Super effective against Worm - prevents autonomous spread to emergency services but creates municipal operational challenges.
- Option B: Deploy Kill Switch with Unified Network Recovery - Register or access the domain found in WannaCry malware code to activate kill switch, halting encryption while maintaining municipal network connectivity for coordinated recovery efforts.
  - Pros: Immediately stops encryption and further spread without network disruption; allows continued inter-department coordination; elegant technical solution enabling municipal operations.
  - Cons: Only effective against this specific WannaCry variant; doesn’t remove existing infections; requires quick execution during multi-department crisis.
  - Type Effectiveness: Highly effective against WannaCry Ransomware specifically; elegant solution for this variant but doesn’t address all worm characteristics.
- Option C: Payroll Priority with Selective Recovery - Focus resources on recovering finance department systems for Friday payroll deadline, implement targeted containment in finance while allowing temporary worm spread in lower-priority administrative areas.
  - Pros: Ensures employee welfare through payroll continuity; addresses immediate municipal obligation to workers; demonstrates employee-first municipal values.
  - Cons: Worm continues propagating toward public safety systems; may compromise emergency services; prioritizes employee payments over community safety.
  - Type Effectiveness: Partially effective - addresses employee impact but allows continued worm propagation threatening critical municipal services.
Round 2: Municipal Recovery & Government Accountability (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (segmentation) was chosen: Fire Chief reports communication breakdown between fire department and dispatch affecting emergency response coordination. “We need integrated systems for effective emergency management - but safely.”
- Clue 5 (Minute 30): If Option B (kill switch) was chosen: While encryption has stopped, infected systems throughout city government still contain the worm and will reactivate if kill switch domain becomes unavailable. Comprehensive patching across all departments still required.
- Clue 5 (Minute 30): If Option C (payroll focus) was chosen: The worm has now spread to utility management systems controlling water treatment and power distribution. Public infrastructure services are at risk affecting entire community.
- Clue 6 (Minute 40): Mayor Diana Foster receives inquiries from state government about municipal operational capability and cybersecurity incident management. “The state emergency management agency is asking whether Springfield can maintain essential services or needs state assistance. This is a public accountability issue.”
- Clue 7 (Minute 50): IT assessment reveals that city backup systems were not properly isolated due to budget constraints, and some backup data may also be encrypted. Recovery strategy must account for potential backup compromise while meeting Friday payroll deadline.
- Clue 8 (Minute 55): Local media has learned about the ransomware attack and is preparing stories about city government cybersecurity failures affecting employee paychecks and public safety. Communications strategy needed to maintain public trust and employee confidence.
Response Options:
- Option A: Comprehensive Government Emergency Response - Activate city emergency operations center, request state government cybersecurity assistance, implement full network remediation across all departments, establish interim manual procedures for payroll and public safety operations.
  - Pros: Full municipal incident response with proper government coordination; ensures public safety through state-level support; demonstrates responsible public sector security practices.
  - Cons: Major operational disruption requiring emergency protocols; public disclosure of municipal security failures; potential political consequences for city leadership.
  - Type Effectiveness: Super effective for Government Worm Incidents - comprehensive response ensuring public safety and maintaining government accountability.
- Option B: Staged Municipal Recovery with Service Continuity - Maintain essential public services using manual procedures, implement phased network restoration prioritizing emergency services, then payroll, then administrative functions, coordinate vendor support for comprehensive municipal patching.
  - Pros: Balances public service continuity with security recovery; minimizes community impact through manual backup procedures; targeted approach to complex multi-department challenges.
  - Cons: Extended recovery timeline affecting multiple municipal functions; staff burden from manual procedures during payroll crisis; potential service quality impacts.
  - Type Effectiveness: Moderately effective - maintains public services while enabling gradual secure municipal recovery.
- Option C: Accelerated Patch Deployment with Accepted Risk - Immediately deploy MS17-010 (EternalBlue) patches to all city systems regardless of testing requirements, accept short-term operational risks to prevent continued worm spread, implement enhanced monitoring for system stability issues.
  - Pros: Fastest path to closing vulnerability across all municipal departments; demonstrates decisive security action; minimizes worm propagation window.
  - Cons: May cause system stability issues in critical public safety infrastructure; potential service disruptions from unvalidated patching; risk to emergency response capabilities.
  - Type Effectiveness: Effective against Worm propagation but creates significant municipal operational and public safety risks.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether Springfield City faces network isolation challenges (segmentation approach), kill switch dependency concerns (domain-based solution), or continued worm propagation threats (selective approach). Regardless of choice, the situation evolves when Mayor Foster receives state government inquiries about municipal operational capability and whether Springfield requires emergency assistance. The incident has attracted media attention, creating public accountability pressure regarding employee paychecks and public safety services. IT assessment reveals that budget constraints led to inadequate backup isolation, complicating recovery strategies. The team discovers that this is not just a technical incident but a test of municipal government’s ability to protect employees, serve citizens, maintain public safety, and demonstrate responsible stewardship of public resources - all while containing a rapidly spreading worm across interconnected city infrastructure with Friday’s payroll deadline approaching.
Debrief Focus:
- Recognition of worm propagation mechanics across shared municipal infrastructure
- Balance between employee welfare, public safety, and community service obligations
- Government-specific challenges including budget constraints, public accountability, and multi-department coordination
- Kill switch discovery and deployment as emergency response technique for municipal environments
- Importance of network segmentation and backup isolation in public sector IT architecture
Full Game Materials (120-140 min, 3 rounds)
Round 1: Initial Municipal Crisis & Emergency Coordination (35-40 min)
Opening Scenario:
It’s Thursday morning at Springfield City Hall, exactly 24 hours before the city’s quarterly payroll processing deadline. Finance Director Maria Rodriguez arrived early to finalize payroll for 1,200 city employees, but instead of spreadsheets, she’s staring at ransom demands covering every computer screen in her department.
“This started last night,” Maria explains to IT Director William Harrison as he rushes into the finance office. “My team was working late on payroll reconciliation when systems began failing. Now I cannot access any financial data, and employees expect paychecks tomorrow.”
Before William can respond, Police Chief Robert Taylor arrives with urgent news. “Our dispatch center is experiencing system failures affecting 911 emergency response. Criminal records database is down. Officers cannot run warrant checks. How widespread is this attack?”
Mayor Diana Foster calls an emergency meeting. “I need to understand what we’re dealing with. We have employees expecting paychecks, police operations affected, and I’m getting calls from fire department, utilities, and every city department. What is happening to our municipal infrastructure?”
Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.
Investigation Discoveries (based on role and approach):
Detective-focused investigations:
- Network forensics reveal WannaCry ransomware worm exploiting EternalBlue vulnerability (MS17-010) in unpatched Windows systems throughout city government
- File analysis shows systematic encryption of payroll data, personnel records, public safety databases, and municipal operational systems
- Timeline reconstruction indicates initial infection in finance department Wednesday evening, followed by rapid autonomous propagation through shared city network
- Malware analysis discovers that the sample checks an embedded kill switch domain before doing anything else: if an HTTP request to that domain succeeds, the sample exits without encrypting or spreading. Making the domain resolve and answer from inside the city network would stop newly infected hosts from detonating; it would not decrypt anything or stop a machine that is already encrypting
Protector-focused investigations:
- Real-time monitoring shows worm spreading faster than containment efforts - dozens of city systems infected per hour across all departments
- Critical system assessment reveals police dispatch, fire communications, and utility management systems at imminent risk
- Network architecture review shows inadequate segmentation between departments due to budget constraints and operational convenience
- Backup integrity assessment discovers some municipal backup systems may already be compromised: backup targets are network shares mounted on infected workstations, so they are encrypted like any other reachable file, and the worm also deletes local shadow copies on each host it infects
Tracker-focused investigations:
- Traffic analysis reveals automated SMB exploitation attempts on TCP 445 against every reachable host, creating a network storm that degrades municipal government connectivity
- Propagation mapping shows worm moving systematically from finance toward public safety systems and utility control infrastructure
- External communication analysis indicates potential spread to county government and state agency networks through inter-governmental connections
- Network topology assessment reveals legacy Windows systems throughout city departments cannot be easily patched due to operational dependencies
Communicator-focused investigations:
- Finance staff interviews reveal Wednesday late-night payroll work created infection opportunity when security monitoring was minimal
- Police and fire department staff describe increasing operational impact on emergency response capabilities and public safety
- IT staff explain budget constraints forced network design compromises, delayed security patching, and inadequate departmental segmentation
- Mayor’s office reveals political pressure regarding employee paychecks, media scrutiny of municipal cybersecurity, and state government oversight concerns
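The Detective and Tracker discoveries above (timeline reconstruction, propagation mapping, spread over the inter-governmental link) come from the same kind of evidence: flow records showing who opened TCP/445 to whom. The following is an added example for this exercise, not code from the original scenario or from any vendor tool. The log format, addresses, subnets and timestamps are constructed; the logic is generic: a host that opens TCP/445 to many distinct peers within a short window is sweeping for the SMB vulnerability, the earliest such burst is the patient-zero candidate, and TCP/445 flows leaving the city's own address space are the inter-governmental spread to chase.

```python
"""Flow-log triage for an SMB worm outbreak (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed assumption: everything the city owns lives in 10.10.0.0/16;
# the county link (10.200.0.0/16 below) is outside it.
CITY_NETS = [ip_network("10.10.0.0/16")]


def constructed_flow_log():
    """Build a 'timestamp src dst dport proto' log for the Wednesday-night outbreak."""
    wed = datetime(2017, 5, 17)
    lines = []

    def add(ts, src, dst, dport, proto="tcp"):
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} {src} {dst} {dport} {proto}")

    def sweep(start, src, prefix):
        # One host touching the first 40 addresses of its /24 on TCP/445, one per second
        for i in range(1, 41):
            dst = f"{prefix}.{i}"
            if dst != src:
                add(start + timedelta(seconds=i), src, dst, 445)

    # Benign SMB and HTTPS use: two finance workstations and the department file server
    for m in range(5):
        add(wed + timedelta(hours=21, minutes=m), "10.10.5.50", "10.10.5.200", 445)
        add(wed + timedelta(hours=21, minutes=m), "10.10.5.51", "10.10.5.200", 443)
    # A finance workstation sweeps its own subnet late Wednesday evening...
    sweep(wed + timedelta(hours=22, minutes=41), "10.10.5.17", "10.10.5")
    # ...then reaches a police records host on another subnet...
    add(wed + timedelta(hours=22, minutes=58), "10.10.5.17", "10.10.20.5", 445)
    # ...which sweeps the police subnet and probes the county link
    sweep(wed + timedelta(hours=23, minutes=10), "10.10.20.5", "10.10.20")
    add(wed + timedelta(hours=23, minutes=10, seconds=45), "10.10.20.5", "10.200.3.4", 445)
    return "\n".join(lines)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def find_scanners(flows, threshold=20, window_seconds=60):
    """Map each source that hit >= threshold distinct peers on TCP/445 inside one
    sliding window to the start time of its first such burst."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445 and f["proto"] == "tcp":
            by_src[f["src"]].append((f["ts"], f["dst"]))
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits inside the current window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:  # evict events older than the window
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                bursts[src] = events[left][0]
                break
    return bursts


def patient_zero(bursts):
    """Earliest sweeping host; timeline reconstruction starts there."""
    return min(bursts, key=bursts.get) if bursts else None


def boundary_crossings(flows, city_nets=CITY_NETS):
    """TCP/445 flows from the city into address space it does not own."""
    crossings = []
    for f in flows:
        if f["dport"] == 445 and f["proto"] == "tcp":
            if not any(ip_address(f["dst"]) in net for net in city_nets):
                crossings.append((f["src"], f["dst"]))
    return crossings


if __name__ == "__main__":
    flows = parse_flows(constructed_flow_log())
    bursts = find_scanners(flows)
    for src, start in sorted(bursts.items(), key=lambda kv: kv[1]):
        print(f"{start:%H:%M:%S} {src} began sweeping TCP/445")
    print("patient-zero candidate:", patient_zero(bursts))
    for src, dst in boundary_crossings(flows):
        print(f"left city address space: {src} -> {dst}")
```

The threshold and window are tuning knobs: a legitimate file server or vulnerability scanner also opens many TCP/445 sessions, so in a real network the output is a list of hosts to check, ordered by first burst, rather than a verdict. Run on real exports, the same parser only needs the column order adjusted.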
NPC Interactions:
- Maria Rodriguez (Finance Director): Focuses desperately on payroll deadline. “1,200 city employees are expecting paychecks tomorrow - many live paycheck-to-paycheck and depend on this income. If the city fails to pay employees on time, we face employee welfare crisis and potential union grievances.”
- Chief Robert Taylor (Police Chief): Concerned about public safety impact. “My dispatch center cannot reliably handle 911 calls. Officers lack access to criminal records and warrant information. Community safety is being compromised by this cybersecurity incident.”
- William Harrison (IT Director): Overwhelmed by municipal scope. “The worm is spreading through our shared city network faster than we can isolate it. Budget constraints meant we couldn’t implement proper network segmentation between departments. Now every city system is vulnerable.”
- Mayor Diana Foster (Mayor): Managing political and public accountability. “I need clear answers: Can the city continue to function? Will employees receive paychecks? Are public safety services reliable? State government is asking whether Springfield needs emergency assistance. This is a municipal governance crisis.”
Pressure Events:
- Minute 10: Fire department reports communication system failures affecting emergency response coordination between stations
- Minute 20: Employee union representative calls Mayor demanding confirmation about Friday payroll processing
- Minute 30: Utility management reports water treatment facility systems showing worm infection signs
- Minute 35: Local media calls city communications office asking about “ransomware attack affecting government operations”
Round 1 Response Strategy:
Teams must develop an initial response balancing immediate worm containment with municipal service continuity. Options might include emergency network segmentation, kill switch deployment (pointing internal DNS for the domain at a city-controlled web server that answers the check, because infected hosts cannot be assumed to reach the internet and the sample's check does not use proxy settings), selective departmental isolation, or prioritizing specific city functions. The team must decide whether to recommend state emergency assistance or attempt municipal-level incident response.
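The kill switch deployment option above has two halves: an internal DNS override that resolves the domain to a host the city controls (done in the city's DNS server, not shown), and a listener on that host that answers every request with 200. The listener below is an added example for this exercise, not code from the original scenario or from any published WannaCry tooling. It assumes the documented behaviour of the 2017 sample: before encrypting or scanning it issues a plain HTTP GET to its hard-coded domain and exits if the request succeeds. That makes the listener double as an inventory: every client that calls it is a host on which the sample just executed. The port and the subnet-to-department mapping are assumptions for the example.

```python
"""Internal kill-switch sinkhole that records every caller (added example)."""
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address, ip_network

# Constructed mapping used to turn raw hits into a per-department picture.
DEPARTMENT_NETS = {
    "finance": ip_network("10.10.5.0/24"),
    "police": ip_network("10.10.20.0/24"),
    "fire": ip_network("10.10.30.0/24"),
    "utilities": ip_network("10.10.40.0/24"),
}


def department_for(ip):
    addr = ip_address(ip)
    for name, net in DEPARTMENT_NETS.items():
        if addr in net:
            return name
    return "unmapped"


class HitRegistry:
    """Thread-safe record of which hosts performed the kill-switch check."""

    def __init__(self):
        self._lock = threading.Lock()
        self._hits = {}  # ip -> {"first": dt, "last": dt, "count": n}

    def record(self, client_ip, when=None):
        """Register one check from client_ip; returns how many times it has called."""
        when = when or datetime.now(timezone.utc)
        with self._lock:
            entry = self._hits.setdefault(client_ip, {"first": when, "last": when, "count": 0})
            entry["count"] += 1
            entry["first"] = min(entry["first"], when)
            entry["last"] = max(entry["last"], when)
            return entry["count"]

    def by_department(self):
        """Sorted list of calling hosts per department, plus any address not mapped."""
        summary = {name: [] for name in DEPARTMENT_NETS}
        summary["unmapped"] = []
        with self._lock:
            for ip in self._hits:
                summary[department_for(ip)].append(ip)
        return {dept: sorted(ips) for dept, ips in summary.items()}


REGISTRY = HitRegistry()


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answer anything with 200 so the sample's check succeeds and it exits."""

    def do_GET(self):
        ip = self.client_address[0]
        count = REGISTRY.record(ip)
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        # First sight of a host is the actionable event; repeats mean the sample
        # is being re-run or re-dropped on that machine.
        if count == 1:
            print(f"{datetime.now(timezone.utc):%H:%M:%S} new infected host {ip} ({department_for(ip)})")

    def log_message(self, *args):
        pass  # keep the console for the new-host lines only


def serve(bind="0.0.0.0", port=80):
    HTTPServer((bind, port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Two caveats matter in the segmented network Round 2 describes: every isolation rule must still allow TCP/80 from each department to the sinkhole address, otherwise the check fails there and the sample detonates exactly as if the kill switch did not exist; and a hit proves execution, not encryption, so hosts listed by the registry still need to be isolated and inspected, not assumed clean.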
Facilitation Questions:
- “How do you balance stopping worm propagation with maintaining critical public safety and municipal services?”
- “What is your recommendation to Mayor Foster about city operational capability and state assistance?”
- “How do you address the Friday payroll deadline while the worm is actively spreading through city infrastructure?”
Victory Conditions:
- Worm propagation contained before reaching all critical municipal systems
- Public safety services maintained throughout incident response
- Clear communication established with city leadership about operational status and employee payroll
Round 2: Public Safety Infrastructure & Government Coordination (35-40 min)
Opening Scenario:
The team’s Round 1 response has created a new municipal reality. If they chose network segmentation, city departments are now isolated from each other, creating inter-governmental coordination challenges. If they deployed the kill switch, newly infected hosts now exit without encrypting or spreading, but hosts that detonated earlier keep encrypting and scanning until they are isolated, and nothing already encrypted is recovered. If they chose selective isolation, the worm continues spreading toward utility management systems.
Mayor Foster convenes an emergency operations meeting. “State emergency management agency has contacted me about whether Springfield can maintain essential services or needs state-level assistance. We need to address payroll, public safety, utilities, and government accountability simultaneously. What is our comprehensive municipal response strategy?”
Investigation Clues:
- Clue 1 (Minute 45): Analysis reveals that many city systems cannot accept immediate Windows patches due to operational dependencies on legacy software used for municipal functions. “We need vendor coordination for critical government applications - that normally requires procurement processes and testing periods.”
- Clue 2 (Minute 50): Police Chief Taylor reports that even with containment efforts, criminal records database is unusable and 911 dispatch reliability is questionable. “We’re operating emergency services with significantly degraded capabilities affecting community safety.”
- Clue 3 (Minute 55): Finance department discovers that payroll processing requires multiple interconnected systems currently isolated or encrypted. “We need finance, HR, banking integration, and employee verification systems all working together to complete Friday payroll.”
- Clue 4 (Minute 60): Fire Chief contacts emergency operations center reporting that building inspection records and fire safety data are inaccessible. “We cannot verify building occupancy limits or fire suppression system status - this creates liability and public safety risks.”
NPC Interactions:
- Maria Rodriguez: Calculating payroll alternatives. “We could process emergency partial payments using manual procedures, but that requires bank coordination, council approval, and significant staff overtime. It addresses immediate employee needs but creates accounting complexity.”
- Chief Robert Taylor: Assessing public safety capabilities. “We can maintain emergency response using manual dispatch procedures and paper-based records, but response times will be slower and officer safety potentially compromised without real-time information access.”
- William Harrison: Planning technical recovery. “Comprehensive remediation requires patching every city system, rebuilding compromised servers, and implementing proper network segmentation - that’s weeks of work. We need to decide between quick operational fixes or thorough security recovery.”
- Mayor Diana Foster: Managing government accountability. “The City Council wants answers. State government is offering assistance but that means acknowledging we cannot handle this independently. Media is reporting on municipal cybersecurity failures. Public trust in city government is at stake.”
Pressure Events:
- Minute 70: Utility management reports water treatment facility control systems may be affected, requiring manual oversight of critical infrastructure
- Minute 80: State cybersecurity officials arrive offering resources but requiring incident command authority transfer
- Minute 85: Employee union holds emergency meeting and threatens grievance action if Friday payroll is missed
- Minute 90: County government contacts city asking whether inter-governmental network connections should be severed to prevent worm spread
Round 2 Response Strategy:
Teams must develop comprehensive municipal recovery strategy addressing technical remediation, public safety continuity, employee welfare, government coordination, and public accountability. The response should balance immediate operational needs with long-term infrastructure security.
Facilitation Questions:
- “How do you coordinate recovery across multiple city departments with competing priorities and dependencies?”
- “What is your recommendation to Mayor Foster about accepting state assistance versus municipal-led incident response?”
- “How do you ensure public safety and employee welfare while implementing comprehensive security remediation?”
Victory Conditions:
- Comprehensive municipal response strategy balancing all stakeholder needs
- Clear governance structure for incident management and inter-governmental coordination
- Path forward addressing immediate operational needs and long-term municipal security
Round 3: Municipal Recovery & Government Resilience (35-40 min)
Opening Scenario:
The incident has evolved from immediate crisis into complex municipal recovery operation. The team’s previous responses have shaped the current situation, but now they must address fundamental questions about government infrastructure resilience, public accountability, and long-term municipal cybersecurity.
Mayor Foster addresses the team directly. “We need to make decisions that affect Springfield’s future. How do we restore operations? How do we prevent this from happening again? How do we maintain public trust? And how do we do all of this with the budget constraints of a small city government?”
Investigation Clues:
- Clue 1 (Minute 100): Comprehensive assessment reveals the worm exploited systemic municipal IT weaknesses: shared networks for budget efficiency, delayed patching for operational continuity, inadequate backup isolation due to resource constraints, and minimal cybersecurity staffing.
- Clue 2 (Minute 110): Financial analysis shows that proper municipal network segmentation, comprehensive security monitoring, and adequate IT security staffing would require significant budget increases that must be approved by City Council and potentially voters.
- Clue 3 (Minute 115): Review of government best practices reveals that many municipalities face similar cybersecurity challenges balancing security investments with limited public budgets and competing community needs (schools, public safety, infrastructure).
- Clue 4 (Minute 120): State government officials indicate that accepting state cybersecurity assistance creates ongoing oversight requirements and may influence municipal IT governance autonomy.
NPC Interactions:
- Maria Rodriguez: Analyzing budget implications. “Implementing proper security infrastructure could cost hundreds of thousands of dollars annually - money that could fund community programs, public safety positions, or infrastructure maintenance. How do we justify cybersecurity investments to taxpayers?”
- Chief Robert Taylor: Considering operational changes. “Public safety requires reliable IT systems, but my department budget is already stretched. If IT security needs more resources, where do those come from without reducing police, fire, or emergency services?”
- William Harrison: Planning IT transformation. “I can design a resilient municipal network architecture, but implementation requires funding, staff, and operational changes across all city departments. This is a multi-year transformation project requiring sustained political and budgetary commitment.”
- Mayor Diana Foster: Weighing governance decisions. “The City Council will ask why this happened, what we’re doing to prevent recurrence, and what it will cost. I need to balance cybersecurity improvements with community expectations for efficient government and low taxes. This is ultimately a public policy decision.”
Pressure Events:
- Minute 125: City Council schedules emergency meeting demanding answers about incident cause, response effectiveness, and prevention strategy
- Minute 130: Local media publishes story about municipal cybersecurity failures and employee paycheck delays
- Minute 135: State auditor indicates potential review of municipal IT security practices and governance
- Minute 138: Community groups begin attending public meetings asking questions about government data protection and service reliability
Round 3 Response Strategy:
Teams must develop recommendations addressing not just technical recovery but broader questions of municipal governance, public resource allocation, government accountability, and sustainable cybersecurity for resource-constrained local government.
Facilitation Questions:
- “How do you recommend Springfield balance cybersecurity investments with other community needs in limited public budgets?”
- “What governance changes would prevent similar incidents while respecting municipal autonomy and democratic accountability?”
- “How should small city governments approach cybersecurity given resource constraints and complex operational requirements?”
Victory Conditions:
- Comprehensive recovery plan restoring all municipal services securely
- Sustainable cybersecurity strategy appropriate for municipal budget and governance realities
- Clear communication to public and government stakeholders about incident response and prevention
- Recommendations addressing systemic municipal cybersecurity challenges beyond immediate technical fixes
Debrief Focus:
- Technical understanding of worm propagation across interconnected government infrastructure
- Recognition of municipal cybersecurity’s unique challenges: public budgets, democratic accountability, competing community needs
- Balance between immediate incident response and long-term government resilience
- Coordination between IT security, public safety, employee welfare, and citizen services
- Government-specific considerations in cybersecurity decision-making and resource allocation
Advanced Challenge Materials (150-170 min)
Additional Complexity Elements:
Red Herrings & Misdirection
- Unrelated Service Disruption: City’s internet service provider is experiencing coincidental outages in some municipal buildings, creating confusion about whether network connectivity issues are attack-related or external infrastructure problems.
- Legitimate System Updates: IT department had scheduled routine software updates for several city systems this week, making it harder to distinguish between planned changes and worm-related system modifications.
- Employee Concerns: Some city employees are calling about missing files and slow systems that are actually unrelated to the attack but create noise in the incident investigation.
- Political Distraction: City Council members are calling with questions and concerns that pull leadership attention away from technical incident response.
Removed Resources & Constraints
- No External Threat Intelligence: Remove access to pre-existing WannaCry knowledge - team must deduce worm behavior, kill switch mechanism, and EternalBlue vulnerability details from investigation alone.
- Limited Technical Expertise: IT Director Harrison is relatively inexperienced with sophisticated malware incidents - team cannot rely on NPC technical guidance.
- Budget Constraints: Mayor Foster makes clear that emergency expenditures require City Council approval - expensive solutions (security vendors, emergency staffing, state assistance) have political and budgetary barriers.
- Backup Uncertainty: Complete uncertainty about backup integrity due to inadequate testing and documentation of municipal backup procedures.
Enhanced Pressure & Consequences
- Employee Financial Hardship: Specific stories of city employees facing rent payments, medical bills, or other financial obligations dependent on Friday paycheck - personalizes the payroll deadline pressure.
- Public Safety Incident: During the scenario, a significant emergency occurs (major traffic accident, structure fire, serious crime) that tests degraded emergency response capabilities and creates real-time consequence demonstration.
- Media Escalation: Local media coverage intensifies with each round, creating public accountability pressure and political consequences for city leadership.
- State Intervention Threat: State government becomes increasingly insistent about either accepting state assistance or demonstrating municipal competence - creates authority and autonomy pressure.
Ethical Dilemmas
- Resource Allocation: Should the city prioritize employee paychecks (welfare) or public safety systems (community protection) when resources cannot address both simultaneously?
- Risk Acceptance: Is it acceptable to deploy unvalidated security patches if there’s a risk of breaking critical municipal systems?
- Public Disclosure: Should the city immediately disclose the extent of the attack to the public and media, or manage communications to prevent panic while recovery is underway?
- State Assistance: Should Springfield accept state government help acknowledging municipal limitations, or attempt independent response to preserve city autonomy and demonstrate competence?
Advanced Investigation Challenges
- Multi-Variant Complexity: Investigation reveals evidence suggesting multiple ransomware variants may be present, creating uncertainty about whether all infections are WannaCry or if additional threats exist.
- Attribution Confusion: Some forensic evidence suggests potential insider involvement due to late-night finance department infection timing - team must distinguish between exploitation of opportunity versus malicious employee scenario.
- Inter-Governmental Spread: Evidence emerges that the worm may have spread through network connections to county government, state agencies, or other municipalities - expanding scope beyond Springfield city limits.
- Supply Chain Questions: Some municipal software vendors report similar infections in other client cities, raising questions about potential supply chain compromise versus coincidental targeting.
Complex Recovery Scenarios
- Backup Complications: Backup restoration reveals data integrity issues requiring decisions about accepting potentially corrupted data versus extending recovery timeline.
- Vendor Dependencies: Critical municipal systems require vendor support for recovery, but vendors are overwhelmed with similar incidents nationwide creating availability and timeline challenges.
- Regulatory Requirements: Municipal financial systems must meet specific audit and compliance requirements creating constraints on recovery procedures and timeline.
- Infrastructure Interdependencies: Recovery of one city system requires other systems to be functional first, creating complex dependency mapping and sequencing challenges.
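Both the payroll dependency chain in Round 2 (finance, HR, banking integration and employee verification all needed together) and the Infrastructure Interdependencies element above reduce to one planning problem: given what depends on what, in which order do you restore, how long until a given service is back, and which circular dependencies make any order impossible until someone breaks them by hand. The code below is an added example for this exercise; the system names, dependencies, priority tiers and restore durations are constructed, not taken from the scenario text or from any real municipality. It uses a topological sort (Kahn's algorithm) that pulls lower-tier systems forward among whatever is ready, and computes an earliest-finish estimate assuming each restore starts as soon as its dependencies are up.

```python
"""Restoration sequencing with dependencies, priorities and time estimates (added example)."""
import heapq

# Constructed: name -> (dependencies, tier, restore hours).
# Tier 0 = foundation, 1 = public safety, 2 = payroll chain; lower tier restores first when ready.
SYSTEMS = {
    "domain_controller": ([], 0, 6),
    "dns": (["domain_controller"], 0, 1),
    "cad_dispatch": (["domain_controller", "dns"], 1, 4),
    "police_rms": (["domain_controller", "dns"], 1, 5),
    "fire_inspection_records": (["domain_controller"], 1, 2),
    "hr_system": (["domain_controller"], 2, 4),
    "employee_verification": (["hr_system"], 2, 2),
    "bank_integration": (["domain_controller", "dns"], 2, 3),
    "payroll": (["hr_system", "employee_verification", "bank_integration"], 2, 3),
}


def restoration_plan(systems):
    """Return (order, finish_hours, blocked).

    order:        restore sequence that respects every dependency, lower tier first among ready systems
    finish_hours: earliest completion per system if each restore starts when its dependencies are up
    blocked:      systems that never become ready because they sit on or behind a dependency cycle
    """
    indegree = {name: 0 for name in systems}
    dependents = {name: [] for name in systems}
    for name, (deps, _tier, _hours) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise KeyError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [(tier, name) for name, (deps, tier, _h) in systems.items() if not deps]
    heapq.heapify(ready)
    order, finish = [], {}
    while ready:
        _tier, name = heapq.heappop(ready)
        deps, _t, hours = systems[name]
        finish[name] = max((finish[d] for d in deps), default=0) + hours
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (systems[child][1], child))

    blocked = sorted(name for name, remaining in indegree.items() if remaining > 0)
    return order, finish, blocked


def meets_deadline(finish_hours, system, deadline_hours):
    """True if the system's earliest finish lands inside the deadline (False if it is blocked)."""
    return system in finish_hours and finish_hours[system] <= deadline_hours


if __name__ == "__main__":
    order, finish, blocked = restoration_plan(SYSTEMS)
    for name in order:
        print(f"{finish[name]:>3}h  {name}")
    print("payroll inside the 24-hour window:", meets_deadline(finish, "payroll", 24))
    print("blocked by cycles:", blocked or "none")
```

The finish estimate is optimistic by design: it assumes unlimited parallel hands, so it is a lower bound that tells the team whether a deadline is even reachable before staffing is considered. A non-empty blocked list is the actionable output; each cycle it exposes (a backup server that needs the domain controller, which can only be rebuilt from that backup server) has to be broken with an out-of-band step such as a local account or offline media before sequencing can proceed.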
Advanced Debrief Topics
- Municipal Governance & Cybersecurity: How should democratic local government balance cybersecurity investments with other community needs and voter expectations?
- Public Sector Constraints: What unique challenges do government organizations face in cybersecurity compared to private sector organizations with similar infrastructure?
- Resource-Constrained Security: How can small organizations with limited budgets approach cybersecurity realistically and sustainably?
- Public Accountability: How should government organizations communicate about cybersecurity incidents balancing transparency with operational security?
- Ethical Priorities: What framework should guide decisions when security, employee welfare, public safety, and community services create competing demands?
Advanced Challenge Debrief Questions:
- “How did budget constraints and political considerations affect your incident response decision-making?”
- “What different approaches might private sector versus public sector organizations take to similar ransomware worm incidents?”
- “How do you balance democratic accountability and public transparency with effective incident response?”
- “What systemic changes would make municipal governments more resilient to cybersecurity threats while respecting budgetary and governance realities?”