WannaCry Scenario: Municipality Payroll Crisis

WannaCry Scenario: Municipality Payroll Crisis

London Borough of Greenford: UK local council, 250,000 residents, 3,000 employees
Municipal Ransomware Disruption • WannaCry
STAKES
Employee payroll continuity + Public safety operations + Municipal service reliability
HOOK
London Borough of Greenford is less than 24 hours from payroll transmission when HR and finance screens begin showing ransom notes, shared folders lock, and time-tracking files become unreadable. Help-desk calls spike from multiple council departments, and IT monitoring shows encryption spreading across municipal administrative systems tied to payroll processing.
PRESSURE
  • Payroll transmission deadline is 17:00 Thursday
  • Missed pay for 3,000 employees can disrupt essential municipal services
FRONT • 120 minutes • Intermediate
London Borough of Greenford: UK local council, 250,000 residents, 3,000 employees
Municipal Ransomware Disruption • WannaCry
NPCs
  • Councillor James Forsyth (Council Leader): Managing political pressure over delayed wages and service continuity
  • Priya Sharma (IT Director): Coordinating containment while payroll systems continue to lock
  • Eleanor Davies (Payroll and Finance Lead): Responsible for transmitting GBP 12M before bank cut-off
  • Michael Thornton (Police Operations Lead): Tracking workforce morale risk if salary payments fail
  • Amara Okonkwo (Fire Service Lead): Escalating continuity concerns for emergency staffing
  • Gareth Bowen (CISO): Advising on containment, restoration, and reporting obligations
SECRETS
  • Legacy administrative endpoints missed critical SMB security updates
  • Payroll workflows depend on shared file services with weak segmentation
  • Offline recovery runbooks exist but have not been fully rehearsed with finance and HR teams

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

WannaCry Municipality Payroll Crisis Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

WannaCry Municipality Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Payroll management systems display ransom notes instead of employee records”
  • “Finance teams cannot export time-tracking and withholding data”
  • “HR shared folders are being encrypted and becoming read-only”
  • “New administrative departments report lockouts every few minutes”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal rapid lateral movement through SMB across municipal administrative subnets
  • File analysis confirms targeted encryption of payroll databases, tax withholding files, and timesheet exports
  • Event timeline traces the first confirmed encryption event to a legacy workstation in the HR workflow

Protector System Analysis:

  • Real-time monitoring shows continuing spread from finance systems toward adjacent administrative networks
  • Integrity checks reveal weak segmentation between payroll infrastructure and other council business systems
  • Recovery readiness review shows backup procedures exist but restoration sequencing is incomplete

Tracker Network Investigation:

  • Traffic analysis shows repeated SMB scanning and propagation behavior across shared municipal file services
  • Propagation mapping highlights risk paths toward emergency-support administration and utilities back-office systems
  • External telemetry confirms no reliable evidence yet that encrypted payroll data can be recovered without restoration

Communicator Stakeholder Interviews:

  • Payroll leadership confirms the banking transmission cut-off is non-negotiable and missing it creates immediate labor escalation
  • IT leadership confirms legacy patch debt and insufficient segmentation amplified spread speed
  • Public safety leaders emphasize that salary uncertainty can quickly affect staffing confidence for critical services

Mid-Scenario Pressure Points:

  • Hour 1: Union representatives request written confirmation that payroll will still process on time
  • Hour 2: Finance confirms direct-deposit files must be transmitted by 17:00 to hit Friday distribution
  • Hour 3: Administrative support systems for emergency services begin showing lock-screen activity
  • Hour 4: Local media reports municipal payroll disruption and requests an official briefing

Evolution Triggers:

  • If containment is delayed, encryption spreads into additional municipal administrative functions
  • If restoration sequencing is unclear, payroll transmission misses bank cut-off despite partial containment
  • If communications are weak, labor and public confidence deteriorate faster than technical recovery progresses

Resolution Pathways:

Technical Success Indicators:

  • Team contains propagation with decisive segmentation and host isolation
  • Recovery order prioritizes payroll and finance data integrity before broader restoration
  • Backup validation confirms clean restore points for critical compensation workflows

Business Success Indicators:

  • Payroll disbursement occurs on schedule with minimal disruption to municipal service staffing
  • Emergency-support operations remain stable while administrative recovery proceeds
  • Leadership communication reduces rumor-driven escalation across workforce and public channels

Learning Success Indicators:

  • Team explains why autonomous SMB propagation punishes patch debt in local government environments
  • Participants demonstrate risk-based prioritization under hard operational deadlines
  • Group integrates incident response, labor communication, and essential-service continuity planning

Common IM Facilitation Challenges:

If Payroll Deadline Pressure Is Underestimated:

“Your technical containment is improving, but finance confirms the transmission cut-off is 17:00 today. What must happen in the next 30 minutes to protect payroll delivery?”

If Public Safety Risk Is Ignored:

“While the team focuses on finance, emergency-service administrators report lock screens on support systems. How are you preventing this from affecting critical operations staffing?”

If Executive Communication Is Weak:

“The council leader needs a statement now for employees and residents. What can you say confidently, and what remains uncertain?”

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Fast containment and payroll deadline prioritization
Simplified Elements: Guided clues and a constrained set of recovery choices
Key Actions: Segment affected networks, preserve payroll data, coordinate executive messaging

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Municipal operations pressure with labor and public-facing communication tradeoffs
Added Depth: Backup integrity validation and service-continuity dependencies
Key Actions: Sequence payroll restoration, maintain emergency-support operations, prepare external communications

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end municipal incident command under strict business deadlines
Full Complexity: Recovery governance, communications under uncertainty, and post-incident resilience planning
Key Actions: Coordinate technical and executive response, protect workforce continuity, build long-term controls roadmap

Quick Demo Materials (35-40 min)

Guided Investigation Clues

  • Clue 1 (Minute 5): “Network telemetry confirms SMB-based lateral movement across finance and HR systems tied to payroll preparation.”
  • Clue 2 (Minute 10): “Time-tracking exports and payroll files are partially encrypted; restoration points must be validated before transmission.”
  • Clue 3 (Minute 15): “The payroll cut-off window is approaching, and administrative disruption is expanding beyond finance.”

Pre-Defined Response Options

Option A: Emergency Segmentation and Payroll Priority

  • Action: Isolate infected administrative segments immediately, preserve and restore payroll datasets first, and establish a protected transmission path.
  • Pros: Fastest way to stop spread and protect compensation workflows.
  • Cons: Non-critical municipal services degrade while segmentation remains in place.
  • Type Effectiveness: Strong against worm-style SMB propagation.

Option B: Controlled Continuity with Parallel Recovery

  • Action: Keep limited core administration online while running aggressive host containment and staged payroll restoration.
  • Pros: Reduces disruption to broader city administration.
  • Cons: Higher risk of continued lateral movement if containment is imperfect.
  • Type Effectiveness: Moderate if detection and isolation discipline remain high.

Option C: Manual Payroll Contingency First

  • Action: Trigger manual compensation contingency planning immediately while technical teams contain and recover digital systems.
  • Pros: Protects workforce confidence if digital transmission slips.
  • Cons: Operationally heavy and can delay full technical cleanup.
  • Type Effectiveness: Indirect; manages business impact but does not remove technical threat on its own.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Containment and Payroll Integrity (30-35 min)

Investigation clues:

  • “SMB exploitation activity is concentrated on legacy hosts with known patch debt.”
  • “Payroll datasets show mixed states: some intact, some encrypted, some uncertain.”
  • “Finance confirms banking cut-off is fixed and cannot be extended.”
  • “Public safety leadership requests assurance that staffing confidence will be protected.”

Facilitation questions:

  • “What is your minimum viable path to payroll transmission before cut-off?”
  • “Which systems can remain online safely, and which must be isolated immediately?”
  • “Who owns employee communication updates while technical data is still incomplete?”

Round 1→2 Transition

Containment slows spread, but restoration sequencing now determines whether payroll can still be transmitted on time. Leadership pressure increases as labor representatives and media request concrete timelines.

Round 2: Workforce Continuity and Public Confidence (30-35 min)

Developments:

  • “Payroll restoration is possible, but only if final validation is completed before banking cut-off.”
  • “Emergency-support administration remains stable, but adjacent departments are degraded.”
  • “External scrutiny grows as residents and staff demand transparent updates.”

Facilitation questions:

  • “How do you communicate progress without overpromising recovery certainty?”
  • “If full restoration slips, what contingency protects essential-worker compensation first?”
  • “What evidence do you require before declaring payroll systems safe for transmission?”

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Propagation and Decision Framing (30 min)

Finance and HR report escalating encryption while payroll preparation is underway. Leadership must set technical and business priorities under an immovable deadline.

Round 2: Deadline Compression and Cross-Department Risk (35 min)

Containment actions create tradeoffs between service continuity and technical certainty. The team must align restoration sequencing with labor and public communication obligations.

Round 3: Strategic Recovery and Resilience Design (35 min)

Immediate crisis pressure eases, but long-term governance questions emerge around patch policy, segmentation standards, incident rehearsal, and municipal budget prioritization.

Debrief Focus (Full Game)

  • How patch governance and segmentation design directly influence public-service continuity risk
  • Why hard business deadlines can conflict with clean forensic certainty during active incidents
  • How municipal leadership, finance, and security teams must share a single response narrative
  • What long-term controls reduce repeat risk without disabling essential service delivery

Advanced Challenge Materials (150-170 min, 3+ rounds)

Red Herrings and Misdirection

  • Legitimate bulk data transfers in adjacent departments that resemble malicious SMB activity
  • Planned maintenance windows that create noisy false indicators during investigation
  • Parallel service incidents that consume decision bandwidth and distract from containment

Removed Resources and Constraints

  • No external incident-response vendor availability during the first response window
  • Limited backup validation tooling, requiring manual verification steps
  • Incomplete asset inventory across legacy municipal administrative systems

Enhanced Pressure

  • Labor representatives request formal incident briefings before payroll cut-off
  • Elected officials demand publication-ready status updates while facts are still evolving
  • Broader administrative outages threaten resident trust even when emergency services remain stable

Ethical Dilemmas

  • Whether to authorize public funds for a ransom-related payment under accountability pressure
  • Whether to delay full public disclosure until payroll certainty is restored
  • Whether to prioritize compensation for critical services first if full payroll cannot be processed simultaneously

Advanced Debrief Topics

  • Public-sector ethics and accountability during high-pressure cyber decisions
  • The operational cost of deferred infrastructure investment
  • Building realistic contingency plans that integrate technical recovery and workforce continuity