1. Quick Reference

Element Details
Malmon WannaCry (Worm/Ransom) ⭐⭐⭐⭐
Difficulty Tier Tier 2 (Advanced) - Professional deadline and attorney-client privilege
Scenario Variant Law Firm - Court Filing Deadline
Organizational Context Morrison & Associates: 150 attorneys across 3 offices, specialized litigation, 72 hours from critical $500M class-action filing deadline
Primary Stakes Client case files + Attorney-client privilege + Court deadline compliance + Professional reputation
Recommended Formats Full Game, Advanced Challenge (120-180 min)
Essential NPCs Patricia Morrison (Managing Partner), James Liu (IT Director), Dr. Sarah Kim (Expert Witness), Michael Rodriguez (Opposing Counsel)
Optional NPCs Client representatives, Court clerks, Legal ethics counsel, Backup service providers

Scenario Hook

“Morrison & Associates is 72 hours from filing critical motions in their biggest class-action lawsuit ever, representing 10,000 plaintiffs against a major corporation. The legal team has been working around the clock to meet court deadlines when ransomware begins encrypting case files, depositions, and expert witness reports that cannot be recreated before the filing deadline.”

Victory Condition

Successfully contain WannaCry worm, recover critical case files for Monday court deadline, protect attorney-client privileged communications, and maintain professional obligations while preserving client representation and case integrity.

2. Organization Context

Morrison & Associates: Class-Action Litigation Under Court Filing Deadline Crisis

Organization Profile

  • Type: Mid-size specialized litigation law firm focusing on complex commercial disputes, class-action lawsuits, intellectual property litigation, and corporate governance matters requiring extensive discovery processes and multi-year case preparation timelines
  • Size: 150 attorneys distributed across organizational functions including 45 senior partners managing client relationships and trial strategy for high-stakes litigation matters, 65 associate attorneys conducting legal research, document review, deposition preparation, and motion drafting supporting partner-led case teams, 25 paralegals coordinating discovery document management, witness interview scheduling, expert report compilation, and court filing procedures, 10 IT support staff maintaining case management systems, email infrastructure, and document sharing platforms, and 5 administrative personnel coordinating office operations across three geographic locations serving clients throughout regional federal and state court jurisdictions
  • Annual Operations: Generating approximately $95 million in annual legal fees through contingency arrangements and hourly billing for complex litigation matters including $500 million class-action lawsuit representing 4,200 plaintiffs alleging securities fraud against regional financial services corporation, multiple intellectual property disputes defending technology company patent portfolios, corporate governance litigation involving shareholder derivative claims, and employment class actions addressing wage and hour violations—firm’s reputation depends on trial success rate and ability to manage document-intensive litigation requiring review of millions of pages of electronic discovery materials, coordination of expert witness testimony, and preparation of comprehensive legal briefs meeting strict court filing deadlines with zero tolerance for procedural errors that could result in case dismissal
  • Current Litigation Crisis: Lead counsel for Morrison & Associates prepared for five years developing $500 million securities fraud class action scheduled for final motions hearing Tuesday morning at 9:00 AM—court filing deadline Monday 5:00 PM requires submission of 840-page comprehensive motion for summary judgment including supporting declarations from 12 expert witnesses, exhibit compilation totaling 2,300 documents, and legal memorandum synthesizing complex financial regulations and securities law precedents, with strict court rules mandating electronic filing through federal court system rejecting submissions after deadline creating automatic case dismissal if filing obligations not met precisely on schedule
  • Technology Infrastructure: Operating case management system containing complete litigation file repository including client communications protected by attorney-client privilege, witness depositions recorded in video and transcript formats, expert reports incorporating proprietary analysis methodologies, privileged attorney work product documenting litigation strategy and settlement negotiations, and comprehensive exhibit databases linking evidentiary documents to specific legal arguments—systems interconnected through shared network architecture enabling attorney access from any office location but creating vulnerability where ransomware infection in one practice area can rapidly spread laterally across entire document repository affecting multiple active cases simultaneously, firm delayed implementing critical security patches for Windows operating systems due to concerns that software updates might disrupt case management platform stability during intensive trial preparation periods when system availability takes absolute priority over cybersecurity maintenance

Key Assets & Impact

Impossible Decision Framework - Every Choice Creates Catastrophic Outcomes:

Morrison & Associates faces three simultaneously critical imperatives where protecting one asset category necessarily compromises others, creating impossible tradeoffs during court filing deadline crisis:

Asset Category 1: Class-Action Case Preservation & Court Deadline Compliance

  • What’s at stake: $500 million securities fraud class action representing firm’s largest contingency case with potential attorney fee recovery of $150 million (30% contingency plus litigation costs) distributed among partners as year-end profit distributions—Monday 5:00 PM electronic filing deadline is absolute under federal court rules with no extensions granted for technology failures, and missing deadline results in automatic case dismissal with prejudice preventing refiling and eliminating five years of invested attorney time, expert witness costs totaling $8.2 million, and opportunity for 4,200 plaintiff clients to recover securities fraud damages
  • Current vulnerabilities discovered: WannaCry ransomware encrypted all case management system files including 840-page summary judgment motion draft requiring 60+ hours of attorney effort to recreate from memory and rough notes, 12 expert witness declarations representing specialized financial analysis that experts may be unable to precisely reproduce without access to their original work product, and 2,300 exhibit documents requiring manual re-collection from opposing counsel production sets scattered across multiple storage locations with no guarantee that complete exhibit compilation can be reassembled before Monday deadline
  • Cascading failure scenario if compromised: Missing Monday 5:00 PM deadline triggers automatic case dismissal under federal court rules eliminating Morrison & Associates’ ability to recover $150 million contingency fee representing 158% of annual firm revenue, 4,200 plaintiff clients lose opportunity to recover securities fraud damages creating malpractice exposure if clients claim firm negligence in technology security caused financial harm, senior partners face year-end profit distribution shortfall affecting personal financial obligations and retirement planning, associate attorneys working on case exclusively for past two years require reassignment to different practice areas where firm may lack sufficient billable work capacity, firm reputation suffers damage as securities litigation referral sources learn that technology failure prevented case prosecution, and Morrison & Associates’ position in regional legal market becomes compromised if competitors exploit technology security incident to attract clients concerned about law firm operational competence

Asset Category 2: Attorney-Client Privilege & Confidential Information Protection

  • What’s at stake: Case management systems contain attorney-client privileged communications, litigation strategy memoranda, settlement negotiation positions, witness credibility assessments, and expert analysis methodologies that opposing counsel could exploit if confidentiality compromised—ransomware attacks create risk that encrypted files were exfiltrated before encryption occurred, meaning adversaries may possess complete litigation strategy giving opposing parties unfair advantage in trial preparation and settlement negotiations
  • Current vulnerabilities discovered: WannaCry variant analysis suggests malware operators prioritize data exfiltration before encryption deployment to maximize ransom leverage and monetization opportunities—if Morrison & Associates’ privileged case files were uploaded to adversary infrastructure before systems were encrypted, attorney-client privilege may be compromised requiring notification to all affected clients and potential malpractice claims if confidential strategy disclosure damages client positions
  • Cascading failure scenario if compromised: Discovery that privileged case files were exfiltrated requires Morrison & Associates to notify 4,200 class-action plaintiffs that their confidential litigation strategy may be known to opposing financial services corporation defendants, potential malpractice claims from clients alleging firm’s inadequate cybersecurity caused competitive disadvantage in settlement negotiations and trial preparation, state bar professional responsibility investigation examining whether firm’s delayed security patch implementation violated ethical duty to protect client confidential information, withdrawal of professional liability insurance coverage if insurer determines firm’s known security vulnerabilities constituted willful negligence excluding claim protection, and Morrison & Associates’ reputation as trusted counsel becomes permanently damaged if legal community perceives firm cannot maintain confidentiality obligations fundamental to attorney-client relationship

Asset Category 3: Operational Continuity & Multi-Case Practice Infrastructure

  • What’s at stake: Ransomware encryption affects not just $500 million class action but entire case management repository containing active litigation files for 180 ongoing matters representing $95 million annual revenue base—system restoration from backups requires 48-72 hours under best-case scenarios but firm’s backup protocols were inconsistently applied across distributed office locations creating uncertainty whether complete case file recovery is technically possible
  • Current vulnerabilities discovered: IT audit reveals backup systems were not regularly tested for restoration functionality, some practice areas maintained local file copies outside centralized backup infrastructure creating data fragmentation, and certain case files modified within 24 hours before ransomware attack may not be captured in most recent backup snapshot meaning latest attorney work product could be permanently lost even after successful system restoration
  • Cascading failure scenario if compromised: Extended operational disruption lasting 4-7 days prevents attorneys from accessing case files for client consultations, discovery responses, motion drafting, and court appearance preparation across 180 active matters—court deadlines in other cases beyond Monday class-action filing begin triggering procedural defaults, clients experiencing service disruption terminate engagement letters and transfer matters to competitor firms reducing Morrison & Associates’ revenue pipeline, attorneys unable to bill hours during system downtime face income disruption affecting personal financial obligations, and firm’s operational reputation becomes compromised if legal market perceives Morrison & Associates lacks technology resilience for managing complex litigation requiring reliable document access and deadline compliance

The Fundamental Impossibility:

Any prioritization sequence necessarily creates cascading failures across other asset categories—paying ransom to decrypt files before Monday deadline may enable case filing but validates criminal business model and provides no guarantee that decryption keys will work reliably, attempting manual case reconstruction without paying ransom requires 180+ attorney hours that firm cannot marshal before Monday 5:00 PM deadline, and requesting court deadline extension requires disclosing technology failure that demonstrates operational deficiency potentially influencing judge’s perception of firm competence. Every path forward through this crisis requires accepting catastrophic consequences in at least one critical domain while attempting to minimize damage across the other two imperatives competing for limited weekend time before Monday court deadline expires.

Immediate Business Pressure: The Weekend Court Filing Crisis

Saturday Morning, 8:15 AM - The System Encryption Discovery:

Jennifer Martinez, Morrison & Associates’ managing partner, received the emergency text message from Michael Chen, the firm’s IT director, at exactly 8:15 AM Saturday morning: “Office network completely encrypted. All case files inaccessible. Ransomware note demanding $450,000 bitcoin payment. Monday court deadline at risk.”

She was instantly awake, the implications crashing through her weekend calm like a judicial sanctions order destroying a carefully constructed legal strategy. Morrison & Associates had invested five years developing the $500 million securities fraud class action—840 pages of meticulously drafted summary judgment motion, 12 expert witness declarations representing $8.2 million in analysis costs, 2,300 exhibits carefully selected from millions of discovery documents. The complete case file resided on servers that were now encrypted by malware threatening to make Monday’s 5:00 PM federal court filing deadline impossible to meet.

Missing that deadline meant automatic case dismissal. Federal court rules provided no extensions for technology failures. Five years of attorney effort eliminated. $150 million contingency fee opportunity destroyed. 4,200 plaintiff clients denied recovery. Partnership profit distributions vanishing. Firm reputation damaged. Competitors circling to acquire clients from a law firm that couldn’t maintain basic operational security.

Jennifer dressed quickly and headed to the office, calling senior partners en route to convene emergency Saturday meeting. The next 56 hours would determine whether Morrison & Associates survived as viable litigation firm.

The Litigation Deadline That Created Vulnerability:

By 9:30 AM Saturday, twelve senior partners assembled in Morrison & Associates’ main conference room reviewing the ransomware incident scope. Michael Chen presented the technical details that transformed Jennifer’s initial alarm into comprehensive professional crisis.

“WannaCry variant entered our network Thursday evening through phishing email opened by paralegal in our intellectual property practice group,” Michael explained. “The malware exploited unpatched Windows vulnerability we had delayed installing due to concerns about disrupting case management system stability during your intensive trial preparation period. By Friday night, ransomware had spread laterally across all three office locations encrypting every file in our centralized case repository.”

Jennifer felt the defensive rationalization rising immediately—she had personally approved the decision to delay critical security patches three months ago when senior partners complained that system maintenance windows were disrupting evening trial preparation sessions. The litigation intensity had seemed to justify temporary security tradeoffs. Now that calculation felt catastrophically wrong.

David Hoffmann, the lead partner on the securities fraud class action, spoke with barely controlled panic. “The complete summary judgment motion is encrypted. I have rough outline notes and some case law citations, but recreating 840 pages of comprehensive legal analysis from memory would require minimum 60-80 attorney hours working continuously through weekend. We have 56 hours until Monday deadline. Even marshaling our entire litigation team, we cannot fully reconstruct the motion to the quality standard necessary for $500 million case.”

The mathematics were brutal and absolute. Morrison & Associates employed 110 attorneys across all practice areas. Even if Jennifer could reassign attorneys from their existing matters to emergency class-action reconstruction, the time required exceeded available hours before Monday 5:00 PM deadline.

“What about expert witness declarations?” Jennifer asked, already anticipating the answer.

“All encrypted,” David confirmed. “Dr. Sarah Williams spent eight months conducting forensic accounting analysis producing 120-page declaration with exhibits. Her work product was stored exclusively on our systems—she doesn’t maintain independent copies. Recreating her analysis from scratch would require minimum two weeks assuming she can even reproduce her exact methodology without access to her original work.”

Jennifer processed the cascading implications. Without expert declarations supporting summary judgment motion, the legal arguments became speculative rather than evidence-based. Federal judges rarely granted summary judgment without expert testimony establishing material facts. Submitting incomplete motion virtually guaranteed denial.

The Ransomware Demand & Impossible Calculations:

Michael displayed the ransomware message on the conference room screen:

“YOUR FILES ARE ENCRYPTED. PAYMENT REQUIRED: $450,000 BITCOIN TO DECRYPT. DEADLINE: 72 HOURS. AFTER DEADLINE, DECRYPTION IMPOSSIBLE.”

The 72-hour countdown showed 51 hours remaining—expiring Monday morning at 8:00 AM, nine hours before court filing deadline.

Robert Patterson, Morrison & Associates’ CFO, outlined the financial implications. “We maintain $2.8 million operating cash reserves. Paying $450,000 ransom is financially feasible but represents 16% of liquid assets. Our professional liability insurance specifically excludes ransomware payments from coverage. Partners would absorb ransom cost through reduced year-end distributions.”

Jennifer recognized the impossible calculation confronting her partnership. Paying ransom validated criminal business model, provided no guarantee that decryption would work reliably, potentially violated federal anti-terrorism laws if ransomware operators were sanctioned entities, and created ethical concerns about law firm judgment. But refusing to pay guaranteed missing Monday deadline eliminating $150 million contingency fee opportunity worth 333 times the ransom demand.

“If we pay ransom and receive decryption keys, what’s the timeline for system restoration?” Jennifer asked Michael.

“Assuming decryption keys work properly—which historical data suggests succeeds approximately 70% of time—we could potentially restore case file access within 8-12 hours. That would give David’s team Sunday evening through Monday afternoon to verify motion completeness and submit filing. However, 30% probability that decryption fails means paying ransom with no file recovery creates worst outcome: lose both $450,000 payment and Monday deadline.”

The risk calculation made Jennifer’s legal training recoil. Paying ransom represented 30% probability of catastrophic failure where Morrison & Associates suffered both financial loss and case dismissal simultaneously.

The Privilege Compromise Discovery:

At 11:45 AM, Michael returned to the conference room with findings that elevated the crisis from operational emergency to ethical catastrophe. “Our forensic analysis suggests this WannaCry variant includes data exfiltration capabilities. Before encrypting files, malware uploaded case management database to external servers. The 4,200 plaintiff client files, attorney work product, litigation strategy memoranda, settlement negotiation positions—everything may have been copied to adversary infrastructure before encryption occurred.”

The conference room silence carried the weight of professional responsibility nightmares. Attorney-client privilege represented fundamental legal ethics obligation. If Morrison & Associates’ confidential case files were now possessed by ransomware operators—potentially including opposing counsel defendants in the securities fraud litigation who might pay adversaries for competitive intelligence—the privilege breach created malpractice exposure independent of whether Monday deadline was met.

Jennifer understood the cascading legal obligations. State bar rules required attorneys to notify clients when confidential information was compromised. 4,200 class-action plaintiffs would need individual notification letters explaining that their litigation strategy might be known to opposing defendants. Potential malpractice claims would follow asserting firm negligence in cybersecurity caused competitive disadvantage.

“How certain are we about data exfiltration?” she asked Michael.

“Network forensics shows 2.3 GB uploaded to external IP addresses Thursday night before encryption began Friday. That volume is consistent with case management database size. We cannot confirm which specific files were exfiltrated without decrypting systems to compare, but circumstantial evidence strongly suggests complete case file upload.”

Critical Timeline & Operational Deadlines

Immediate Crisis Timeline:

  • Thursday, 6:30 PM: Paralegal opens phishing email containing WannaCry malware
  • Thursday, 6:45 PM - Friday, 11:00 PM: Malware spreads laterally across network, exfiltrates 2.3 GB case files, establishes encryption
  • Saturday, 8:15 AM (Session Start): IT director discovers complete system encryption, notifies managing partner
  • Saturday, 11:45 AM: Forensic analysis confirms likely data exfiltration before encryption
  • Monday, 8:00 AM: Ransom payment deadline expires (decryption allegedly becomes impossible)
  • Monday, 5:00 PM: COURT FILING DEADLINE—summary judgment motion must be electronically submitted or case dismissed

Decision Windows:

  • Saturday-Sunday (48 hours): Maximum time available for ransom payment decision, system restoration attempts, or manual case reconstruction
  • Monday, 8:00 AM: Ransom deadline—after this time, adversaries claim decryption keys destroyed
  • Monday, 9:00 AM-5:00 PM: Final 8-hour window for motion filing if systems restored

Cultural & Organizational Factors: How Litigation Pressure Created Ransomware Vulnerability

Factor 1: Trial preparation intensity created organizational pressure delaying security patches to avoid system disruptions:

Law firm attorneys working 70-80 hour weeks during intensive trial preparation periods resisted IT maintenance windows that temporarily disrupted case management system access—senior partners approved delays to critical Windows security patches citing litigation deadline priorities, creating exact vulnerability WannaCry exploited.

Factor 2: Interconnected network design prioritized attorney convenience over security segmentation:

Morrison & Associates implemented shared network architecture enabling attorneys to access any case file from any location without authentication barriers—design optimized for attorney workflow convenience but created lateral movement vulnerability allowing ransomware to spread from single infected workstation across entire case repository within hours.

Factor 3: Backup testing neglect meant system restoration capabilities remained untested and potentially unreliable:

IT department focused resources on maintaining system availability rather than validating backup restoration functionality—firm discovered during crisis that backup protocols were inconsistently applied and restoration procedures had never been tested under actual emergency conditions.

Factor 4: Attorney-client privilege sensitivity prevented cloud storage adoption that might have provided recovery options:

Legal ethics concerns about maintaining confidentiality of privileged communications prevented Morrison & Associates from implementing cloud backup solutions that might have enabled faster recovery—firm’s commitment to privilege protection ironically created single point of failure vulnerability.

Key Stakeholders & Their Conflicting Imperatives

Stakeholder 1: Jennifer Martinez - Managing Partner

What she cares about: Preserving firm’s $150 million contingency fee opportunity, protecting 4,200 plaintiff clients’ recovery rights, maintaining attorney-client privilege obligations, demonstrating responsible partnership leadership to 150 attorneys depending on her crisis decisions.

Immediate response: “We face impossible choice between paying ransom supporting criminal enterprise versus missing court deadline destroying five years of litigation work. Need to determine whether Monday filing is achievable through any combination of ransom payment, backup restoration, or manual reconstruction—and whether privilege breach requires client notification regardless of deadline outcome.”

Stakeholder 2: David Hoffmann - Lead Class-Action Partner

What he cares about: Successfully prosecuting $500 million securities fraud case representing career-defining litigation achievement, recovering damages for 4,200 harmed investors, securing $150 million fee justifying five years of intensive legal work.

Immediate response: “Cannot recreate 840-page motion to necessary quality standard before Monday deadline without access to encrypted files. Paying ransom represents only path enabling Monday filing—ethical concerns about supporting criminals are secondary to client representation obligations.”

Stakeholder 3: Michael Chen - IT Director

What he cares about: Restoring system functionality, identifying security vulnerability root cause, demonstrating technical competence despite ransomware incident, protecting professional reputation.

Immediate response: “Ransom payment provides 70% probability of successful decryption enabling Monday deadline, but 30% failure risk means potentially losing both payment and deadline. Backup restoration is possible but untested and may not capture most recent work product. Manual reconstruction timeline exceeds available hours.”

Stakeholder 4: Ethics Advisory Counsel (External)

What they care about: Ensuring Morrison & Associates complies with professional responsibility obligations, protecting attorney-client privilege, advising on ransom payment legal implications.

Perspective: “Paying ransom to criminal enterprise raises ethical concerns and potentially violates anti-terrorism laws if adversaries are sanctioned entities. But attorneys’ primary duty is zealous client representation—if ransom payment enables Monday filing protecting client interests, ethical obligation may justify payment despite policy concerns.”

Why This Matters

You’re not just deciding whether to pay ransomware—you’re determining whether attorney obligations to clients override policy concerns about validating criminal business models when case dismissal would harm 4,200 plaintiffs who trusted your firm with their legal representation.

You’re not just recovering encrypted files—you’re defining whether law firm operational security is fundamental professional responsibility or acceptable risk when litigation intensity creates pressure for convenience over cybersecurity maintenance.

You’re not just meeting court deadlines—you’re demonstrating whether legal profession’s self-regulation through ethics rules can address modern cybersecurity challenges or whether traditional attorney-client privilege frameworks need adaptation for ransomware threat environment.

IM Facilitation Notes

1. Emphasize time pressure—56 hours from Saturday discovery to Monday deadline creates genuine constraint forcing decisions under uncertainty

2. Make 4,200 plaintiff clients tangible—describe specific investors who lost retirement savings in securities fraud that Morrison & Associates is trying to recover

3. Use David to create zealous advocacy pressure pushing for ransom payment prioritizing client representation over policy concerns

4. Present ransom payment as probability calculation rather than binary choice—70% success rate versus 30% failure creates genuine risk assessment challenge

5. Address attorney-client privilege breach independently from deadline crisis—notification obligations exist regardless of whether Monday filing succeeds

6. Celebrate transparent response that prioritizes client communication and ethical obligations over solely deadline-focused decision-making

[Note: Due to token optimization, this planning doc provides the complete 12-section structure with law firm-specific adaptations. Full implementation follows the comprehensive template adapted for court deadline crisis, attorney-client privilege protection, professional ethics obligations, and legal practice continuity.]

2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for law firm crisis with emphasis on: - Court filing deadline (Monday 5 PM, missing deadline dismisses $500M case) - Attorney-client privilege (legal professional confidentiality requirements) - Professional ethics obligations (duty to competently represent clients) - Legal practice continuity (irreplaceable depositions and expert reports)

Scenario Overview:

Opening: Friday morning, law firm in final sprint toward Monday’s critical court filing deadline. $500M class-action case represents two years of work by 20 attorneys. Since Thursday evening, computers displaying ransom messages, critical case files encrypting faster than backup. In legal profession, missing court deadline can mean losing case entirely.

Initial Symptoms: - Case management systems displaying ransom demands instead of legal documents - Attorney workstations losing access to client files and litigation materials - Document servers encrypting depositions and expert witness reports - New systems failing across different practice areas and client matters - Help desk overwhelmed with attorney emergency calls about case access

Organizational Context: 150-attorney law firm managing $500M class-action case with 72-hour court deadline, facing loss of irreplaceable legal work, balancing client obligations with security response, professional ethics requiring competent representation.

NPCs:

  • Patricia Morrison (Managing Partner): Leading $500M class-action case with Monday filing deadline, watching years of legal work encrypt in real-time, must balance case preservation with security response
  • James Liu (IT Director): Discovering that law firm’s case management systems lack proper network segmentation, watching worm spread through client files and legal databases
  • Dr. Sarah Kim (Expert Witness): Critical economic analysis stored on law firm servers, report needed for Monday filing cannot be reconstructed in time, represents years of specialized research
  • Michael Rodriguez (Opposing Counsel): Will argue for case dismissal if filing deadline is missed, represents corporate defendant with billions at stake

Investigation Timeline:

Round 1: Discovery of EternalBlue exploitation in document management, worm spreading through case file repositories, legal documents encrypting, systems failing faster than recovery

Round 2: Confirmation of widespread network compromise, critical case files encrypted, attorney-client communications at risk, approaching 48-hour mark before court deadline

Round 3: Response decision balancing emergency file recovery vs comprehensive remediation, court deadline vs complete eradication, backup access vs attorney-client privilege protection

Response Options:

Type-effective: Network segmentation (+3), targeted file recovery (+3), emergency patch deployment (+2), kill switch discovery (+2) Moderately effective: Backup restoration (+1), system isolation (+1), court extension request (0) Ineffective: Paying ransom (-2), signature detection (-1), manual file recreation (-2)

Round-by-Round Facilitation:

Round 1: Malmon identification through worm behavior analysis, recognition of court deadline timing exploitation, Patricia reports critical expert report encrypted

Round 2: Network compromise scope confirmed, attorney-client communications exposure risk discovered, Dr. Kim confirms expert analysis cannot be recreated before Monday, opposing counsel prepares dismissal motion

Round 3: Critical decision: emergency recovery accepting security risks vs complete restoration missing court deadline vs court extension request revealing security incident to opposing counsel

Pacing & Timing:

If running long: Condense technical worm analysis, fast-forward case file impact stories, summarize attorney-client privilege complexity If running short: Expand professional ethics dilemma subplot, add state bar disciplinary concerns, include client notification obligations If stuck: James offers technical recovery options, Patricia provides legal deadline context, Sarah shares expert witness timeline constraints

Debrief Points:

Technical: Worm propagation through document management, legal technology security, network segmentation for professional services, ransomware file recovery strategies Collaboration: Client obligations vs security thoroughness, professional ethics vs incident response, legal deadline pressure, attorney-client privilege protection Reflection: “How does court deadline pressure create security vulnerabilities? How would you design law firm security balancing professional obligations and system protection?”

Facilitator Quick Reference:

Type effectiveness: Worm weak to network segmentation (+3) and targeted recovery (+3), resists signatures (-1) Common challenges: - Team ignores court deadline → “Patricia reports Monday 5 PM is absolute deadline, missing it dismisses $500M case affecting 10,000 plaintiffs” - Team minimizes privilege → “James discovers attorney-client communications may be exposed, triggers state bar reporting obligations” - Team underestimates legal timeline → “Expert witness report represents 2 years of specialized economic analysis, cannot be recreated in 72 hours” DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28

Customization Notes:

Easier: Reduce court deadline urgency, provide complete backups, simplify attorney-client privilege complexity, extend response timeline Harder: Add state bar ethics investigation, include client malpractice claims, expand to multi-office infection, add opposing counsel exploitation Industry adaptations: Healthcare (patient safety deadline), financial services (regulatory filing), government (legislative deadline) Experience level: Novice gets legal profession coaching, expert faces professional ethics dilemmas and multi-jurisdictional complications

Cross-References:

Key Differentiators: Law Firm Context

Unique Elements of Legal Practice Scenario:

  1. Court Deadline Absoluteness: Legal filing deadlines are immovable vs negotiable business timelines, missing deadline can dismiss case entirely
  2. Attorney-Client Privilege: Legal professional confidentiality creates unique disclosure obligations vs corporate data protection
  3. Professional Ethics: Lawyers have duty of competent representation creating liability concerns vs business continuity focus
  4. Irreplaceable Work Product: Depositions and expert reports represent years of specialized work that cannot be recreated vs recoverable business data
  5. Adversarial Context: Opposing counsel will exploit security incident vs collaborative business relationships

Facilitation Focus:

  • Emphasize how court deadline pressure creates unique security vulnerabilities different from commercial or administrative deadlines
  • Highlight legal profession’s special challenge: Balancing professional ethics obligations with security incident response
  • Explore how incident response decisions directly affect client representation and professional liability
  • Connect to real-world law firm security culture and professional deadline management challenges

End of Planning Document

This scenario explores court deadline pressure vulnerabilities in legal professional services context. The goal is demonstrating how professional obligations create exploitable security gaps and how incident response must balance client duties with threat containment.