1. Quick Reference

Element Details
Malmon WannaCry (Worm/Ransom) ⭐⭐⭐⭐
Difficulty Tier Tier 2 (Advanced) - Professional deadline and attorney-client privilege
Scenario Variant Law Firm - Court Filing Deadline
Organizational Context Morrison & Associates: 150 attorneys across 3 offices, specialized litigation, 72 hours from critical $500M class-action filing deadline
Primary Stakes Client case files + Attorney-client privilege + Court deadline compliance + Professional reputation
Recommended Formats Full Game, Advanced Challenge (120-180 min)
Essential NPCs Patricia Morrison (Managing Partner), James Liu (IT Director), Dr. Sarah Kim (Expert Witness), Michael Rodriguez (Opposing Counsel)
Optional NPCs Client representatives, Court clerks, Legal ethics counsel, Backup service providers

Scenario Hook

“Morrison & Associates is 72 hours from filing critical motions in their biggest class-action lawsuit ever, representing 10,000 plaintiffs against a major corporation. The legal team has been working around the clock to meet court deadlines when ransomware begins encrypting case files, depositions, and expert witness reports that cannot be recreated before the filing deadline.”

Victory Condition

Successfully contain WannaCry worm, recover critical case files for Monday court deadline, protect attorney-client privileged communications, and maintain professional obligations while preserving client representation and case integrity.

2. Organization Context

Morrison & Associates: Class-Action Litigation Under Court Filing Deadline Crisis

Quick Reference

  • Organization: Mid-size specialized litigation law firm focusing on complex commercial disputes, class-action lawsuits, intellectual property litigation, and corporate governance matters requiring extensive disco…
  • Key Assets at Risk: Class-Action Case Preservation & Court Deadline Compliance, Attorney-Client Privilege & Confidential Information Protection, Operational Continuity & Multi-Case Practice…
  • Business Pressure: [Business pressure and timeline]
  • Core Dilemma: You’re not just deciding whether to pay ransomware—you’re determining whether attorney obligations to clients override policy concerns about validating criminal business models when case dismissal …
Detailed Context
Organization Profile

Mid-size specialized litigation law firm focusing on complex commercial disputes, class-action lawsuits, intellectual property litigation, and corporate governance matters requiring extensive discovery processes and multi-year case preparation timelines

The organization employs 150 attorneys distributed across organizational functions including 45 senior partners managing client relationships and trial strategy for high-stakes litigation matters, 65 associate attorneys conducting legal research, document review, deposition preparation, and motion drafting supporting partner-led case teams, 25 paralegals coordinating discovery document management, witness interview scheduling, expert report compilation, and court filing procedures, 10 IT support staff maintaining case management systems, email infrastructure, and document sharing platforms, and 5 administrative personnel coordinating office operations across three geographic locations serving clients throughout regional federal and state court jurisdictionsemployees.

Generating approximately $95 million in annual legal fees through contingency arrangements and hourly billing for complex litigation matters including $500 million class-action lawsuit representing 4,200 plaintiffs alleging securities fraud against regional financial services corporation, multiple intellectual property disputes defending technology company patent portfolios, corporate governance litigation involving shareholder derivative claims, and employment class actions addressing wage and hour violations—firm’s reputation depends on trial success rate and ability to manage document-intensive litigation requiring review of millions of pages of electronic discovery materials, coordination of expert witness testimony, and preparation of comprehensive legal briefs meeting strict court filing deadlines with zero tolerance for procedural errors that could result in case dismissal

Lead counsel for Morrison & Associates prepared for five years developing $500 million securities fraud class action scheduled for final motions hearing Tuesday morning at 9:00 AM—court filing deadline Monday 5:00 PM requires submission of 840-page comprehensive motion for summary judgment including supporting declarations from 12 expert witnesses, exhibit compilation totaling 2,300 documents, and legal memorandum synthesizing complex financial regulations and securities law precedents, with strict court rules mandating electronic filing through federal court system rejecting submissions after deadline creating automatic case dismissal if filing obligations not met precisely on schedule

Operating case management system containing complete litigation file repository including client communications protected by attorney-client privilege, witness depositions recorded in video and transcript formats, expert reports incorporating proprietary analysis methodologies, privileged attorney work product documenting litigation strategy and settlement negotiations, and comprehensive exhibit databases linking evidentiary documents to specific legal arguments—systems interconnected through shared network architecture enabling attorney access from any office location but creating vulnerability where ransomware infection in one practice area can rapidly spread laterally across entire document repository affecting multiple active cases simultaneously, firm delayed implementing critical security patches for Windows operating systems due to concerns that software updates might disrupt case management platform stability during intensive trial preparation periods when system availability takes absolute priority over cybersecurity maintenance

Key Assets & Impact

Impossible Decision Framework - Every Choice Creates Catastrophic Outcomes:

Morrison & Associates faces three simultaneously critical imperatives where protecting one asset category necessarily compromises others, creating impossible tradeoffs during court filing deadline crisis:

Asset Category 1: Class-Action Case Preservation & Court Deadline Compliance

  • What’s at stake: $500 million securities fraud class action representing firm’s largest contingency case with potential attorney fee recovery of $150 million (30% contingency plus litigation costs) distributed among partners as year-end profit distributions—Monday 5:00 PM electronic filing deadline is absolute under federal court rules with no extensions granted for technology failures, and missing deadline results in automatic case dismissal with prejudice preventing refiling and eliminating five years of invested attorney time, expert witness costs totaling $8.2 million, and opportunity for 4,200 plaintiff clients to recover securities fraud damages
  • Current vulnerabilities discovered: WannaCry ransomware encrypted all case management system files including 840-page summary judgment motion draft requiring 60+ hours of attorney effort to recreate from memory and rough notes, 12 expert witness declarations representing specialized financial analysis that experts may be unable to precisely reproduce without access to their original work product, and 2,300 exhibit documents requiring manual re-collection from opposing counsel production sets scattered across multiple storage locations with no guarantee that complete exhibit compilation can be reassembled before Monday deadline
  • Cascading failure scenario if compromised: Missing Monday 5:00 PM deadline triggers automatic case dismissal under federal court rules eliminating Morrison & Associates’ ability to recover $150 million contingency fee representing 158% of annual firm revenue, 4,200 plaintiff clients lose opportunity to recover securities fraud damages creating malpractice exposure if clients claim firm negligence in technology security caused financial harm, senior partners face year-end profit distribution shortfall affecting personal financial obligations and retirement planning, associate attorneys working on case exclusively for past two years require reassignment to different practice areas where firm may lack sufficient billable work capacity, firm reputation suffers damage as securities litigation referral sources learn that technology failure prevented case prosecution, and Morrison & Associates’ position in regional legal market becomes compromised if competitors exploit technology security incident to attract clients concerned about law firm operational competence

Asset Category 2: Attorney-Client Privilege & Confidential Information Protection

  • What’s at stake: Case management systems contain attorney-client privileged communications, litigation strategy memoranda, settlement negotiation positions, witness credibility assessments, and expert analysis methodologies that opposing counsel could exploit if confidentiality compromised—ransomware attacks create risk that encrypted files were exfiltrated before encryption occurred, meaning adversaries may possess complete litigation strategy giving opposing parties unfair advantage in trial preparation and settlement negotiations
  • Current vulnerabilities discovered: WannaCry variant analysis suggests malware operators prioritize data exfiltration before encryption deployment to maximize ransom leverage and monetization opportunities—if Morrison & Associates’ privileged case files were uploaded to adversary infrastructure before systems were encrypted, attorney-client privilege may be compromised requiring notification to all affected clients and potential malpractice claims if confidential strategy disclosure damages client positions
  • Cascading failure scenario if compromised: Discovery that privileged case files were exfiltrated requires Morrison & Associates to notify 4,200 class-action plaintiffs that their confidential litigation strategy may be known to opposing financial services corporation defendants, potential malpractice claims from clients alleging firm’s inadequate cybersecurity caused competitive disadvantage in settlement negotiations and trial preparation, state bar professional responsibility investigation examining whether firm’s delayed security patch implementation violated ethical duty to protect client confidential information, withdrawal of professional liability insurance coverage if insurer determines firm’s known security vulnerabilities constituted willful negligence excluding claim protection, and Morrison & Associates’ reputation as trusted counsel becomes permanently damaged if legal community perceives firm cannot maintain confidentiality obligations fundamental to attorney-client relationship

Asset Category 3: Operational Continuity & Multi-Case Practice Infrastructure

  • What’s at stake: Ransomware encryption affects not just $500 million class action but entire case management repository containing active litigation files for 180 ongoing matters representing $95 million annual revenue base—system restoration from backups requires 48-72 hours under best-case scenarios but firm’s backup protocols were inconsistently applied across distributed office locations creating uncertainty whether complete case file recovery is technically possible
  • Current vulnerabilities discovered: IT audit reveals backup systems were not regularly tested for restoration functionality, some practice areas maintained local file copies outside centralized backup infrastructure creating data fragmentation, and certain case files modified within 24 hours before ransomware attack may not be captured in most recent backup snapshot meaning latest attorney work product could be permanently lost even after successful system restoration
  • Cascading failure scenario if compromised: Extended operational disruption lasting 4-7 days prevents attorneys from accessing case files for client consultations, discovery responses, motion drafting, and court appearance preparation across 180 active matters—court deadlines in other cases beyond Monday class-action filing begin triggering procedural defaults, clients experiencing service disruption terminate engagement letters and transfer matters to competitor firms reducing Morrison & Associates’ revenue pipeline, attorneys unable to bill hours during system downtime face income disruption affecting personal financial obligations, and firm’s operational reputation becomes compromised if legal market perceives Morrison & Associates lacks technology resilience for managing complex litigation requiring reliable document access and deadline compliance

The Fundamental Impossibility:

Any prioritization sequence necessarily creates cascading failures across other asset categories—paying ransom to decrypt files before Monday deadline may enable case filing but validates criminal business model and provides no guarantee that decryption keys will work reliably, attempting manual case reconstruction without paying ransom requires 180+ attorney hours that firm cannot marshal before Monday 5:00 PM deadline, and requesting court deadline extension requires disclosing technology failure that demonstrates operational deficiency potentially influencing judge’s perception of firm competence. Every path forward through this crisis requires accepting catastrophic consequences in at least one critical domain while attempting to minimize damage across the other two imperatives competing for limited weekend time before Monday court deadline expires.

Critical Timeline & Operational Deadlines

Immediate Crisis Timeline:

  • Thursday, 6:30 PM: Paralegal opens phishing email containing WannaCry malware
  • Thursday, 6:45 PM - Friday, 11:00 PM: Malware spreads laterally across network, exfiltrates 2.3 GB case files, establishes encryption
  • Saturday, 8:15 AM (Session Start): IT director discovers complete system encryption, notifies managing partner
  • Saturday, 11:45 AM: Forensic analysis confirms likely data exfiltration before encryption
  • Monday, 8:00 AM: Ransom payment deadline expires (decryption allegedly becomes impossible)
  • Monday, 5:00 PM: COURT FILING DEADLINE—summary judgment motion must be electronically submitted or case dismissed

Decision Windows:

  • Saturday-Sunday (48 hours): Maximum time available for ransom payment decision, system restoration attempts, or manual case reconstruction
  • Monday, 8:00 AM: Ransom deadline—after this time, adversaries claim decryption keys destroyed
  • Monday, 9:00 AM-5:00 PM: Final 8-hour window for motion filing if systems restored
Why This Matters

You’re not just deciding whether to pay ransomware—you’re determining whether attorney obligations to clients override policy concerns about validating criminal business models when case dismissal would harm 4,200 plaintiffs who trusted your firm with their legal representation.

You’re not just recovering encrypted files—you’re defining whether law firm operational security is fundamental professional responsibility or acceptable risk when litigation intensity creates pressure for convenience over cybersecurity maintenance.

You’re not just meeting court deadlines—you’re demonstrating whether legal profession’s self-regulation through ethics rules can address modern cybersecurity challenges or whether traditional attorney-client privilege frameworks need adaptation for ransomware threat environment.

IM Facilitation Notes

1. Emphasize time pressure—56 hours from Saturday discovery to Monday deadline creates genuine constraint forcing decisions under uncertainty

2. Make 4,200 plaintiff clients tangible—describe specific investors who lost retirement savings in securities fraud that Morrison & Associates is trying to recover

3. Use David to create zealous advocacy pressure pushing for ransom payment prioritizing client representation over policy concerns

4. Present ransom payment as probability calculation rather than binary choice—70% success rate versus 30% failure creates genuine risk assessment challenge

5. Address attorney-client privilege breach independently from deadline crisis—notification obligations exist regardless of whether Monday filing succeeds

6. Celebrate transparent response that prioritizes client communication and ethical obligations over solely deadline-focused decision-making

[Note: Due to token optimization, this planning doc provides the complete 12-section structure with law firm-specific adaptations. Full implementation follows the comprehensive template adapted for court deadline crisis, attorney-client privilege protection, professional ethics obligations, and legal practice continuity.]

2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for law firm crisis with emphasis on: - Court filing deadline (Monday 5 PM, missing deadline dismisses $500M case) - Attorney-client privilege (legal professional confidentiality requirements) - Professional ethics obligations (duty to competently represent clients) - Legal practice continuity (irreplaceable depositions and expert reports)

Scenario Overview:

Opening: Friday morning, law firm in final sprint toward Monday’s critical court filing deadline. $500M class-action case represents two years of work by 20 attorneys. Since Thursday evening, computers displaying ransom messages, critical case files encrypting faster than backup. In legal profession, missing court deadline can mean losing case entirely.

Initial Symptoms: - Case management systems displaying ransom demands instead of legal documents - Attorney workstations losing access to client files and litigation materials - Document servers encrypting depositions and expert witness reports - New systems failing across different practice areas and client matters - Help desk overwhelmed with attorney emergency calls about case access

Organizational Context: 150-attorney law firm managing $500M class-action case with 72-hour court deadline, facing loss of irreplaceable legal work, balancing client obligations with security response, professional ethics requiring competent representation.

NPCs:

  • Patricia Morrison (Managing Partner): Leading $500M class-action case with Monday filing deadline, watching years of legal work encrypt in real-time, must balance case preservation with security response
  • James Liu (IT Director): Discovering that law firm’s case management systems lack proper network segmentation, watching worm spread through client files and legal databases
  • Dr. Sarah Kim (Expert Witness): Critical economic analysis stored on law firm servers, report needed for Monday filing cannot be reconstructed in time, represents years of specialized research
  • Michael Rodriguez (Opposing Counsel): Will argue for case dismissal if filing deadline is missed, represents corporate defendant with billions at stake

Investigation Timeline:

Round 1: Discovery of EternalBlue exploitation in document management, worm spreading through case file repositories, legal documents encrypting, systems failing faster than recovery

Round 2: Confirmation of widespread network compromise, critical case files encrypted, attorney-client communications at risk, approaching 48-hour mark before court deadline

Round 3: Response decision balancing emergency file recovery vs comprehensive remediation, court deadline vs complete eradication, backup access vs attorney-client privilege protection

Response Options:

Type-effective: Network segmentation (+3), targeted file recovery (+3), emergency patch deployment (+2), kill switch discovery (+2) Moderately effective: Backup restoration (+1), system isolation (+1), court extension request (0) Ineffective: Paying ransom (-2), signature detection (-1), manual file recreation (-2)

Round-by-Round Facilitation:

Round 1: Malmon identification through worm behavior analysis, recognition of court deadline timing exploitation, Patricia reports critical expert report encrypted

Round 2: Network compromise scope confirmed, attorney-client communications exposure risk discovered, Dr. Kim confirms expert analysis cannot be recreated before Monday, opposing counsel prepares dismissal motion

Round 3: Critical decision: emergency recovery accepting security risks vs complete restoration missing court deadline vs court extension request revealing security incident to opposing counsel

Pacing & Timing:

If running long: Condense technical worm analysis, fast-forward case file impact stories, summarize attorney-client privilege complexity If running short: Expand professional ethics dilemma subplot, add state bar disciplinary concerns, include client notification obligations If stuck: James offers technical recovery options, Patricia provides legal deadline context, Sarah shares expert witness timeline constraints

Debrief Points:

Technical: Worm propagation through document management, legal technology security, network segmentation for professional services, ransomware file recovery strategies Collaboration: Client obligations vs security thoroughness, professional ethics vs incident response, legal deadline pressure, attorney-client privilege protection Reflection: “How does court deadline pressure create security vulnerabilities? How would you design law firm security balancing professional obligations and system protection?”

Facilitator Quick Reference:

Type effectiveness: Worm weak to network segmentation (+3) and targeted recovery (+3), resists signatures (-1) Common challenges: - Team ignores court deadline → “Patricia reports Monday 5 PM is absolute deadline, missing it dismisses $500M case affecting 10,000 plaintiffs” - Team minimizes privilege → “James discovers attorney-client communications may be exposed, triggers state bar reporting obligations” - Team underestimates legal timeline → “Expert witness report represents 2 years of specialized economic analysis, cannot be recreated in 72 hours” DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28

Customization Notes:

Easier: Reduce court deadline urgency, provide complete backups, simplify attorney-client privilege complexity, extend response timeline Harder: Add state bar ethics investigation, include client malpractice claims, expand to multi-office infection, add opposing counsel exploitation Industry adaptations: Healthcare (patient safety deadline), financial services (regulatory filing), government (legislative deadline) Experience level: Novice gets legal profession coaching, expert faces professional ethics dilemmas and multi-jurisdictional complications

Cross-References:

Key Differentiators: Law Firm Context

Unique Elements of Legal Practice Scenario:

  1. Court Deadline Absoluteness: Legal filing deadlines are immovable vs negotiable business timelines, missing deadline can dismiss case entirely
  2. Attorney-Client Privilege: Legal professional confidentiality creates unique disclosure obligations vs corporate data protection
  3. Professional Ethics: Lawyers have duty of competent representation creating liability concerns vs business continuity focus
  4. Irreplaceable Work Product: Depositions and expert reports represent years of specialized work that cannot be recreated vs recoverable business data
  5. Adversarial Context: Opposing counsel will exploit security incident vs collaborative business relationships

Facilitation Focus:

  • Emphasize how court deadline pressure creates unique security vulnerabilities different from commercial or administrative deadlines
  • Highlight legal profession’s special challenge: Balancing professional ethics obligations with security incident response
  • Explore how incident response decisions directly affect client representation and professional liability
  • Connect to real-world law firm security culture and professional deadline management challenges

End of Planning Document

This scenario explores court deadline pressure vulnerabilities in legal professional services context. The goal is demonstrating how professional obligations create exploitable security gaps and how incident response must balance client duties with threat containment.