1. Quick Reference

| Element | Details |
|---|---|
| Malmon | WannaCry (Worm/Ransom) ⭐⭐⭐⭐ |
| Difficulty Tier | Tier 2 (Advanced) - Professional deadline and attorney-client privilege |
| Scenario Variant | Law Firm - Court Filing Deadline |
| Organizational Context | Morrison & Associates: 150 attorneys across 3 offices, specialized litigation, 72 hours from critical $500M class-action filing deadline |
| Primary Stakes | Client case files + Attorney-client privilege + Court deadline compliance + Professional reputation |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Patricia Morrison (Managing Partner), James Liu (IT Director), Dr. Sarah Kim (Expert Witness), Michael Rodriguez (Opposing Counsel) |
| Optional NPCs | Client representatives, Court clerks, Legal ethics counsel, Backup service providers |

Scenario Hook

“Morrison & Associates is 72 hours from filing critical motions in their biggest class-action lawsuit ever, representing 10,000 plaintiffs against a major corporation. The legal team has been working around the clock to meet court deadlines when ransomware begins encrypting case files, depositions, and expert witness reports that cannot be recreated before the filing deadline.”

Victory Condition

Successfully contain WannaCry worm, recover critical case files for Monday court deadline, protect attorney-client privileged communications, and maintain professional obligations while preserving client representation and case integrity.


2. Organization Context


[Note: Due to token optimization, this planning doc provides the complete 12-section structure with law firm-specific adaptations. Full implementation follows the comprehensive template adapted for court deadline crisis, attorney-client privilege protection, professional ethics obligations, and legal practice continuity.]

2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for law firm crisis with emphasis on:

  • Court filing deadline (Monday 5 PM, missing deadline dismisses $500M case)
  • Attorney-client privilege (legal professional confidentiality requirements)
  • Professional ethics obligations (duty to competently represent clients)
  • Legal practice continuity (irreplaceable depositions and expert reports)

Scenario Overview:

Opening: Friday morning, the law firm is in its final sprint toward Monday’s critical court filing deadline. The $500M class-action case represents two years of work by 20 attorneys. Since Thursday evening, computers have been displaying ransom messages, and critical case files are being encrypted faster than they can be backed up. In the legal profession, missing a court deadline can mean losing the case entirely.

Initial Symptoms:

  • Case management systems displaying ransom demands instead of legal documents
  • Attorney workstations losing access to client files and litigation materials
  • Document servers encrypting depositions and expert witness reports
  • New systems failing across different practice areas and client matters
  • Help desk overwhelmed with attorney emergency calls about case access

Organizational Context: 150-attorney law firm managing $500M class-action case with 72-hour court deadline, facing loss of irreplaceable legal work, balancing client obligations with security response, professional ethics requiring competent representation.

NPCs:

  • Patricia Morrison (Managing Partner): Leading $500M class-action case with Monday filing deadline, watching years of legal work encrypt in real-time, must balance case preservation with security response
  • James Liu (IT Director): Discovering that law firm’s case management systems lack proper network segmentation, watching worm spread through client files and legal databases
  • Dr. Sarah Kim (Expert Witness): Critical economic analysis stored on law firm servers, report needed for Monday filing cannot be reconstructed in time, represents years of specialized research
  • Michael Rodriguez (Opposing Counsel): Will argue for case dismissal if filing deadline is missed, represents corporate defendant with billions at stake

Investigation Timeline:

Round 1: Discovery of EternalBlue exploitation in document management, worm spreading through case file repositories, legal documents encrypting, systems failing faster than recovery

Round 2: Confirmation of widespread network compromise, critical case files encrypted, attorney-client communications at risk, approaching 48-hour mark before court deadline

Round 3: Response decision balancing emergency file recovery vs comprehensive remediation, court deadline vs complete eradication, backup access vs attorney-client privilege protection

Response Options:

  • Type-effective: Network segmentation (+3), targeted file recovery (+3), emergency patch deployment (+2), kill switch discovery (+2)
  • Moderately effective: Backup restoration (+1), system isolation (+1), court extension request (0)
  • Ineffective: Paying ransom (-2), signature detection (-1), manual file recreation (-2)

Round-by-Round Facilitation:

Round 1: Malmon identification through worm behavior analysis, recognition of court deadline timing exploitation, Patricia reports critical expert report encrypted

Round 2: Network compromise scope confirmed, attorney-client communications exposure risk discovered, Dr. Kim confirms expert analysis cannot be recreated before Monday, opposing counsel prepares dismissal motion

Round 3: Critical decision: emergency recovery accepting security risks vs complete restoration missing court deadline vs court extension request revealing security incident to opposing counsel

Pacing & Timing:

  • If running long: Condense technical worm analysis, fast-forward case file impact stories, summarize attorney-client privilege complexity
  • If running short: Expand professional ethics dilemma subplot, add state bar disciplinary concerns, include client notification obligations
  • If stuck: James offers technical recovery options, Patricia provides legal deadline context, Sarah shares expert witness timeline constraints

Debrief Points:

  • Technical: Worm propagation through document management, legal technology security, network segmentation for professional services, ransomware file recovery strategies
  • Collaboration: Client obligations vs security thoroughness, professional ethics vs incident response, legal deadline pressure, attorney-client privilege protection
  • Reflection: “How does court deadline pressure create security vulnerabilities? How would you design law firm security balancing professional obligations and system protection?”

Facilitator Quick Reference:

Type effectiveness: Worm weak to network segmentation (+3) and targeted recovery (+3), resists signatures (-1)

Common challenges:

  • Team ignores court deadline → “Patricia reports Monday 5 PM is absolute deadline, missing it dismisses $500M case affecting 10,000 plaintiffs”
  • Team minimizes privilege → “James discovers attorney-client communications may be exposed, triggers state bar reporting obligations”
  • Team underestimates legal timeline → “Expert witness report represents 2 years of specialized economic analysis, cannot be recreated in 72 hours”

DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28

Customization Notes:

  • Easier: Reduce court deadline urgency, provide complete backups, simplify attorney-client privilege complexity, extend response timeline
  • Harder: Add state bar ethics investigation, include client malpractice claims, expand to multi-office infection, add opposing counsel exploitation
  • Industry adaptations: Healthcare (patient safety deadline), financial services (regulatory filing), government (legislative deadline)
  • Experience level: Novice gets legal profession coaching, expert faces professional ethics dilemmas and multi-jurisdictional complications


Key Differentiators: Law Firm Context

Unique Elements of Legal Practice Scenario:

  1. Court Deadline Absoluteness: Legal filing deadlines are immovable vs negotiable business timelines, missing deadline can dismiss case entirely
  2. Attorney-Client Privilege: Legal professional confidentiality creates unique disclosure obligations vs corporate data protection
  3. Professional Ethics: Lawyers have duty of competent representation creating liability concerns vs business continuity focus
  4. Irreplaceable Work Product: Depositions and expert reports represent years of specialized work that cannot be recreated vs recoverable business data
  5. Adversarial Context: Opposing counsel will exploit security incident vs collaborative business relationships

Facilitation Focus:

  • Emphasize how court deadline pressure creates unique security vulnerabilities different from commercial or administrative deadlines
  • Highlight legal profession’s special challenge: Balancing professional ethics obligations with security incident response
  • Explore how incident response decisions directly affect client representation and professional liability
  • Connect to real-world law firm security culture and professional deadline management challenges

End of Planning Document

This scenario explores court deadline pressure vulnerabilities in legal professional services context. The goal is demonstrating how professional obligations create exploitable security gaps and how incident response must balance client duties with threat containment.