Introduction
Ransomware remains one of the most devastating and common threats facing organizations today. To ensure teams are ready to respond effectively, running a tabletop exercise is essential. This structured, discussion-based simulation allows stakeholders to walk through a hypothetical incident in a stress-free environment, identifying gaps and testing their roles without impacting operations.
This post outlines a comprehensive ransomware tabletop exercise complete with scenario details, roles and responsibilities, key injects (event triggers), decisions to be made, and actions to take. We’ll finish with a reflection on lessons learned and best practices.
Scenario Overview: “Operation Blackout”
Date & Time: You can run this over a 2-hour session.
Scenario Type: Targeted ransomware attack on a mid-sized organization.
Participants:
- IT & Security Team
- Incident Response (IR) Team
- Executive Leadership (CEO, CIO, CFO)
- Legal Counsel
- HR Representative
- Public Relations / Communications
- Third-party Vendors (simulated or represented)
Phase 1: Preparation
Objectives:
- Test the organization’s ability to respond to a ransomware attack.
- Evaluate communication, escalation, and containment protocols.
- Identify gaps in incident response planning.
- Foster cross-functional coordination.
Materials:
- Copies of the IR plan & business continuity plans.
- A facilitator guide.
- Role cards for each participant.
- Timeline & inject sheet.
- Notebooks or digital notes for tracking decisions and responses.
Phase 2: Roles and Responsibilities
1. Facilitator (usually CISO or external consultant)
- Guides the scenario.
- Issues injects.
- Observes and records decisions.
- Keeps time and controls pace.
2. IT/Security Team
- Detects the breach.
- Analyzes logs, isolates systems, and leads remediation.
- Communicates with vendors.
3. Incident Response Team
- Coordinates the technical and business response.
- Documents all actions.
- Liaises with stakeholders.
4. Executive Leadership
- Makes strategic decisions (e.g., paying ransom, notifying regulators).
- Ensures business continuity.
- Communicates with the board.
5. Legal Counsel
- Assesses regulatory obligations.
- Advises on data breach implications.
- Reviews communication for liability risk.
6. HR
- Assists with internal employee communications.
- Handles insider threat implications if applicable.
7. Public Relations / Communications
- Manages media response and public messaging.
- Communicates with customers and partners.
Phase 3: Scenario Timeline and Injects
Each phase introduces injects (new developments) to which participants must respond.
T+0 Minutes: Discovery
Inject:
A help desk ticket reports that several users are locked out of their systems, and a strange message appears demanding Bitcoin in exchange for decryption keys.
Expected Actions:
- IT begins triage.
- Confirm scope and isolate affected systems.
- Activate the IR plan.
- Notify the CISO/CTO.
T+15 Minutes: Escalation
Inject:
- Security tools report encryption processes running on shared drives.
- Email server begins to malfunction.
Expected Actions:
- Shut down file shares and critical services if needed.
- Convene the crisis response team.
- Begin system imaging for forensics.
T+30 Minutes: Business Impact
Inject:
- Payroll and CRM systems are unavailable.
- Finance reports suspicious outbound traffic to an unknown IP.
Expected Actions:
- Inform executive leadership.
- Begin assessing business impact.
- Engage legal and communications team.
- Log all decisions.
T+45 Minutes: Ransom Demand
Inject:
- A note is found: “Your files are encrypted. Pay $500,000 in Bitcoin or lose everything in 72 hours.”
- Data appears to have been exfiltrated.
Expected Actions:
- Legal reviews obligations under GDPR/ICO/NIS2.
- Discuss with leadership: Will you pay?
- Contact cyber insurance provider.
- Consider engaging third-party negotiators or law enforcement.
T+60 Minutes: Public Reaction
Inject:
- A journalist emails asking for comment on reports of a ransomware attack.
- Customers complain about login failures.
Expected Actions:
- Public Relations drafts a holding statement.
- Decide on stakeholder communication strategy.
- HR prepares internal employee comms.
- Legal reviews for compliance.
T+90 Minutes: Recovery Plans
Inject:
- Backups are found to be 5 days old and incomplete.
- Pressure mounts to restore services.
Expected Actions:
- Evaluate restoration timeline.
- Communicate impact on customers.
- Begin forensics analysis.
- Update the board and customers.
Phase 4: Debrief and Discussion
Topics for Debrief:
- What went well?
- What failed or was missed?
- How fast were key decisions made (e.g., containment, communication)?
- Were legal/regulatory obligations met?
- Was internal coordination effective?
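The inject sheet and the "log all decisions" action in the timeline produce the raw material for the debrief question about how fast key decisions were made. As an added example, not code from the original post, here is a small Python facilitator log that records injects and decisions against the T+minutes clock and computes time-to-decision per inject. The injects are the ones from the scenario above; the decisions, their timings, the role names and the keyword matching are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Entry:
    at: datetime
    kind: str      # "inject" (issued by the facilitator) or "decision" (made by a role)
    owner: str     # role that issued the inject or made the decision
    text: str


@dataclass
class ExerciseLog:
    """Facilitator's running record of an exercise, keyed to the T+0 start time."""
    start: datetime
    entries: list[Entry] = field(default_factory=list)

    def inject(self, minutes: int, text: str) -> None:
        self.entries.append(Entry(self.start + timedelta(minutes=minutes), "inject", "Facilitator", text))

    def decision(self, minutes: int, owner: str, text: str) -> None:
        self.entries.append(Entry(self.start + timedelta(minutes=minutes), "decision", owner, text))

    def _offset(self, e: Entry) -> int:
        return int((e.at - self.start).total_seconds() // 60)

    def find(self, kind: str, keyword: str) -> Optional[Entry]:
        """First entry of the given kind whose text contains keyword (case-insensitive)."""
        for e in sorted(self.entries, key=lambda e: e.at):
            if e.kind == kind and keyword.lower() in e.text.lower():
                return e
        return None

    def minutes_to_decision(self, inject_kw: str, decision_kw: str) -> Optional[int]:
        """Minutes from a given inject to a given decision; None if either is absent or out of order."""
        inj, dec = self.find("inject", inject_kw), self.find("decision", decision_kw)
        if inj is None or dec is None or dec.at < inj.at:
            return None
        return self._offset(dec) - self._offset(inj)

    def slow_responses(self, max_minutes: int) -> list[str]:
        """Injects whose first subsequent decision took longer than max_minutes (or never came)."""
        decisions = sorted((e for e in self.entries if e.kind == "decision"), key=lambda e: e.at)
        flagged = []
        for inj in (e for e in self.entries if e.kind == "inject"):
            after = [d for d in decisions if d.at >= inj.at]
            if not after or self._offset(after[0]) - self._offset(inj) > max_minutes:
                flagged.append(inj.text)
        return flagged

    def timeline(self) -> list[str]:
        """Human-readable timeline for the debrief handout."""
        return [f"T+{self._offset(e):02d} [{e.kind}] {e.owner}: {e.text}"
                for e in sorted(self.entries, key=lambda e: e.at)]


def build_sample_log() -> ExerciseLog:
    """Constructed sample run: the scenario's injects plus hypothetical decisions and timings."""
    log = ExerciseLog(start=datetime(2025, 1, 1, 9, 0))  # constructed start time
    log.inject(0, "Help desk ticket: users locked out, message demanding Bitcoin for decryption keys.")
    log.decision(8, "IT/Security", "Isolated affected workstations from the network.")
    log.decision(12, "IR Team", "IR plan activated; CISO notified.")
    log.inject(15, "Security tools report encryption processes running on shared drives.")
    log.decision(22, "IT/Security", "File shares and email taken offline; imaging started.")
    log.inject(30, "Payroll and CRM systems are unavailable; suspicious outbound traffic to unknown IP.")
    log.decision(38, "IR Team", "Executive leadership informed; crisis call opened.")
    log.decision(44, "Legal", "Legal and communications engaged; breach-notification clock started.")
    log.inject(45, "Ransom note found: pay $500,000 in Bitcoin within 72 hours; data appears exfiltrated.")
    log.decision(50, "Executive Leadership", "Decision: do not pay; cyber insurer and law enforcement contacted.")
    log.inject(60, "A journalist emails asking for comment on reports of a ransomware attack.")
    log.decision(72, "Public Relations", "Holding statement approved and sent to the journalist.")
    log.inject(90, "Backups are found to be 5 days old and incomplete.")
    log.decision(97, "IT/Security", "Restoration timeline estimated from the 5-day-old backups.")
    return log


def debrief_metrics(log: ExerciseLog) -> dict[str, Optional[int]]:
    """Time-to-decision figures for the debrief, in minutes."""
    return {
        "isolate_after_discovery": log.minutes_to_decision("locked out", "isolated"),
        "shares_down_after_encryption": log.minutes_to_decision("shared drives", "file shares"),
        "exec_informed_after_impact": log.minutes_to_decision("Payroll", "executive"),
        "holding_statement_after_press": log.minutes_to_decision("journalist", "holding statement"),
    }


if __name__ == "__main__":
    sample = build_sample_log()
    print("\n".join(sample.timeline()))
    print(debrief_metrics(sample))
    print("Slow responses (>10 min):", sample.slow_responses(10))
```

The `slow_responses` threshold is the facilitator's choice; the point is that every inject gets a measured response time rather than an impression, which is what turns "what was missed?" into a concrete list.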
Lessons Learned & Recommendations
- Speed and Clarity Matter
  - Early detection and response are critical.
  - Unclear ownership slows response; make sure the RACI (Responsible, Accountable, Consulted, Informed) assignments are clear.
- Backup Testing is Non-Negotiable
  - Regularly test and verify backups; data integrity matters more than frequency.
- Communication Is Key
  - Poor external comms can do more damage than the attack itself.
  - Have templates ready for press releases and customer emails.
- Regulatory Response
  - Know your breach reporting timelines.
  - Have a pre-established relationship with legal counsel.
- Documentation and Evidence
  - Maintain a log of all decisions and actions.
  - Chain-of-custody matters for forensic investigations.
- Cross-Functional Coordination
  - Cybersecurity isn’t just IT; it’s legal, HR, PR, and leadership.
  - Practice strengthens these connections.
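The T+90 inject (backups five days old and incomplete) and the "Backup Testing is Non-Negotiable" lesson come down to one check that should run routinely, not only during an incident: does a restore reproduce what the backup job recorded, and is the copy recent enough? As an added example, not code from the original post, here is a Python verifier that compares a restored file set against a manifest of per-file SHA-256 digests and the time the backup was taken. The manifest format, the file names, the one-day maximum age and the sample contents are constructed assumptions.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict[str, bytes], taken_at: datetime) -> dict:
    """Record what a backup job captured: one digest per path plus the run time.
    Assumed format; in practice the manifest is stored separately from the backup
    media so that tampering with the copy cannot also rewrite the expected digests."""
    return {"taken_at": taken_at.isoformat(), "files": {p: digest(b) for p, b in files.items()}}


@dataclass
class BackupReport:
    age_days: float
    stale: bool
    missing: list[str] = field(default_factory=list)   # in manifest, absent from restore
    corrupt: list[str] = field(default_factory=list)   # present but digest differs

    @property
    def ok(self) -> bool:
        return not (self.stale or self.missing or self.corrupt)


def verify_backup(manifest: dict, restored: dict[str, bytes], now: datetime,
                  max_age_days: float = 1.0) -> BackupReport:
    """Check a test restore against the manifest: age against the allowed maximum,
    every expected path present, and every digest matching."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    age = (now - taken).total_seconds() / 86400
    report = BackupReport(age_days=age, stale=age > max_age_days)
    for path, expected in manifest["files"].items():
        if path not in restored:
            report.missing.append(path)
        elif digest(restored[path]) != expected:
            report.corrupt.append(path)
    return report


def run_demo(now: datetime = datetime(2025, 1, 6, 12, 0)) -> BackupReport:
    """Constructed reproduction of the T+90 inject: a 5-day-old, incomplete, partly damaged backup."""
    original = {                                   # constructed sample contents
        "hr/payroll.db": b"payroll-records-v1",
        "crm/customers.csv": b"id,name\n1,Example Customer\n",
        "finance/ledger.xlsx": b"ledger-bytes",
    }
    manifest = make_manifest(original, taken_at=now - timedelta(days=5))
    restored = {                                   # what the test restore actually yielded
        "crm/customers.csv": b"id,name\n1,Example Customer\n1,Example Customer\n",  # damaged
        "finance/ledger.xlsx": b"ledger-bytes",                                     # intact
    }                                              # hr/payroll.db never made it into the copy
    return verify_backup(manifest, restored, now)


def run_good_demo(now: datetime = datetime(2025, 1, 6, 12, 0)) -> BackupReport:
    """Same files, backed up an hour ago and restored intact."""
    original = {"hr/payroll.db": b"payroll-records-v1", "finance/ledger.xlsx": b"ledger-bytes"}
    manifest = make_manifest(original, taken_at=now - timedelta(hours=1))
    return verify_backup(manifest, dict(original), now)


if __name__ == "__main__":
    r = run_demo()
    print(f"age={r.age_days:.1f}d stale={r.stale} missing={r.missing} corrupt={r.corrupt} ok={r.ok}")
```

Run against a real test restore, the same three lists (stale, missing, corrupt) are what the IR team needs at T+90 to give leadership a restoration estimate that is grounded in what the backups actually contain.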
Final Thoughts
Ransomware is a matter of when, not if. Tabletop exercises like this empower organizations to respond with confidence instead of chaos. By simulating real-world attacks, teams improve their resilience and refine their strategy before disaster strikes.
Ready to run your own exercise? Customize the above scenario to match your industry, threat landscape, and internal structure, and rehearse like it’s the real thing.