How to Run a Ransomware Tabletop Exercise [+ Scenarios]
Ransomware attacks can wreak havoc on your business. Prepare your people with these tabletop exercise scenarios.
In May of 2019, the city of Baltimore, Maryland, experienced a sudden emergency. It wasn’t a natural disaster, physical infrastructure failure, or civil unrest but an entirely digital problem.
Hackers targeted the city government’s computer system with malware dubbed “RobbinHood” that leveraged several security exploits to disable large portions of the city’s critical digital infrastructure. The hackers demanded roughly $80,000 in cryptocurrency in exchange for decrypting the city’s files. Until the city paid the ransom or found another solution, government email accounts would be locked, digital real estate transfers would be impossible, and payment processing for essentials like utilities would be cut off.
Ultimately, the city was skeptical of the hackers’ promise of restoration, and they refused to pay the ransom. The subsequent restoration of the city’s computer systems cost at least $18 million.
These ransomware attacks are becoming more and more frequent. Other U.S. cities like Greenville, North Carolina, and Atlanta, Georgia, also suffered similar attacks in recent years, and many companies—from Colonial Pipeline to Sony—have suffered heavy blows from criminals who can find the cracks in an organization’s cyber armor. While cybercriminals continue to advance, there are things you can do to protect your business from such attacks. Simulated ransomware events can be beneficial in preparing your people for the real thing and give them the confidence to respond effectively. One of the most popular ways to do so is with a tabletop exercise.
What Is a Ransomware Tabletop Exercise?
A ransomware tabletop exercise is a simulated event in which participants are asked to walk through an imagined ransomware scenario. It is similar to any other tabletop exercise, but it focuses specifically on ransom-seeking cyberattacks.
You can use AlertMedia’s step-by-step Tabletop Exercise Template to keep track of each part of your exercise in one easy-to-share document.
Benefits of Tabletop Exercises for Ransomware Attacks
Ransomware tabletop exercises offer numerous advantages for all businesses aiming to enhance their cybersecurity preparedness. Here’s why they should be a cornerstone of your defense strategy:
- Enhanced stakeholder collaboration—Tabletop exercises foster stakeholder collaboration by involving IT teams, leadership, legal advisors, and external partners. By working together during a simulated crisis, participants build stronger communication channels and trust, which is critical for swift, coordinated responses to real-world ransomware incidents.
- Risk identification and mitigation—Tabletop exercises help organizations uncover vulnerabilities in their systems, processes, and policies. This proactive risk identification allows for targeted mitigation strategies, reducing the likelihood of a successful ransomware attack and safeguarding critical assets, including sensitive data and intellectual property.
- Cost-effective training—Unlike live incident responses, which can be costly and disruptive, tabletop exercises offer cost-effective training. Employees gain hands-on experience without risking data loss or operational downtime, ensuring the organization’s readiness while preserving resources.
- Increased awareness and buy-in—Simulating ransomware scenarios increases employees’ and executives’ awareness of the severity of such threats. This heightened understanding often leads to greater buy-in for cybersecurity initiatives, reinforcing a culture of vigilance and responsibility across the organization.
- Improved response capabilities—These exercises refine your organization’s ability to respond quickly and effectively to a ransomware event. By analyzing outcomes and identifying lessons learned, you can adjust strategies to close gaps and improve overall preparedness.
- Strategy adjustment insights—Through these exercises, organizations can evaluate their current strategies for mitigating risks, such as data loss or intellectual property theft, and recovering from disruptions. Insights gained during these scenarios help fine-tune incident response plans to better protect against the financial and reputational risks of ransomware attacks.
In June 2024, Synnovis—a key pathology services provider for several London hospitals—suffered a ransomware attack that severely disrupted medical services. The attackers stole and later leaked approximately 400GB of sensitive data, including patient names, NHS numbers, and blood test details.
This breach disrupted more than 3,000 appointments, significantly affecting patient care across multiple NHS facilities.
This incident underscores the importance of regular ransomware tabletop exercises for businesses, especially in the healthcare sector. These simulations prepare your organization to respond effectively to cyberattacks by identifying vulnerabilities, streamlining communication, and ensuring continuity of operations during actual incidents. This proactive preparation is essential to safeguard sensitive data and maintain trust in critical services.
How to Conduct Ransomware Tabletop Exercises
1. Set goals and objectives
These exercises provide a safe environment to practice and explore potential responses to a ransomware cyberattack. As the name suggests, these exercises usually take place seated around a table and are conducted somewhat similarly to a tabletop role-playing game. In this relaxed setting, participants are invited to imagine that a ransomware attack has occurred at their organization and then simulate their response. By acting these out, participants and observers can identify potential flaws and oversights in the official emergency plans.
Of course, as this is just a tabletop exercise, people won’t be working on the supposedly affected computer systems, and the attack will be imaginary. But by exposing your people to the problems and potential reactions to ransomware, they’ll be prepared to act appropriately if one of these attacks hits your business.
2. Gather stakeholders
Tabletop exercises require a mix of people to perform certain functions on the day of the exercise. For this attack scenario, you need to fill the following roles:
- The facilitator is the moderator of the exercise. They know how the exercise is supposed to flow, and they step in with guiding questions if the conversation stalls.
- You also need to gather your participants, who will be asked to imagine a ransomware attack at work and determine the response actions.
- Finally, identify the evaluators. Their job is to observe the exercise without participating and take notes so that they can contribute to an after-action report following the training exercise. In this case, cybersecurity experts at your company, such as IT team members, would be excellent choices for this role.
Ransomware and other cyber threats, such as phishing, can target any individual at your company, so you should include representatives from all departments and business levels, if possible. Groups should be limited in size to keep discussions manageable. Your facilitators should be involved in setting up these groups to give their input on how many people they think they can handle at once.
3. Analyze possible threats
Before you run any tabletop exercise, you need to know what threats you face and how they might affect your business. Perform a cybersecurity threat assessment to identify security vulnerabilities and likely attack vectors. Most hacking attacks include some form of social manipulation, so you need to be aware of the human element of cybersecurity.
Basic security practices—such as password hygiene and suspicious message verification through separate communication channels—can significantly affect your information security. Knowing how your people would react to such a situation can be incredibly helpful in uncovering any bad practices or honest mistakes that could open the door to bad actors looking to compromise your business continuity.
Share the results of this analysis with your facilitator so they know what kind of scenarios and complications to introduce when they perform the exercise in the next step.
4. Run the exercise
Once you’ve prepared for the exercise, gather your facilitator, evaluators, and participants in one room or, if required, a call bridge or video conference. The facilitator begins by describing the goals of the exercise. They will then set the scene by describing a typical day at work and identifying the details of a ransomware attack on the organization.
At that point, participants take over and discuss what they would do in this scenario. Employees will be asked to consider how a cyberattack would influence their day—perhaps it would disable certain computer systems or block particular lines of communication. With an understanding of the likely impact of cyberattacks as identified in the threat assessment, the facilitator can also help to fill in details at this stage to ensure participants are considering the full scope of the scenario.
After each run, open the floor for discussion. All of the group, save the evaluators, should talk about what went well, what they think could be improved, and their feelings on the exercise in general. The evaluators should focus on taking careful notes during these parts.
Once you’ve completed the brief review, run it again from the top, but this time introduce a new complication. This could be any variable that forces the group to consider new paths of action during the exercise, such as:
- The cloud-based backup system is unaffected but hasn’t been updated in two weeks, and all data created since then is encrypted.
- A key senior leader is out sick that day, disrupting the decision-making hierarchy.
- Remote workers are locked out of their computers and cannot perform their job functions.
Once you’ve run this a few times, dismiss the group and move on to the review.
5. After-action report
Once the group completes the exercise, the evaluators’ job begins in earnest. They work together with the facilitator to create an after-action report, which is made easy by our after-action report template. Using the notes they took during the tabletop exercise, they sum up their observations of the proceedings. When reflecting on the exercise, they will think critically about the participants’ answers and discussions to complete the report.
The contents of the after-action report should include:
- A summary of expectations and goals
- A recap of the meeting and its proceedings
- Things that went well and should be replicated in the future
- Things that were excluded or didn’t go well
- Areas of improvement
Once the after-action report is completed, the evaluator will share it with those involved in the tabletop exercises. Conducting an after-action review with every exercise is an integral part of the tabletop exercise process. This evaluation can also guide improvements to your ransomware response plan so you’re more prepared should this type of cyberattack occur in real life.
Ransomware tabletop exercise examples
Picking the right ransomware event to practice in a tabletop exercise gives you a leg up on preparedness, because your people rehearse the most realistic responses. Here are a few examples of events or risks you can train for. They can serve as complete exercises or as injects to other scenarios.
- Data breach
- Phishing email
- Supply chain cyber incident
- Healthcare data ransomware incident
- Third-party vendor breach
- Sensitive data leak
- Public relations event
- Critical data loss
2 Ransomware Scenarios to Incorporate in Tabletop Exercises
After you’ve used any tabletop exercise scenario once or twice, it’s probably best to move on to another. Assuming everyone is participating and performing their role well, you’ll want to introduce new circumstances, allowing the group to face unfamiliar challenges and develop new solutions.
If you’re looking for new scenarios to challenge your groups, here are a couple that are popular with our team at AlertMedia:
Software provider compromised
The software and services we rely on are often owned and operated by third parties. Examples include email providers, video conferencing systems, and a wide variety of business software (e.g., CRM, ERP, HRIS, etc.).
While most of these providers have their own cybersecurity measures, there’s always a possibility that their systems become compromised, leading to downstream consequences for your business.
Think of a software or digital service your organization relies on, and imagine it has been the victim of a ransomware attack. Use that premise to kick off your tabletop exercise.
Follow-up questions:
- What did the group do immediately to minimize further damage?
- How did they choose to interact with the affected provider?
- If the group arrived at a short-term solution, how would that change if and when the provider fixed the issue?
- Can you identify any other security gaps that might leave your systems vulnerable to an internal or external cyberattack?
Physical intrusion
Most ransomware is deployed via the Internet and is often perpetrated by criminals located in distant countries so they can more easily evade capture. However, someone can also simply walk into an office on your premises, log in to a computer, and plug in a USB drive that contains malware.
This scenario demands the intersection of cybersecurity and physical security—known as security convergence—for the most effective response. A threat of this kind will force your people to consider new, physical gaps in your cyber preparedness. Include members of your company’s physical security team in this round of the tabletop exercise to hear their opinions and to give employees practice communicating between departments during an emergency.
Follow-up questions:
- What digital measures did the team take to prevent future physical intrusions? What physical ones?
- How did the physical deployment of ransomware compare to one deployed remotely?
- How likely is such a threat at your workplace(s)?
- Are there other security gaps you can identify that might leave your systems vulnerable to a physical ransomware attack?
Security on All Sides
As your tabletop exercises will reveal, safety and preparedness go beyond a basic incident response plan. To fully prepare your people, systems, and processes, you must examine how they all work together to understand the full scope of any potential threat. This hands-on approach to developing risk awareness and constant readiness to address a range of cyber threats will go a long way toward protecting your people and business continuity.