Workers sit around table
Safety and Security Sep 29, 2022

How to Run a Ransomware Tabletop Exercise [+ Scenarios]

Ransomware attacks can wreak havoc on your business. Prepare your people with these tabletop exercise scenarios.

Tabletop Exercise Template
Conduct simulated exercises that test your organization’s emergency response procedures.
Thumbnail view of the Tabletop Exercise Template cover page

In May of 2019, the city of Baltimore, Maryland, experienced a sudden emergency. It wasn’t a natural disaster, physical infrastructure failure, or civil unrest; rather, it was an entirely digital problem.

Hackers targeted the city government’s computer system with malware dubbed “RobbinHood” that leveraged several security exploits to disable large portions of the city’s critical digital infrastructure. The hackers demanded roughly $80,000 in cryptocurrency in exchange for unencrypting the city’s ruined files. Until they paid the ransom or found another solution, government email accounts would be locked, digital real estate transfers impossible, and payment processing for essentials like utilities cut off.

Ultimately, the city was skeptical of the hackers’ promise of restoration, and they refused to pay the ransom. The subsequent restoration of the city’s computer systems cost the city at least $18 million dollars.

These ransomware attacks are becoming more and more frequent. Other U.S. cities like Greenville, North Carolina, and Atlanta, Georgia, also suffered similar attacks in recent years, and many companies—from Colonial Pipeline to Sony—have suffered heavy blows from criminals who are able to find the cracks in an organization’s cyber armor. While cybercriminals continue to advance, there are things you can do to protect your business from such attacks. Simulated ransomware events can be incredibly helpful in preparing your people for the real thing and can give them the confidence to respond effectively. One of the most popular ways to do so is with a tabletop exercise.

What Is a Ransomware Tabletop Exercise?

A ransomware tabletop exercise is a simulated event where participants are asked to walk through an imagined ransomware scenario. These are just like any other tabletop exercise, but they focus specifically on ransom-seeking cyberattacks.

Elements of a ransomware tabletop exercise

Ransomware tabletop exercises are composed of several distinct pieces that determine the execution and outcome.

PRO TIP: Use AlertMedia’s step-by-step Tabletop Exercise Template to keep track of each part of your exercise in one easy-to-share document.

How to Conduct Tabletop Exercises for Ransomware Attacks

Set goals and objectives

These exercises are meant to provide a safe environment to practice and explore potential responses to a ransomware cyberattack. As the name suggests, these exercises usually take place seated around a table, and they’re conducted somewhat similarly to a tabletop role-playing game. In this relaxed setting, participants are invited to imagine that a ransomware attack has occurred at their organization, and then they simulate their response. By acting these out, potential flaws and oversights can be identified and accounted for in the official emergency plans.

Of course, as this is just a tabletop exercise, people won’t be working on the supposedly affected computer systems and the attack will be imaginary. But by exposing your people to the problems and potential reactions to ransomware, they’ll be prepared to act appropriately if one of these attacks hits your business.

Gather stakeholders

Tabletop exercises require a mix of different people to perform certain functions on the day of the exercise. For this attack scenario you need to fill the following roles:

  • The facilitator is the moderator of the exercise. They know how the exercise is supposed to flow, and they step in with guiding questions if the conversation stalls.
  • You also need to gather your participants, the people who make up the bulk of your group and who will be asked to imagine a ransomware attack at work.
  • Finally, identify the evaluators. Their job is to observe the exercise without participating and takes notes so that they can contribute to an after-action report following the training exercise. In this case, cybersecurity experts at your company, such as IT team members, would be great choices for this role.

Ransomware and other cyber threats such as phishing can target any individual at your company, so you should include representatives from all departments and business levels, if possible. Groups should be limited in size to keep discussions manageable. Your facilitators should be involved in setting up these groups to give their input on how many people they think they can handle at once.

Analyze possible threats

Before you run any tabletop exercise, you need to know what threats you face and how they might affect your business. Perform a cybersecurity threat assessment to identify security vulnerabilities and likely attack vectors. This is, of course, a great thing to do even if you don’t plan on running a tabletop exercise, and obvious security flaws should be patched. However, most hacking attacks include some form of social manipulation, so you need to be aware of the human element of cybersecurity.

Basic security practices, such as password hygiene and verifying suspicious messages through separate communication channels, can greatly affect your information security. Knowing how your people would react to such a situation can be incredibly helpful in uncovering any bad practices or honest mistakes that could open the door to bad actors looking to compromise your business continuity.

Share the results of this analysis with your facilitator so they know what kind of scenarios and complications to introduce when they actually perform the exercise in the next step.

Run the exercise

Once you’ve prepared for the exercise, gather your facilitator, evaluators, and participants in one room or, if required, a call bridge or video conference. The facilitator begins by describing the goals of the exercise. They will then set the scene by describing a normal day at work and identifying the details of a ransomware attack on the organization.

At that point, participants take over and have a conversation about what they would do in this scenario. Employees will be asked to consider how a cyberattack would influence their day—perhaps it would disable certain computer systems or block particular lines of communication. With an understanding of the likely impact of cyberattacks as identified in the threat assessment, the facilitator can also help to fill in details at this stage to ensure participants are considering the full scope of the scenario.

After each run, open the floor for discussion. All of the group, save the evaluators, should talk about what went well, what they think could be improved, and their feelings on the exercise in general. The evaluators should focus on taking careful notes during these parts.

Once you’ve completed the brief review, run it again from the top, but this time introduce a new complication. This could be any variable that forces the group to consider new paths of action during the exercise, such as:

  • The cloud-based backup system is unaffected but hasn’t been updated in two weeks, and all data created since then is encrypted.
  • A key senior leader is out sick that day, disrupting the decision-making hierarchy.
  • Remote workers are locked out of their computers and cannot perform their job functions.

Once you’ve run this a few times, dismiss the group and move on to the review.

Identify and address gaps in your response plans with our Tabletop Exercise Template.

This video will walk you through everything you need to know to run effective tabletop exercises.


After-action report

Once the group completes the exercise, the evaluators’ job begins in earnest. They work together with the facilitator to create an after-action report, made easy by our after-action report template. Using the notes they took during the tabletop exercise itself, they sum up their observations of the proceedings. When reflecting on the exercise, they will think critically about the participants’ answers and discussions to fill out the report.

The contents of the after-action report should include:

  • A summary of expectations and goals
  • A recap of the meeting and its proceedings
  • Things that went well and should be replicated in the future
  • Things that were excluded or didn’t go well
  • Areas of improvement

Once the after-action report is completed, the evaluator will share it with those involved in designing the tabletop exercises. An after-action report should be completed with every exercise and should be considered an integral part of the tabletop exercise process. This evaluation can also guide improvements to your ransomware response plan so you’re more prepared should this type of cyberattack occur in real-life.

2 Ransomware Scenarios to Incorporate in Tabletop Exercises

After you’ve used any tabletop exercise scenario once or twice, it’s probably best to move on to another. Assuming that everyone is participating and performing their role well, you’ll want to introduce new circumstances that give the group opportunities to face unfamiliar challenges and develop new solutions.

If you’re looking for new scenarios to challenge your groups, here are a couple that are popular with our team at AlertMedia:

Software provider compromised

In many cases, the software and services we rely on are owned and operated by third parties. Examples include email providers, video conferencing systems, and a wide variety of business software (e.g., CRM, ERP, HRIS, etc.).

While most of these providers have their own cybersecurity measures, there’s always a possibility that their systems become compromised, leading to downstream consequences for your business.

Think of a software or digital service your organization relies on, and imagine it has been the victim of a ransomware attack. Use that premise to kick off your tabletop exercise.

Follow-up questions:

  • What did the group do immediately to minimize further damage?
  • How did they choose to interact with the affected provider?
  • If the group arrived at a short-term solution, how would that change if and when the provider fixed the issue?
  • Are there any other security gaps you can identify that might leave your systems vulnerable to an internal or external cyberattack?

Physical intrusion

Most ransomware is deployed via the internet and is often perpetrated by criminals located in distant countries so they can more easily evade capture. However, there is a possibility of someone simply walking into an office on your premises, logging in to a computer, and plugging in a USB drive that contains malware.

This scenario demands the intersection of cybersecurity and physical security—known as security convergence—for the most effective response. A threat of this kind will force your people to consider new, physical gaps in your cyber preparedness. Include members of your company’s physical security team in this round of the tabletop exercise to hear their opinions and to give employees practice communicating between departments during an emergency.

Follow-up questions:

  • What digital measures did the team take to prevent future physical intrusions? What physical ones?
  • How did the physical deployment of ransomware compare to one that was deployed remotely?
  • How likely is such a threat at your workplace(s)?
  • Are there other security gaps you can identify that might leave your systems vulnerable to a physical ransomware attack?

Security on All Sides

As your tabletop exercises will reveal, safety and preparedness go beyond a basic incident response plan. To fully prepare your people, systems, and processes, you must look at how they all work together to understand the full scope of any potential threat. This hands-on approach to developing risk awareness and constant readiness to address a range of cyberthreats will go a long way to protecting your people and business continuity.

Tabletop Exercise Template

Please complete the form below to receive this resource.

Like What You're Reading?
Subscribe to Our Newsletter
Subscribe to The Signal by AlertMedia to get updated when we publish new content and receive actionable insights on what’s working right now in emergency preparedness.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

Cookie Notice