Ransomware attacks have become one of the most common and costly cybersecurity incidents facing organizations today. Hospitals, municipalities, universities, and private companies have all experienced operational shutdowns caused by ransomware.
Most organizations invest heavily in cybersecurity tools, but far fewer prepare their leadership teams to respond effectively when an attack occurs.
A ransomware tabletop exercise allows IT, security, legal, communications, and executive leadership to walk through a simulated cyber incident and evaluate how they would respond.
The goal is not to test technical defenses, but to evaluate coordination, decision making, and communication during a crisis.
Regular tabletop exercises help organizations identify weaknesses in response procedures before a real incident occurs.
What is a Ransomware Tabletop Exercise?
A ransomware tabletop exercise is a structured, discussion-based simulation in which participants work through a hypothetical ransomware attack.
Participants discuss how their organization would respond to a series of events during the attack, including:
- detecting the incident
- isolating affected systems
- communicating with leadership
- responding to ransom demands
- notifying customers or regulators
- restoring business operations
These exercises help ensure that both technical and leadership teams understand their roles during a cyber incident.
Unlike penetration testing or red-team exercises, tabletop exercises focus primarily on decision making and coordination rather than technical response.
Why Organizations Must Run Ransomware Exercises
When ransomware incidents occur, organizations must make rapid decisions under pressure.
Without preparation, teams often struggle with questions such as:
- Who has authority to shut down systems?
- When should executives be notified?
- Should law enforcement be contacted?
- Should the organization consider paying a ransom?
- How should customers or partners be notified?
Running ransomware tabletop exercises helps organizations prepare for these decisions.
Benefits include:
- Improved coordination between departments: IT, security, legal, and leadership teams understand their responsibilities during an incident.
- Faster decision making: Leadership becomes familiar with the types of decisions required during a ransomware attack.
- Identification of response gaps: Exercises frequently reveal weaknesses in incident response plans or communication procedures.
Example Ransomware Scenario
Scenario Overview
At 8:30 AM on a Monday, several employees report that files on the company network drive cannot be opened.
An IT technician discovers a message on affected systems stating:
"Your files have been encrypted. Pay 40 Bitcoin within 72 hours to restore access."
Shortly afterward, additional systems begin showing encryption warnings and employees report that several internal applications are no longer functioning.
At the same time, the security team notices unusual network traffic originating from a workstation in the finance department.
Step-by-Step Exercise Guide
Step 1: Define Objectives
Determine what the exercise is intended to evaluate, such as incident response procedures or executive decision making.
Step 2: Assemble Participants
Typical participants include:
- IT security leadership
- corporate security
- executive leadership
- legal counsel
- communications or public relations
Step 3: Present the Scenario
Introduce the initial ransomware discovery and allow participants to discuss their immediate response.
Step 4: Introduce Scenario Updates
Provide new developments during the exercise, such as additional system failures, ransom demands, or media inquiries.
Step 5: Document Observations
Record communication challenges, unclear procedures, or gaps in response planning.
Discussion Questions
Use these prompts to guide the exercise discussion.
- Who declares a cybersecurity incident?
- Should affected systems be isolated or shut down?
- Who notifies executive leadership?
- Should law enforcement or cybersecurity authorities be contacted?
- Who communicates with customers or partners if services are disrupted?
- What factors influence the decision to pay or refuse a ransom?
After Action Review Template
After the exercise, conduct an After Action Review to document findings.
What worked well
- effective communication between teams
- rapid incident escalation
Areas for improvement
- unclear incident authority
- delayed decision making
- gaps in response procedures
Recommended actions
- update the incident response plan
- clarify executive decision authority
- improve communication procedures
How DrillsForge Automates Tabletop Exercises
Running tabletop exercises manually often requires significant preparation and coordination. Many organizations rely on slide presentations or outside consultants to guide the exercise.
DrillsForge simplifies this process by allowing organizations to run structured tabletop exercises online with automated scenario prompts and guided discussion questions.
Security and IT teams can quickly launch realistic incident simulations, record responses, and generate after-action reports in a single platform.
Regular exercises help organizations strengthen preparedness and improve coordination during cyber incidents.