
The 90-Minute Ransomware Tabletop

Dephiant Research

A leadership-ready tabletop script you can run this quarter. No consultant required.


Tabletop exercises are invaluable for preparedness, yet many organizations struggle to run them well. A common pitfall is designing the simulation as a quiz, where participants are expected to recite memorized procedures or technical trivia. That approach produces superficial engagement and hides the real decision-making gaps. The purpose of a tabletop, especially for a leadership audience, is to surface hard decisions, expose points of friction, and clarify roles and responsibilities under pressure, not to test recall of obscure facts.

This article outlines a condensed, leadership-focused ransomware tabletop designed to run in roughly 90 minutes. The format lets a team work through the strategic decisions that matter without external consultants or preparation beyond gathering the right stakeholders: the people who would actually declare the incident, approve spending, talk to regulators, and sign off on a ransom decision. The exercise is built to expose gaps, and it ends with a concrete list of post-tabletop improvements.

The Agenda: A Focused Scenario for Critical Decisions

The core of this 90-minute tabletop revolves around a concise, impactful scenario designed to immediately thrust participants into high-stakes decision-making. Each agenda item prompts a discussion that uncovers operational, legal, and financial considerations.

  1. Inject: Encrypted file share at 6:47 AM on a Saturday. The exercise opens with a clear, time-sensitive incident. Participants are told that a significant portion of the organization's file shares has been encrypted and that the discovery was made early on a weekend morning. The timing is deliberate: it simulates a worst case in which the usual operational staff are not readily available, amplifying the initial chaos and testing whether reporting and escalation procedures hold. The facilitator should press on the details leadership tends to gloss over: who actually noticed (an alert, or a user who could not open a file), how the on-call responder is reached at that hour, and who has the authority to isolate affected systems before any formal decision is made. This inject forces immediate consideration of initial detection, confirmation, and the activation of response teams.

  2. Who declares an incident? Who calls legal counsel? Who calls cyber insurance? This item covers the initial notification and engagement of key internal and external stakeholders. Participants must name the specific individual or role authorized to formally declare a cybersecurity incident, and understand what that declaration sets in motion: insurance notification windows, regulatory clocks, and the point from which the organization's handling will later be judged. The discussion should also establish the process and criteria for engaging external counsel, not just who makes the call but when and why particular expertise (privacy law, regulatory compliance, incident response counsel) is needed; one practical reason to involve counsel early is so that forensic work can be directed under legal privilege. In parallel, the steps for notifying the cyber insurance carrier must be clear: who holds the policy contact, what the reporting deadline is, and what initial information the insurer will require to activate coverage. Many policies also restrict which response firms and counsel are covered, so the order of the calls matters. This item probes the incident response plan for clarity on escalation chains and stakeholder engagement protocols.

  3. What's the public statement at hour 24? As the incident unfolds, external communication becomes critical. This item asks participants to settle the essence of a public statement within 24 hours of discovery, assuming the attack is already public or about to become so. The goal is not to draft a verbatim press release but to agree on the core message, the level of detail to disclose, and the posture the organization will adopt. Considerations include limiting reputational damage, reassuring customers and partners, and meeting any regulatory disclosure requirements. A useful caveat: early statements should say only what has been confirmed, because a claim such as "no customer data was affected" is very hard to walk back if forensics later proves otherwise. This portion highlights the need for pre-approved communication templates and a clear communication strategy matrix.

  4. Do we pay the ransom? Under what conditions? This is usually the most contentious and revealing part of the exercise, because it forces a direct confrontation with the ethical, operational, and financial dilemmas of a ransomware attack. Participants must debate the criteria for even considering payment: the potential loss of critical data, the estimated downtime cost versus the ransom amount, whether viable backups exist (and whether anyone has actually tested restoring from them), and legal constraints such as sanctions lists and terrorist financing laws, which can make payment to certain actors illegal regardless of the business case. The discussion should also settle who makes the final decision (CEO, Board, incident response steering committee) and what information they would need to make it. The consequences of paying (funding criminal enterprises, no guarantee of working decryption, no guarantee that stolen data is deleted, and a higher chance of being targeted again) must be weighed against the consequences of not paying (extended downtime, data loss, reputational damage).

  5. What does "recovered" mean for this company? Moving beyond containment, this question asks leadership to define successful recovery in business terms. Recovery is not simply restoring data; it is the full return to normal operations, often with stronger controls than before. Participants need to articulate specific, measurable criteria for declaring the incident resolved and the organization "recovered." These might include: critical systems operational, data restored to an agreed point in time, customer-facing services fully functional, attacker access confirmed removed (credentials reset, persistence mechanisms eliminated) so that the restored environment is not simply re-encrypted, regulatory notifications completed, and the post-incident forensic analysis concluded. This discussion aligns technical recovery efforts with broader business objectives and highlights the need for comprehensive recovery playbooks.

Identifying and Addressing Gaps

The inherent value of this tabletop exercise lies not just in the discussions themselves, but in the explicit identification of gaps. As each agenda item is addressed, a designated facilitator or scribe should diligently record every instance where:

  • There is no clear owner for a critical decision or action.
  • Protocols are undefined or unknown to key stakeholders.
  • Communication channels are unclear or inefficient.
  • Resources (human, technical, financial) are deemed insufficient.
  • Conflicting priorities or assumptions emerge among different departments or leaders.

These identified gaps form the foundation of a concrete, actionable post-tabletop roadmap. The roadmap should prioritize findings, assign clear ownership for each remediation, and set realistic deadlines for closing each deficiency. By focusing on these tangible outcomes, the 90-minute exercise becomes more than a simulation: it is a practical tool for improving the organization's actual resilience against ransomware and other cyber threats.