
Performing Ransomware Tabletop Exercise

When to Use

  • Testing organizational ransomware response procedures annually or after major infrastructure changes
  • Validating decision-making processes for ransom payment, regulatory notification, and public disclosure
  • Training executives, IT, legal, PR, and operations teams on their roles during a ransomware incident
  • Meeting cyber insurance policy requirements for documented incident response testing
  • Identifying gaps in recovery playbooks, communication plans, and backup procedures

Do not use as a substitute for technical controls testing. Tabletop exercises validate procedures and decision-making, not technical detection or prevention capabilities.

Prerequisites

  • Documented incident response plan (IRP) that participants should have read before the exercise
  • Identified exercise participants from: executive leadership, IT/security, legal, communications/PR, HR, operations, and external counsel
  • Facilitator who is independent from the IR team (to provide objective evaluation)
  • Ransomware scenario designed with injects that escalate over multiple rounds
  • Evaluation criteria aligned to NIST CSF Respond/Recover functions
  • Conference room or virtual meeting for 2-4 hours with no interruptions

Installs: 9
GitHub Stars: 6.2K
First Seen: Mar 21, 2026