Close this search box.

Running a Ransomware Tabletop Exercise

The author

If you ever played tabletop role-playing games, you can think about a tabletop exercise as an IT version of Dungeons & Dragons. Pretend an attack is underway, then your team role-plays through how they will perform your incident response (IR) and disaster recovery (DR) plans. It’s an excellent tool for practicing and testing your plans.

Example Exercise Scenarios

If you’re short on ideas, consider these possible scenarios:

  • Your enterprise storage has been encrypted. The attack was so thorough that even your onsite backups are encrypted. You have no offsite backups to fall back on. What do you do?
  • You have an offsite backup, but it’s on tape and will take days to restore from. Your production environment is down now. What do you do?
  • You have no backups whatsoever, so the only option is to rebuild your infrastructure. Where do you begin?
  • You’ve tried everything–removing the ransomware, decrypting your data, and restoring from backup–and all attempts have failed. The clock is ticking, so at what point do you give in to the ransom’s demands, and how can you minimize loss doing so?

Refer to our infographic tips on who should attend these exercises.

Structuring Your Exercise

Your tabletop exercise can begin with a visual presentation, such as a PowerPoint or PDF document, that walks the team through each step.

There are many possible approaches, but consider this basic structure, broken into sequential phases, as a starting template:

  1. Introduction: State the purpose and goals of the exercise.
  2. Detail the attack: How was the pretend attack detected, what symptoms are observed, where has it spread to, and what damage has been done?
  3. Pop quiz actions: Who performs what action first, and where?
  4. “What if” questions: What if onsite backups are compromised? What if offsite backups are not readily available? What if you can’t restore your data within the ransom’s time limit?
  5. Debrief: What did everyone learn? What security gaps were found? What new action items are taken away?

Repeat these steps through multiple scenarios.

Sign Up For Our Newsletter

Don’t worry, we hate spam too!

Get The Latest On Ransomware Right In Your Inbox

Sign Up To Receive Our Monthly Ransomware Newsletter
Don’t worry, we hate spam too

Is This Your Business?
Get In Touch

Contact Us To Sponsor Your Business Listing & Learn More About The Benfits.

Before You Go!
Sign up to stay up to date with everything ransomware

Sign Up To Receive Our Monthly Ransomware Newsletter
Don’t worry, we hate spam too

JUST RELEASED: The 2024 State of Ransomware Survey is in.


Share via
Copy link
Powered by Social Snap