By Shira Landau, Editor-in-Chief,


Ransomware attacks can have devastating consequences for organizations. In the last 12 months alone, ransomware attacks have increased by more than 37%, with an average ransomware payment demand in excess of $5 million.

Proactively preparing for ransomware attacks can limit the impact of actual ransomware incidents. Ransomware tabletop exercises are critical pieces of any strategy designed to bolster ransomware and cyber readiness.

In this article, discover 5 ransomware tabletop exercise recommendations that can help you protect your organization from this formidable threat.

What is a ransomware tabletop exercise?

A ransomware tabletop exercise provides a practical framework through which leaders and teams can prepare for and understand their roles in incident response.

In more concrete terms, a ransomware tabletop exercise involves imagining a threat scenario, allowing stakeholders to problem-solve, mitigating the fictitious incident’s impact, and updating the response strategy accordingly.

In most cases, a facilitator ensures a collaborative approach, moderates any discussions, provides scenario updates, and asks appropriate follow-up questions.

5 ransomware tabletop recommendations

1. Education and preparation. All employees involved in ransomware exercises should know why and how an organization might encounter a ransomware incident. If the tabletop exercise spans beyond the cyber security team, information pertaining to key terminology, the purpose of activities, and related procedure documents should be distributed to all.
The more that participants understand about the context of a ransomware tabletop exercise, the more supportive and responsive they’ll be during the exercise itself.

2. Collaborative environment. An often overlooked aspect of tabletop exercises is the development of a stress-free, no-fault learning environment where everyone feels comfortable speaking up and providing input. Facilitators should explain that the idea is to evaluate systems, capabilities and processes with the shared goal of enhancing the organization’s cyber security posture. Be sure to set the right tone for your ransomware tabletop exercise.

3. Realistic scenarios. At the heart of any effective tabletop exercise is a realistic scenario. For example, a realistic scenario might involve a ransomware attack that starts with a phishing email and that leads to the encryption of sensitive customer data. The scenario should progress through breach discovery, notification of law-enforcement, a ransom demand, restoration of systems from backups and/or the decision-making process around whether or not to pay a ransom.

4. Scenario variations. Ahead of time, exercise leaders should come up with multiple, plausible ‘wrenches’ that can be thrown into the exercise itself. For instance, in one scenario, the ransom demand could be exorbitant. In another scenario, a second ransomware attack that relies on a different strain of ransomware, could occur within 24 hours. Variations enable teams to adapt to unexpected circumstances and to test different aspects of the incident response plan.

5. Post-exercise evaluation. Once the walk-through concludes, conduct a thorough evaluation. In so doing, identify team strengths, areas for improvement and revise the incident response plan accordingly. Consider:

  • What worked well during the exercise?
  • Where were there communication snags, if any?
  • Did the team adhere to set policies and procedures?
  • How did any unexpected challenges impact the response?

As noted earlier, the main purpose of a ransomware tabletop exercise is to allow an organization to enhance its cyber security preparedness. Insights gained from post-exercise evaluation will allow for fine-tuning of plans.

Further thoughts

In an environment where ransomware attacks are growing in volume and sophistication, organizations can’t afford to be unprepared. Ransomware tabletop exercises serve as proactive approach in fortifying defenses and ensuring a coordinated response in the event of a real incident.

The five recommendations in this article can help your organization strengthen resilience against ransomware threats and minimize an attack’s impact.

For more cyber resilience insights, please see’s CISO’s Guide to Resilience eBook. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.