by meagancleary


The threat of a ransomware attack is a reality for organizations and businesses of all sizes. While prevention is critical, having a robust incident response and disaster recovery plan is equally important. This is where tabletop exercises come into play. These simulations allow your company to test how well its plans hold up under pressure, identify gaps, and refine its processes in a controlled environment.

This post walks through a cybersecurity incident response tabletop exercise designed to simulate a ransomware attack, providing insights into how your business can prepare for such a crisis.

Laying the Foundation

Before getting into the exercise, it’s crucial to establish a strong foundation. A tabletop exercise is most effective when supported by:

#1. A Comprehensive Disaster Recovery Plan (DRP)

Your Disaster Recovery Plan should document detailed steps for responding to various types of IT disasters, including ransomware attacks. This includes:

  • A list of key personnel and their roles.
  • Backup and recovery procedures.
  • Communication strategies.

Without this plan, the tabletop exercise may highlight chaos rather than readiness.

To get started with your plan, download our Disaster Recovery Plan checklist

#2. Incident Response Plan

Your incident response plan outlines immediate actions in response to security incidents. It includes:

  • Procedures for identifying and confirming threats.
  • Steps for containment and mitigation.
  • Escalation protocols to ensure the right teams are engaged promptly.

#3. Team Readiness

Identify the participants: IT staff, management, and other key stakeholders. Then ensure all participants understand their roles and responsibilities in advance.

With these three elements in place, the stage is set for a realistic and productive tabletop simulation.

Purpose of a Tabletop Exercise

A tabletop exercise simulates a cyber incident in a controlled setting, allowing teams to:

  • Test the effectiveness of their Disaster Recovery and Incident Response Plans.
  • Improve coordination and communication among departments and employees in your organization.
  • Identify vulnerabilities and areas for improvement.
  • Build confidence in handling real-world scenarios.

Now, let’s walk through a ransomware attack tabletop exercise and how it unfolds.

Ransomware Attack Simulation

The exercise is structured around a simulated ransomware attack, with participants guided through several stages of response and recovery.

Initial Notification: Unusual Network Activity

The simulation begins with an IT manager receiving a notification from a third-party Security Operations Center (SOC) about unusual network activity. Indicators from the SOC suggest that multiple files have been encrypted and that the encryption is spreading across the network.

Discussion Points:

  • Immediate Actions: Confirm the alert, identify affected systems, and notify the incident response team.
  • Assessment: Evaluate the scope of the attack and determine next steps.

Participants must deliberate on whether to isolate systems immediately or gather more data to understand the full extent of the compromise. Isolating early limits the spread; waiting yields a clearer picture but gives the encryption more time to run, so the team should agree in advance on what evidence justifies each choice.

Incident Escalation: Growing Anomalies

As the scenario progresses, staff report additional problems, such as inaccessible files and unresponsive systems. The team then debates:

  • Containment Strategies: Disconnecting infected devices versus shutting down the entire network.
  • Communication Plans: Shifting to out-of-band channels, such as cell phones or a secure messaging platform, to ensure ongoing coordination. Corporate email and chat may be unavailable during the incident, or readable by an attacker who still has access to them.

Clear communication is emphasized as critical for avoiding panic and maintaining order during the incident.

Ransomware Confirmation and Containment

The attack is then confirmed to be ransomware. The malware has encrypted critical systems such as file servers, Active Directory domain controllers and employee workstations.

At this stage of the exercise participants must react by:

  • Isolating affected systems promptly to contain the spread. Where practical, disconnect them from the network rather than powering them off, so that memory and logs needed for the investigation survive.
  • Communicating effectively with employees to prevent further infections.
  • Collaborating on a unified response, balancing speed with accuracy.

Ransom Demand

The attackers issue a ransom demand of $600,000 in Bitcoin. In this stage of the exercise, you will explore:

  • Decision-Making: The risks of paying the ransom (no guarantee of a working decryptor, no guarantee stolen data is deleted, and possible legal and sanctions exposure) versus relying on backups.
  • Backup Strategy: Initiating recovery using the organization’s backup system, such as a Datto Cirrus device, to restore servers and critical data.

Participants in the scenario simulate:

  • Scanning backups to confirm they are neither infected nor already encrypted.
  • Spinning up servers in the cloud for rapid recovery.
  • Planning a phased approach to restoration.

Recovery and Business Continuity

With containment achieved, the focus then shifts to recovery:

  • Restoring encrypted data from backups.
  • Rebuilding compromised systems.
  • Verifying that restored systems are free of residual malware and attacker persistence before reconnecting them to production.
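Two of the steps above, scanning backups before relying on them and verifying restored systems afterwards, come down to the same check: does the tree on disk match a trusted snapshot, and does it contain anything that looks like ransomware? The script below is an added example written for this post, not code from the original article or from Horn IT. It assumes a known-good manifest of SHA-256 hashes was recorded from a trusted snapshot before the incident; the suspicious-extension list, ransom-note names and sample files are constructed placeholders for the demonstration, not a vendor feed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed indicator lists for this example; a real deployment would take
# these from threat intelligence and the incident's own observed artifacts.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_to_restore.txt"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, plain text near 4-5
SAMPLE_BYTES = 65536      # hash in chunks of this size; entropy-test the first chunk

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SAMPLE_BYTES), b""):
            h.update(chunk)
    return h.hexdigest()

def _walk(root: str):
    """Yield (relative POSIX path, absolute path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def build_manifest(root: str) -> dict:
    """Known-good manifest (relative path -> SHA-256) taken from a trusted snapshot."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}

def scan_backup(root: str, manifest: dict) -> dict:
    """Compare a backup, or a freshly restored tree, against the manifest.
    Returns sorted lists of modified, missing, unexpected and suspicious paths."""
    findings = {"modified": set(), "missing": set(), "unexpected": set(), "suspicious": set()}
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        name = os.path.basename(rel).lower()
        if name in RANSOM_NOTE_NAMES or os.path.splitext(name)[1] in SUSPICIOUS_EXTENSIONS:
            findings["suspicious"].add(rel)
        if rel in manifest:
            if sha256_file(full) == manifest[rel]:
                continue                      # unchanged known-good file
            findings["modified"].add(rel)
        else:
            findings["unexpected"].add(rel)
        # Changed or unknown file: a high-entropy body is consistent with ciphertext.
        # Compressed or natively encrypted formats (zip, jpg, pdf) score high too,
        # so this is a lead for an analyst rather than a verdict.
        with open(full, "rb") as f:
            sample = f.read(SAMPLE_BYTES)
        if len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
            findings["suspicious"].add(rel)
    findings["missing"] = set(manifest) - seen
    return {k: sorted(v) for k, v in findings.items()}

def is_clean(findings: dict) -> bool:
    """True only when every file matches the manifest and nothing extra is present."""
    return not any(findings.values())

def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed data: a trusted snapshot, a clean restore of it, and a backup
    the ransomware reached. Returns (clean_findings, tampered_findings)."""
    docs = {
        "finance/payroll.csv": b"employee,amount\n" + b"alice,5000\nbob,4800\n" * 40,
        "projects/plan.txt": b"Q3 project plan: migrate the file server.\n" * 30,
        "hr/handbook.txt": b"Company handbook, revision 7.\n" * 30,
    }
    with tempfile.TemporaryDirectory() as tmp:
        good, restored, tampered = (os.path.join(tmp, d) for d in ("good", "restored", "tampered"))
        for rel, data in docs.items():
            _write(good, rel, data)
            _write(restored, rel, data)
        manifest = build_manifest(good)
        # Tampered backup: payroll encrypted and renamed, handbook gone,
        # ransom note dropped in, project plan untouched.
        _write(tampered, "projects/plan.txt", docs["projects/plan.txt"])
        _write(tampered, "finance/payroll.csv.locked", os.urandom(4096))
        _write(tampered, "finance/HOW_TO_DECRYPT.txt", b"Your files are encrypted. Pay 12 BTC.\n")
        return scan_backup(restored, manifest), scan_backup(tampered, manifest)

if __name__ == "__main__":
    clean, bad = demo()
    print("clean restore passes:", is_clean(clean))
    print("tampered backup findings:", bad)
```

The manifest is the important part: it has to be built before the incident and stored somewhere the attacker cannot reach (an offline or immutable copy alongside the backups), otherwise a tampered backup can simply ship a matching manifest. The entropy test is deliberately a secondary signal, because a backup full of legitimate archives and images will trip it, while a missing file or a changed hash is unambiguous.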

Discussions also address:

  • Business Continuity: Ensuring operations can proceed during recovery, such as prioritizing payroll and project-critical systems.
  • Employee Support: Providing spare laptops and other resources to minimize downtime.

Participants work through logistics to maintain functionality for remote and field staff while IT systems are rebuilt.

Final Steps and Lessons Learned

The exercise concludes with a reflection on potential worst-case scenarios, such as:

  • Backups being incomplete or compromised.
  • Evaluating the last-resort option of paying the ransom.

This phase underscores:

  • The importance of frequent, secure backups, including at least one offline or immutable copy that ransomware running with the administrator's privileges cannot encrypt or delete.
  • The value of practicing disaster recovery scenarios to improve response times and decision-making.

Key Takeaways from the Tabletop Exercise

The ransomware tabletop exercise highlights several critical components of an effective incident response and recovery strategy:

  • Preparation is Paramount – A well-documented DRP and IRP are non-negotiable. These plans provide the blueprint for navigating a crisis.
  • Clear Communication is Critical – During a disaster, confusion can amplify damage. Establishing secure, reliable communication channels is essential for coordination.
  • Backup and Recovery Systems Must Be Reliable – Regularly test backups by actually restoring from them, to ensure they are functional and free from malware. Cloud-based recovery solutions can accelerate restoration and minimize downtime.
  • Business Continuity Requires Creativity – Having spare equipment and prioritizing critical systems can keep operations running, even during significant disruptions.
  • Practice Builds Confidence – Tabletop exercises provide a safe space to test plans, identify weaknesses, and refine strategies without real-world consequences.

Why Every Organization Needs Tabletop Exercises

Ransomware attacks are no longer a matter of “if” but “when.” Conducting regular tabletop exercises allows organizations to:

  • Build muscle memory for responding to incidents.
  • Foster collaboration across teams.
  • Mitigate risks and minimize downtime during real-world events.

By investing time in preparation and practice, organizations can transform potential chaos into coordinated action, protecting their data, operations, and reputation.

Tabletop exercises are not just a best practice—they are a necessity. Is your business ready to face the next cybersecurity challenge?

Contact us for a free Cybersecurity Assessment

With Horn IT, you’re choosing a partner dedicated to driving your business forward. From advanced cybersecurity to strategic guidance, rapid support, and cost-effective solutions, our comprehensive approach empowers your success.   

Contact Horn IT today for a free cybersecurity assessment and discover how we can elevate your business.
