Performing Ransomware Tabletop Exercise

When to Use

Testing organizational ransomware response procedures annually or after major infrastructure changes
Validating decision-making processes for ransom payment, regulatory notification, and public disclosure
Training executives, IT, legal, PR, and operations teams on their roles during a ransomware incident
Meeting cyber insurance policy requirements for documented incident response testing
Identifying gaps in recovery playbooks, communication plans, and backup procedures

Do not use as a substitute for technical controls testing. Tabletop exercises validate procedures and decision-making, not technical detection or prevention capabilities.

Prerequisites

Documented incident response plan (IRP) that participants should have read before the exercise
Identified exercise participants from: executive leadership, IT/security, legal, communications/PR, HR, operations, and external counsel
Facilitator who is independent from the IR team (to provide objective evaluation)
Ransomware scenario designed with injects that escalate over multiple rounds
Evaluation criteria aligned to NIST CSF Respond/Recover functions
Conference room or virtual meeting for 2-4 hours with no interruptions

Workflow

Step 1: Design the Exercise Scenario

Build a realistic scenario based on current threat actor TTPs:

Scenario Structure:

Phase 1: Initial Detection (30 min)
  - SOC receives alert for suspicious process execution on file server
  - EDR detects Cobalt Strike beacon on 3 workstations
  - Inject: External threat intel report links C2 IP to LockBit affiliate

Phase 2: Escalation (30 min)
  - Ransomware executes on 40% of servers during overnight hours
  - Ransom note demands $2M in Bitcoin with 72-hour deadline
  - Inject: Attackers contact media claiming data theft of customer PII

Phase 3: Decision Points (45 min)
  - Backup assessment reveals immutable copies are intact but primary backups encrypted
  - Legal advises on breach notification timeline (72 hours GDPR, varies by US state)
  - Inject: Threat actor publishes sample of stolen data on leak site

Phase 4: Recovery and Communication (45 min)
  - Recovery time estimate: 5-7 days from immutable backups
  - Insurance carrier engages negotiation firm
  - Inject: Major customer threatens contract termination without update within 24 hours

Scenario Variables to Customize:

Threat actor group and known TTPs
Percentage of infrastructure encrypted
Whether backups are intact, partially compromised, or fully destroyed
Type of data exfiltrated (PII, PHI, financial, trade secrets)
Applicable regulatory frameworks (GDPR, HIPAA, PCI DSS, SEC rules)
Ransom amount and payment deadline

Step 2: Prepare Exercise Materials

Create the following documents for participants:

Exercise Overview Briefing - Ground rules, objectives, scope, and participants
Situation Reports (SITREPs) - One per phase, distributed as the exercise progresses
Inject Cards - New information introduced at specific times to force decision-making
Decision Point Worksheets - Structured forms for documenting group decisions
Evaluation Scorecard - Criteria for assessing response quality

Key Decision Points to Include:

When to activate the incident response team
Whether to shut down systems or contain selectively
Whether to engage law enforcement (FBI IC3, CISA)
Whether to pay the ransom and under what conditions
When and how to notify regulators, customers, and the public
How to prioritize system recovery order

Step 3: Facilitate the Exercise

Facilitator Responsibilities:

Present each phase scenario and distribute SITREPs
Introduce injects at predetermined times to increase pressure
Ask probing questions to test decision-making reasoning
Ensure all participant groups contribute (prevent IT from dominating)
Document all decisions, rationales, and action items
Track time management (many teams lose time on early phases)

Probing Questions by Phase:

Phase 1 - Detection:

Who makes the call to declare an incident? What criteria trigger it?
How do we determine the scope of compromise from initial alerts?
Do we have the forensic capability to investigate or do we need external help?

Phase 2 - Escalation:

What is our communication plan for employees? Do they know not to turn on affected machines?
Have we isolated the network to prevent further encryption?
Who authorizes system shutdowns that impact business operations?

Phase 3 - Decision:

Under what conditions would we consider paying the ransom?
What are the legal obligations for notification at this point?
How do we handle the public leak of customer data?

Phase 4 - Recovery:

What is the recovery priority order? Is it documented or decided ad hoc?
How long until critical business operations resume?
What evidence preservation is required for law enforcement and insurance?

Step 4: Evaluate and Score Responses

Score each functional area against defined criteria:

Evaluation Area	Score (1-5)	Criteria
Detection & Escalation		Timely incident declaration, proper chain of command
Containment		Network isolation, credential reset, scope assessment
Communication - Internal		Employee notification, executive briefing, documented decisions
Communication - External		Regulatory notification, customer communication, media response
Recovery Planning		Backup verification, recovery priority, RTO tracking
Legal & Compliance		Breach notification timelines, evidence preservation, law enforcement engagement
Business Continuity		Manual operations, customer impact mitigation, revenue loss estimation
Payment Decision		Structured framework, legal review, OFAC sanctions check

Step 5: Document Findings and Remediation Plan

Produce an after-action report (AAR) within 5 business days:

AAR Contents:

Exercise overview and objectives
Scenario summary and injects
Key decisions made and rationale
Strengths observed
Gaps identified with severity rating
Remediation actions with owners and deadlines
Comparison to previous exercise results (if applicable)

Key Concepts

Term	Definition
Tabletop Exercise (TTX)	Discussion-based exercise where participants walk through a simulated incident scenario to test plans and procedures
Inject	New information introduced during the exercise to change the scenario and force additional decision-making
SITREP	Situation Report providing current status of the simulated incident at each exercise phase
After-Action Report (AAR)	Post-exercise document capturing findings, gaps, strengths, and remediation actions
Double Extortion	Ransomware tactic where attackers both encrypt data and threaten to publish stolen data unless ransom is paid
OFAC Check	Verification that ransom payment recipient is not on the US Treasury OFAC sanctions list, which would make payment illegal

Tools & Systems

CISA Tabletop Exercise Packages (CTEPs): Free scenario packages from CISA designed for critical infrastructure sectors
FEMA Homeland Security Exercise and Evaluation Program (HSEEP): Methodology for designing, conducting, and evaluating exercises
Immersive Labs: Platform providing interactive cyber crisis simulations with real-time scoring
Tabletop Scenarios (from NCSC UK): Exercise in a Box tool providing free guided tabletop exercises
Ransomware Readiness Assessment (CISA): Self-assessment tool for evaluating ransomware preparedness

Common Scenarios

Scenario: Healthcare System Double Extortion Exercise

Context: A 5-hospital healthcare system conducts an annual ransomware tabletop. Previous exercise revealed gaps in HIPAA breach notification and clinical system recovery priority. This year's scenario simulates a double extortion attack targeting the EMR system.

Approach:

Design scenario based on Cl0p MOO (Managed Operations Operator) TTPs: exploitation of MOVEit vulnerability for initial access, data exfiltration of 500,000 patient records, followed by encryption of EMR database servers
Participants: CISO, CIO, CMO (Chief Medical Officer), General Counsel, VP Communications, Director of Clinical Operations, Privacy Officer, External IR firm representative
Phase 1 inject: EMR system down, emergency department diverting patients to neighboring hospital
Phase 2 inject: HHS OCR (Office for Civil Rights) contacts organization about reports of patient data on dark web
Phase 3 inject: Attacker provides decryption key sample for $3.5M, 48-hour deadline
Key finding: Organization lacks documented criteria for ransom payment decision and had not pre-identified an OFAC-compliant payment mechanism
Remediation: Establish payment decision framework, pre-engage ransomware negotiation firm, update HIPAA breach notification procedures with specific timelines

Pitfalls:

Designing unrealistic scenarios that do not reflect actual ransomware TTPs, reducing exercise credibility
Allowing technical teams to dominate the exercise while business and legal participants remain passive
Not testing the communication plan (many organizations discover their notification list is outdated during the actual incident)
Failing to follow up on remediation actions identified in the AAR, negating the exercise value

Output Format

## Ransomware Tabletop Exercise - After Action Report

**Exercise Date**: [Date]
**Facilitator**: [Name]
**Scenario**: [Brief description]
**Duration**: [Hours]
**Participants**: [Count by department]

### Exercise Objectives
1. [Objective] - Met / Partially Met / Not Met
2. [Objective] - Met / Partially Met / Not Met

### Key Decisions Log
| Time | Decision Point | Decision Made | Rationale | Assessment |
|------|---------------|--------------|-----------|------------|

### Strengths Observed
1. [Strength]

### Gaps Identified
| Gap | Severity | Affected Area | Current State | Desired State |
|-----|----------|--------------|---------------|---------------|

### Remediation Actions
| Action | Owner | Deadline | Priority | Status |
|--------|-------|----------|----------|--------|

### Comparison to Previous Exercise
| Area | Previous Score | Current Score | Trend |
|------|---------------|--------------|-------|

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.4 (Incident Response), CC7.5 (Recovery)
ISO 27001: A.12.2 (Malware Protection), A.12.3 (Backup), A.16.1 (Incident Management)
NIST 800-53: SI-3 (Malicious Code Protection), CP-9 (System Backup), IR-4 (Incident Handling)
NIST CSF: PR.IP (Information Protection), DE.CM (Continuous Monitoring), RC.RP (Recovery Planning)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add performing-ransomware-tabletop-exercise

# Or load dynamically via MCP
grc.load_skill("performing-ransomware-tabletop-exercise")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Performing Ransomware Tabletop Exercise

When to Use

Testing organizational ransomware response procedures annually or after major infrastructure changes
Validating decision-making processes for ransom payment, regulatory notification, and public disclosure
Training executives, IT, legal, PR, and operations teams on their roles during a ransomware incident
Meeting cyber insurance policy requirements for documented incident response testing
Identifying gaps in recovery playbooks, communication plans, and backup procedures

Do not use as a substitute for technical controls testing. Tabletop exercises validate procedures and decision-making, not technical detection or prevention capabilities.

Prerequisites

Documented incident response plan (IRP) that participants should have read before the exercise
Identified exercise participants from: executive leadership, IT/security, legal, communications/PR, HR, operations, and external counsel
Facilitator who is independent from the IR team (to provide objective evaluation)
Ransomware scenario designed with injects that escalate over multiple rounds
Evaluation criteria aligned to NIST CSF Respond/Recover functions
Conference room or virtual meeting for 2-4 hours with no interruptions

Workflow

Step 1: Design the Exercise Scenario

Build a realistic scenario based on current threat actor TTPs:

Scenario Structure:

Phase 1: Initial Detection (30 min)
  - SOC receives alert for suspicious process execution on file server
  - EDR detects Cobalt Strike beacon on 3 workstations
  - Inject: External threat intel report links C2 IP to LockBit affiliate

Phase 2: Escalation (30 min)
  - Ransomware executes on 40% of servers during overnight hours
  - Ransom note demands $2M in Bitcoin with 72-hour deadline
  - Inject: Attackers contact media claiming data theft of customer PII

Phase 3: Decision Points (45 min)
  - Backup assessment reveals immutable copies are intact but primary backups encrypted
  - Legal advises on breach notification timeline (72 hours GDPR, varies by US state)
  - Inject: Threat actor publishes sample of stolen data on leak site

Phase 4: Recovery and Communication (45 min)
  - Recovery time estimate: 5-7 days from immutable backups
  - Insurance carrier engages negotiation firm
  - Inject: Major customer threatens contract termination without update within 24 hours

Scenario Variables to Customize:

Threat actor group and known TTPs
Percentage of infrastructure encrypted
Whether backups are intact, partially compromised, or fully destroyed
Type of data exfiltrated (PII, PHI, financial, trade secrets)
Applicable regulatory frameworks (GDPR, HIPAA, PCI DSS, SEC rules)
Ransom amount and payment deadline

Step 2: Prepare Exercise Materials

Create the following documents for participants:

Exercise Overview Briefing - Ground rules, objectives, scope, and participants
Situation Reports (SITREPs) - One per phase, distributed as the exercise progresses
Inject Cards - New information introduced at specific times to force decision-making
Decision Point Worksheets - Structured forms for documenting group decisions
Evaluation Scorecard - Criteria for assessing response quality

Key Decision Points to Include:

When to activate the incident response team
Whether to shut down systems or contain selectively
Whether to engage law enforcement (FBI IC3, CISA)
Whether to pay the ransom and under what conditions
When and how to notify regulators, customers, and the public
How to prioritize system recovery order

Step 3: Facilitate the Exercise

Facilitator Responsibilities:

Present each phase scenario and distribute SITREPs
Introduce injects at predetermined times to increase pressure
Ask probing questions to test decision-making reasoning
Ensure all participant groups contribute (prevent IT from dominating)
Document all decisions, rationales, and action items
Track time management (many teams lose time on early phases)

Probing Questions by Phase:

Phase 1 - Detection:

Who makes the call to declare an incident? What criteria trigger it?
How do we determine the scope of compromise from initial alerts?
Do we have the forensic capability to investigate or do we need external help?

Phase 2 - Escalation:

What is our communication plan for employees? Do they know not to turn on affected machines?
Have we isolated the network to prevent further encryption?
Who authorizes system shutdowns that impact business operations?

Phase 3 - Decision:

Under what conditions would we consider paying the ransom?
What are the legal obligations for notification at this point?
How do we handle the public leak of customer data?

Phase 4 - Recovery:

What is the recovery priority order? Is it documented or decided ad hoc?
How long until critical business operations resume?
What evidence preservation is required for law enforcement and insurance?

Step 4: Evaluate and Score Responses

Score each functional area against defined criteria:

Evaluation Area	Score (1-5)	Criteria
Detection & Escalation		Timely incident declaration, proper chain of command
Containment		Network isolation, credential reset, scope assessment
Communication - Internal		Employee notification, executive briefing, documented decisions
Communication - External		Regulatory notification, customer communication, media response
Recovery Planning		Backup verification, recovery priority, RTO tracking
Legal & Compliance		Breach notification timelines, evidence preservation, law enforcement engagement
Business Continuity		Manual operations, customer impact mitigation, revenue loss estimation
Payment Decision		Structured framework, legal review, OFAC sanctions check

Step 5: Document Findings and Remediation Plan

Produce an after-action report (AAR) within 5 business days:

AAR Contents:

Exercise overview and objectives
Scenario summary and injects
Key decisions made and rationale
Strengths observed
Gaps identified with severity rating
Remediation actions with owners and deadlines
Comparison to previous exercise results (if applicable)

Key Concepts

Term	Definition
Tabletop Exercise (TTX)	Discussion-based exercise where participants walk through a simulated incident scenario to test plans and procedures
Inject	New information introduced during the exercise to change the scenario and force additional decision-making
SITREP	Situation Report providing current status of the simulated incident at each exercise phase
After-Action Report (AAR)	Post-exercise document capturing findings, gaps, strengths, and remediation actions
Double Extortion	Ransomware tactic where attackers both encrypt data and threaten to publish stolen data unless ransom is paid
OFAC Check	Verification that ransom payment recipient is not on the US Treasury OFAC sanctions list, which would make payment illegal

Tools & Systems

CISA Tabletop Exercise Packages (CTEPs): Free scenario packages from CISA designed for critical infrastructure sectors
FEMA Homeland Security Exercise and Evaluation Program (HSEEP): Methodology for designing, conducting, and evaluating exercises
Immersive Labs: Platform providing interactive cyber crisis simulations with real-time scoring
Tabletop Scenarios (from NCSC UK): Exercise in a Box tool providing free guided tabletop exercises
Ransomware Readiness Assessment (CISA): Self-assessment tool for evaluating ransomware preparedness

Common Scenarios

Scenario: Healthcare System Double Extortion Exercise

Approach:

Design scenario based on Cl0p MOO (Managed Operations Operator) TTPs: exploitation of MOVEit vulnerability for initial access, data exfiltration of 500,000 patient records, followed by encryption of EMR database servers
Participants: CISO, CIO, CMO (Chief Medical Officer), General Counsel, VP Communications, Director of Clinical Operations, Privacy Officer, External IR firm representative
Phase 1 inject: EMR system down, emergency department diverting patients to neighboring hospital
Phase 2 inject: HHS OCR (Office for Civil Rights) contacts organization about reports of patient data on dark web
Phase 3 inject: Attacker provides decryption key sample for $3.5M, 48-hour deadline
Key finding: Organization lacks documented criteria for ransom payment decision and had not pre-identified an OFAC-compliant payment mechanism
Remediation: Establish payment decision framework, pre-engage ransomware negotiation firm, update HIPAA breach notification procedures with specific timelines

Pitfalls:

Designing unrealistic scenarios that do not reflect actual ransomware TTPs, reducing exercise credibility
Allowing technical teams to dominate the exercise while business and legal participants remain passive
Not testing the communication plan (many organizations discover their notification list is outdated during the actual incident)
Failing to follow up on remediation actions identified in the AAR, negating the exercise value

Output Format

## Ransomware Tabletop Exercise - After Action Report

**Exercise Date**: [Date]
**Facilitator**: [Name]
**Scenario**: [Brief description]
**Duration**: [Hours]
**Participants**: [Count by department]

### Exercise Objectives
1. [Objective] - Met / Partially Met / Not Met
2. [Objective] - Met / Partially Met / Not Met

### Key Decisions Log
| Time | Decision Point | Decision Made | Rationale | Assessment |
|------|---------------|--------------|-----------|------------|

### Strengths Observed
1. [Strength]

### Gaps Identified
| Gap | Severity | Affected Area | Current State | Desired State |
|-----|----------|--------------|---------------|---------------|

### Remediation Actions
| Action | Owner | Deadline | Priority | Status |
|--------|-------|----------|----------|--------|

### Comparison to Previous Exercise
| Area | Previous Score | Current Score | Trend |
|------|---------------|--------------|-------|

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.4 (Incident Response), CC7.5 (Recovery)
ISO 27001: A.12.2 (Malware Protection), A.12.3 (Backup), A.16.1 (Incident Management)
NIST 800-53: SI-3 (Malicious Code Protection), CP-9 (System Backup), IR-4 (Incident Handling)
NIST CSF: PR.IP (Information Protection), DE.CM (Continuous Monitoring), RC.RP (Recovery Planning)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add performing-ransomware-tabletop-exercise

# Or load dynamically via MCP
grc.load_skill("performing-ransomware-tabletop-exercise")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Performing Ransomware Tabletop Exercise

When to Use

Prerequisites

Workflow

Step 1: Design the Exercise Scenario

Step 2: Prepare Exercise Materials

Step 3: Facilitate the Exercise

Step 4: Evaluate and Score Responses

Step 5: Document Findings and Remediation Plan

Key Concepts

Tools & Systems

Common Scenarios

Scenario: Healthcare System Double Extortion Exercise

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Ransomware Precursors in Network

Implementing Ransomware Backup Strategy

Recovering from Ransomware Attack

Deploying Ransomware Canary Files

Implementing Honeypot for Ransomware Detection

Implementing Immutable Backup with Restic

Prerequisites

Performing Ransomware Tabletop Exercise

When to Use

Prerequisites

Workflow

Step 1: Design the Exercise Scenario

Step 2: Prepare Exercise Materials

Step 3: Facilitate the Exercise

Step 4: Evaluate and Score Responses

Step 5: Document Findings and Remediation Plan

Key Concepts

Tools & Systems

Common Scenarios

Scenario: Healthcare System Double Extortion Exercise

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Ransomware Precursors in Network

Implementing Ransomware Backup Strategy

Recovering from Ransomware Attack

Deploying Ransomware Canary Files

Implementing Honeypot for Ransomware Detection

Implementing Immutable Backup with Restic