Ransomware Response Exercises for Executives

October 28, 2021 | By IANS Faculty

A tabletop exercise is an excellent way to practice incident response (IR) capabilities and validate that appropriate documentation is available to guide the IR team in the event of a ransomware attack. Executives play a key role not only in the response activities, but also before and after a ransomware attack. This piece provides a ransomware tabletop exercise focused on executive responsibilities, including actions executives should take before and after a ransomware attack.

Ransomware Preparation for Executives 

Prior to any cyberattack, it is important that executives are cyber aware, and ensure cybersecurity training and awareness are part of business as usual throughout the organization. Key actions executives must take to prepare the organization for a ransomware attack include: 

  • Empower a cybersecurity lead within the company and provide them with the resources (budget and staff headcount) commensurate with the organization’s size, industry, revenue, threat environment and risk appetite. Risk appetite is determined by the top of the governance structure (e.g., board of directors, executive leadership) and must be communicated to top management. 
  • Communicate the importance of cybersecurity, including that cybersecurity is not an IT issue – it is a shared responsibility for every business unit and employee. 
  • Work with the legal team to understand the organization’s legal and regulatory environment. While legal and regulatory compliance is almost never enough for true cybersecurity, meeting these requirements is table stakes. 
  • Understand the organization’s cybersecurity insurance coverage, including limits and what is not covered. 
  • Determine whether an IR firm is on retainer to call in the event of a ransomware attack. 
  • Determine whether the organization is involved in an information-sharing organization, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). 
  • Reinforce the importance of cybersecurity training for ALL employees. Executives should not exempt themselves or other executives from completing the training. 
  • Request reports on cyber risks and spend time identifying how to address them. This includes avoiding, accepting, mitigating or transferring them, as well as specific plans associated with each approach. It is also important to have a shared understanding of the residual risks. 
  • Ask for identification of the organization’s critical assets and ensure backup plans are in place and tested regularly. 
  • Review the organization’s IR plan and understand the role of executives in it. Be sure it includes when and how executives will be notified of a cyber incident or attack. 

Ransomware Tabletop Exercise Tips 

A tabletop exercise is an important crisis response activity that should be performed at least once a year and should cover the major threats and vulnerabilities the organization faces. A ransomware tabletop exercise is a beneficial way to review and test organization policies and procedures before they are needed during a real incident. Some important tips for executive tabletop exercises include: 

  • Choose a knowledgeable leader. Exercises can be led by an internal technical expert or an external consulting firm. Your cyber insurance company may also be able to recommend an incident response firm that could run a tabletop exercise. 
  • Prep participants fully. Ensure incident response plans and procedures are distributed to all participants prior to the tabletop exercise. 
  • Communicate the importance of participation in the tabletop exercise. Tabletops are a significant investment of time, but as any military or professional sports team will tell you, battles and games are won in practice and preparation. Cybersecurity is no different! 
  • Have an exec kick off the tabletop exercise. The scenario may be about a ransomware attack, but this is an organization-wide exercise. 

The role of executives during a tabletop exercise or real cyber event is to ensure the IR leads are empowered and have the tools and resources necessary to effectively respond and recover. Executives must be prepared to help free up the right staff, make quick decisions based on data presented by the IR team and be an interface to the board of directors or other stakeholders as required by the IR plan. 

Ransomware Tabletop Exercise Example

A tabletop exercise consists of a series of injects, or scenario steps, that unfold over time, just as a real incident would. The details in the first injects may seem rather benign, but as the investigation continues, the injects will build the overall incident or attack. 

Inject 1

It is late on a Friday night when reports come in that online banking is unavailable for all customers. IT personnel report they are unable to remotely perform maintenance on any of the impacted servers and must send someone to the colocation site to investigate. Once personnel get to the colocation site and access the systems locally, they find all the computers are inoperable. 

Executive actions/questions to ask: 

  • Would you expect to be engaged at this point? If so, is this indicated in the IR plan? 
  • Does the IR plan indicate who should be leading the response and what communication is expected of them (frequency, method)? 

Inject 2 

An email is received at 1 a.m. by the account info@bank.com, saying bank servers have been taken over and encrypted, and demanding a ransom of $15 million in bitcoin. The deadline to pay the ransom is 48 hours, after which data will begin to be released and the ransom demand will double. 

Executive actions/questions to ask: 

  • How would you find out about the status of the backups and what other systems are impacted? 
  • Can we communicate securely on current email/teleconferencing systems? 
  • What data was impacted and what are our legal/regulatory requirements for notification? 
  • Do we have access to external resources to support IR? 
  • Have we reached out to our cyber insurance provider for guidance? Do we have access to a breach coach? 
  • Is it time to notify the FBI/law enforcement? Who does this? 

Inject 3

An emergency conference call with the IR team and executives is initiated early Saturday morning via email invitation. Halfway through the conference call, a participant realizes an unauthorized person is listening to the call. It turns out to be the adversary, who was monitoring all internal email and received the conference call details. 

Executive actions/questions to ask: 

  • What are the organization’s alternate communication paths? 
  • Is it time to get the team together physically at an offsite location, like a hotel with a conference room? 

Inject 4 

All personnel move communications to an alternate system using pre-paid mobile phones, and all computers and servers are shut down to prevent further damage from the adversary, who still has remote control of systems. IT personnel report it will take 10 working days to wipe all computer systems and restore from backups – and that backups have not been tested in over a year. If the ransom is paid, the systems could be restored in two days. 

Executive actions/questions to ask: 

  • Who is communicating with the adversary and what is the latest information on negotiation? 
  • What is being communicated externally and internally? How is it being communicated (e.g., website redirect)? Do we have boilerplate templates ready for this communication? 
  • How sensitive is the information that has been accessed or exfiltrated? 
  • Do the costs of refusing to pay the ransom (continued business disruption, the impact to systems or customers, negative publicity or reputational harm) exceed the ransom demand? 
  • Is the threat actor tied to a company that is on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned-entity list? (If so, it may be illegal under U.S. law to pay the ransom.) 
  • If a ransom is to be paid, who will negotiate the amount and who will obtain the bitcoin cryptocurrency to make the payment? 
  • What is covered by insurance and what does the organization have in reserves? Who needs to authorize the payment according to organization governance? 

Injects will continue addressing actions such as media communication along with a determination of whether or not to pay the ransom. Following that decision, the tabletop exercise can focus on recovery steps. 

Post-Ransomware Attack Executive Communications

After the incident/tabletop exercise, executives should also play a role in ransomware recovery and lessons learned. Consider the following for post-breach communications: 

  • Respond quickly but be careful not to overcommunicate. 
  • In public-facing communications, place the primary focus on customers/clients rather than on your organization. 
  • Consider creating a landing page or separate area of your website where all stakeholders can access up-to-date information on the incident and your response. 
  • Clearly communicate the proactive response steps being taken by your company. 

Other executive actions include: 

  • Set expectations for reporting on forensics and breach analysis. 
  • Participate in the lessons learned meeting and ask for remediation steps, along with expectations on frequency of reporting updates. 
  • Work closely with your legal/compliance team(s) to help garner a more complete scope of the implications. 

Tabletop exercises can often devolve into the team ignoring documentation and doing what the group thinks is the right thing to do. The idea is NOT to blindly follow the documentation, but rather to use the tabletop exercise as an opportunity to identify updates that are needed to the documentation so that if a real incident occurs, the documentation CAN be used as a guide or template for actions. 

Ransomware Response Tips for Executives

Getting executives involved in tabletop exercises, especially on ransomware, is a great way to ensure they are well versed in the issues and understand there is a plan in place to respond. To ensure executives get the most from your tabletops: 

  • Test proactively. Do not wait until an incident to exercise your IR plan. 
  • Ensure execs actively participate. With enough practice, the response to a real attack will be almost muscle memory for them. 
  • Focus on the role execs play. Their job as an executive is to ensure the team is ready to respond and recover. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

