
Ransomware Tabletop Exercise Scenario: Complete Walkthrough for IR Teams

February 6, 2026 · 7 min read

Ransomware Tabletop Exercise: A Walkthrough That Surfaces Real Gaps

Many ransomware tabletops stop at one question: pay or restore. Real incidents layer encryption, possible exfiltration, clinical or revenue impact, insurance, regulators, and media attention—all at once.

A strong exercise strings those tensions together so ownership, sequencing, and communication get tested, not just policy quotes.

Below is a healthcare-flavored scenario you can adapt; swap sector details for your environment.

The Setup

Organization: A mid-size healthcare company with 2,000 employees. Three hospitals, multiple clinics, shared IT infrastructure.

Day 1, 6:47 AM: Your SOC analyst notices an alert from your EDR platform — a PowerShell script running on a domain controller. It was flagged as suspicious but not blocked. The analyst checks the logs and sees similar activity on two other servers.

Question for the room: What's your first call? Who do you notify? Do you pull the plug on the domain controller?

Inject 1: It's Worse Than You Thought

7:30 AM: The attacker has moved laterally. You now see evidence of Cobalt Strike beacons on 15 endpoints. Active Directory is compromised. The attacker has created three new admin accounts.

Key decisions:

  • Do you isolate the entire network? That takes down the hospitals.
  • Do you call your incident response retainer firm? Do you even have one?
  • Who tells the CEO? What do you tell them — "we think" or "we know"?

Inject 2: The Ransom Note

9:15 AM: Ransomware deploys across the network. File servers, EMR systems, imaging systems — all encrypted. A ransom note demands 100 BTC (roughly $6.5M) and claims they've exfiltrated patient records. They include a sample of 500 patient files as proof.

Key decisions:

  • Do you pay? Who makes that call? Your CISO? CEO? The board?
  • You have backups, but how confident are you they're not compromised?
  • HIPAA requires breach notification within 60 days. When do you start that clock?
  • Patients are being diverted to other hospitals. When does this become a patient safety issue?

Inject 3: The Media Finds Out

2:00 PM: A local news station reports that your hospitals are diverting ambulances due to a "computer problem." Your communications team has 30 minutes before the story goes national.

Key decisions:

  • What's your public statement? "We're investigating" or something more transparent?
  • Has anyone notified your cyber insurance carrier?
  • The board chair is calling. What do you tell them?

Inject 4: The Recovery Decision

Day 2, 10:00 AM: Your IR firm confirms that backups for two of three hospitals are clean. One hospital's backups were also compromised — the attacker was in your network for 3 weeks before deploying ransomware.

Key decisions:

  • Do you restore from backup and accept the data loss for one hospital?
  • Do you negotiate with the attacker for a decryption key for the third hospital?
  • HHS (Health and Human Services) is now asking questions. Who manages that relationship?

Inject 5: The Long Tail

Day 7: Systems are mostly restored, but you discover the attacker accessed a database with 150,000 patient records before encryption. The sample they provided was real. You now have a confirmed data breach on top of the ransomware incident.

Key decisions:

  • Individual notification for 150,000 patients — how long will that take?
  • Do you offer credit monitoring? Identity theft protection?
  • The board wants a post-incident presentation. What's the narrative — "we responded well" or "we had gaps"?

How to Run This Scenario

Time needed: 90 minutes

Participants: IR lead, CISO, CTO, legal counsel, communications lead, and ideally someone from the C-suite.

Facilitation tips:

  • Don't reveal all the injects upfront. Present them one at a time.
  • After each inject, ask "what do you do?" and let the team debate for 10-15 minutes.
  • Push back on vague answers: "We'd follow the playbook" — great, what does the playbook say? Can you pull it up right now?
  • Take notes on every gap and every disagreement. Those are your deliverables.
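The facilitation steps above (reveal injects one at a time, give the room a fixed debate window, push back on vague answers, and write down every gap and disagreement) can be run from a small facilitator's helper. The code below is an added example, not part of the original post or of the scenario player it mentions: the inject titles and prompts are condensed from the scenario, the responses in `demo_run()` are constructed sample data, and the "vague answer" phrase list is an assumption of this example rather than a rule from the post.

```python
# Added example: a facilitator's helper for the tabletop described above.
# It reveals injects in order, records who owns each decision and what the
# room answered, and turns the notes into the gap report that is the real
# deliverable. Prompts are condensed from the scenario; the vague-answer
# phrases and the sample session are constructed for this example.
from __future__ import annotations
from dataclasses import dataclass

# Assumption: answers that only point at "the playbook" without naming a step
# are the ones the facilitator should push back on.
VAGUE_PHRASES = ("follow the playbook", "follow the plan", "per policy", "we'd escalate")


@dataclass
class Inject:
    title: str
    clock: str
    prompts: list[str]


@dataclass
class Response:
    prompt: str
    answer: str
    owner: str | None = None      # who the room says makes this call; None = nobody could name one
    disagreement: bool = False    # facilitator marks this when the room split


SCENARIO = [
    Inject("Setup", "Day 1, 6:47 AM",
           ["First call and notification", "Isolate the domain controller?"]),
    Inject("Inject 1: It's Worse Than You Thought", "7:30 AM",
           ["Isolate the entire network?", "Call the IR retainer firm?",
            "Who tells the CEO, and with what confidence?"]),
    Inject("Inject 2: The Ransom Note", "9:15 AM",
           ["Pay? Who decides?", "Are backups clean?",
            "When does the HIPAA clock start?", "Patient safety threshold?"]),
    Inject("Inject 3: The Media Finds Out", "2:00 PM",
           ["Public statement?", "Cyber insurance notified?", "What do we tell the board chair?"]),
    Inject("Inject 4: The Recovery Decision", "Day 2, 10:00 AM",
           ["Restore and accept data loss?", "Negotiate for a key?", "Who manages HHS?"]),
    Inject("Inject 5: The Long Tail", "Day 7",
           ["Notify 150,000 patients: how long?", "Credit monitoring?", "Board narrative?"]),
]


class Tabletop:
    def __init__(self, injects: list[Inject], minutes_per_inject: int = 15):
        self.injects = injects
        self.minutes_per_inject = minutes_per_inject
        self.revealed: list[str] = []
        self.responses: dict[str, list[Response]] = {}

    def planned_minutes(self) -> int:
        """Debate budget for the whole session (6 injects x 15 min = 90 min)."""
        return len(self.injects) * self.minutes_per_inject

    def reveal_next(self) -> Inject | None:
        """Hand out the next inject only; the room never sees the full script."""
        if len(self.revealed) == len(self.injects):
            return None
        inject = self.injects[len(self.revealed)]
        self.revealed.append(inject.title)
        self.responses[inject.title] = []
        return inject

    def record(self, inject_title: str, response: Response) -> None:
        """Store a decision; refuses notes for injects that are still hidden."""
        if inject_title not in self.revealed:
            raise ValueError(f"{inject_title!r} has not been revealed yet")
        prompts = next(i.prompts for i in self.injects if i.title == inject_title)
        if response.prompt not in prompts:
            raise ValueError(f"unknown prompt for {inject_title!r}: {response.prompt!r}")
        self.responses[inject_title].append(response)

    def gap_report(self) -> dict[str, list[str]]:
        """Buckets the notes into the gaps worth writing up after the session."""
        report: dict[str, list[str]] = {"no_owner": [], "vague": [], "disagreement": [], "unanswered": []}
        for inject in self.injects:
            if inject.title not in self.revealed:
                continue
            answered = {r.prompt for r in self.responses[inject.title]}
            for prompt in inject.prompts:
                if prompt not in answered:
                    report["unanswered"].append(f"{inject.title}: {prompt}")
            for r in self.responses[inject.title]:
                label = f"{inject.title}: {r.prompt}"
                if r.owner is None:
                    report["no_owner"].append(label)
                if any(p in r.answer.lower() for p in VAGUE_PHRASES):
                    report["vague"].append(label)
                if r.disagreement:
                    report["disagreement"].append(label)
        return report


def demo_run() -> dict[str, list[str]]:
    """Constructed sample session: two injects revealed, answers as a real room might give them."""
    tt = Tabletop(SCENARIO)
    first = tt.reveal_next()
    tt.record(first.title, Response("First call and notification",
                                    "SOC lead pages the IR lead; IR lead notifies the CISO", owner="IR lead"))
    tt.record(first.title, Response("Isolate the domain controller?",
                                    "We'd follow the playbook", owner="IR lead"))
    second = tt.reveal_next()
    tt.record(second.title, Response("Isolate the entire network?",
                                     "Split: IT wants containment, clinical ops refuses downtime",
                                     owner="CISO", disagreement=True))
    tt.record(second.title, Response("Call the IR retainer firm?",
                                     "Nobody is sure a retainer is in place", owner=None))
    # "Who tells the CEO" is deliberately left unanswered so it lands in the report.
    return tt.gap_report()


if __name__ == "__main__":
    for bucket, items in demo_run().items():
        print(bucket, items)
```

The four buckets map directly onto the facilitation tips: `unanswered` catches prompts the room skipped, `no_owner` captures decisions nobody could claim, `vague` flags answers that need the "what does the playbook say?" push-back, and `disagreement` preserves the splits the post says to write down.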

If you want to run this as an interactive exercise with branching paths and timed decisions, you can try it in our scenario player or customize it for your organization in the builder.

What This Scenario Typically Exposes

After running variations of this exercise with dozens of teams, here's what usually surfaces:

  1. Nobody knows who decides whether to pay. The CISO thinks it's the CEO. The CEO thinks it's the board. The board has never discussed it.
  2. Backup confidence is lower than expected. Teams say "we have backups" but can't confirm they're isolated, tested, or clean.
  3. Legal notification timelines are vague. Everyone knows "we have to notify" but nobody knows the specific regulatory requirements for their jurisdiction.
  4. Communications is always an afterthought. The comms team is brought in hours after the media is already reporting.

For more scenario ideas beyond ransomware, check out our list of 10 scenarios every CISO should practice. And for the basics of running any tabletop exercise, see our complete IR tabletop guide.

Focus: Ransomware tabletops are not a referendum on payment—they rehearse how your organization prioritizes, escalates, and speaks under uncertainty. Build a variant for your stack and policy set.


Ready to Put This Into Practice?

Use our free scenario builder to create custom cyber tabletop exercises based on these strategies.