Ransomware Tabletop Kit
A 60–90 minute exercise for public-sector teams to practice containment, restoration priorities, continuity, communications, and executive decisions when ransomware or destructive encryption disrupts critical services.
Expected time
- Standard: 60–90 minutes
- Short version: 45 minutes
- Extended version: up to 2 hours with a deeper hotwash
Best participants
- IT leadership
- security staff
- backup, identity, or infrastructure owners
- executive sponsor / department leadership
- communications / PIO
What this exercise practices
- identifying scope and initial containment priorities
- deciding what gets isolated, restored, or rebuilt first
- testing backup confidence against real recovery pressure
- managing communications, rumor control, and leadership expectations
- handling uncertain attribution and possible exfiltration pressure
- capturing follow-up actions for resilience improvement
Threat context
This exercise can lightly reuse the same fictional threat framing used in the KEV tabletop — Spectral Raccoon / APT-1337 — to make exfiltration uncertainty, extortion pressure, and communications discipline more realistic. The adversary label should support the scenario, not dominate it.
- Use the label to introduce attribution ambiguity and rumor pressure
- Keep the core exercise focused on ransomware decisions and service continuity
- Avoid turning the scenario into a threat-intel lecture
Recommended flow
- Review the facilitator guide and participant brief.
- Tailor the impacted services, dependencies, and restoration priorities to your environment.
- Run the injects using the rolling timestamps to keep pace and force decisions.
- Push participants to make explicit calls on containment, restoration, communications, and escalation.
- Capture gaps and owners in the hotwash.