How to Run an Effective Ransomware Exercise for Your Enterprise

A ransomware exercise is a structured way to test how your organization would handle a real ransomware attack, without putting live systems at risk. To run one well, you simulate the key moments of an attack and observe how your people and processes respond. 

The goal is to learn what actually happens, not what your plan says should happen.

What is a Ransomware Exercise?

Did you know that the US is the most targeted country for ransomware attacks?

A ransomware exercise is a controlled simulation of a ransomware incident. You create a believable attack scenario and see how your team detects it, responds to it, and recovers from it.  

A ransomware exercise can take several forms, including: 

  • Tabletop exercise: Focuses on discussion-based scenarios, where participants talk through decisions and responses without touching live systems.
  • Technical simulation: Uses controlled, realistic malware simulations or synthetic alerts to test systems and processes more actively.
  • Red team engagement: A full-scale, highly realistic attack simulation where a dedicated team emulates real-world attackers, testing both human and technical defenses.

No real malware is used on production systems. Instead, you model the decisions and actions that would happen during a real event. The value comes from watching how people work together when time is tight and information is incomplete. 

Step-By-Step: Conduct a Ransomware Exercise 

Decide What You Want to Learn

Start by being honest about what you are uncertain about. Most teams run a ransomware exercise because something feels untested. It might be whether alerts reach the right people, whether backups can really be restored, or whether leadership can make decisions under pressure.

Choose one or two focus areas and build the exercise around them. Consider tracking metrics like:

  • Time to detect the incident
  • Time to escalate to leadership
  • Recovery success for critical systems

Avoid turning this into a broad test of whether you are “secure.” That question is too big and usually leads to vague answers. 

Build a Scenario That Feels Real

The scenario should look like something your organization could actually face. That usually means starting with a small, ordinary problem instead of an obvious crisis.

It might begin with something like:

  • A help desk ticket about a slow computer
  • A single alert about unusual file activity
  • A fake phishing email targeting a common workflow

From there, the situation gets worse: files begin to encrypt, a shared system goes down, or a ransom note appears.

You do not need to script every detail, but you should know how the situation will progress if no one acts and how it will change if people respond quickly. This lets you adapt to their decisions without losing control of the exercise.

If the scenario feels exaggerated, people will treat it like a drill. If it feels realistic, they will act the way they would in a real incident.

Involve the Right People

A ransomware exercise does not work if it only tests the security team. Real incidents involve more than a technical response.

Include the people who would be involved during an actual attack. This usually means:

  • IT operations
  • Security
  • Legal or compliance
  • Communications
  • Leadership
  • Optional: Finance (if ransomware affects invoicing), HR (for internal communications)

Do not tell participants how to solve the problem. Share information as it becomes available and let them decide what to do. If they ask for something that would be possible in a real situation, give them a reasonable answer.

Remember: You are observing behavior, not testing knowledge.

Run It Like a Real Incident

During the exercise, you act as the source of truth. You control what participants see and when they see it, for example: 

  • If they isolate a system, describe the result
  • If they delay a decision, let the situation get worse
  • If they escalate quickly, reflect that in what happens next

Keep notes on:

  • How long it takes for someone to recognize this as an incident
  • Who makes the key decisions
  • Where confusion shows up
  • What information people ask for but do not have

You do not need complex scoring. Simple timelines and observations usually show where problems exist.
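As an added illustration of the metrics and notes described above (this is example code, not part of the original article), the following Python script turns a facilitator's timestamped notes into the time-to-detect, time-to-escalate and recovery figures from the earlier list, and pulls out the information people asked for but did not have. The log format, tags, system names and timings are all constructed for the example.

```python
from datetime import datetime

# Constructed facilitator log for a tabletop exercise (not from the article).
# Line format "HH:MM TAG note"; tags: INJECT (facilitator shares information),
# DETECT (someone declares an incident), ESCALATE (leadership informed),
# RESTORE (named system confirmed restored), ASK (information a participant
# requested; "-> unavailable" marks what the team could not get), END.
EXERCISE_LOG = """\
09:00 INJECT help desk ticket about a slow computer in finance
09:12 INJECT single alert: unusual file renames on FIN-FS01
09:25 DETECT security lead declares a ransomware incident
09:31 ASK who owns FIN-FS01 -> unavailable
09:40 INJECT IT isolates FIN-FS01; encryption stops on that share
09:58 ESCALATE CISO briefs the on-call executive
10:20 INJECT ransom note appears on ERP-APP01
10:45 ASK is there a regulatory notification deadline -> unavailable
11:30 RESTORE FIN-FS01 from last night's backup
11:50 END facilitator closes the exercise
"""
CRITICAL_SYSTEMS = ("FIN-FS01", "ERP-APP01")  # constructed example list

def parse_log(text):
    """Return (datetime, tag, note) tuples in log order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, tag, note = line.split(" ", 2)
            events.append((datetime.strptime(stamp, "%H:%M"), tag, note))
    return events

def minutes_until(events, tag):
    """Minutes from the first inject to the first `tag` event; None if never."""
    start = next(t for t, tg, _ in events if tg == "INJECT")
    hit = next((t for t, tg, _ in events if tg == tag), None)
    return None if hit is None else int((hit - start).total_seconds() // 60)

def exercise_metrics(text, critical=CRITICAL_SYSTEMS):
    """The three metrics the exercise tracks, plus the information gaps."""
    events = parse_log(text)
    restored = {note.split()[0] for _, tg, note in events if tg == "RESTORE"}
    return {
        "time_to_detect_min": minutes_until(events, "DETECT"),
        "time_to_escalate_min": minutes_until(events, "ESCALATE"),
        "recovered": sorted(restored & set(critical)),
        "not_recovered": sorted(set(critical) - restored),
        "unanswered_requests": [note for _, tg, note in events
                                if tg == "ASK" and note.endswith("unavailable")],
    }
```

A metric of `None` means the event never happened before the facilitator closed the exercise, which is itself a finding worth recording.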

Try not to stop the exercise to explain mistakes. When something goes wrong, that is often the most valuable part.

Turn What Happened Into Changes

After the exercise, review what happened from start to finish, comparing what people expected to happen with what actually occurred.

You will usually find issues such as unclear ownership, missing contact details, or steps in the response plan that do not match how people work in practice. These are not failures – they are the point of the exercise.

Next steps include:

  • Ask participants what they expected vs. what actually occurred
  • Identify unclear ownership or missing contact details
  • Update the incident response plan accordingly
  • Adjust alerting rules and notification flows
  • Implement training where gaps were observed

What Often Goes Wrong

Ransomware exercises tend to fail for predictable reasons, and most of them are not technical.

Common problems include:

  • Scenario is too clean: Everyone knows it’s an exercise, the clues are obvious, and the “attack” unfolds exactly as planned
  • Unclear ownership: Security assumes IT will lead, IT waits for leadership, and legal is not contacted because no one thinks to call them
  • Focus only on tools: Teams may prove that alerts fire correctly, but never test decision-making (who reads alerts, approves isolation, or shuts down critical systems)
  • No follow-up action: Issues are identified, but no changes are made, leaving the same gaps for the next exercise

The goal is not to avoid these problems, but to surface them safely and fix them before a real attacker forces the issue.

Choose Rootshell Security for Your Ransomware Exercise 

Running a ransomware exercise is one of the best ways to see how your organization responds under pressure. 

For enterprises looking for expert guidance, Rootshell Security offers tailored ransomware assessments and penetration testing services. Our team combines automated tools with manual testing to simulate realistic attacks and identify gaps before real threats hit.

Using Rootshell’s platform, you can monitor vulnerabilities, streamline incident response, and make actionable improvements to strengthen your security posture.

For guidance on recovery post-ransomware, see How to Recover from a Ransomware Attack.

Frequently Asked Questions

How long should a ransomware exercise last?

Most exercises run for a few hours to a full day. Tabletop discussions can be shorter, while technical simulations take longer to observe system responses and recovery.

Do you need real malware to run a ransomware exercise?

No. You can safely simulate ransomware behavior without using actual malware. The focus is on decision-making and process testing.

Who should take part in a ransomware exercise?

Include all roles that would respond to a real attack. That usually means security, IT operations, legal, communications, and leadership.

How often should you run a ransomware exercise?

Once a year is sufficient for many organizations. Rotate the focus each time – detection, decision-making, recovery – to cover different gaps.

What if the exercise reveals problems?

That’s the point. Use the findings to update plans, train staff, improve alerts, and test backups so that the exercise leads to real improvements.

Shaun Peapell
Shaun Peapell is the Vice President of Global Threat Services at Rootshell Security, leading efforts in penetration testing and threat intelligence. He is actively involved in industry discussions on continuous testing methodologies.