# Workflows - Ransomware Tabletop Exercise

## Workflow 1: Exercise Planning (4-6 weeks before)

```
Start
  |
  v
[Define exercise objectives] --> What gaps are we testing?
  |
  v
[Select scenario type]
  |-- Double extortion (data theft + encryption)
  |-- Supply chain ransomware (vendor compromise)
  |-- Cloud ransomware (SaaS/IaaS targeted)
  |-- Critical infrastructure disruption
  |
  v
[Choose threat actor model] --> LockBit / ALPHV / Cl0p / Rhysida
  |
  v
[Identify participants]
  |-- Executive leadership (CEO, CFO, COO)
  |-- IT/Security (CISO, SOC, IR team)
  |-- Legal (General Counsel, external counsel)
  |-- Communications (PR, media relations)
  |-- Operations (business unit leaders)
  |-- HR (employee communications)
  |-- External partners (IR firm, insurance)
  |
  v
[Develop scenario with 4 phases and injects]
  |
  v
[Prepare materials: SITREPs, inject cards, evaluation scorecard]
  |
  v
[Schedule 3-4 hour block, distribute pre-reading]
  |
  v
End
```

## Workflow 2: Exercise Execution

```
Exercise Start
  |
  v
[Facilitator opening brief] (10 min)
  |-- Ground rules, objectives, scope
  |-- "This is discussion-based, no wrong answers"
  |
  v
[Phase 1: Initial Detection] (30 min)
  |-- Distribute SITREP 1
  |-- Discussion: Who, what, when, initial actions
  |-- Inject: Additional information changes the situation
  |-- Document decisions on worksheet
  |
  v
[Phase 2: Escalation] (30 min)
  |-- Distribute SITREP 2
  |-- Discussion: Scope of impact, containment actions
  |-- Inject: Double extortion element introduced
  |-- Document decisions
  |
  v
[Break] (10 min)
  |
  v
[Phase 3: Critical Decision Points] (45 min)
  |-- Distribute SITREP 3
  |-- Discussion: Ransom payment, law enforcement, notification
  |-- Inject: Public pressure from media/customers
  |-- Document decisions with rationale
  |
  v
[Phase 4: Recovery and Communication] (45 min)
  |-- Distribute SITREP 4
  |-- Discussion: Recovery priority, timeline, customer comms
  |-- Inject: Recovery complication (infected backup, key system fails)
  |-- Document decisions
  |
  v
[Hot wash / Debrief] (20 min)
  |-- Each functional area shares top insight
  |-- Facilitator highlights key observations
  |-- Immediate gap identification
  |
  v
Exercise End
```

## Workflow 3: After-Action Report Development

```
Exercise Complete
  |
  v
[Collect all documentation within 24 hours]
  |-- Decision worksheets
  |-- Facilitator notes
  |-- Evaluation scorecards
  |-- Observer notes (if separate observers present)
  |
  v
[Score each evaluation area (1-5)]
  |
  v
[Identify strengths (what worked well)]
  |
  v
[Identify gaps with severity rating]
  |-- Critical: Would prevent effective response
  |-- High: Would significantly delay/complicate response
  |-- Medium: Would reduce response quality
  |-- Low: Minor improvement opportunity
  |
  v
[Develop remediation actions]
  |-- Each gap gets: action, owner, deadline, priority
  |-- Must be specific and measurable
  |
  v
[Draft AAR within 5 business days]
  |
  v
[Review AAR with exercise sponsor]
  |
  v
[Distribute AAR to participants]
  |
  v
[Track remediation actions quarterly]
  |
  v
End
```
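The scoring, gap-severity and remediation-tracking steps of Workflow 3 are the parts of the AAR that are easy to leave half-finished (a gap with no owner, a deadline nobody rechecks at the quarterly review). The following is an added example, not part of the original exercise materials, of a small tracker that enforces the "action, owner, deadline, priority" rule for every gap, orders gaps by severity, and flags overdue actions at review time. The class and function names, the 1-5 scoring scale applied per evaluation area, and all sample gaps, owners and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional

# Severity ratings from Workflow 3, ordered so that sorting by value works.
class Severity(IntEnum):
    LOW = 1       # Minor improvement opportunity
    MEDIUM = 2    # Would reduce response quality
    HIGH = 3      # Would significantly delay/complicate response
    CRITICAL = 4  # Would prevent effective response

@dataclass
class RemediationAction:
    action: str
    owner: str
    deadline: date
    priority: str
    closed: bool = False

@dataclass
class Gap:
    description: str
    severity: Severity
    remediation: Optional[RemediationAction] = None  # None = not yet assigned

def average_score(scores: Dict[str, int]) -> float:
    """Average of the per-area 1-5 scorecard; rejects values outside the scale."""
    for area, value in scores.items():
        if not 1 <= value <= 5:
            raise ValueError(f"{area}: score {value} is outside the 1-5 scale")
    return sum(scores.values()) / len(scores)

def validate_gaps(gaps: List[Gap]) -> Dict[str, List[str]]:
    """Return, per gap description, the fields that violate the
    'each gap gets action, owner, deadline, priority' rule."""
    problems: Dict[str, List[str]] = {}
    for gap in gaps:
        found: List[str] = []
        r = gap.remediation
        if r is None:
            found.append("no remediation action")
        else:
            for name in ("action", "owner", "priority"):
                if not getattr(r, name).strip():
                    found.append(f"{name} is empty")
        if found:
            problems[gap.description] = found
    return problems

def priority_order(gaps: List[Gap]) -> List[Gap]:
    """Highest severity first; within a severity, earliest deadline first.
    Gaps without a remediation sort last within their severity."""
    def key(gap: Gap):
        deadline = gap.remediation.deadline if gap.remediation else date.max
        return (-int(gap.severity), deadline)
    return sorted(gaps, key=key)

def overdue_actions(gaps: List[Gap], as_of: date) -> List[Gap]:
    """Open remediation actions whose deadline has passed: the quarterly check."""
    return [g for g in gaps
            if g.remediation and not g.remediation.closed
            and g.remediation.deadline < as_of]

# Constructed sample scorecard and gap list (not from a real exercise).
SAMPLE_SCORES = {
    "Detection and escalation": 4,
    "Containment decisions": 3,
    "Ransom and legal decision": 2,
    "Communications": 4,
    "Recovery": 3,
}

SAMPLE_GAPS = [
    Gap("Customer notification template missing", Severity.MEDIUM),
    Gap("Ransom payment decision authority unclear", Severity.HIGH,
        RemediationAction("Document payment decision authority in IR plan",
                          "General Counsel", date(2024, 11, 15), "P2")),
    Gap("Pre-reading not distributed to HR", Severity.LOW,
        RemediationAction("Add HR to exercise distribution list",
                          "", date(2024, 10, 1), "P4", closed=True)),
    Gap("No offline backup verification procedure", Severity.CRITICAL,
        RemediationAction("Write and test quarterly restore procedure",
                          "IT Director", date(2024, 9, 30), "P1")),
]

if __name__ == "__main__":
    print("Average score:", average_score(SAMPLE_SCORES))
    for gap in priority_order(SAMPLE_GAPS):
        print(gap.severity.name, "-", gap.description)
    print("Incomplete remediation entries:", validate_gaps(SAMPLE_GAPS))
    print("Overdue at 2024-10-15:",
          [g.description for g in overdue_actions(SAMPLE_GAPS, date(2024, 10, 15))])
```

Running it against the constructed sample lists the critical backup gap first, reports the two entries that fail the completeness rule (one with no action assigned, one with an empty owner), and flags the critical action as overdue at the October review date while leaving the closed HR item alone.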