How to run a ransomware simulation

Preparedness is the most effective protection against the threat of ransomware attacks. Running regular simulations can help teams better weather the storm


For cyber attackers, ransomware is the gift that keeps on giving. Blocking access to a company’s business-critical data puts organisations that fail to mitigate against attacks in a difficult position. They can either pay out what is likely to be a sizable ransom or lose days or even weeks of business continuity.

Six in 10 organisations (59%) suffered ransomware attempts in 2024, according to cyber vendor Sophos’ State of Ransomware Report. Organisations with over $5bn (£3.85bn) in annual revenue were hit the hardest, with 67% affected by ransomware in some capacity. This means most companies can expect to be targeted by a ransomware attack at some point.

The financial and reputational impacts on businesses can be devastating. On an individual level, security personnel have also suffered PTSD-like symptoms after dealing with the fallout from such incidents.

Well-kept data back-ups, fail-safe systems and robust perimeter defence are all essentials for weathering the ransomware storm. Equally important is keeping a cool head in crisis – showing confidence in decision-making and calmly working to resolve the situation.

That means ensuring all stakeholders, not just security teams, are prepared. But what kind of training exercises can help? And how can security leaders ensure these are effective?

Ransomware simulations: can ‘red teams’ help?

Ambushing employees with fake cyber attacks was once a popular method. This often involved sending spoof phishing emails to test whether employees would click on a dodgy link. However, these techniques are increasingly being eschewed for more open and transparent training.

One method is engaging so-called red teams (often brought in from outside the organisation) to blind-test the cyber defence of blue teams, the cyber defenders within an organisation. Here, the red team takes on the role of attacker, simulating the kinds of malware or ransomware used by cybercriminals. The blue team must surface these threats, protect against them and repair any damage done.

These simulated attacks take place on portioned-off parts of a network using synthetic, junk data, so as not to put the business at risk.


The purpose of these exercises is to expose gaps in cyber defence. This could mean differentiating between false alerts and real threats, being able to find those threats in the first place or coordinating a successful response once an incident is in progress.

If they have the expertise, organisations might create their own internal red team/blue team standoffs. Alternatively, there are red-team vendors that offer ‘blind’ red-team services, in which the defending side is given little to no advance knowledge of the exercise. These vendors argue that such exercises create an effective environment for testing the real-world capabilities of cybersecurity teams.

Red teaming can be a “great opportunity to test a company’s preparedness, detection and response processes and technologies in a way that mimics real-world conditions”, says Lorenzo Grillo, head of Alvarez & Marsal’s cyber risk services. That’s because such exercises assess the “entire control environment” to simulate how skilled and motivated cyber threat actors would target an organisation.

However, he adds, surprise attacks can put too much pressure on staff and risk making them feel as if they’re under constant scrutiny. This can lead to trust issues between stakeholders. “If you have a drill without telling someone it’s a drill, it can actually be just as disruptive as a real attack,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “And that doesn’t make any sense for the business.”

Blind testing, Woodward says, is a little akin to letting smoke canisters off in the office and screaming “fire” during a drill. Such an approach can burn out or panic staff and lead to poorer productivity.

While red teaming can iron out some kinks or expose certain vulnerabilities, if you don’t trust your teams to perform well in a crisis, that “says more about your recruitment processes than anything”, he adds.

Ransomware simulations: how tabletop exercises can help

Instead, Woodward recommends an open and transparent approach to cyber drills. He suggests regular tabletop exercises – typically an hour-and-a-half long role-playing session that sets out cyber scenarios for teams and leaders to work through. The National Cyber Crime Centre and the US government’s CISA website provide some useful examples.

These games usually involve a ‘facilitator’, who will run the exercise, inform participants of what’s happening and instruct them to make decisions. Ultimately the aim is to create a plausible, realistic scenario and test responses to it, allowing participants to audit their current decision-making processes, technical defences and continuity plans.

IT teams, cyber experts and C-suite executives typically participate in these exercises. At a minimum, businesses should include representatives from each tier of the ‘gold, silver, bronze’ command structure (strategists, tacticians and operational employees).

Properly defined and managed tabletop exercises can help test a company’s ability to respond to cyber crises, Grillo says. Businesses should find the right balance between these two approaches, he adds: “Red teaming can expose gaps and enhance defensive skills, while tabletop exercises offer room for safe practice and learning without constant stress.”

Why leadership buy-in is essential for cyber preparedness

During a real-world ransomware attack, an organisation’s leadership must make tough business decisions. It will be up to them to decide whether to pay the ransom, issue a statement and to find a way to ensure business continuity while restoring systems. This means it’s critically important the C-suite is briefed properly and in a language they understand.

“Executives don’t need to know how you perform log analysis or reverse engineer malware,” says Dan Potter, senior director of operational resilience at cyber preparedness vendor Immersive Labs. “They do need to know the teams at their disposal have the capability to do those and that they can show they’re improving over time.”


In the past, he adds, security teams have succeeded in terrifying leadership with details of cyber disasters and briefings on advanced persistent threat groups, but they have been less effective at engaging the business. The facilitator of any tabletop exercise must prioritise inclusivity and encourage participants to speak a common language.

However, the goal should really be continuous learning, says Potter. “One big exercise a year with the same 20 executives is not sufficient. It’s not providing the regular cadence or the validation of process that organisations need.”

Given the busy schedules of C-suite executives, it may prove difficult to find a time slot for multiple tabletop exercises. This puts the onus on security leaders to keep teams sharp. Potter suggests frequent, smaller exercises for first-line responders. This could include hands-on labs, technical skill development training or small-team simulations.

Security teams can then use these activities to brief senior executives on the progress made, while helping to avoid exercise fatigue among leadership. This can open conversations with leaders about what their concerns and priorities should be. Ongoing exercises will equip cyber teams with the data to inform leaders of their progress, or of areas where there’s room for improvement, ultimately instilling confidence in the team.

The ethical considerations of ransomware simulations

Making training exercises a success requires building a security culture that’s rooted in collaboration and improvement rather than shame or ridicule.

Employees should understand the need for rehearsals and be clear that exercises are not about catching people out, criticising teams or blaming systems, says Jason Nurse, reader in cybersecurity at the University of Kent. The goal is to establish where there’s room for improvement.

Organisations should consider the targets, timing and nature of ransomware attacks carefully in their simulations. They should ensure that they don’t unfairly target certain groups and acknowledge the state of the business at any time they’re undertaken.

“For instance, is it the last day of the financial year?” asks Nurse. “Or is the simulation due on the day new software will be installed across the business? While there are certainly advantages to running simulations at these times – and ransomware groups themselves may find these ideal target times – they may cause significant additional stress for employees.”

Finally, anyone setting up a simulation should consider if the content is appropriate. There have been instances where organisations have conducted attack simulations that were in poor taste and didn’t consider employee or customer context.

“We’ve seen attack simulations offering bonuses or alerting to Ebola outbreaks,” Nurse explains. “There’s a balance to be maintained in achieving and testing security processes without also compromising employee morale.”

Running cyber attack role-playing sessions might sound like corporate Dungeons and Dragons, but the benefits can be significant. By discussing actions needed to address these imaginary attacks, organisations can identify weak points in their security systems and skills gaps. When ransomware can lead to the destruction of businesses, running simulations can make all the difference.