Product
Sep 22, 2025

Why run AI Driven Ransomware Tabletops

Ransomware incidents are not only technical — they’re organizational crises that combine data extortion, negotiation, legal/regulatory exposure, and public messaging under time pressure. To be effective, tabletop exercises must simulate how real operators behave: multi-stage intrusions, stealthy data exfiltration, staged encryption, and the publication/leak pressure cycle. Use known ransomware group behaviors (e.g., Conti, LockBit, BlackCat/ALPHV) to make injects realistic and to test specific technical and business controls.

Objectives

  1. Validate cross-functional incident roles and decision authorities (CISO, Legal, PR, IT, Finance, Board).
  2. Exercise triage: detection → negotiation → containment → eradication → recovery.
  3. Test extortion management decision points (notify law enforcement? engage negotiator? insurance claims?).
  4. Verify backups, restore runbooks, and RTO/RPO assumptions against a realistic encrypted + exfiltrated scenario.
  5. Improve evidence collection & legal hold processes for potential litigation / regulators / insurers.

Short primer on ransomware TTPs to use as scenario building blocks

Use the following real, well-documented TTP clusters when designing injects. Each cluster maps to MITRE ATT&CK techniques, which is useful both for building detections and for writing detection-focused injects.

  • Initial access & foothold — phishing, stolen credentials, exposed VPN/Remote Desktop services, exploitation of public-facing apps. (Observed across LockBit, Conti, ALPHV.)
  • Lateral movement & credential access — AD enumeration, pass-the-hash, RDP, WinRM, PsExec, remote scheduled tasks. (Conti, LockBit.)
  • Privilege escalation — abuse of domain admin accounts, credential dumping (LSASS, Mimikatz), service abuse.
  • Data discovery & exfiltration — search for sensitive files (PII, IP), compress/encrypt, and exfiltrate (Rclone/SCP to cloud or via staging hosts). Many modern ransomware actors perform extensive exfiltration first to enable double extortion.
  • Encryption & disruption — deploy encryptors across Windows/VMware/Unix; configurations often exclude certain folders and target backups for destruction. (BlackCat/ALPHV and LockBit are documented to have multi-OS capabilities.)
  • Leak site & extortion — actors create dark-web leak pages and send ransom notes with deadlines/countdowns; they may threaten to sell or publish the data unless paid. (Observed across LockBit, Conti families.)

(Reference ATT&CK mappings: MITRE pages for Conti and LockBit are authoritative mappings of observed techniques).  

Exercise format & length recommendations

  • Duration: 2–4 hours, or a full day for tabletop plus technical walkthrough.
  • Participants: Security/IR, SOC analysts, IT ops, Legal, Compliance, PR/Communications, Finance, Executive sponsor, Insurer rep (optional), External Counsel.
  • Facilitators: 1 technical facilitator (IR lead) + 1 business facilitator (Crisis lead). Consider a neutral facilitator to keep the session moving.
  • Artifacts: participants should use AiiR automated case templates to walk through each step.

Scenario Blueprint (“LockBit-style” double-extortion)

Stage 0 (pre-exercise prep)

  • Pre-brief: Provide players with normal day-to-day monitoring information and explain that the SOC has detected suspicious authentication events. Don’t reveal the full scenario.

Stage 1 — Initial detection (T+0) — Inject

  • SOC alert: Repeated failed admin RDP attempts from foreign IPs; successful login to service account from unusual location.
  • Data: Printout of SIEM alert, Windows event ID snippet, and abnormal authentication timeline.

Expected decisions / injects

  • Who flags and escalates? SOC analyst? IT?
  • Triage: Isolate host, capture memory, snapshot, preserve logs. (Test evidence preservation and legal hold processes.)

Stage 2 — Lateral & discovery (T+30–90m) — Inject

  • Forensics finds LSASS dump and scheduled tasks; file shares contain mass read activity and a newly created archive named corp_backup_2025_09.zip staged on a jump host.
  • Detection mapping: Credential dumping (T1003), Lateral movement (T1021).  

Expected decisions

  • Revoke service account credentials? Reset domain admin? Segment networks? Inform executive team? At what point is CIO/CEO briefed?

Stage 3 — Exfil & ransom note (T+4–8h) — Inject

  • Threat actor posts an encrypted sample on a leak site and sends an extortion e-mail. Ransom note includes: proof files, wallet address, and 72-hour countdown to leak. This simulates double extortion (exfil + encryption).  

Expected decisions

  • Notify law enforcement/IC3/FBI by running a promptbook? (FBI says victims should report; law enforcement discourages paying ransoms but offers investigative support).  
  • Decide whether to engage an external negotiator or cyber insurer vendor. Legal must evaluate breach notification obligations (state regulators, HIPAA, etc.).

Stage 4 — Escalation (T+Day) — Inject

  • Ransom deadline approaches; actor publishes part of the stolen data on the leak site.
  • Board and PR now demand a course of action.

Tabletop objectives at this stage

  • Test call tree activation, external communications, and whether the team can implement containment and restore critical services with available backups.

How to map each inject to technical detection/response exercises

For each inject, include a short detection exercise the SOC/IR team must perform:

  • Credential compromise inject → SOC: hunt for abnormal Kerberos Ticket Granting Ticket (TGT) issuance, look for unusual netstat connections, suspicious privileged logons (T1078). Provide snippets of logs the team must analyze. (See MITRE mappings on Conti/LockBit).  
  • Data exfiltration inject → Request SOC to show evidence of data transfers to unsanctioned cloud storage or unapproved IPs; show S3 access logs or cloud identity logs. Include a simulated Rclone command in a red-team artifact (as an artifact to find) — do not show how to run it. Instead, provide logs showing large uploads from a known host to a cloud endpoint.
  • Leak site proof → Provide screenshot of a fabricated leak site entry (redacted PII) and ask Legal/PR to draft a public statement; test notification templates and regulator reporting thresholds.
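The credential-compromise and exfiltration injects above both ask the SOC to find a pattern in logs. As an added example (not code from the page or from AiiR), the block below implements the two detections over constructed telemetry: a burst of failed RDP logons from one source followed by a successful logon (the Inject A pattern, mapped to T1078), and a large outbound transfer to a destination that is not on a sanctioned list. The JSON event shape, host names, IPs and thresholds are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real logs) -------------------------
# One JSON object per line, mimicking a SIEM export of Windows logon events.
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).

def build_sample_logon_events():
    base = datetime(2025, 9, 22, 10, 5, 0)
    lines = []
    # 12 failed RDP logons from one external address in about a minute,
    # followed by a successful logon to a service account (the Inject A pattern).
    for i in range(12):
        lines.append(json.dumps({"time": (base + timedelta(seconds=5 * i)).isoformat(),
                                 "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.50",
                                 "target_host": "FS01", "user": "administrator"}))
    lines.append(json.dumps({"time": (base + timedelta(seconds=70)).isoformat(),
                             "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.50",
                             "target_host": "FS01", "user": "svc_backup"}))
    # Benign noise: a user mistypes a password three times, then logs in.
    for i in range(3):
        lines.append(json.dumps({"time": (base + timedelta(minutes=2, seconds=10 * i)).isoformat(),
                                 "event_id": 4625, "logon_type": 10, "src_ip": "10.0.0.7",
                                 "target_host": "WS22", "user": "jdoe"}))
    lines.append(json.dumps({"time": (base + timedelta(minutes=3)).isoformat(),
                             "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.7",
                             "target_host": "WS22", "user": "jdoe"}))
    return "\n".join(lines)

# Constructed outbound transfer summaries (bytes sent per host/destination pair).
SAMPLE_FLOWS = [
    {"src_host": "JUMP01", "dst": "storage.example-cloud.test", "bytes_out": 3_200_000_000},
    {"src_host": "WS22", "dst": "updates.corp.example", "bytes_out": 900_000_000},
    {"src_host": "FS01", "dst": "backup.corp.example", "bytes_out": 50_000_000_000},
]
SANCTIONED_DESTINATIONS = {"backup.corp.example", "updates.corp.example"}

def parse_events(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_rdp_bruteforce_then_success(events, fail_threshold=10, window=timedelta(minutes=5)):
    """Flag a successful RDP logon preceded by >= fail_threshold failures from the
    same source address within `window` (ATT&CK T1078, valid accounts)."""
    failures = defaultdict(list)          # src_ip -> timestamps of failed RDP logons
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort chronologically
        if e.get("logon_type") != 10:
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(ts)
        elif e["event_id"] == 4624:
            recent = [t for t in failures[e["src_ip"]] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"src_ip": e["src_ip"], "target_host": e["target_host"],
                               "user": e["user"], "failed_attempts": len(recent),
                               "success_time": e["time"], "technique": "T1078"})
    return alerts

def detect_large_uploads(flows, sanctioned, threshold_bytes=1_000_000_000):
    """Flag hosts sending at least threshold_bytes to a destination that is not
    on the sanctioned list (exfiltration staging / cloud upload pattern)."""
    return [f for f in flows if f["dst"] not in sanctioned and f["bytes_out"] >= threshold_bytes]

if __name__ == "__main__":
    for a in detect_rdp_bruteforce_then_success(parse_events(build_sample_logon_events())):
        print("ALERT credential compromise:", a)
    for f in detect_large_uploads(SAMPLE_FLOWS, SANCTIONED_DESTINATIONS):
        print("ALERT large upload to unsanctioned destination:", f)
```

The three-failure case from the internal workstation stays below the threshold, which is the point of requiring both a burst and a subsequent success: password typos alone should not page anyone. For the exercise, hand the team the raw event export and ask them to produce the two alerts themselves before comparing against a reference like this.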
Decision matrix: pay / don’t pay (what stakeholders must weigh)

Create a decision matrix card for execs during the tabletop:

Business Impact | Regulatory Risk | Likelihood of Recovery via Backups | Insurance Coverage | Law Enforcement Input | Reputational Risk

→ Decision (Pay / Don’t Pay / Negotiate / Partial Disclosure).

Put realistic constraints in the scenario: e.g., backups for critical ledger system are 24 hrs old (RPO = 24h), partial corruption of secondary backups observed, insurer T&Cs require notification within X hours to preserve coverage.

Cite: CISA and law enforcement guidance emphasize engaging law enforcement and caution about payment.  

Communications playbook — sample templates

  1. Holding statement (first 2 hours) — short, factual, non-speculative: “We are investigating unusual activity affecting internal systems. We have activated our incident response plan and engaged external specialists. We will provide updates as they become available.”
  2. Regulator notification checklist — compile list of triggers (PII exposed? HIPAA? NY DFS?) and timelines. Legal should own this.
  3. Customer notification template — brief, remedial steps (password resets, monitoring), contact email, and assurance of resources being mobilized.

Technical playbook: detection, containment, eradication, recovery (concise checklist)

Detection / Triage
  • Confirm scope (Crown jewels: file servers, AD). Query EDR for IOCs/behavioral indicators.
  • Capture volatile evidence (memory, running processes) and take VSS or snapshots.
Containment
  • Isolate infected systems (network ACLs, VLAN segmentation), block known C2 IPs/domains, revoke compromised credentials (with care to avoid breaking forensic evidence).
  • Preserve at least one forensic image or snapshot per affected system; coordinate with Legal on chain of custody.
Eradication
  • Remove persistence (scheduled tasks, services, registry autoruns), rotate credentials for service and privileged accounts, patch exploited vulnerabilities on internet-facing assets.
Recovery
  • Validate backups offline before restore; restore to isolated recovery environment; monitor restored systems for re-infection.
  • Do full integrity validation for transactional systems.

(Use CISA StopRansomware guidance as a reference checklist.)  

Table: Example MITRE ATT&CK mappings

Tactic | Techniques | Observed in / source
Initial access | Phishing (T1566), Exploit Public-Facing App (T1190) | LockBit, Conti
Execution | Command-line (T1059), Scheduled Task (T1053) | LockBit/Conti artifacts
Credential access | Credential dumping (T1003) | Conti reports
Exfiltration | Exfil via cloud storage (T1537) | StopRansomware advisories
Impact | Data encrypted for impact (T1486) and data leak extortion | Observed in ALPHV/BlackCat, LockBit

Runbook artifacts to prepare before the exercise

  • SOC playbooks for the above techniques (hunt queries for credential dumping, unusual RDP, large outbound uploads).
  • Backup inventory with restore owners and test status.
  • Contact list for law enforcement and cyber insurance adjuster.
  • Pre-signed NDAs/engagements with external negotiator and forensic vendor (so executive decisions can be made quickly).

Relevant public advisories such as CISA’s StopRansomware and MITRE’s software pages provide ready IOCs and detection hints you can import into SOC rules.

Exercise inject bank

Below are ready inject examples (deliver to facilitator to drop in at planned times):

  1. Inject A — SIEM alert: “10:12: Failed admin RDP attempts x37 from 185.42.198.62 → 10.12.4.22; successful login 10:13.” (SOC must escalate within 10 minutes or facilitators push second inject).
  2. Inject B — Forensics find: “LSASS dump and dir listing with corp_financials_2024.xlsx compressed into Q2_backup.zip and placed on \\10.12.99.45\staging.” (SOC must identify exfil target)
  3. Inject C — Ransom note / leak page screenshot: “We have exfiltrated customer PII; pay 4 BTC to wallet X or data will be published; 72-hr countdown.” (Trigger legal/PR matrix)
  4. Inject D — Insurance claim update: “Insurer says: coverage applies if notified within 48 hours; deductible $50k; appointed vendor is VendorX (forensic + negotiator).” (Finance must evaluate cost and vendor engagement)

After-action & metrics to capture

  • Time to detection (TTD) and time to containment (TTC).
  • Time from detection to first executive briefing.
  • Percent of critical services restored within documented RTO.
  • Number of missed / ambiguous responsibilities during the incident.
  • Cost estimate: direct remediation + insurance claim recovery + reputational mitigation.

Legal & law enforcement considerations

  • Report early. FBI/IC3 encourages reporting and may provide investigative support. Victims should also check reporting obligations for data breaches (state laws, sector regulations). The FBI discourages payment as a policy position, but law enforcement is a resource for investigation.  
  • Insurer coordination. Understand the insurer’s vendor panels, reporting timelines, and whether engaging a negotiator is permitted/required. Recent guidance and evolving reporting rules may affect insurer obligations.  

How AiiR Response Elevates Tabletop Exercises

Traditional ransomware tabletops validate decision-making, detection, and communication, but AiiR Response takes this one step further. By embedding automation, intelligence, and structured workflows into the exercise, AiiR transforms tabletops from static roleplay into dynamic, repeatable simulations.

Case Templates and Playbooks

AiiR provides pre-built case templates for ransomware events that mirror real-world scenarios like LockBit, Conti, or ALPHV double-extortion campaigns. Each template includes:

  • Predefined tasks across Legal, PR, IT, SOC, Finance, and Executives.
  • Trigger-based automation (e.g., once a ransom note is introduced, tasks for Legal notification, insurer engagement, and regulator reporting are automatically queued).
  • Role-based guidance so participants see only what’s relevant to their responsibilities, preventing confusion and driving muscle memory.

Automated Task Orchestration

During tabletop runs, AiiR automatically assigns and sequences tasks as injects unfold. Instead of facilitators manually tracking progress, the platform orchestrates task assignment, deadlines, and escalation. This ensures exercises stay realistic, and every step is recorded for after-action reporting.
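To make the trigger-based automation and role-based task views concrete, here is an added example of the workflow pattern the two sections above describe. It is illustrative code written for this page, not AiiR’s implementation: the trigger table, role names, task titles and deadline offsets are all assumptions. An inject queues role-scoped tasks with deadlines, each role sees only its own open work, overdue tasks surface as an escalation list for the facilitator, and every action is timestamped so decision delays can be measured afterwards.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Task:
    title: str
    role: str
    queued_at: datetime
    due: datetime
    trigger: str
    completed_at: Optional[datetime] = None

# Hypothetical trigger table (constructed for this example): inject kind ->
# (owning role, task, deadline offset from the moment the inject is introduced).
TRIGGERS = {
    "credential_compromise": [
        ("SOC", "Isolate affected host, capture memory, preserve logs", timedelta(minutes=30)),
        ("IT", "Reset compromised service-account credentials", timedelta(hours=1)),
    ],
    "ransom_note": [
        ("PR", "Release holding statement", timedelta(hours=2)),
        ("Legal", "Assess breach-notification obligations", timedelta(hours=4)),
        ("Legal", "Report to law enforcement / IC3", timedelta(hours=8)),
        ("Finance", "Notify cyber insurer within coverage window", timedelta(hours=24)),
    ],
    "leak_publication": [
        ("PR", "Update external communications", timedelta(hours=2)),
        ("Executive", "Run pay / don't pay decision matrix", timedelta(hours=4)),
    ],
}

class TabletopCase:
    """Minimal event-driven case: injects queue role-scoped tasks with deadlines,
    and every action is timestamped for the after-action report."""

    def __init__(self):
        self.tasks = []
        self.log = []        # (timestamp, event) pairs in the order they happened

    def inject(self, kind, at):
        """Introduce an inject; queue every task its trigger row defines."""
        for role, title, offset in TRIGGERS[kind]:
            self.tasks.append(Task(title, role, at, at + offset, kind))
        self.log.append((at, f"inject:{kind}"))
        return [t for t in self.tasks if t.trigger == kind]

    def view(self, role):
        """Role-based view: only this role's open tasks, earliest deadline first."""
        return sorted((t for t in self.tasks if t.role == role and t.completed_at is None),
                      key=lambda t: t.due)

    def complete(self, title, at):
        """Mark the first open task with this title done and record when."""
        for t in self.tasks:
            if t.title == title and t.completed_at is None:
                t.completed_at = at
                self.log.append((at, f"done:{title}"))
                return t
        raise KeyError(title)

    def escalations(self, now):
        """Open tasks past their deadline: the facilitator's escalation list."""
        return [(t.role, t.title) for t in self.tasks
                if t.completed_at is None and t.due < now]

    def latency(self, title):
        """Decision delay: time from a task being queued to its completion."""
        t = next(t for t in self.tasks if t.title == title and t.completed_at is not None)
        return t.completed_at - t.queued_at

if __name__ == "__main__":
    case = TabletopCase()
    t0 = datetime(2025, 9, 22, 10, 13)                      # constructed detection time
    case.inject("credential_compromise", t0)
    case.complete("Isolate affected host, capture memory, preserve logs", t0 + timedelta(minutes=20))
    case.inject("ransom_note", t0 + timedelta(hours=4))
    print("Legal queue:", [t.title for t in case.view("Legal")])
    print("Escalations at T+2h:", case.escalations(t0 + timedelta(hours=2)))
```

Running the script shows the IT credential reset as the only escalation at T+2h, because the SOC isolation task was closed inside its 30-minute window while the reset was not. The same log feeds the after-action metrics: `latency()` on the isolation task gives the 20-minute decision delay directly, and the ordered `log` list reconstructs who acted when.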

Negotiation Engine Simulation

Perhaps the most unique capability is AiiR’s AI-powered negotiation engine. In tabletop mode, AiiR simulates the behavior of ransomware operators by:

  • Generating realistic ransom notes and extortion emails.
  • Adjusting actor responses in real time based on participant decisions (e.g., delaying payment, asking for proof of data deletion).
  • Incorporating FinCEN, OFAC, and insurance coverage checks into the workflow, so decision-makers experience the same legal and regulatory pressures they would face in reality.

Benefits for Organizations

  • Faster prep: Run repeatable exercises with minimal facilitator overhead.
  • Cross-team alignment: Ensure Legal, SOC, IT and PR all work from the same playbook.
  • Metrics-driven improvement: Every action is logged, allowing teams to measure detection times, decision delays, and communication gaps.
  • Realism at scale: By blending automated tasks with simulated negotiations, AiiR turns a one-off exercise into a scalable training program.
