This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
Why Exercising Your Plan Matters.
Exercising your ransomware response plan is essential to ensure your organization can act quickly and effectively during a real attack. It helps validate that key components like backups, communication protocols, and isolation procedures are functional and up to date. Regular exercises reduce response time by allowing teams to practice their roles and build confidence under pressure. These simulations often uncover hidden gaps, such as outdated contact lists or faulty assumptions about data recovery. They also improve coordination across functional areas such as technical, legal, and executive teams, ensuring everyone knows when and how to act. Practicing your plan strengthens internal communication and enhances your ability to respond externally, including with law enforcement. Ultimately, a tested plan is a trusted plan.
“While everyone’s time is limited, going through an exercise will pay huge dividends for your IT team, your departments, and your agency as a whole.”
Scott Conn, CIO, Mesa, Arizona
Colonial Pipeline Caught Unprepared.
The May 2021 ransomware attack on Colonial Pipeline, executed by the DarkSide group, exposed major cybersecurity gaps in U.S. infrastructure after hackers exploited a single compromised password that was not protected by multi-factor authentication. The attack forced a six-day shutdown of a critical fuel pipeline, causing widespread shortages and prompting Colonial to pay a $4.4 million ransom. Colonial Pipeline’s CEO testified before the Senate Homeland Security and Governmental Affairs Committee, acknowledging that while the company had some basic cybersecurity plans in place, it had “no discussion about ransom” before the attack.
Modesto Makes Cyber Preparedness a Priority.
On February 3, 2023, the city of Modesto, CA experienced a ransomware attack in which the threat actor spent three days exfiltrating data before encryption activities alerted network defenders. Fortunately for the city, it had conducted a cybersecurity response tabletop exercise less than two months prior. Scott Conn, former CIO of Modesto (now CIO of Mesa, Arizona), wrote about “The Value of a Cybersecurity Attack Response Tabletop Exercise” for the Municipal Information Systems Association of California (MISAC), stating that the exercise allowed for a quick response, drastically reducing the amount of time to both discover and contain the breach. Conn noted that the exercise allowed Modesto to develop a detailed response playbook outlining roles and responsibilities, and finished by recommending others follow the city’s example: “While everyone’s time is limited, going through an exercise will pay huge dividends for your IT team, your departments, and your agency as a whole.”
Best Practices for Developing Exercises.
Below are several areas that organizations should consider when developing an exercise. The Homeland Security Exercise Evaluation Program (HSEEP) can also be a useful resource.
- Define Clear Objectives: Decide what you want to test (e.g., decision-making, communication flow, backup restoration, or legal notification procedures). Align the exercise with your ransomware response goals.
- Choose a Realistic Scenario: Use a ransomware attack scenario that reflects your actual threat environment (e.g., phishing entry, remote desktop compromise). Include escalating complications like ransom notes, data exfiltration, or media inquiries.
- Involve the Right Participants: Include representatives from IT, legal, communications, HR, compliance, and executive leadership. Make sure each team understands their roles and responsibilities in the response plan.
- Walk Through Decisions, Not Just Actions: Focus on how decisions are made, who authorizes actions, how priorities are set, and what trade-offs are considered. Push participants to think critically, not just check boxes.
- Inject Real-Time Challenges: Introduce injects (e.g., fake news reports, unexpected system failures, ransom note updates) to test agility and force decision-making under pressure.
- Debrief and Capture Lessons Learned: Hold a hotwash immediately after the exercise to discuss what worked, what didn’t, and what needs improvement. Document findings in an after-action report and update your plan accordingly.
In September 2023, both MGM Resorts and Caesars Entertainment were targeted by Scattered Spider. These incidents underscore the critical importance of robust cybersecurity measures and well-practiced response plans in the face of sophisticated cyber threats. Lisa Plaggemier, Executive Director of the National Cyber Security Alliance, said, “the best way to deal with a ransomware attack is to practice having one, to do tabletop exercises. You bring in outside consultants, a third party that runs you through an exercise where you practice having an incident and everybody knows what their role is and how they would respond. That can help you find weaknesses.”
Insights from our Weekly Ransomware Report.
Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): Sarcoma (4), World Leaks (3), Akira (2), Night Spire (2)
- Dragos Industrial Ransomware Analysis: Q1 2025 – In Q1 2025, Dragos reported a significant 87% year-over-year increase in ransomware attacks targeting industrial organizations, with the manufacturing sector bearing the brunt, accounting for 70% of incidents.
- M&S says cyber hackers broke in through third-party contractor – The Marks & Spencer attack provides another example of third-party risk and the effectiveness of social engineering.
Coming Up Next: “Crisis Comms: Talking Clearly When Ransomware Strikes.”
Our next blog in the series will review how communication during a ransomware incident is critical to managing internal coordination and external messaging. This includes having pre-approved templates, designated spokespeople, and clear protocols for informing employees, customers, regulators, and the media. A strong communications plan helps control the narrative, maintain trust, and avoid legal or reputational fallout.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send us an email and mention this blog, and let’s discuss how to boost your organizational resilience together.
Join the GRIP! Stay informed of what’s new in all-hazards homeland security by joining Gate 15’s Resilience and Intelligence Portal (GRIP). Join the GRIP! and join us in securing America’s people, places, data, and dollars. To join the GRIP, select the “Join the GRIP!” button on the portal page, or email our team at Gate15@Gate15.global.
Gate 15: Technology-enhanced, human-driven, homeland security risk management.

Understand the Threats.
Assess the Risks.
Take Action.