Running a ransomware readiness drill the board will remember.
Scenario, injects, scoring and board-level debrief structure from 30+ live exercises.

This playbook captures the sequence MAST Consulting Group uses on Cybersecurity Advisory engagements when a programme owner has roughly the next two quarters to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.
Definition
A ransomware readiness drill is a structured tabletop exercise that simulates a ransomware attack lifecycle — from initial access through encryption, extortion, and regulatory notification — to validate an organisation's incident response plan, decision-making governance, and recovery capabilities. This playbook draws on 30+ live exercises to define scenario design, inject sequencing, scoring rubrics, and a board-level debrief format.
Why it matters
The pressure on Cybersecurity Advisory programmes is shifting in specific, observable ways:
- NCA ECC-1 3-7-1 requires documented and tested incident response plans; SAMA CSF 3.5.3 mandates annual IR exercises — a board-level drill simultaneously satisfies both regulators with a single artefact.
- UAE Cybercrime Law (Federal Decree-Law No. 34/2021) Art. 40 and CBUAE notification requirements impose ≤72-hour breach notification windows; drills reveal whether the decision-chain can operate within that constraint.
- GCC organisations that conduct annual board-level IR drills reduce average ransom payment decisions (SAR 500K–5M range) by 60% through pre-approved playbooks — eliminating ad-hoc negotiation under pressure.
- Cyber insurers (AIG, Beazley) routinely require evidence of annual tabletop exercises as a condition for ransomware coverage renewal; absence raises premiums 20–40% or triggers coverage exclusion.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Incident Response Plan (IRP) document — version date, last test date, and specific ransomware playbook appendix with decision tree.
- Exercise after-action report (AAR) — inject-by-inject scoring sheet, gaps identified, and assigned remediation owners with due dates.
- Board and ExCo meeting minutes — documented attendance, decisions made during drill scenario, and approved IR escalation thresholds (e.g. ransom payment authority).
- Backup and recovery test results — RTO/RPO achieved per system tier, backup integrity verification hash logs, and isolation test timestamps.
- Regulatory notification draft — completed within exercise, reviewed by Legal, timed against simulated incident clock to validate ≤72-hour capability.
- Third-party communications log — simulated notifications to CBUAE/NCA/CERT-In, law enforcement, and insurer within exercise timeline.
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: CISO and Legal Counsel co-design a three-phase ransomware scenario (initial access via phishing, lateral spread to ERP, extortion demand) with six time-based injects calibrated to the organisation's actual crown-jewel systems.
- Day 31–60: IR Lead conducts a pre-drill walkthrough with IT, Legal, Communications, and Finance to validate playbook roles, pre-approved ransom decision thresholds (SAR), and backup restoration procedures.
- Day 61–90: Facilitator runs the full board-level tabletop (3–4 hours); scores each inject on a 1–5 decision-quality rubric; captures time-to-decision for regulatory notification inject.
- Day 90+: CISO publishes AAR with ≤10 prioritised remediation actions, assigns owners, and schedules 90-day follow-up gap review; submits exercise evidence to SAMA/NCA as CSF audit artefact.
- Ongoing: Annual full drill; semi-annual functional-level drill for SOC and IT; inject library updated quarterly based on current threat intelligence (e.g. ALPHV/BlackCat TTPs).
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- Time to regulatory notification decision during exercise — target: ≤4 hours from simulated incident declaration.
- Backup restoration RTO achieved in drill — target: ≤4 hours for Tier-1 systems; ≤24 hours for Tier-2.
- Inject decision-quality score — target: average ≥3.5/5 across all injects; any score ≤2 triggers immediate gap remediation.
- Board attendance rate at drill — target: ≥80% of board/ExCo members present or represented.
- AAR remediation closure rate — target: ≥90% of critical actions closed within 90 days of drill.
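As an added illustration (not part of the original playbook), the following scorer evaluates a constructed inject log from a drill against the targets listed above: time-to-decision on the regulatory notification inject, average decision-quality with ≤2 flagged, and backup RTO per system tier. Inject names, timestamps and tiers are constructed sample data.

```python
"""Score a ransomware tabletop drill against the playbook's metric targets."""
from datetime import datetime

# Targets from the metrics section: notification decision, rubric average, RTO per tier
TARGET_NOTIFY_HOURS = 4.0
TARGET_AVG_SCORE = 3.5
FLAG_SCORE = 2                      # any inject scored <= 2 triggers remediation
TARGET_RTO_HOURS = {"Tier-1": 4.0, "Tier-2": 24.0}

# Constructed sample data: simulated incident clock and six time-based injects
# (inject name, time issued, time the decision was taken, 1-5 decision-quality score)
DECLARED_AT = datetime(2024, 5, 14, 9, 0)
INJECTS = [
    ("I1 phishing foothold confirmed",  datetime(2024, 5, 14, 9, 5),  datetime(2024, 5, 14, 9, 40),  4),
    ("I2 lateral spread to ERP",        datetime(2024, 5, 14, 9, 45), datetime(2024, 5, 14, 10, 30), 3),
    ("I3 extortion demand received",    datetime(2024, 5, 14, 10, 30), datetime(2024, 5, 14, 11, 50), 2),
    ("I4 regulatory notification",      datetime(2024, 5, 14, 11, 0), datetime(2024, 5, 14, 12, 30), 4),
    ("I5 backup restore ordered",       datetime(2024, 5, 14, 12, 0), datetime(2024, 5, 14, 12, 20), 5),
    ("I6 public statement",             datetime(2024, 5, 14, 12, 30), datetime(2024, 5, 14, 13, 15), 3),
]
# Constructed restoration results: system -> (tier, RTO achieved in hours)
RESTORES = {"ERP": ("Tier-1", 3.5), "HR portal": ("Tier-2", 20.0), "Payments": ("Tier-1", 5.25)}


def hours_between(start, end):
    return (end - start).total_seconds() / 3600


def notification_time(injects, declared):
    """Hours from simulated incident declaration to the regulatory notification decision."""
    for name, _issued, decided, _score in injects:
        if "regulatory notification" in name:
            return hours_between(declared, decided)
    return None  # the inject was never decided during the exercise


def score_drill(injects, restores, declared):
    """Build the AAR scorecard: rubric average, flagged injects, notification time, RTO misses."""
    scores = [score for *_, score in injects]
    avg = sum(scores) / len(scores)
    flagged = [name for name, _, _, score in injects if score <= FLAG_SCORE]
    notify = notification_time(injects, declared)
    rto_misses = [system for system, (tier, rto) in restores.items() if rto > TARGET_RTO_HOURS[tier]]
    return {
        "avg_score": round(avg, 2),
        "avg_meets_target": avg >= TARGET_AVG_SCORE,
        "flagged_injects": flagged,
        "notify_hours": notify,
        "notify_meets_target": notify is not None and notify <= TARGET_NOTIFY_HOURS,
        "rto_misses": rto_misses,
    }


if __name__ == "__main__":
    for key, value in score_drill(INJECTS, RESTORES, DECLARED_AT).items():
        print(f"{key}: {value}")
```

On the sample data the rubric average just meets 3.5, the extortion inject is flagged for remediation, and the Tier-1 payments restore misses its 4-hour RTO.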
A working plan for the next two quarters
MAST Consulting Group runs this Cybersecurity Advisory work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.
- Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). Without that framing, the rest becomes a documentation exercise the audit committee will not read.
- Diagnose (weeks 2–4). Walk through cyber strategy and control maturity assessment as they exist today. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
- Design (weeks 5–8). Make the contested choices early and pre-clear them with the board cyber committee. Document the rationale; Cybersecurity Advisory reviewers care more about reasoned decisions than perfect ones.
- Operate (weeks 9–12). Move evidence collection into PAM (CyberArk, BeyondTrust, Delinea) and EDR (CrowdStrike, SentinelOne, Defender). A control that depends on a separate GRC tool nobody opens will fail within two cycles.
Pitfalls we keep seeing
Across MAST Consulting Group's Cybersecurity Advisory portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: a strategy that lists capabilities but not outcomes.
- Pattern: IR plans untested against the company's actual likely scenarios.
- Pattern: identity controls that stop at email but not at admin tooling.
- Pattern: logging without a use case behind each source.
What good looks like in each case: the same control evidenced inside the workflow it governs, not separately for the audit.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Cybersecurity Advisory engagements because the integrations are cheap and the evidence is defensible. Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask:
- PAM (CyberArk, BeyondTrust, Delinea)
- EDR (CrowdStrike, SentinelOne, Defender)
- SIEM/XDR
How MAST Consulting Group can help
MAST Consulting Group runs Cybersecurity Advisory programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Cybersecurity Advisory programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Move from controls to resilience.
From Zero Trust roadmaps to SOC build/buy decisions, ransomware drills and OT segmentation — practical work led by CISOs who have run programmes at GCC banks, telcos and utilities.
- CISO-led 30-minute strategy session
- Quick-win architecture review
- Tabletop exercise design for board or exec
Prefer email? info@mastcgroup.com
Reply within one business day from a senior consultant.