
The Ransomware Defence Playbook for Indian Enterprises (2026)
An operational ransomware playbook for Indian CISOs, SOC managers, and GRC leads. Learn about RaaS kill chains, hardening controls, immutable backups, and CERT-In, RBI, and DPDP reporting timelines under pressure.
Ransomware is no longer a simple malware problem; it is a highly institutionalized corporate extortion industry. In India, the threat landscape has reached an inflection point. Driven by the proliferation of Ransomware-as-a-Service (RaaS) models, attackers are executing sophisticated campaigns targeting critical infrastructure, financial networks, healthcare systems, and tech supply chains. When an attack strikes, the technical impact of mass encryption is compounded by immediate, strict regulatory reporting deadlines: 6 hours for CERT-In, 2 to 6 hours for RBI, and 72 hours under the DPDP Rules.
For CISOs and SOC architects, defending against these adversaries requires moving past passive "anti-virus" thinking to building active resilience. If your organization lacks a written, tested incident-response runbook and an immutable backup design, you are operating under a high-risk posture. You cannot plan your recovery while your directory services are actively being deleted.
This playbook is a standalone, operational manual for Indian enterprise defenders. We map the modern ransomware attack chain to the MITRE ATT&CK framework, specify initial-access and lateral-movement controls, outline a step-by-step incident-response runbook, and chart the Indian regulatory landscape. To understand how general privacy regulations intersect with these controls, see our companion article DPDP Rules 2025: Operational Compliance Roadmap to May 2027. If you are starting your broader security journey, read our guide on Top 10 Cybersecurity Threats Facing Indian Enterprises.
The 2026 Ransomware Threat Landscape in India
Ransomware attacks in India have matured into highly specialized operations. Organizations must adapt to three main evolutions in attacker strategy:
- Ransomware-as-a-Service (RaaS): Major ransomware groups act as software developers, renting their builders, decryptors, and leak portals to specialized "affiliates." This lowered skill barrier allows rapid, concurrent campaigns.
- Double and Triple Extortion: Attackers no longer just encrypt files. In double extortion, they exfiltrate sensitive data and threaten public release. In triple extortion, they target business partners with DDoS attacks or contact customers directly to multiply the pressure.
- Industry Focus: The hardest-hit sectors in India are BFSI (due to direct financial return), Healthcare (where operational downtime threatens life), and Manufacturing/OT (where physical assembly lines can be paralyzed).
Anatomy of a Ransomware Attack
By mapping the stages of a ransomware intrusion to the MITRE ATT&CK framework, SOC teams can place specific, layered detections at each stage rather than relying on blocking the final encryption step. A typical enterprise intrusion follows this path:
| Attack Phase | MITRE ATT&CK Techniques | Primary Security Control |
|---|---|---|
| 1. Initial Access | Phishing (T1566), Exposed RDP/VPN (T1133), Public Vulnerabilities (T1190) | Phishing-resistant MFA, IP-whitelisted remote gateways, external vulnerability management. |
| 2. Execution & Persistence | Command and Scripting Interpreter (T1059), Scheduled Task (T1053) | EDR in blocking mode, restricted PowerShell execution, registry auditing rules. |
| 3. Privilege Escalation | LSASS Memory Dumping (T1003.001), Kerberoasting (T1558.003) | Credential Guard, Active Directory security baselines, PAM solutions. |
| 4. Lateral Movement | Remote Services: Remote Desktop (T1021.001), SMB/Windows Admin Shares (T1021.002) | Network micro-segmentation, unique local admin passwords (LAPS), blocking of workstation-to-workstation WMI/PsExec. |
| 5. Defense Evasion | Impair Defenses: Disable AV (T1562.001), Indicator Removal: Clear Logs (T1070) | Tamper protection on EDR, centralized forwarding of event logs to immutable SIEM repositories. |
| 6. Exfiltration | Exfiltration Over Web Service (T1567), Archive Collected Data (T1560) | Egress traffic filtering, DNS security gates, DLP monitoring of large data staging points. |
| 7. Impact | Data Encrypted for Impact (T1486), Inhibit System Recovery: Delete Backups (T1490) | Immutable air-gapped backups, canary alert triggers on Volume Shadow Copy deletions. |
Closing the Initial Access Vectors
Adversaries rarely need zero-days. Instead, they exploit the same recurring structural gaps. To secure your perimeter, focus on closing the five primary entry points:
1. Exposed Remote Access (RDP & VPN)
The Threat: Shodan searches instantly reveal open RDP (Remote Desktop) ports. Attackers target these with brute-force tools or credential logs purchased from infostealer marketplaces.
The Fix: Close all direct internet-facing RDP access. Wrap remote administrative connections inside a Zero Trust Network Access (ZTNA) gateway or VPN requiring phishing-resistant MFA. Implement strict source-IP whitelisting and lock out accounts after 5 failed attempts.
2. Unpatched External Vulnerabilities
The Threat: Edge networking devices (VPN concentrators, firewalls, and gateway load balancers) are primary targets. Attackers weaponize known CVEs within hours of public disclosure.
The Fix: Establish a dedicated external attack-surface management (EASM) cadence. Implement a strict patching schedule: critical vulnerabilities on perimeter-facing devices must be patched or mitigated within 24 to 72 hours of release. Review our dedicated guide on Vulnerability Management vs Assessment.
3. Phishing and Business Email Compromise (BEC)
The Threat: Malicious links, macro-enabled Office attachments, and weaponised PDFs bypass basic security filters, tricking employees into executing loaders (such as IcedID or Qakbot) that in turn deploy Cobalt Strike beacons.
The Fix: Implement modern email security gateways with dynamic sandboxing. Enforce macro restrictions via Active Directory GPOs, restrict script file executions (e.g., block .vbs, .js, .wsf by default on user endpoints), and run continuous phishing simulations.
4. Stolen Credentials (Infostealers)
The Threat: Non-work-related browsing on employee devices can lead to infostealer infections. Attackers harvest cached browser passwords, session cookies, and VPN profiles to log in undetected.
The Fix: Disable browser password saving via enterprise policies. Isolate personal browsing from corporate sessions at the host level, continuously monitor dark-web credential leak databases, and invalidate browser session tokens when privileged sessions end so that stolen cookies cannot be replayed.
5. Vendor & Third-Party Supply Chains
The Threat: Insufficiently isolated partner integrations (e.g., support portals or external APIs) allow compromise to propagate into internal systems.
The Fix: Restrict partner access to segmented, dedicated landing zones. Enforce MFA on all third-party integrations, audit supplier connection logs, and run supplier risk assessments. See our guide on Cloud Security and Vendor Risk for Fintechs & NBFCs.
Detecting Lateral Movement and Active Directory Abuse
Once inside, the attacker's priority shifts: they need to locate backup repositories and compromise the central identity authority, typically Active Directory (AD). They execute credential dumping (LSASS) to harvest domain-admin credentials and deploy administrative tools like WMI or PsExec to compromise adjacent servers.
To interrupt lateral movement, organizations must implement key hardening controls:
1. Break the Local Admin Chain
If every server shares the same local administrator password, compromising one endpoint compromises the entire network. Implement Microsoft LAPS (Local Administrator Password Solution) to generate unique, rotating local admin credentials across all endpoints.
2. Restrict SMB and RPC Boundaries
Block workstation-to-workstation SMB (TCP 445) with host firewall rules; a user endpoint has no legitimate reason to accept SMB connections from another user endpoint. Administrative tools should only be reachable from dedicated, hardened Privileged Access Workstations (PAWs) in their own network segment.
Hardening the Enterprise Defense Pillars
Ransomware resilience requires a shift toward **Zero Trust** security principles: assume breach, verify explicitly, and limit the blast radius. Hardening should be structured across four key pillars:
| Defense Pillar | Hardening Controls Specification |
|---|---|
| Identity Security | Enforce FIDO2 passwordless or app-based push MFA. Disable legacy authentication protocols (like NTLMv1 and Basic Auth). Implement tiered administrative access: Domain Admin accounts must never log in to standard user endpoints where they can be cached and dumped. |
| Endpoint Protection | Deploy modern Endpoint Detection & Response (EDR) or Extended Detection & Response (XDR) in blocking mode. Enable EDR tamper-protection rules to prevent local administrators or malware from disabling the sensor. Restrict local administrative privileges for standard users. |
| Network Segmentation | Isolate system zones. User networks, corporate applications, production databases, and backup interfaces must be separated by firewalls. Restrict all egress traffic from servers to the internet using strict whitelisting. Learn more in our Zero Trust Architecture Guide. |
| Detection Engineering | Build specific detection queries for administrative tools (like psexec.exe or vssadmin.exe delete shadows). Centralize security logs inside a 24×7 Managed SOC. Discover how our SOC services compare in Managed SOC vs In-House SOC. |
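The canary trigger on shadow-copy deletion from the Impact row, the PsExec/WMI lateral movement described in the previous section, and the detection queries called for in the table above can all be expressed as a small rule set over process-creation, service-install and logon telemetry. The following is an added example, not code from the original article or from any vendor product: the events, host names, user names and command lines are constructed, and the WS-/SRV- host-naming convention is an assumption. It shows per-event matches (vssadmin/wmic/bcdedit/wbadmin recovery tampering, a PsExec service drop, a network logon between two workstations) and one correlation rule (a single account fanning out network logons across many hosts).

```python
"""Detection rules for pre-encryption ransomware activity, run over constructed
Windows Security / Sysmon-style events. Added example; hosts, users and
command lines are invented, and the WS-/SRV- naming convention is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# T1490 Inhibit System Recovery: command lines that destroy local recovery points.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# T1021.002: PsExec-style tools install a service whose binary lands in ADMIN$.
PSEXEC_SERVICE = re.compile(r"psexesvc|paexec", re.I)
# Assumed naming convention: user endpoints are WS-*, servers are SRV-*.
WORKSTATION = re.compile(r"^WS-", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    host: str
    detail: str


def detect_events(events):
    """Per-event rules: shadow-copy tampering, PsExec service installs and
    workstation-to-workstation network logons (Security 4624, logon type 3)."""
    alerts = []
    for e in events:
        if e["event"] == "process_create":          # Sysmon 1 / Security 4688
            if any(p.search(e["cmdline"]) for p in RECOVERY_TAMPER):
                alerts.append(Alert("shadow_copy_tamper", "T1490", e["host"], e["cmdline"]))
        elif e["event"] == "service_install":       # System 7045 / Security 4697
            if PSEXEC_SERVICE.search(e["service_name"] + " " + e["image_path"]):
                alerts.append(Alert("psexec_service", "T1021.002", e["host"], e["image_path"]))
        elif e["event"] == "logon" and e["logon_type"] == 3:
            if WORKSTATION.match(e["host"]) and WORKSTATION.match(e["src_host"]):
                alerts.append(Alert("ws_to_ws_network_logon", "T1021.002", e["host"],
                                    f"{e['user']} from {e['src_host']}"))
    return alerts


def detect_fan_out(events, threshold=3):
    """Correlation rule: one account opening network logons to many distinct
    hosts from a single source is the signature of lateral spread."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == "logon" and e["logon_type"] == 3:
            targets[(e["user"], e["src_host"])].add(e["host"])
    return [Alert("logon_fan_out", "T1021", src, f"{user} reached {len(hosts)} hosts")
            for (user, src), hosts in targets.items() if len(hosts) >= threshold]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "SRV-FILE01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "process_create", "host": "WS-0042", "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"event": "process_create", "host": "WS-0042", "cmdline": "vssadmin.exe list shadows"},
    {"event": "service_install", "host": "SRV-DB01", "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"event": "logon", "host": "WS-0042", "src_host": "WS-0017", "user": "svc_backup", "logon_type": 3},
    {"event": "logon", "host": "SRV-FILE01", "src_host": "WS-0017", "user": "svc_backup", "logon_type": 3},
    {"event": "logon", "host": "SRV-DB01", "src_host": "WS-0017", "user": "svc_backup", "logon_type": 3},
    {"event": "logon", "host": "SRV-APP02", "src_host": "WS-0017", "user": "svc_backup", "logon_type": 3},
    {"event": "logon", "host": "SRV-AD01", "src_host": "JUMP-01", "user": "adm_ops", "logon_type": 3},
]


def run_sample():
    return detect_events(SAMPLE_EVENTS) + detect_fan_out(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.technique}] {a.rule} on {a.host}: {a.detail}")
```

On the constructed sample this raises five alerts: two recovery-tampering commands (the `vssadmin list shadows` line is benign and stays quiet), one PsExec service install, one workstation-to-workstation logon, and one fan-out alert for `svc_backup` reaching four hosts from WS-0017. The fan-out threshold is the knob to tune against your own baseline: backup and monitoring service accounts legitimately touch many hosts, so scope them by expected source host rather than whitelisting the account outright.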
Backups and Recovery: The Last Line of Defence
If prevention fails, your backups are the only shield against extortion. However, attackers know this: they spend days mapping your network specifically to locate and delete backup repositories before launching encryption. If your backup administration is joined to your primary Active Directory domain, it is vulnerable.
To ensure recovery capability, structure backups under the **3-2-1-1-0 Resilience Rule**:
The 3-2-1-1-0 Backup Rule:
- 3: Maintain at least three (3) copies of your data (one primary and two backups).
- 2: Store backups across two (2) different media types (e.g., local SSD and cloud storage).
- 1: Keep at least one (1) copy offsite (e.g., a secondary cloud region or remote datacenter).
- 1: Keep at least one (1) copy immutable or air-gapped (write-once-read-many (WORM) storage, or physically disconnected offline storage).
- 0: Verify that restores complete with zero (0) errors through automated testing campaigns.
Additionally, backup credentials must be separated. The backup admin console must use an isolated identity provider (IdP) completely separate from the primary domain. If your Active Directory is compromised, the backup portal remains locked. Define precise **Recovery Time Objectives (RTO)** and **Recovery Point Objectives (RPO)** and test complete infrastructure recovery monthly.
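The "0" in 3-2-1-1-0 only means something if restore tests actually compare restored data against what was backed up, and the other four digits are easy to claim and rarely checked. The following is an added example, not the article's own tooling or any backup product's API: it builds a SHA-256 manifest of a constructed source tree, verifies a clean and a deliberately damaged restore against it, and then evaluates two invented backup inventories against all five parts of the rule. Directory names, file contents and the copy inventories are constructed for the demonstration.

```python
"""Restore verification and 3-2-1-1-0 evaluation on a constructed backup set.
Added example; directory names, copy inventory and file contents are invented."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; taken at backup time
    and stored alongside the immutable copy, never only on the production host."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(source_manifest, restored_root):
    """The '0' in 3-2-1-1-0: compare a restored tree against the manifest.
    Returns a list of errors; an empty list means the restore is verified."""
    restored = build_manifest(restored_root)
    errors = [f"missing: {rel}" for rel in source_manifest if rel not in restored]
    errors += [f"hash mismatch: {rel}" for rel, d in source_manifest.items()
               if rel in restored and restored[rel] != d]
    errors += [f"unexpected file: {rel}" for rel in restored if rel not in source_manifest]
    return errors


def evaluate_3_2_1_1_0(copies, restore_errors):
    """copies: dicts with media, offsite and immutable flags. Returns rule
    violations; note that offsite and immutable are checked independently."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies on one media type")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable or air-gapped copy")
    if restore_errors:
        findings.append(f"{len(restore_errors)} restore errors")
    return findings


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "db").mkdir(parents=True)
        (prod / "config").mkdir()
        (prod / "db" / "ledger.sqlite").write_bytes(b"constructed ledger data " * 1000)
        (prod / "config" / "app.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(prod)

        clean = Path(tmp) / "restore_clean"
        shutil.copytree(prod, clean)
        damaged = Path(tmp) / "restore_damaged"
        shutil.copytree(prod, damaged)
        # Simulate a restore that silently truncated one file and lost another.
        (damaged / "db" / "ledger.sqlite").write_bytes(b"truncated by a failed restore")
        (damaged / "config" / "app.ini").unlink()

        clean_errors = verify_restore(manifest, clean)
        damaged_errors = verify_restore(manifest, damaged)

    resilient = [
        {"name": "primary SAN snapshot", "media": "disk", "offsite": False, "immutable": False},
        {"name": "onsite tape (offline)", "media": "tape", "offsite": False, "immutable": True},
        {"name": "object-lock bucket, other region", "media": "object-storage", "offsite": True, "immutable": True},
    ]
    weak = [
        {"name": "primary SAN snapshot", "media": "disk", "offsite": False, "immutable": False},
        {"name": "NAS share, same DC, AD-joined", "media": "disk", "offsite": False, "immutable": False},
    ]
    return {
        "clean_errors": clean_errors,
        "damaged_errors": damaged_errors,
        "resilient_findings": evaluate_3_2_1_1_0(resilient, clean_errors),
        "weak_findings": evaluate_3_2_1_1_0(weak, damaged_errors),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "weak" inventory is the common real-world shape (a snapshot plus an AD-joined NAS in the same data centre) and fails all five checks once the damaged restore is counted. In production the manifest must be written to the immutable copy at backup time, so that an attacker who has reached the backup server cannot rewrite both the data and the hashes used to verify it.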
The Incident Response Runbook
When ransomware strikes, execution speed determines the blast radius. This step-by-step incident response runbook aligns with the **NIST Incident Response Lifecycle (NIST SP 800-61)**, focusing on containing active threats and protecting forensic data:
Phase 1: Detection & Triage (The First Hour)
Validate alerts and assess severity.
- Identify indicators of mass file modification or Volume Shadow Copy deletion on endpoints.
- Locate the source account and originating host generating the modifications.
- Triage severity: is it isolated to a single server, or is it spreading laterally across the domain?
Phase 2: Containment (Hours 1-3)
Isolate systems and stop lateral spread. Crucial Forensics Directive: Isolate network connections; do not shut down systems or pull plugs, as this destroys volatile memory forensics.
- Trigger EDR host isolation for all affected systems.
- Block internal SMB traffic (Port 445) and disconnect Active Directory domain controllers from adjacent subnets.
- Revoke administrative credentials and disable active VPN/ZTNA gateway access keys.
Phase 3: Eradication & Recovery (Hours 3-24)
Clean assets and rebuild services safely.
- Identify the initial entry vector (e.g., unpatched edge VPN) and block/close it.
- Scan all backup repositories for indicators of compromise before starting restores.
- Rebuild Active Directory from clean, offline system-state backups. Do not restore infected hosts directly.
Having an experienced Incident Response team on retainer ensures that forensics, containment, and system recovery are handled in parallel. If you need to establish a structured responder pipeline, read our SOC Incident Management Guide.
Indian Regulatory Reporting Obligations
For Indian enterprises, managing the technical response is only half the battle. Under Indian law, fiduciaries must comply with strict, concurrent reporting deadlines to various regulators. The table below outlines the regulatory requirements in case of a ransomware incident:
| Regulator | Reporting Window | Key Mandate & Details | Non-Compliance Penalty |
|---|---|---|---|
| CERT-In (National Cyber Security Agency) | Within 6 Hours | Mandatory reporting of ransomware incidents from the moment of awareness (e.g., initial SIEM alert or user notification) under the Directions of 28 April 2022. Forward reports to [email protected]. Clocks must be synced with NIC/NPL NTP servers, and logs must be stored within India for 180 days. | Up to 1 year imprisonment and/or ₹1 lakh fine (IT Act Sec 70B(7)). Proposed to rise to ₹1 crore. |
| Reserve Bank of India (RBI) | Within 2 to 6 Hours | Applicable to Scheduled Commercial Banks, Upper Layer NBFCs, and Payment Operators. Parallel reporting of any cyber incident causing service disruptions or data breach to the RBI portal. For banking networks, refer to our RBI CISO Implementation Guide. | Supervisory review, operational restrictions, or direct financial penalties. |
| Data Protection Board of India (DPB) | Within 72 Hours | Triggered if personal data (PII) of Indian residents is exposed or exfiltrated during double-extortion. Requires detailed notification to the DPB and affected Data Principals under the DPDP Rules 2025. | Fines up to ₹250 crore for lapses in security safeguards (DPDP Act). |
| SEBI & Insurers (IRDAI) | Prompt / Within 24 Hours | Listed companies must disclose material cyber incidents under SEBI LODR rules within 24 hours of confirmation. Insurers must report breaches to IRDAI. | Regulatory warnings, listings penalties, or stock exchange audit reviews. |
To Pay or Not to Pay: The Extortion Dilemma
When operations are down and recovery is slow, boards often face the pressure to pay the ransom. However, cybersecurity and regulatory authorities strongly discourage payment due to three critical factors:
- No Decryption Guarantee: Decryptor tools provided by attackers are notoriously slow and buggy, often corrupting large databases during the recovery process. Industry statistics show that organizations recover only a portion of their data post-payment.
- Repeat-Targeting Risks: Paying a ransom flags your organization as a cooperative target. Ransomware affiliates regularly re-sell access to the same network, leading to secondary intrusions within months.
- Legal and Sanctions Risks: Transferring money to designated threat actor groups (many associated with sanctioned organizations) can expose your board to legal liability and financial regulatory penalties. Under Indian law, payment may itself violate reporting and foreign exchange guidelines.
Ultimately, ransom payment is a complex board-level legal decision, not a technical recovery strategy. Organizations must involve qualified legal counsel and law enforcement agencies at the outset of any ransomware crisis.
Your 90-Day Ransomware Resilience Roadmap
Achieving ransomware resilience is a phased process. Use this prioritized checklist to guide your team's execution over the next 90 days:
Days 1-30: Identify & Secure Backups
Focus on protecting your recovery capability.
- Audit all backup repositories and enforce strict immutability rules.
- Separate backup administrative credentials from the primary Active Directory domain.
- Run a full restore test of your Active Directory and core transaction databases.
Days 31-60: Secure Identity & Perimeter
Harden key access controls to reduce the entry surface.
- Enforce MFA across all external access portals, VPNs, and email accounts.
- Shut down open external RDP connections and implement a ZTNA gateway.
- Deploy unique administrative passwords using Microsoft LAPS or a PAM tool.
Days 61-75: Deploy EDR & Centralize Logs
Establish baseline detection capabilities.
- Ensure 100% EDR/XDR deployment across all server nodes and endpoints.
- Configure SIEM retention so that security and access logs are kept for 180 days on infrastructure located in India, as the CERT-In Directions require.
- Synchronize system clocks with the official NIC/NPL NTP servers.
Days 76-90: Runbook Testing & Retainer
Train stakeholders and prepare response channels.
- Finalize the incident-response runbook and draft CERT-In notification templates.
- Run a ransomware crisis tabletop simulation involving executives, GRC, and PR.
- Secure a digital forensics and incident response (DFIR) retainer.
How Adayptus Helps
Building ransomware resilience requires deep-dive expertise across threat hunting, infrastructure hardening, and GRC strategy. At **Adayptus**, our security consultants work alongside your teams to implement end-to-end defenses:
- Ransomware Readiness Assessments: We evaluate your backup strategies, Active Directory security posture, network segmentation, and EDR controls against real-world threat indicators.
- 24/7 Managed SOC & MDR: Our analysts monitor your endpoints, cloud systems, and directories around the clock, detecting and isolating ransomware activity before encryption can begin.
- DFIR & Incident Response Retainer: Get immediate access to certified threat responders to isolate hosts, preserve log evidence, and coordinate regulatory reports under pressure.
- Executive Tabletop Simulations: We design custom ransomware scenarios to train your leadership, IT, legal, and PR teams on managing high-stress decisions.
Secure Your Infrastructure with Adayptus
Do not wait for an alert to test your resilience. Contact our threat consultants today to evaluate your backup postures, establish incident response readiness, and secure your systems.
Frequently Asked Questions
Q What is the CERT-In ransomware reporting deadline for Indian businesses?
Under the CERT-In Directions of April 2022, organizations must report ransomware attacks within 6 hours of becoming aware of the incident. Reports should be sent to [email protected].
Q What are the log retention requirements under CERT-In guidelines?
Organizations are required to maintain all ICT system logs for a rolling period of 180 days. These logs must be stored within India and made available to CERT-In upon request during incident investigations.
Q Should we shut down servers immediately during a ransomware attack?
No. Shutting down or pulling the power cord destroys volatile memory (RAM) where active threat processes, cached encryption keys, and lateral movement traces reside. Instead, isolate systems at the network layer (e.g., using EDR host-isolation, blocking port 445, or unplugging network cables) to contain the spread while preserving forensic evidence.
Q What is an immutable backup?
An immutable backup is stored using write-once-read-many (WORM) parameters, preventing the files from being modified, overwritten, or deleted by any user (including administrators) for a fixed retention duration. This protects backups from active ransomware processes that attempt to delete historical recovery points.
Q What are the penalties for not reporting a ransomware attack to CERT-In?
Under Section 70B(7) of the IT Act, 2000, failing to report a mandatory cyber security incident like ransomware can lead to penalties including imprisonment up to 1 year, a fine up to ₹1 lakh, or both. Legal amendments have proposed raising the statutory fine thresholds significantly for corporate entities.
Q Why is paying a ransom discouraged?
Paying a ransom does not guarantee successful recovery of files, as decryptor tools regularly fail. It funds criminal infrastructure and exposes the company to secondary attacks, as they are categorized as willing payers. Additionally, transferring funds to threat actors can violate national security sanctions and legal frameworks.
Peyush Baranwal
Principal Incident Response Consultant & SOC Architect
Peyush Baranwal is a principal incident response consultant and SOC architect at Adayptus, specializing in threat hunting, Active Directory security, and regulatory compliance for enterprise networks.


