
The Ransomware Defence Playbook for Indian Enterprises (2026)

Peyush Baranwal
June 22, 2026

An operational ransomware playbook for Indian CISOs, SOC managers, and GRC leads. Learn about RaaS kill chains, hardening controls, immutable backups, and CERT-In, RBI, and DPDP reporting timelines under pressure.

Ransomware is no longer a simple malware problem; it is a highly institutionalized corporate extortion industry. In India, the threat landscape has reached an inflection point. Driven by the proliferation of Ransomware-as-a-Service (RaaS) models, attackers are executing sophisticated campaigns targeting critical infrastructure, financial networks, healthcare systems, and tech supply chains. When an attack strikes, the technical impact of mass encryption is compounded by immediate, strict regulatory reporting deadlines: 6 hours for CERT-In, 2 to 6 hours for RBI, and 72 hours under the DPDP Rules.

For CISOs and SOC architects, defending against these adversaries requires moving past passive "anti-virus" thinking to building active resilience. If your organization lacks a written, tested incident-response runbook and an immutable backup design, you are operating under a high-risk posture. You cannot plan your recovery while your directory services are actively being deleted.

This playbook is a standalone, operational manual for Indian enterprise defenders. We map the modern ransomware attack chain to the MITRE ATT&CK framework, specify initial-access and lateral-movement controls, outline a step-by-step incident-response runbook, and chart the Indian regulatory landscape. To understand how general privacy regulations intersect with these controls, see our companion article DPDP Rules 2025: Operational Compliance Roadmap to May 2027. If you are starting your broader security journey, read our guide on Top 10 Cybersecurity Threats Facing Indian Enterprises.

Key figures at a glance:

  • 6 Hours: CERT-In reporting deadline
  • 3-2-1-1-0: Resilience backup rule
  • 180 Days: Mandatory system log retention
  • Double Extortion: Encrypt + exfiltrate

The 2026 Ransomware Threat Landscape in India

Ransomware attacks in India have matured into highly specialized operations. Organizations must adapt to three main evolutions in attacker strategy:

  • Ransomware-as-a-Service (RaaS): Major ransomware groups act as software developers, renting their builders, decryptors, and leak portals to specialized "affiliates." This lowered skill barrier allows rapid, concurrent campaigns.
  • Double and Triple Extortion: Attackers no longer just encrypt files. In double extortion, they exfiltrate sensitive data and threaten public release. In triple extortion, they target business partners with DDoS attacks or contact customers directly to multiply the pressure.
  • Industry Focus: The hardest-hit sectors in India are BFSI (due to direct financial return), Healthcare (where operational downtime threatens life), and Manufacturing/OT (where physical assembly lines can be paralyzed).

Anatomy of a Ransomware Attack

By mapping the stages of a ransomware intrusion to the MITRE ATT&CK framework, SOC teams can implement specific, layered detection and prevention controls at every stage rather than trying to block only the final encryption step. A typical enterprise intrusion follows this path:

| Attack Phase | MITRE ATT&CK Techniques | Primary Security Control |
|---|---|---|
| 1. Initial Access | Phishing (T1566), Exposed RDP/VPN (T1133), Public Vulnerabilities (T1190) | Phishing-resistant MFA, IP-whitelisted remote gateways, external vulnerability management |
| 2. Execution & Persistence | Command and Scripting Interpreter (T1059), Scheduled Task (T1053) | EDR in blocking mode, restricted PowerShell execution, registry auditing rules |
| 3. Privilege Escalation | LSASS Memory Dumping (T1003.001), Kerberoasting (T1558.003) | Credential Guard, Active Directory security baselines, PAM solutions |
| 4. Lateral Movement | Remote Services: Remote Desktop (T1021.001), SMB/Windows Admin Shares (T1021.002) | Network micro-segmentation, local admin password isolation (LAPS), disabled lateral WMI/PsExec |
| 5. Defense Evasion | Impair Defenses: Disable AV (T1562.001), Indicator Removal: Clear Logs (T1070) | Tamper protection on EDR, centralized forwarding of event logs to immutable SIEM repositories |
| 6. Exfiltration | Exfiltration Over Web Service (T1567), Data Encrypted before Exfil (T1022) | Egress traffic filtering, DNS security gates, DLP monitoring of large data staging points |
| 7. Impact | Data Encrypted for Impact (T1486), Inhibit System Recovery: Delete Backups (T1490) | Immutable air-gapped backups, canary alert triggers on Volume Shadow Copy deletions |

Closing the Initial Access Vectors

Adversaries rarely use zero-days. Instead, they exploit the same structural gaps. To secure your perimeter, focus on closing the five primary entry points:

1. Exposed Remote Access (RDP & VPN)

The Threat: Shodan searches instantly reveal open RDP (Remote Desktop) ports. Attackers target these with brute-force tools or credential logs purchased from infostealer marketplaces.

The Fix: Close all direct internet-facing RDP access. Wrap remote administrative connections inside a Zero Trust Network Access (ZTNA) gateway or VPN requiring phishing-resistant MFA. Implement strict source-IP whitelisting and lock out accounts after 5 failed attempts.

2. Unpatched External Vulnerabilities

The Threat: Edge networking devices (VPN concentrators, firewalls, and gateway load balancers) are primary targets. Attackers weaponize known CVEs within hours of public disclosure.

The Fix: Establish a dedicated external attack-surface management (EASM) cadence. Implement a strict patching schedule: critical vulnerabilities on perimeter-facing devices must be patched or mitigated within 24 to 72 hours of release. Review our dedicated guide on Vulnerability Management vs Assessment.

3. Phishing and Business Email Compromise (BEC)

The Threat: Malicious links, weaponized PDFs, and macro-enabled Office attachments bypass basic security filters, tricking employees into executing loader scripts (like IcedID or Qakbot) that deploy Cobalt Strike beacons.

The Fix: Implement modern email security gateways with dynamic sandboxing. Enforce macro restrictions via Active Directory GPOs, restrict script file executions (e.g., block .vbs, .js, .wsf by default on user endpoints), and run continuous phishing simulations.

4. Stolen Credentials (Infostealers)

The Threat: Non-work-related browsing on employee devices can lead to infostealer infections. Attackers harvest cached browser passwords, session cookies, and VPN profiles to log in undetected.

The Fix: Disable browser password saving via enterprise policies. Implement host-level isolation, continuously scan dark-web credential leak databases, and require browser-session token invalidation upon administrative logout.

5. Vendor & Third-Party Supply Chains

The Threat: Insufficiently isolated partner integrations (e.g., support portals or external APIs) allow compromise to propagate into internal systems.

The Fix: Restrict partner access to segmented, dedicated landing zones. Enforce MFA on all third-party integrations, audit supplier connection logs, and run supplier risk assessments. See our guide on Cloud Security and Vendor Risk for Fintechs & NBFCs.

Detecting Lateral Movement and Active Directory Abuse

Once inside, the attacker's priority shifts: they need to locate backup repositories and compromise the central identity authority, typically Active Directory (AD). They execute credential dumping (LSASS) to harvest domain-admin credentials and deploy administrative tools like WMI or PsExec to compromise adjacent servers.

To interrupt lateral movement, organizations must implement key hardening controls:

1. Break the Local Admin Chain

If every server shares the same local administrator password, compromising one endpoint compromises the entire network. Implement Microsoft LAPS (Local Administrator Password Solution) to generate unique, rotating local admin credentials across all endpoints.

2. Restrict SMB and RPC Boundaries

Disable lateral SMB (Port 445) communication between user workstations. Administrative tools should only be accessible from dedicated, highly secured Privileged Access Workstations (PAWs) with strict network segmentation.

Hardening the Enterprise Defense Pillars

Ransomware resilience requires a shift toward **Zero Trust** security principles: assume breach, verify explicitly, and limit the blast radius. Hardening should be structured across four key pillars:

| Defense Pillar | Hardening Controls Specification |
|---|---|
| Identity Security | Enforce FIDO2 passwordless or app-based push MFA. Disable legacy authentication protocols (like NTLMv1 and Basic Auth). Implement tiered administrative access: Domain Admin accounts must never log in to standard user endpoints where they can be cached and dumped. |
| Endpoint Protection | Deploy modern Endpoint Detection & Response (EDR) or Extended Detection & Response (XDR) in blocking mode. Enable EDR tamper-protection rules to prevent local administrators or malware from disabling the sensor. Restrict local administrative privileges for standard users. |
| Network Segmentation | Isolate system zones. User networks, corporate applications, production databases, and backup interfaces must be separated by firewalls. Restrict all egress traffic from servers to the internet using strict whitelisting. Learn more in our Zero Trust Architecture Guide. |
| Detection Engineering | Build specific detection queries for administrative tools (like psexec.exe or vssadmin.exe delete shadows). Centralize security logs inside a 24×7 Managed SOC. Discover how our SOC services compare in Managed SOC vs In-House SOC. |
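As an added example (not code from the original playbook or from Adayptus), the following Python runs the kind of detection queries the Detection Engineering pillar and the Impact row of the attack-chain table call for: it matches process-creation events against command-line rules for shadow-copy and backup-catalog deletion (T1490) and PsExec use (T1021.002), and treats any T1490 hit as the canary that should trigger host isolation. The events are constructed, and the field names of the normalised SIEM record are assumptions.

```python
import re
from collections import Counter

# Constructed sample events in the shape a SIEM might hold after normalising
# Windows Security 4688 / Sysmon EventID 1 records (field names are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2026-06-22T02:14:05+05:30", "host": "FIN-DB01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-06-22T02:14:09+05:30", "host": "FIN-DB01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2026-06-22T02:15:30+05:30", "host": "HR-WS17", "user": "CORP\\jsmith",
     "image": "C:\\Temp\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\FIN-DB02 -s cmd.exe"},
    {"ts": "2026-06-22T03:00:00+05:30", "host": "BKP-ADM01", "user": "BKP\\operator",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing, not deleting
]

# Each rule: name, ATT&CK technique (as in the playbook table), image regex, command-line regex.
RULES = [
    ("Shadow copy deletion via vssadmin", "T1490", r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("Shadow copy deletion via WMI",      "T1490", r"\\wmic\.exe$",     r"\bshadowcopy\s+delete\b"),
    ("Backup catalog deletion",           "T1490", r"\\wbadmin\.exe$",  r"\bdelete\s+catalog\b"),
    ("Remote execution via PsExec",       "T1021.002", r"\\(psexec|psexec64|psexesvc)\.exe$", r"."),
]

SEVERITY = {"T1490": "critical", "T1021.002": "high"}


def match_event(event):
    """Return the alerts raised by one process-creation event (empty list if none)."""
    alerts = []
    for name, technique, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"], re.IGNORECASE) and \
           re.search(cmd_re, event["cmdline"], re.IGNORECASE):
            alerts.append({"rule": name, "technique": technique, "severity": SEVERITY[technique],
                           "host": event["host"], "user": event["user"], "ts": event["ts"]})
    return alerts


def scan(events):
    """Run all rules over a batch of events; returns alerts, per-host technique counts,
    and the hosts where recovery is being inhibited (the playbook's canary for isolation)."""
    alerts = [a for e in events for a in match_event(e)]
    per_host = Counter((a["host"], a["technique"]) for a in alerts)
    isolate = sorted({a["host"] for a in alerts if a["technique"] == "T1490"})
    return {"alerts": alerts, "per_host": dict(per_host), "isolate_now": isolate}


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f'{a["ts"]} {a["severity"]:8} {a["host"]:10} {a["user"]:18} {a["rule"]} ({a["technique"]})')
    print("Isolate now:", result["isolate_now"])
```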

Backups and Recovery: The Last Line of Defence

If prevention fails, your backups are the only shield against extortion. However, attackers know this: they spend days mapping your network specifically to locate and delete backup repositories before launching encryption. If your backup administration is joined to your primary Active Directory domain, it is vulnerable.

To ensure recovery capability, structure backups under the **3-2-1-1-0 Resilience Rule**:

🛡 The 3-2-1-1-0 Backup Rule:

  • 3 Maintain at least three (3) copies of your data (one primary and two backups).
  • 2 Store backups across two (2) different media types (e.g., local SSD and cloud storage).
  • 1 Keep at least one (1) copy offsite (e.g., a secondary cloud region or remote datacenter).
  • 1 Keep at least one (1) copy immutable or air-gapped (write-once-read-many (WORM) storage, or physically disconnected offline storage).
  • 0 Verify that restores complete with zero (0) errors through automated testing campaigns.

Additionally, backup credentials must be separated. The backup admin console must use an isolated identity provider (IdP) completely separate from the primary domain. If your Active Directory is compromised, the backup portal remains locked. Define precise **Recovery Time Objectives (RTO)** and **Recovery Point Objectives (RPO)** and test complete infrastructure recovery monthly.
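As an added example (not part of the original playbook), this Python audit script scores a backup inventory against each element of the 3-2-1-1-0 rule above and against the requirement that the backup admin identity live outside the primary domain. The inventory and its field names are constructed for illustration; the failing checks it reports are the two gaps deliberately built into the sample.

```python
PRIMARY_DOMAIN = "CORP"   # the production Active Directory domain (assumed name)

# Constructed inventory of the production copy plus backup copies. Field names are assumptions;
# "restore_errors" is the error count from the last automated restore test (None = not a backup).
SAMPLE_INVENTORY = [
    {"name": "prod-san",   "role": "primary", "media": "san",    "offsite": False, "immutable": False,
     "admin_domain": "CORP",    "restore_errors": None},
    {"name": "local-nas",  "role": "backup",  "media": "nas",    "offsite": False, "immutable": False,
     "admin_domain": "CORP",    "restore_errors": 0},
    {"name": "cloud-worm", "role": "backup",  "media": "object", "offsite": True,  "immutable": True,
     "admin_domain": "BKP-IDP", "restore_errors": 2},
]


def evaluate_3_2_1_1_0(inventory, primary_domain=PRIMARY_DOMAIN):
    """Check an inventory against 3-2-1-1-0 and the backup-credential separation requirement.

    Returns every check with its pass/fail state and evidence, plus the list of failed checks."""
    backups = [c for c in inventory if c["role"] == "backup"]
    media = sorted({c["media"] for c in inventory})
    offsite = [c["name"] for c in inventory if c["offsite"]]
    immutable = [c["name"] for c in inventory if c["immutable"]]
    untested = [c["name"] for c in backups if c["restore_errors"] != 0]
    on_primary = [c["name"] for c in backups if c["admin_domain"].upper() == primary_domain.upper()]
    checks = {
        "3 copies (1 primary + 2 backups)": (len(inventory) >= 3 and len(backups) >= 2,
                                             f"{len(inventory)} copies, {len(backups)} backups"),
        "2 media types": (len(media) >= 2, f"media: {media}"),
        "1 offsite copy": (bool(offsite), f"offsite: {offsite}"),
        "1 immutable or air-gapped copy": (bool(immutable), f"immutable: {immutable}"),
        "0 restore errors on every backup": (not untested, f"failing or untested: {untested}"),
        "backup admin identity off the primary domain": (not on_primary,
                                                         f"joined to {primary_domain}: {on_primary}"),
    }
    failed = [name for name, (ok, _) in checks.items() if not ok]
    return {"checks": checks, "failed": failed, "compliant": not failed}


if __name__ == "__main__":
    for name, (ok, evidence) in evaluate_3_2_1_1_0(SAMPLE_INVENTORY)["checks"].items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {evidence}")
```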

The Incident Response Runbook

When ransomware strikes, execution speed determines the blast radius. This step-by-step incident response runbook aligns with the **NIST Incident Response Lifecycle (NIST SP 800-61)**, focusing on containing active threats and protecting forensic data:

Phase 1: Detection & Triage (The First Hour)

Validate alerts and assess severity.

  • ☐ Identify indicators of mass file modification or Volume Shadow Copy deletion on endpoints.
  • ☐ Locate the source account and originating host generating the modifications.
  • ☐ Triage severity: is it isolated to a single server, or is it spreading laterally across the domain?
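As an added example (not code from the original playbook), the following Python works through the three Phase 1 steps over constructed file-modification telemetry: a sliding-window count flags a burst of writes by one account on one host, the first burst gives the originating account and host, and the number of hosts the same account is bursting on decides whether the activity is isolated or spreading. The window, threshold, host names and record layout are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding observation window (assumption)
THRESHOLD = 30                   # writes by one account on one host within WINDOW (assumption)


def build_sample_log():
    """Constructed telemetry: one account bulk-rewriting files on two file servers, plus a normal user.

    Each event is (timestamp, host, account, path); times are IST."""
    base = datetime.fromisoformat("2026-06-22T02:20:00+05:30")
    events = []
    for i in range(40):   # 40 writes in 20 s on the first file server
        events.append((base + timedelta(seconds=i / 2), "FIN-FS01", "CORP\\svc_backup",
                       f"\\\\FIN-FS01\\finance\\q1\\doc{i:03}.xlsx.locked"))
    for i in range(35):   # the same account on a second server 90 s later: lateral spread
        events.append((base + timedelta(seconds=90 + i / 2), "FIN-FS02", "CORP\\svc_backup",
                       f"\\\\FIN-FS02\\hr\\payroll{i:03}.docx.locked"))
    for i in range(5):    # benign: a user saving a few documents over five minutes
        events.append((base + timedelta(minutes=i), "HR-WS17", "CORP\\jsmith",
                       f"C:\\Users\\jsmith\\Documents\\notes{i}.docx"))
    return sorted(events)


def detect_mass_modification(events):
    """Return {(host, account): time_threshold_crossed} for write bursts exceeding THRESHOLD inside WINDOW."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, host, account, _path in sorted(events):
        key = (host, account)
        window = recent[key]
        window.append(ts)
        while ts - window[0] > WINDOW:      # drop writes that have aged out of the window
            window.popleft()
        if len(window) >= THRESHOLD and key not in flagged:
            flagged[key] = ts
    return flagged


def triage(events):
    """Phase 1 output: originating account and host per burst, and whether it is spreading."""
    flagged = detect_mass_modification(events)
    by_account = defaultdict(list)
    for (host, account), first_seen in sorted(flagged.items(), key=lambda kv: kv[1]):
        by_account[account].append(host)   # hosts in the order the bursts were seen
    return [{"account": account, "origin": hosts[0], "hosts": hosts,
             "scope": "spreading laterally" if len(hosts) > 1 else "isolated to one host"}
            for account, hosts in by_account.items()]


if __name__ == "__main__":
    for finding in triage(build_sample_log()):
        print(finding)
```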

Phase 2: Containment (Hours 1–3)

Isolate systems and stop lateral spread. Crucial Forensics Directive: Isolate network connections; do not shut down systems or pull plugs, as this destroys volatile memory forensics.

  • ☐ Trigger EDR host isolation for all affected systems.
  • ☐ Block internal SMB traffic (Port 445) and disconnect Active Directory domain controllers from adjacent subnets.
  • ☐ Revoke administrative credentials and disable active VPN/ZTNA gateway access keys.

Phase 3: Eradication & Recovery (Hours 3–24)

Clean assets and rebuild services safely.

  • ☐ Identify the initial entry vector (e.g., unpatched edge VPN) and block/close it.
  • ☐ Scan all backup repositories for indicators of compromise before starting restores.
  • ☐ Rebuild Active Directory from clean, offline system-state backups. Do not restore infected hosts directly.

Having an experienced Incident Response team on retainer ensures that forensics, containment, and system recovery are handled in parallel. If you need to establish a structured responder pipeline, read our SOC Incident Management Guide.

Indian Regulatory Reporting Obligations

For Indian enterprises, managing the technical response is only half the battle. Under Indian law, fiduciaries must comply with strict, concurrent reporting deadlines to various regulators. The table below outlines the regulatory requirements in case of a ransomware incident:

| Regulator | Reporting Window | Key Mandate & Details | Non-Compliance Penalty |
|---|---|---|---|
| CERT-In (National Cyber Security Agency) | Within 6 Hours | Mandatory reporting of ransomware incidents from the moment of awareness (e.g., initial SIEM alert or user notification) under the Directions of 28 April 2022. Forward reports to [email protected]. Clocks must be synced with NIC/NPL NTP servers, and logs must be stored within India for 180 days. | Up to 1 year imprisonment and/or ₹1 lakh fine (IT Act Sec 70B(7)). Proposed to rise to ₹1 crore. |
| Reserve Bank of India (RBI) | Within 2 to 6 Hours | Applicable to Scheduled Commercial Banks, Upper Layer NBFCs, and Payment Operators. Parallel reporting of any cyber incident causing service disruptions or data breach to the RBI portal. For banking networks, refer to our RBI CISO Implementation Guide. | Supervisory review, operational restrictions, or direct financial penalties. |
| Data Protection Board of India (DPB) | Within 72 Hours | Triggered if personal data (PII) of Indian residents is exposed or exfiltrated during double-extortion. Requires detailed notification to the DPB and affected Data Principals under the DPDP Rules 2025. | Fines up to ₹250 crore for lapses in security safeguards (DPDP Act). |
| SEBI & Insurers (IRDAI) | Prompt / Within 24 Hours | Listed companies must disclose material cyber incidents under SEBI LODR rules within 24 hours of confirmation. Insurers must report breaches to IRDAI. | Regulatory warnings, listings penalties, or stock exchange audit reviews. |

To Pay or Not to Pay: The Extortion Dilemma

When operations are down and recovery is slow, boards often face the pressure to pay the ransom. However, cybersecurity and regulatory authorities strongly discourage payment due to three critical factors:

  • No Decryption Guarantee: Decryptor tools provided by attackers are notoriously slow and buggy, often corrupting large databases during the recovery process. Industry statistics show that organizations recover only a portion of their data post-payment.
  • Repeat-Targeting Risks: Paying a ransom flags your organization as a cooperative target. Ransomware affiliates regularly re-sell access to the same network, leading to secondary intrusions within months.
  • Legal and Sanctions Risks: Transferring money to designated threat actor groups (many associated with sanctioned organizations) can expose your board to legal liability and financial regulatory penalties. Under Indian law, payment may itself violate reporting and foreign exchange guidelines.

Ultimately, ransom payment is a complex board-level legal decision, not a technical recovery strategy. Organizations must involve qualified legal counsel and law enforcement agencies at the outset of any ransomware crisis.

Your 90-Day Ransomware Resilience Roadmap

Achieving ransomware resilience is a phased process. Use this prioritized checklist to guide your team's execution over the next 90 days:

Days 1–30: Identify & Secure Backups

Focus on protecting your recovery capability.

  • ☐ Audit all backup repositories and enforce strict immutability rules.
  • ☐ Separate backup administrative credentials from the primary Active Directory domain.
  • ☐ Run a full restore test of your Active Directory and core transaction databases.

Days 31–60: Secure Identity & Perimeter

Harden key access controls to reduce the entry surface.

  • ☐ Enforce MFA across all external access portals, VPNs, and email accounts.
  • ☐ Shut down open external RDP connections and implement a ZTNA gateway.
  • ☐ Deploy unique administrative passwords using Microsoft LAPS or a PAM tool.

Days 61–75: Deploy EDR & Centralize Logs

Establish baseline detection capabilities.

  • ☐ Ensure 100% EDR/XDR deployment across all server nodes and endpoints.
  • ☐ Configure SIEM ingestion rules to retain security and access logs for 180 days within India.
  • ☐ Synchronize system clocks with official NIC/NPL NTP servers.

Days 76–90: Runbook Testing & Retainer

Train stakeholders and prepare response channels.

  • ☐ Finalize the incident-response runbook and draft CERT-In notification templates.
  • ☐ Run a ransomware crisis tabletop simulation involving executives, GRC, and PR.
  • ☐ Secure a digital forensics and incident response (DFIR) retainer.

How Adayptus Helps

Building ransomware resilience requires deep-dive expertise across threat hunting, infrastructure hardening, and GRC strategy. At **Adayptus**, our security consultants work alongside your teams to implement end-to-end defenses:

Secure Your Infrastructure with Adayptus

Do not wait for an alert to test your resilience. Contact our threat consultants today to evaluate your backup postures, establish incident response readiness, and secure your systems.

Frequently Asked Questions


Q: What is the CERT-In ransomware reporting deadline for Indian businesses?

Under the CERT-In Directions of April 2022, organizations must report ransomware attacks within 6 hours of becoming aware of the incident. Reports should be sent to [email protected].

Q: What are the log retention requirements under CERT-In guidelines?

Organizations are required to maintain all ICT system logs for a rolling period of 180 days. These logs must be stored within India and made available to CERT-In upon request during incident investigations.

Q: Should we shut down servers immediately during a ransomware attack?

No. Shutting down or pulling the power cord destroys volatile memory (RAM) where active threat processes, cached encryption keys, and lateral movement traces reside. Instead, isolate systems at the network layer (e.g., using EDR host-isolation, blocking port 445, or unplugging network cables) to contain the spread while preserving forensic evidence.

Q: What is an immutable backup?

An immutable backup is stored using write-once-read-many (WORM) parameters, preventing the files from being modified, overwritten, or deleted by any user (including administrators) for a fixed retention duration. This protects backups from active ransomware processes that attempt to delete historical recovery points.

Q: What are the penalties for not reporting a ransomware attack to CERT-In?

Under Section 70B(7) of the IT Act, 2000, failing to report a mandatory cyber security incident like ransomware can lead to penalties including imprisonment up to 1 year, a fine up to β‚Ή1 lakh, or both. Legal amendments have proposed raising the statutory fine thresholds significantly for corporate entities.

Q: Why is paying a ransom discouraged?

Paying a ransom does not guarantee successful recovery of files, as decryptor tools regularly fail. It funds criminal infrastructure and exposes the company to secondary attacks, as they are categorized as willing payers. Additionally, transferring funds to threat actors can violate national security sanctions and legal frameworks.

Disclaimer: This playbook provides operational guidance for ransomware defence and response as of June 2026. It is intended for educational purposes and does not constitute formal legal advice. During an active incident, immediately contact legal counsel, executive leadership, and local law enforcement.

Peyush Baranwal

Principal Incident Response Consultant & SOC Architect

Peyush Baranwal is a principal incident response consultant and SOC architect at Adayptus, specializing in threat hunting, Active Directory security, and regulatory compliance for enterprise networks.
