

Ransomware Response Playbook for Indian Organizations

Indian organisations are now a primary target for Akira, LockBit affiliates, BlackByte, Royal, BlackSuit, Medusa and a long tail of smaller groups. The first 4 hours after a ransomware detection decide whether the business is back online in days or weeks. Here is the playbook our IR team uses, sequenced for the time pressure of a real incident.

Published 23 May 2026 | 9 min read | Codesecure IR Team | Incident Response

Key Takeaways

  • The first 4 hours decide most outcomes: isolate, preserve, classify, notify, then stand up the war room. Skipping any of these compresses options later.
  • Do not pay if you can avoid it. Payment funds future attacks, has variable decryption success, may breach sanctions law in some jurisdictions, and does not guarantee data destruction. Still, payment decisions belong with the Board and Legal, not the SOC.
  • Backup integrity is the single most consequential variable. Restorable, offline, recent backups change the outcome. Untested backups are a hope, not a control.
  • Forensic preservation matters for insurance claims, regulatory reporting, post-incident lessons, and law enforcement engagement. Wiping and rebuilding too fast destroys evidence.
  • Indian regulatory clock: CERT-In within 6 hours, RBI per the framework, DPDP if personal data is involved, sector regulators per their rules. Parallel tracking is mandatory.

The First 4 Hours: Triage and Isolation

The window between detection and full encryption of additional assets is typically 1 to 6 hours, depending on attacker tooling and your network segmentation. Every minute of delay in isolation is an additional encrypted host. The first 4 hours follow a fixed sequence.

  • 0 to 30 min: confirm detection (rule out false positive), identify initial compromised host(s), declare ransomware incident through the IRP
  • 30 to 60 min: isolate at network level (disable switch ports, ACL drops, VPN cutoff for affected segments), disable affected user accounts at the IdP, pause scheduled tasks that could carry the damage further (especially backup jobs writing to the affected segment)
  • 1 to 2 hr: stand up the war room (technical lead, IR lead, legal, comms, executive sponsor on the bridge), engage external IR retainer if held, alert cyber insurer
  • 2 to 3 hr: scope assessment (how many hosts affected, what data classes are in scope, ransom note content, indicators of attacker identity), preserve evidence (memory dumps from key affected hosts, disk images where possible without delaying containment)
  • 3 to 4 hr: file initial CERT-In notification (the 6-hour clock is hard), notify RBI / SEBI / IRDAI as applicable, draft customer holding statement, brief the Board

The Pay vs Restore Debate

Public guidance from FBI, CISA, NCSC UK, ENISA, and increasingly RBI and CERT-In is consistent: do not pay if you can avoid it. Reasons: payment funds the criminal ecosystem, fuels future attacks against you and others, may violate sanctions law (OFAC has sanctioned several ransomware operators and intermediaries), provides no guarantee of decryption (recovery rate even after payment is variable, typically 50 to 80 percent), and does not prevent data leak even when files are decrypted (double extortion is the norm).

And yet, real-world payment decisions are nuanced. If the business is critical-infrastructure dependent (hospitals, ports, energy), if backups are confirmed unrecoverable, if the encrypted data includes irreplaceable customer-affecting records, the calculus shifts. Codesecure's position aligns with the regulatory guidance: avoid payment if possible, and if payment is being considered, it is a Board + Legal + External Counsel + Insurance decision, never a SOC decision. The IRP must reflect this escalation explicitly.

If payment proceeds, the practical mechanics matter: sanctions screening of the wallet address, legal counsel review of jurisdiction-specific obligations, insurance coverage confirmation, payment via a specialist intermediary (not a direct wire to an unknown wallet), and full documentation of the decision for the post-incident review.

Need Incident Response on Standby?

Codesecure offers retainer-based IR for Indian businesses: 24x7 on-call lead, named OSCP and GCFA consultants, evidence-preserving forensics, regulator-ready reporting and ISO/IEC 27001:2022 certified delivery. Available without retainer for active incidents on best-effort basis.

See IR Services →

Backup Integrity Checks and Restoration Sequence

Backup is the single most consequential variable in ransomware response. The questions to answer in the first 6 hours: are recent backups available, are they restorable, are they uncorrupted, and are they outside the attacker's reach?

Mature ransomware affiliates target backups specifically. They look for backup management consoles, NAS shares, cloud backup buckets, and any storage that mounts from the production environment. They delete, encrypt or corrupt backups before triggering the main encryption payload, which is one reason their dwell time before encryption is often measured in weeks. The defensive response is offline immutable backups: a copy that cannot be touched from the production network, ideally object-locked or write-once storage, with periodic restore drills.
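The four first-6-hour questions (recent, restorable, uncorrupted, out of reach) can be answered mechanically if each backup set carries a manifest hashed at write time. The script below is an added example, not Codesecure tooling or any backup product's API: it assumes a MANIFEST.json per backup set (assumed format: `taken_at`, a `location` label, and a map of relative path to SHA-256), a 24-hour recovery point objective and a set of location labels that production cannot write to, all of which are assumptions. The sample backup sets are constructed under a temporary directory so it runs offline, including one copy that is stale, reachable from production and tampered with.

```python
"""Backup integrity check: is the copy recent, uncorrupted, and outside the
attacker's reach? Added example, not Codesecure tooling. Assumes each backup
set carries a MANIFEST.json written at backup time (assumed format: taken_at,
location, and a map of relative path -> SHA-256). A sample set is constructed
under a temp directory so the script runs offline."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # assumption: the recovery point objective agreed with the business
# assumption: location labels for copies the production network cannot write to
OFFLINE_LOCATIONS = {"object-locked-bucket", "tape-vault"}


def sha256_file(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(backup_dir, now):
    """Answer the four first-6-hour questions for one backup set.
    'usable' is True only when every check passes."""
    with open(os.path.join(backup_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    taken = datetime.fromisoformat(manifest["taken_at"])
    findings = {
        "recent": now - taken <= MAX_AGE,
        "offline": manifest["location"] in OFFLINE_LOCATIONS,
        "corrupt": [],   # files whose current hash differs from the manifest
        "missing": [],   # files the manifest lists but the copy no longer has
    }
    for rel, expected in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)
        elif sha256_file(path) != expected:
            findings["corrupt"].append(rel)
    findings["usable"] = (findings["recent"] and findings["offline"]
                          and not findings["corrupt"] and not findings["missing"])
    return findings


def build_sample_backup(root, location, taken_at, tamper=False):
    """Constructed sample set: two dump files plus a manifest hashed at write time.
    tamper=True modifies one file afterwards, as an attacker reaching the share would."""
    files = {"db/customers.dump": b"customer rows ...", "db/orders.dump": b"order rows ..."}
    hashes = {}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        hashes[rel] = hashlib.sha256(data).hexdigest()
    if tamper:
        with open(os.path.join(root, "db/orders.dump"), "ab") as f:
            f.write(b"\x00corrupted")
    with open(os.path.join(root, "MANIFEST.json"), "w") as f:
        json.dump({"taken_at": taken_at.isoformat(), "location": location, "files": hashes}, f)
    return root


def run_demo():
    """Check one sound copy and one stale, reachable, tampered copy; return both results."""
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        good = build_sample_backup(os.path.join(tmp, "good"), "object-locked-bucket",
                                   now - timedelta(hours=3))
        bad = build_sample_backup(os.path.join(tmp, "bad"), "prod-nas-share",
                                  now - timedelta(days=9), tamper=True)
        return check_backup(good, now), check_backup(bad, now)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), run_demo()):
        print(label, json.dumps(result))
```

The manifest must be written by the backup job and stored with the offline copy; a manifest that lives on a production share can be rewritten by the same attacker who corrupts the data. The "offline" check here is a label lookup because the script cannot know how a store is mounted; in practice that answer comes from the storage configuration (object lock status, tape rotation records), which is exactly what a restore drill is meant to confirm.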

Restoration Sequence

Restore in priority order, not all at once. Start with the directory and identity infrastructure (so you can authenticate), then the security tooling (so you can detect re-compromise), then the core business systems (in dependency order), then user-facing systems. Restore into a clean, isolated network segment first, with EDR pre-deployed, and verify integrity before reconnecting to the rest of the recovered estate. Skipping this sequence is how some Indian businesses suffer second-stage compromise during recovery.
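The priority order above is a tiered dependency graph, and the plan can be generated rather than argued over on the bridge. The following is an added example, not Codesecure's own planning tooling: it assigns each system a tier matching the text (1 identity, 2 security tooling, 3 core business, 4 user-facing) and its dependencies, then produces the restore order with a topological sort that prefers the lowest tier among ready systems, and groups the order into waves that can be restored and integrity-verified in parallel inside the isolated segment. The inventory is constructed; the names and tiers are assumptions.

```python
"""Dependency-ordered restoration plan. Added example, not Codesecure's own
tooling. Tiers follow the sequence in the text: 1 identity, 2 security tooling,
3 core business systems, 4 user-facing. The inventory below is constructed."""
import heapq

# Constructed sample estate: system -> (tier, systems it depends on).
SAMPLE_ESTATE = {
    "dc01": (1, []),
    "dc02": (1, ["dc01"]),
    "edr-console": (2, ["dc01"]),
    "siem": (2, ["dc01"]),
    "erp-db": (3, ["dc01"]),
    "erp-app": (3, ["erp-db", "edr-console"]),
    "payments": (3, ["erp-db"]),
    "customer-portal": (4, ["erp-app", "payments"]),
    "intranet": (4, ["dc02"]),
}


def tier_violations(estate):
    """A lower-tier system depending on a higher-tier one cannot honour the
    identity -> tooling -> core -> user-facing sequence; surface it before planning."""
    return [(s, d) for s, (tier, deps) in estate.items()
            for d in deps if estate[d][0] > tier]


def restoration_plan(estate):
    """Kahn's topological sort with a (tier, name) priority queue: every system
    comes after its dependencies, and among ready systems the lowest tier goes first.
    Raises ValueError for unknown dependencies, tier violations, or a cycle."""
    for s, (_, deps) in estate.items():
        for d in deps:
            if d not in estate:
                raise ValueError(f"{s} depends on unknown system {d}")
    violations = tier_violations(estate)
    if violations:
        raise ValueError(f"tier violations (fix the inventory first): {violations}")
    indeg = {s: len(deps) for s, (_, deps) in estate.items()}
    dependents = {s: [] for s in estate}
    for s, (_, deps) in estate.items():
        for d in deps:
            dependents[d].append(s)
    ready = [(tier, s) for s, (tier, deps) in estate.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, s = heapq.heappop(ready)
        order.append(s)
        for child in dependents[s]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, (estate[child][0], child))
    if len(order) != len(estate):
        stuck = [s for s in estate if s not in order]
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def restoration_waves(estate):
    """Group the plan into waves that can be restored and verified in parallel:
    a system joins a wave once its dependencies are in earlier waves and no
    lower-tier system is still waiting."""
    order = restoration_plan(estate)
    done, waves, remaining = set(), [], list(order)
    while remaining:
        lowest = min(estate[s][0] for s in remaining)
        wave = [s for s in remaining
                if estate[s][0] == lowest and all(d in done for d in estate[s][1])]
        waves.append(wave)
        done.update(wave)
        remaining = [s for s in remaining if s not in done]
    return waves


if __name__ == "__main__":
    for n, wave in enumerate(restoration_waves(SAMPLE_ESTATE), 1):
        print(f"wave {n}: {', '.join(wave)}")
```

Each wave is a natural checkpoint: restore it into the clean segment with EDR pre-deployed, verify integrity, and only then release the next wave. A tier violation in the inventory (an identity system that depends on a core business system, say) is reported up front because it means the sequence the text prescribes cannot be honoured without changing the architecture.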

Forensic Preservation During the Heat of Response

Containment urgency and forensic preservation are in tension. Wipe and rebuild quickly, and you lose evidence needed for insurance claims, regulatory closure, post-incident lessons and law enforcement engagement. Wait too long to preserve and the business stays down longer than necessary. The balanced approach:

  • image (or at minimum memory-dump) one or two representative affected hosts before wipe
  • image the patient-zero host fully if identifiable
  • preserve all relevant log sources at point-in-time (CloudTrail, Activity Log, EDR telemetry, firewall logs, DNS logs, proxy logs, email gateway logs)
  • retain the ransom note and any attacker communications
  • document the chain of custody for everything

Memory dumps are particularly valuable because they capture in-process secrets, attacker tooling running in memory, network connection state and active processes that disk imaging alone misses. Tools: FTK Imager, KAPE, Velociraptor for triage collection, Volatility for analysis.
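Chain of custody is the part most often improvised on the night and then hard to reconstruct for the insurer or the police. The script below is an added example of the record the section asks for, not Codesecure's collection tooling and not an output format of FTK Imager, KAPE or Velociraptor: every artefact is hashed on intake, every hand-over and re-verification is appended as a custody event, and a hash mismatch on re-verification is recorded rather than silently accepted. The case id, responder names and artefacts are constructed placeholders.

```python
"""Evidence manifest with chain of custody. Added example, not Codesecure's
collection tooling. Each collected artefact is hashed on intake; every hand-over
and re-verification is appended as an event, so the record shows who held what,
when, and whether the hash ever changed. Sample artefacts are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLog:
    def __init__(self, case_id, collector):
        self.case_id = case_id
        self.collector = collector
        self.items = {}     # evidence id -> intake record
        self.events = []    # append-only custody trail

    def _event(self, item_id, action, actor, detail=""):
        self.events.append({"item": item_id, "action": action, "actor": actor,
                            "at": datetime.now(timezone.utc).isoformat(),
                            "detail": detail})

    def collect(self, path, description, source_host):
        """Intake: hash and size are recorded before the artefact moves anywhere."""
        item_id = f"E{len(self.items) + 1:03d}"
        self.items[item_id] = {
            "file": os.path.basename(path), "description": description,
            "source_host": source_host, "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        }
        self._event(item_id, "collected", self.collector, f"from {source_host}")
        return item_id

    def transfer(self, item_id, from_actor, to_actor):
        """Hand-over between people or teams (responder -> counsel -> police, etc.)."""
        self._event(item_id, "transferred", from_actor, f"to {to_actor}")

    def verify(self, item_id, path, actor):
        """Re-hash the artefact; a mismatch is recorded and returned, never ignored."""
        intact = sha256_file(path) == self.items[item_id]["sha256"]
        self._event(item_id, "verified" if intact else "HASH MISMATCH", actor)
        return intact

    def to_json(self):
        return json.dumps({"case": self.case_id, "items": self.items,
                           "events": self.events}, indent=2)


def run_demo():
    """Constructed: a memory image and a ransom note. The image survives custody
    intact; the note is modified on its storage and fails re-verification."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "fin-ws-07.mem")
        note = os.path.join(tmp, "README_RESTORE.txt")
        with open(dump, "wb") as f:
            f.write(b"\x00" * 4096)               # placeholder bytes, not a real image
        with open(note, "w") as f:
            f.write("constructed ransom note text\n")
        log = EvidenceLog("IR-2026-EXAMPLE", "responder-a")
        e1 = log.collect(dump, "memory image, patient-zero candidate", "FIN-WS-07")
        e2 = log.collect(note, "ransom note from desktop", "FIN-WS-07")
        log.transfer(e1, "responder-a", "external-counsel")
        ok_dump = log.verify(e1, dump, "external-counsel")
        with open(note, "a") as f:
            f.write("edited after collection\n")  # simulated post-collection change
        ok_note = log.verify(e2, note, "responder-b")
        return ok_dump, ok_note, log


if __name__ == "__main__":
    ok_dump, ok_note, log = run_demo()
    print(log.to_json())
```

Write the JSON out to the same offline store as the evidence itself, sign or hash the manifest at each hand-over, and keep the original intake hash in the ticket: the point of the record is that anyone later in the chain can repeat `verify` and get the same answer.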

Recovery, Hardening and Trust Restoration

Recovery is not 'restore from backup'. It is 'restore from backup with confidence the attacker is not still inside'. The recovery sequence includes:

  • rotate every credential the attacker could have accessed: passwords, API keys, certificates, OAuth tokens, kubeconfigs, cloud access keys, and KMS keys wherever the key policy does not rule out attacker access
  • rebuild Active Directory if the compromise reached AD (krbtgt rotation twice, at least 10 hours apart)
  • rebuild critical systems from known-clean media rather than just decrypting them
  • conduct a focused threat hunt for persistence: scheduled tasks, services, WMI subscriptions, golden / silver tickets, OAuth consent grants, cloud IAM backdoors
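The persistence hunt can be started from the logs already preserved. The script below is an added example, not Codesecure's hunt tooling: it runs simple rules over flattened Windows events for three of the mechanisms named above, scheduled task creation (Security event 4698), service installation (System event 7045) and new permanent WMI event subscriptions (WMI-Activity event 5861). The key=value line format, the host names and every sample line are constructed, in the shape a log forwarder might use to flatten event XML; the path heuristics are assumptions to tune for your estate.

```python
"""Persistence hunt over flattened Windows events. Added example, not Codesecure's
hunt tooling. Covers three of the persistence mechanisms named in the text:
scheduled tasks (Security 4698), new services (System 7045) and WMI permanent
event subscriptions (WMI-Activity 5861). The key=value line format and all
sample lines are constructed, the way a log forwarder might flatten event XML."""
import re

SAMPLE_EVENTS = [
    r'ts=2026-05-23T02:10:11Z host=FIN-WS-07 channel=Security EventID=4624 TargetUserName=jdoe LogonType=2',
    r'ts=2026-05-23T02:14:02Z host=FIN-WS-07 channel=Security EventID=4698 SubjectUserName=SYSTEM TaskName="\Microsoft\Windows\Defrag\ScheduledDefrag" Command="C:\Windows\System32\defrag.exe"',
    r'ts=2026-05-23T02:41:55Z host=FIN-WS-07 channel=Security EventID=4698 SubjectUserName=jdoe TaskName="\OneDriveUpdate" Command="C:\Users\jdoe\AppData\Roaming\update.exe"',
    r'ts=2026-05-23T02:50:07Z host=FIN-SRV-02 channel=System EventID=7045 ServiceName="EDR Sensor" ImagePath="C:\Program Files\Vendor EDR\sensor.exe"',
    r'ts=2026-05-23T03:02:19Z host=FIN-SRV-02 channel=System EventID=7045 ServiceName="WinSysHelper" ImagePath="C:\ProgramData\sys\svchost.exe"',
    r'ts=2026-05-23T03:05:44Z host=FIN-SRV-02 channel=Microsoft-Windows-WMI-Activity/Operational EventID=5861 Namespace="root\subscription" Consumer="CommandLineEventConsumer"',
]

# key=value pairs, values optionally double-quoted (quoted values may contain spaces)
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# assumption: paths a standard user can write to; a task running from here deserves a look
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# assumption: roots where legitimately installed service binaries live on this estate
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse(line):
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}


def assess(ev):
    """Return (severity, reason) when an event looks like a persistence attempt, else None."""
    eid = ev.get("EventID")
    if eid == "4698":
        cmd = ev.get("Command", "").lower()
        if any(p in cmd for p in USER_WRITABLE) or ("powershell" in cmd and "-enc" in cmd):
            return "high", (f"task {ev.get('TaskName')} runs {ev.get('Command')} "
                            "from a user-writable path or with an encoded command")
    elif eid == "7045":
        img = ev.get("ImagePath", "").lower()
        if not img.startswith(TRUSTED_ROOTS):
            return "high", (f"service {ev.get('ServiceName')} installed with binary "
                            f"outside trusted roots: {ev.get('ImagePath')}")
    elif eid == "5861":
        return "medium", (f"new permanent WMI event subscription ({ev.get('Consumer')}) "
                          f"in {ev.get('Namespace')}; review filter and consumer")
    return None


def hunt(lines):
    """Run the rules over every line and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse(line)
        verdict = assess(ev)
        if verdict:
            findings.append({"ts": ev.get("ts"), "host": ev.get("host"),
                             "event_id": ev.get("EventID"),
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['host']} EID {f['event_id']}: {f['reason']}")
```

Run it over the preserved event logs of every restored host and over the clean segment after reconnection; anything it flags on a host that was rebuilt from clean media is, by definition, new and needs explaining. The rules are deliberately coarse (path-based, no allow-listing) so that the analyst, not the script, decides what is benign, and the benign defrag task and EDR service in the sample show the expected negatives.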

Hardening uplifts that the post-mortem typically recommends: MFA on every privileged path, tiered admin model with PAWs, EDR on every endpoint and server, segmentation between user network and crown jewels, immutable backup, monthly tabletop, and an external IR retainer if not already in place.

Building an IR Programme From Scratch?

Whether you need an IR plan, a tabletop exercise, a SOAR rollout, or DFIR readiness for SOC 2 / ISO 27001 / DPDP, our IR lead is available for a 30-minute free scoping call. No obligation, no slideware.

Talk to an IR Lead →

Business Continuity During the Attack

Production is partly or fully down. Customers are calling. Sales pipeline is stalling. Employees may not have email. The business continuity dimension of ransomware response is operational, not technical, and is often where Indian businesses underprepare.

Items to plan in the IRP:

  • alternative communication channels: a vendor-hosted email and chat backup that is separate from the primary stack and stays online even when the main domain mail is down
  • a customer status page, hosted off-network, that the comms team can update without internal infrastructure
  • manual workflows for the most critical customer-facing processes, so orders can still be taken and deliveries still confirmed
  • payroll continuity: the HR and finance team often discovers payroll processing depends on the same network being recovered
  • pre-negotiated emergency contracts with infrastructure providers for rapid replacement capacity if needed

India-Specific Ransomware Trends and Considerations

India has been near the top of regional ransomware target lists since 2022 and remains so in 2026. Sectors disproportionately affected: manufacturing, healthcare, energy, transportation, government, professional services, IT services. The attack patterns common in Indian incidents: initial access via phishing, exposed RDP or VPN, exploited internet-facing vulnerabilities (Citrix, Fortinet, Ivanti, Cisco), then lateral movement through Active Directory, then encryption.

Indian regulatory engagement during a ransomware incident: CERT-In notification (6 hours from awareness, per the April 2022 directions), sector regulator notification (RBI, SEBI, IRDAI as applicable), DPDP notification to the Data Protection Board and affected data principals if personal data is exposed, NCIIPC notification if the entity is critical information infrastructure, contractual customer notification per the contracts, public disclosure decision per market obligations.

Law enforcement engagement: complaint to the State Police cyber crime unit, additional engagement with CBI for cross-border elements, CERT-In coordination. Codesecure helps clients structure the law-enforcement engagement so it supports the investigation without compromising forensic preservation or regulatory timelines.


Frequently Asked Questions

Should we pay the ransom?

Default answer: no. Reasons: funds criminal ecosystem, sanctions risk, no guarantee of decryption, no guarantee of data destruction. Real-world payment decisions are Board + Legal + External Counsel + Insurance, not SOC. The IRP must escalate the decision to the right authority and not let it default to whoever is in the room when the deadline expires.

How long does ransomware recovery take?

Range: 3 days for a well-prepared organisation with offline backups and a current IR retainer, 3 weeks for an unprepared organisation, 3 months for a catastrophically unprepared organisation including the long tail of trust restoration and customer notification. Median for Indian mid-size organisations in 2024 to 2025 was 10 to 14 days.

Will our cyber insurance cover ransomware?

Depends on the policy. Most modern policies cover incident response, forensics, legal, notification, restoration costs and business interruption. Ransom payment coverage varies and is increasingly excluded or capped. Read the policy before the incident, not during. Many policies require the insured to use panel IR firms; verify Codesecure or your preferred firm is approved in advance if relevant.

How do we know we got the attacker out?

You do not, with certainty. You reach high confidence through: credential rotation across the estate, AD rebuild if AD was reached, threat hunting for persistence mechanisms, EDR deployment to every endpoint and server, network telemetry review for outbound C2 patterns, and a follow-up assessment 30 to 60 days post-recovery. Codesecure delivers a 'clean and confirmed' assessment as part of standard ransomware engagement.

Should we engage law enforcement?

Yes, generally. Engagement with the State Police cyber crime unit and CERT-In supports the wider investigation, contributes to threat intelligence that protects future targets, and is sometimes required by regulator or insurer. Engagement does not delay recovery; the IR firm coordinates so technical response and law enforcement requests run in parallel.

Can Codesecure respond to a ransomware incident right now?

Yes. Codesecure operates on retainer for in-house IR and on best-effort for active incidents without prior retainer. Retainer clients receive defined response SLAs (typically 1 to 2 hour acknowledgement, on-site or remote engagement within 4 hours). Contact the IR team at contact@codesecure.in or, for retainer customers, call the 24x7 number on file.


Codesecure IR Team

OSCP / GCFA / GCIH Certified Incident Responders

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers incident response programme design, retainer-based 24x7 IR, DFIR investigations, ransomware response, tabletop exercises and SOAR implementation. Named consultants with OSCP, GCFA (forensics), GCIH (handling), GNFA (network forensics) and GREM (reverse-engineering malware) credentials. 150+ engagements across India, Singapore, UAE and the Middle East.


Be Ransomware Ready Before The Day You Are Tested

Codesecure delivers ransomware-specific IR playbook design, tabletop exercises, retainer-based 24x7 response and post-incident hardening. ISO/IEC 27001:2022 certified delivery, named GCFA / GCIH consultants, Indian regulatory tracker.