Ransomware Protection for Indian Businesses 2026 — Prevention, Detection & Response
India is now consistently ranked among the top five countries globally for ransomware attacks. In 2024 and 2025, Indian organisations faced a 50%+ year-over-year increase in ransomware incidents, with attacks targeting hospitals, banks, government departments, and private enterprises alike. The AIIMS Delhi ransomware attack in 2022 disrupted patient care for weeks. BSNL has been breached multiple times. LockBit and RansomHub have publicly listed multiple Indian victims on their leak sites.
Ransomware is no longer a remote risk for Indian organisations — it is a when, not if, scenario. The organisations that survive ransomware attacks are those that prepared for them before they happened. This guide provides a comprehensive framework for ransomware prevention, detection, and response for Indian businesses in 2026.
The Scale of India’s Ransomware Problem
- India ranks among the top 5 most ransomware-targeted countries globally (Q1–Q2 2025, multiple threat intelligence reports)
- The healthcare sector in India saw a 95% increase in ransomware attacks in 2024
- Average ransomware recovery cost for an Indian enterprise: ₹3–15 crore (including downtime, recovery, and reputational costs)
- Average downtime following a ransomware attack in India: 18–23 days
- Less than 30% of Indian SMEs have a tested, documented incident response plan
- The AIIMS Delhi attack (November 2022) affected approximately 40 million patients’ data and took weeks to restore basic digital functionality
How Ransomware Enters Indian Organisations
1. Phishing Emails (Most Common — ~60% of Cases)
A malicious email contains either an infected attachment (Word macro, PDF exploit, Excel file) or a link to a credential harvesting page. The victim opens the file or enters credentials, giving the attacker an initial foothold. In India, business email compromise (BEC) phishing targeting finance and accounts teams is particularly common.
2. RDP Brute Force and Exposed Remote Access (~20% of Cases)
Remote Desktop Protocol (RDP) exposed directly to the internet is a favourite entry point. Attackers scan the internet for open RDP ports (3389), brute-force credentials, and gain direct access to Windows servers. Many Indian SMEs and mid-size enterprises still expose RDP directly to the internet for remote work convenience.
3. Unpatched Vulnerabilities (~10% of Cases)
Ransomware groups actively scan for and exploit known vulnerabilities in internet-facing systems — VPN appliances (Fortinet, Citrix, Pulse Secure), Exchange servers, and web applications. When a critical CVE is published, threat actors race to exploit unpatched systems within hours.
4. Supply Chain and Third-Party Compromise (~7% of Cases)
Attackers compromise a trusted software vendor, MSP, or IT service provider and use that access to pivot into their customers’ environments. The SolarWinds-style attack model has been replicated at smaller scales against Indian IT service companies and their SME clients.
5. Malicious Insiders and Compromised Credentials (~3% of Cases)
Stolen credentials — purchased from initial access brokers on dark web forums or phished from employees — are used to log in to VPNs, RDP, or cloud consoles with legitimate-looking access.
Ransomware Attack Stages — MITRE ATT&CK Mapping
Modern ransomware attacks follow a predictable progression. Understanding the stages helps you identify where your defences can interrupt the attack chain:
| Stage | What Happens | MITRE ATT&CK Tactic | Detection Opportunity |
|---|---|---|---|
| 1. Initial Access | Phishing email opened, RDP brute-forced, or vulnerability exploited | Initial Access (TA0001) | Email gateway, endpoint detection, failed login monitoring |
| 2. Execution | Malicious payload runs on victim system | Execution (TA0002) | EDR process creation alerts, macro execution |
| 3. Persistence | Backdoor or scheduled task installed for continued access | Persistence (TA0003) | Registry changes, new scheduled tasks, service installations |
| 4. Privilege Escalation | Attacker gains administrator or domain admin rights | Privilege Escalation (TA0004) | New local admin accounts, token manipulation |
| 5. Defence Evasion | Antivirus disabled, logs cleared, processes obfuscated | Defence Evasion (TA0005) | AV disabled alerts, log gaps, process injection |
| 6. Credential Access | Mimikatz-style credential dumping from LSASS | Credential Access (TA0006) | LSASS access, credential manager queries |
| 7. Discovery | Network scanning, AD enumeration, backup identification | Discovery (TA0007) | Unusual AD queries, port scanning from internal hosts |
| 8. Lateral Movement | Attacker moves from initial victim to servers, domain controller | Lateral Movement (TA0008) | Pass-the-hash alerts, PsExec service installations, WMI remote execution events |
| 9. Data Exfiltration | Sensitive data copied to attacker infrastructure before encryption | Exfiltration (TA0010) | Large outbound data transfers, cloud upload anomalies |
| 10. Impact (Encryption) | Files encrypted; ransom note dropped; backups deleted | Impact (TA0040) | Mass file modification, shadow copy deletion, ransom note creation |
Critical insight: Modern ransomware attackers typically dwell in the network for 5–21 days before deploying the encryption payload. This dwell time is your detection window — a properly configured SOC with EDR and SIEM should detect the intrusion long before the ransomware deploys.
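To make the "Detection Opportunity" column concrete, the following is an added example (not code from this guide or from any vendor) of three SIEM-style rules run over constructed, normalised event records: a failed-logon burst from one source (stage 1), shadow-copy deletion via a known command line (stage 10), and mass file renames on a single host (stage 10). The event format, thresholds and sample values are assumptions made for the example; a real deployment would map Windows Security, Sysmon or EDR telemetry into the same shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that commonly precede encryption (shadow-copy / backup destruction).
# These are detection signatures matched against process-creation events.
DESTRUCTIVE_CMD_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def build_sample_events():
    """Constructed, SIEM-normalised events (not real logs from any organisation)."""
    base = datetime(2026, 1, 10, 9, 0, 0)
    events = []
    # 12 failed logons against the RDP server from one external address in 33 seconds
    for i in range(12):
        events.append({"ts": base + timedelta(seconds=3 * i), "host": "srv-rdp01",
                       "event": "logon_failed", "src_ip": "203.0.113.7",
                       "user": "administrator"})
    # Two benign failures from an internal user mistyping a password
    for i in range(2):
        events.append({"ts": base + timedelta(minutes=5, seconds=30 * i), "host": "srv-rdp01",
                       "event": "logon_failed", "src_ip": "10.0.5.23", "user": "priya"})
    # Benign process creation on a finance workstation
    events.append({"ts": base + timedelta(minutes=10), "host": "ws-fin07",
                   "event": "process_created",
                   "cmdline": r"C:\Windows\System32\notepad.exe invoice.txt"})
    # Shadow-copy deletion shortly before encryption
    events.append({"ts": base + timedelta(minutes=20), "host": "ws-fin07",
                   "event": "process_created",
                   "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    # 80 files renamed to a new extension within 30 seconds
    for i in range(80):
        events.append({"ts": base + timedelta(minutes=21, milliseconds=375 * i),
                       "host": "ws-fin07", "event": "file_renamed",
                       "path": rf"D:\Finance\report_{i}.xlsx.locked"})
    return events


def _max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=1)):
    """Initial Access (TA0001): bursts of failed logons from a single source IP."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "logon_failed":
            by_src[e["src_ip"]].append(e["ts"])
    hits = [(ip, _max_in_window(ts, window)) for ip, ts in by_src.items()]
    return sorted((ip, n) for ip, n in hits if n >= threshold)


def detect_shadow_copy_deletion(events):
    """Impact (TA0040): backup/shadow-copy destruction via known command lines."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["event"] == "process_created"
            and any(p.search(e["cmdline"]) for p in DESTRUCTIVE_CMD_PATTERNS)]


def detect_mass_file_modification(events, threshold=50, window=timedelta(minutes=1)):
    """Impact (TA0040): many files renamed/modified on one host in a short window."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] in ("file_renamed", "file_modified"):
            by_host[e["host"]].append(e["ts"])
    hits = [(host, _max_in_window(ts, window)) for host, ts in by_host.items()]
    return sorted((h, n) for h, n in hits if n >= threshold)


def run_detections(events):
    """Map each finding to the ATT&CK tactic column of the stage table."""
    findings = []
    for ip, n in detect_rdp_brute_force(events):
        findings.append({"stage": "Initial Access", "tactic": "TA0001",
                         "detail": f"{n} failed logons from {ip} within 1 minute"})
    for host, cmd in detect_shadow_copy_deletion(events):
        findings.append({"stage": "Impact", "tactic": "TA0040",
                         "detail": f"shadow-copy deletion on {host}: {cmd}"})
    for host, n in detect_mass_file_modification(events):
        findings.append({"stage": "Impact", "tactic": "TA0040",
                         "detail": f"{n} file renames on {host} within 1 minute"})
    return findings


if __name__ == "__main__":
    for f in run_detections(build_sample_events()):
        print(f"[{f['tactic']}] {f['stage']}: {f['detail']}")
```

The two internal failed logons stay below threshold, so the rule distinguishes a mistyped password from a brute-force run; the shadow-copy and mass-rename rules fire on the same host within minutes of each other, which is the kind of correlated Impact-stage signal a SOC should page on immediately.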
Ransomware Prevention Framework — 10 Controls
Control 1: Patch Management
Implement a formal patch management process. Critical patches (CVSS 9.0+) must be applied within 72 hours. High severity patches (CVSS 7.0–8.9) within 14 days. Use automated patch management tools — Microsoft WSUS, SCCM, or a commercial solution. Prioritise internet-facing systems, VPN appliances, and domain controllers.
Control 2: Multi-Factor Authentication (MFA)
Enforce MFA on all remote access methods — VPN, RDP, cloud consoles, email (especially Microsoft 365 and Google Workspace), and privileged administrative accounts. MFA blocks over 99% of automated credential-stuffing attacks and makes stolen credentials significantly less useful to attackers.
Control 3: Endpoint Protection (EDR)
Replace legacy antivirus with a modern Endpoint Detection and Response (EDR) solution — Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne. EDR products detect behavioural indicators of ransomware activity (mass file encryption, shadow copy deletion, LSASS access) that signature-based antivirus misses. Ensure EDR is deployed on all endpoints including servers, and that tamper protection is enabled so ransomware cannot disable the agent.
Control 4: Email Security
Deploy a secure email gateway with anti-phishing, anti-malware, URL rewriting, and sandboxing capabilities. Microsoft Defender for Office 365 Plan 2 or Proofpoint are enterprise standards. Enable DMARC, DKIM, and SPF on all company email domains. Train users to report suspicious emails and measure reporting rates.
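Enabling SPF and DMARC is only effective if the published records actually enforce anything. Below is an added example (not code from this guide) that parses SPF and DMARC TXT records and reports the gaps that let spoofed mail through: a soft-fail SPF, a DMARC policy of p=none, or no record at all. The domain names and records are constructed; in production the SPF record is read from the domain's TXT record and the DMARC record from the _dmarc.<domain> TXT record.

```python
# Constructed DNS TXT records for hypothetical domains (not real domains or records).
SAMPLE_RECORDS = {
    "example-weak.in": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.in",
    },
    "example-hardened.in": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-hardened.in; adkim=s; aspf=s",
    },
    "example-missing.in": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf, dmarc):
    """Return a list of findings; an empty list means the domain meets the baseline."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record; any server can send mail claiming this domain")
    else:
        mechanism = spf.split()[-1].lower()
        if mechanism in ("+all", "all"):
            findings.append("SPF: '+all' permits any sender; use '-all'")
        elif mechanism == "~all":
            findings.append("SPF: soft fail ('~all'); move to '-all' once DMARC reports show "
                            "no legitimate senders are missed")
        elif mechanism != "-all":
            findings.append(f"SPF: no terminating 'all' mechanism (record ends with '{mechanism}')")
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no record; receivers cannot enforce SPF/DKIM alignment")
        return findings
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; target p=reject for full enforcement")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised or missing policy '{policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: only {tags['pct']}% of failing mail is subject to the policy")
    return findings


def assess_all(records):
    """Assess every domain in the inventory; returns {domain: [findings]}."""
    return {domain: assess_email_auth(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run this against every domain the organisation sends mail from, including parked and marketing domains; a domain with no DMARC record is the one attackers will pick for BEC lures against the finance team.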
Control 5: Network Segmentation
Segment your network so that a compromise in one zone cannot instantly spread to the entire environment. Separate workstations from servers, and servers from backup systems. Use VLANs and firewall rules to restrict lateral movement. Never allow workstations to communicate directly with each other (peer-to-peer) — all traffic should traverse a firewall or switch with ACLs.
Control 6: The 3-2-1 Backup Rule (with Immutability)
Three copies of data. Two different storage media. One offsite copy. But in 2026, the 3-2-1 rule is not sufficient without adding immutability. Ransomware specifically targets and deletes backup copies. Your offline or immutable backup is your last line of defence:
- Keep at least one backup copy offline (physically disconnected) or air-gapped
- Use immutable cloud backup — AWS S3 Object Lock, Azure Immutable Blob Storage
- Disable backup software’s ability to delete or overwrite previous backups from any workstation
- Test restoration monthly — not just backup completion
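"Test restoration, not just backup completion" means restoring the data somewhere and proving it matches what was backed up. The following is an added example (not code from this guide or from any backup product) of a monthly restore drill: it records a SHA-256 manifest at backup time, restores the archive to a scratch directory, and verifies every file against the manifest, flagging any file that is missing or altered. The sample files, paths and archive format are constructed for the example; the same verify step applies to whatever backup tool is in use.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data set standing in for a file share (not real data).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2026-01-05,125000\n",
    "finance/invoices/inv-1001.txt": b"Invoice 1001: paid\n",
    "hr/policy.txt": b"Leave policy v3\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root, captured at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_root, archive_path):
    """Write a gzip tarball plus a separate manifest the restore drill checks against."""
    manifest = build_manifest(src_root)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(src_root) / rel, arcname=rel)
    Path(str(archive_path) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive_path, dest_root):
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # 'data' filter refuses path traversal and special members (Python 3.12+ and backports)
            tar.extractall(dest_root, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest_root)


def verify_restore(dest_root, manifest):
    """Compare restored files to the manifest: this is the actual restoration test."""
    result = {"ok": [], "mismatched": [], "missing": []}
    for rel, expected in manifest.items():
        p = Path(dest_root) / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def run_restore_drill():
    """Back up the sample set, restore and verify it, then show a damaged restore being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        archive = Path(tmp) / "share-backup.tar.gz"
        manifest = create_backup(src, archive)

        clean = Path(tmp) / "restore-clean"
        restore_backup(archive, clean)
        clean_result = verify_restore(clean, manifest)

        # Simulate a bad restore: one file altered after the fact, one absent
        damaged = Path(tmp) / "restore-damaged"
        restore_backup(archive, damaged)
        (damaged / "finance/ledger.csv").write_bytes(b"garbage")
        (damaged / "hr/policy.txt").unlink()
        damaged_result = verify_restore(damaged, manifest)
    return clean_result, damaged_result


if __name__ == "__main__":
    clean, damaged = run_restore_drill()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Keep the manifest with the immutable copy of the backup, not only on the backup server: if an attacker can rewrite the manifest along with the archive, the verification proves nothing. A drill that ends with a non-empty "mismatched" or "missing" list is a failed backup, regardless of what the backup job reported.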
Control 7: Eliminate Exposed Remote Access
Remove RDP from the public internet immediately. Use a VPN with MFA for all remote access, or adopt a Zero Trust Network Access (ZTNA) solution. If cloud-hosted, use bastion hosts or AWS Systems Manager Session Manager instead of direct RDP/SSH exposure. Scan your internet-facing perimeter regularly with Shodan to identify exposed services.
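Exposure is usually created by a firewall or cloud security-group rule, so the configuration itself can be audited before any external scan. The following is an added example (not code from this guide or from AWS) that walks security-group data in the shape of `aws ec2 describe-security-groups` output and flags remote-access ports reachable from outside the private address space. It goes slightly beyond the RDP case in the text by also covering SSH, WinRM and SMB, and handling "all traffic" rules and port ranges. The group IDs, names and address ranges are constructed for the example.

```python
import ipaddress

# Remote-access ports that should never be reachable from the public internet
REMOTE_ACCESS_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM/HTTP", 5986: "WinRM/HTTPS"}

# Address space treated as internal (RFC 1918 plus IPv6 unique local); anything else is public
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed security-group records (a subset of the describe-security-groups fields);
# the IDs, names and CIDRs are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-rdp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0open", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def exposed_ports(perm):
    """Remote-access ports covered by one permission entry (handles -1 and port ranges)."""
    if perm.get("IpProtocol") == "-1":            # all protocols and all ports
        return sorted(REMOTE_ACCESS_PORTS)
    if perm.get("IpProtocol") != "tcp":
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(REMOTE_ACCESS_PORTS) if lo <= p <= hi]


def classify_source(cidr):
    """'world' for any-address rules, 'public' for other external ranges, None for internal."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    if any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS):
        return None
    return "public"


def audit_security_groups(groups):
    """Return one finding per (group, port, source) combination that is externally reachable."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            ports = exposed_ports(perm)
            if not ports:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                kind = classify_source(cidr)
                if kind is None:
                    continue
                for port in ports:
                    findings.append({"group": g["GroupId"], "name": g["GroupName"],
                                     "port": port, "service": REMOTE_ACCESS_PORTS[port],
                                     "source": cidr,
                                     "severity": "critical" if kind == "world" else "high"})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity'].upper():8} {f['group']} ({f['name']}): "
              f"{f['service']}/{f['port']} open from {f['source']}")
```

A "high" finding for a narrow public range (an MSP's office address, say) is still a finding: that address is exactly what a supply-chain compromise of the provider hands to an attacker, so it belongs behind the VPN or ZTNA gateway too.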
Control 8: Security Awareness Training and Phishing Simulations
Since phishing is the primary initial access vector, training employees to identify and report phishing emails directly reduces your ransomware risk. Conduct phishing simulations quarterly and use click rates as a KPI. Employees who repeatedly click on simulated phishing should receive targeted training.
Control 9: Vulnerability Assessment and Penetration Testing (VAPT)
Conduct VAPT at least annually on all internet-facing systems and critical internal infrastructure. VAPT identifies exploitable vulnerabilities before ransomware operators do. Ensure VAPT is conducted by a CERT-In empanelled provider for regulatory compliance and quality assurance.
Control 10: 24×7 SOC Monitoring
Implement continuous security monitoring through either an in-house SOC or SOC-as-a-Service. With a SOC monitoring your SIEM for the attack patterns described in the MITRE ATT&CK stage table above, you have a realistic chance of detecting and stopping a ransomware attack during the dwell period — before the encryption payload deploys.
What to Do During a Ransomware Attack
If ransomware deploys in your environment, follow these steps immediately:
- Isolate affected systems immediately: Disconnect affected machines from the network (physically unplug or disable the network adapter). Do not shut down — memory may contain forensic evidence and encryption keys.
- Report to CERT-In within 6 hours: CERT-In mandatory reporting requires notification of a ransomware incident within 6 hours of detection. Report at https://www.cert-in.org.in. This is a legal obligation, not optional.
- Do not pay the ransom without expert advice: Paying does not guarantee recovery of data. It funds criminal operations and may violate sanctions (some ransomware groups are under US OFAC sanctions). Engage a professional incident response team before making any payment decision.
- Preserve evidence: Before wiping any affected system, take memory dumps and disk images for forensic analysis. This evidence is needed for root cause analysis, legal proceedings, and insurance claims.
- Contact your incident response team: If you have an IR retainer, activate it immediately. If not, contact a CERT-In empanelled IR provider like MDIT Services.
- Notify relevant stakeholders: Brief your CISO, CEO, legal counsel, and board. If personal data has been exfiltrated, DPDP Act obligations may require notification of affected individuals.
- Assess backup integrity: Determine which backups are clean and available. Calculate potential data loss and recovery timeline.
Recovery Steps Post-Ransomware
- Complete forensic investigation to identify initial access vector, dwell time, and full scope of compromise
- Rebuild affected systems from known-clean images — do not restore from potentially infected backups without scanning
- Restore data from the most recent clean backup
- Change all passwords and invalidate all active sessions and tokens across the environment
- Patch the vulnerability that was exploited for initial access before bringing systems back online
- Implement additional controls to prevent recurrence of the specific attack chain
- File insurance claim if cyber insurance is in place
- Prepare and submit Root Cause Analysis to CERT-In within 21 days
Cyber Insurance Considerations for Indian Businesses
Cyber insurance has become an increasingly important component of ransomware risk management. Key considerations for Indian organisations:
- Most cyber insurance policies cover ransomware ransom payments, business interruption losses, forensic investigation costs, and PR/notification costs
- Insurers in India are tightening underwriting requirements — MFA, EDR, and backup controls are now often prerequisites for coverage
- Pre-loss security assessments conducted by CERT-In empanelled firms can support the underwriting process and potentially reduce premiums
- Read the policy exclusions carefully — some policies exclude state-sponsored attacks (war exclusion), which is significant given the attribution of some India-targeted ransomware campaigns
MDIT Services Ransomware Protection and Response
MDIT Services provides a comprehensive ransomware protection programme for Indian enterprises, combining preventive controls, detection monitoring, and rapid incident response:
- Ransomware Readiness Assessment: Evaluate your current controls against the 10-control framework above and identify gaps
- VAPT: Identify exploitable vulnerabilities before ransomware operators do
- SOC as a Service: 24×7 monitoring for ransomware precursor activity with playbooks for early intervention
- Incident Response Retainer: MDIT’s DFIR team on retainer for rapid response to ransomware incidents — including containment, forensics, recovery, and CERT-In reporting
- Tabletop Exercise: Simulated ransomware incident to test your team’s response capability and identify procedural gaps
- Active Ransomware Response: If you are currently under attack, contact us immediately for emergency IR services
Emergency Response: +91-11-XXXX-XXXX (24×7) | Email: ir@mditservices.in | Website: mditservices.in
