Ransomware in Indian BFSI isn't an IT incident — it's a regulatory, customer-impact and board-level event. The readiness checklist that works is the one written against the RBI Cyber Security Framework, the CERT-In 6-hour clock and the realistic recovery economics, not the vendor pitch deck.
Three ransomware patterns have dominated Indian BFSI engagements over the last 24 months: double-extortion (encrypt-then-leak) against NBFCs and mid-tier private banks, supply-chain ransomware against shared-services vendors that cascades into multiple bank customers, and targeted data-exfiltration against insurers where the encryption is secondary. Each pattern needs a different readiness posture. This post is the unified readiness checklist that covers all three, mapped to the RBI Cyber Security Framework control families.
The regulatory frame — what the inspector reads
The RBI Cyber Security Framework for scheduled commercial banks (2016, with subsequent updates) and the equivalent guidance for NBFCs, UCBs and primary co-operative banks mandate specific ransomware readiness expectations: a documented IR plan with ransomware-specific procedures, segregated and tested backups, network segmentation, EDR coverage, SOC monitoring, regular IR drills, and reporting workflows. CERT-In Direction 20(3)/2022 layers the 6-hour reporting clock on top. IRDAI's Information & Cyber Security guidelines extend equivalent expectations to insurers. The DPDP Act §8(6) adds data-subject notification once the rules operationalise.
Prevention — the controls RBI inspects
- Email security — secure email gateway with attachment sandboxing, URL rewriting, DMARC enforcement (p=reject), and an inbound-attachment policy that blocks executables and macro-enabled documents.
- Endpoint protection — EDR on every workstation and server with active blocking, not just monitoring. Behavioural detection enabled for ransomware-class TTPs.
- Vulnerability management — patch SLA of 7 days for critical, 30 days for high. Internet-facing assets patched within 48 hours of vendor release for actively-exploited CVEs.
- Identity hardening — MFA on every external-facing service, FIDO2 for privileged identities, PAM for admin workflows, no standing Domain Admin membership.
- Network segmentation — flat networks are the single biggest ransomware accelerator. Microsegmentation at the application tier; VLAN-based segmentation at minimum.
- Backup architecture — 3-2-1-1-0 model: 3 copies, 2 media, 1 offsite, 1 immutable, 0 errors. Immutable backups (object-lock or air-gapped) for the data classes that matter.
- Third-party access — every vendor accessing the bank's network does so through a vendor-PAM portal with session recording and just-in-time entitlement.
- Cyber hygiene drills — phishing simulation quarterly, IR tabletop quarterly, full IR drill annually.
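The DMARC bullet above is easy to tick without actually enforcing anything: a published record with p=quarantine, a pct below 100 or an inherited weaker subdomain policy still passes a "do we have DMARC" question. The checker below grades a DMARC TXT record against the p=reject bar. It is an added example, not Macksofy's tooling; the records are constructed, and in practice the input is the TXT entry at _dmarc.<domain>.

```python
"""Grade a DMARC TXT record against the p=reject bar in the checklist above."""
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a tag dict (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return the reasons a record falls short of full enforcement; [] means it passes."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: mail that fails DMARC is not rejected")
    # sp (subdomain policy) inherits p when absent; a weaker sp leaves spoofed subdomains open
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not covered by reject")
    # pct defaults to 100; anything lower applies the policy to only a sample of failing mail
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return findings


# Constructed records; in practice the record is the TXT entry at _dmarc.<domain>.
RECORD_WEAK = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank.example"
RECORD_OK = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank.example"
```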
Detection — the signals that matter
Modern ransomware operators have shifted from immediate detonation to dwell-and-exfiltrate. The detection signals that catch this pattern early are different from the older mass-encryption indicators. Across our BFSI DFIR engagements, the top early-warning signals have been:
- Anomalous Kerberos activity — Kerberoasting attempts (4769 with unusual encryption types), AS-REP roasting, password-spraying patterns.
- Unexpected outbound traffic to cloud storage providers (Mega, MediaFire, Rclone-style patterns) — exfiltration precedes encryption by days.
- Sudden use of legitimate admin tools (PsExec, WMIC, BITSAdmin, certutil) from non-admin workstations.
- Volume-shadow-copy deletion events (vssadmin delete shadows) on file servers.
- Suspicious modifications to boot configuration (bcdedit /set recoveryenabled No).
- EDR detections of dual-use tools (Cobalt Strike, Brute Ratel, Sliver) — even if quarantined, the presence is a Phase-1 trigger.
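To show how the signals above translate into SOC logic, here is a small triage routine over Windows Security events: it flags RC4 (0x17) service-ticket requests in 4769 as a Kerberoasting tell, and matches 4688 process-creation command lines for shadow-copy deletion, bcdedit recovery tampering, and admin tooling launched from a non-admin host. This is an added example, not Macksofy's detection content; the events are constructed, and it assumes admin jump hosts can be recognised by an ADM- hostname prefix.

```python
"""Triage constructed Windows Security events for the early-warning signals above."""
from __future__ import annotations
import re

# 4688 process-creation command lines that match the ransomware-preparation signals.
PREP_PATTERNS = {
    "shadow-copy deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I),
    "admin tool on workstation": re.compile(r"\b(psexec|wmic|bitsadmin|certutil)(\.exe)?\b", re.I),
}
ADMIN_HOST_PREFIX = "ADM-"  # assumption: designated admin jump hosts are named ADM-*


def triage(event: dict) -> list[str]:
    """Return the signal names one event trips, or [] if it looks benign."""
    hits = []
    if event.get("EventID") == 4769:
        # An RC4 (0x17) service ticket for a non-machine account is the classic Kerberoasting
        # tell: AES is the norm in current domains, so a request for RC4 stands out.
        rc4 = event.get("TicketEncryptionType") == "0x17"
        machine_account = event.get("ServiceName", "").endswith("$")
        if rc4 and not machine_account:
            hits.append("kerberoasting: RC4 service ticket")
    elif event.get("EventID") == 4688:
        cmd, host = event.get("CommandLine", ""), event.get("Computer", "")
        for name, pattern in PREP_PATTERNS.items():
            if not pattern.search(cmd):
                continue
            if name == "admin tool on workstation" and host.upper().startswith(ADMIN_HOST_PREFIX):
                continue  # the same tools from a designated admin host are expected, not a signal
            hits.append(name)
    return hits


def phase1_triggers(events: list[dict]) -> list[tuple[str, str]]:
    """Flatten a batch of events into (host, signal) pairs for the SOC queue."""
    return [(e.get("Computer", "?"), hit) for e in events for hit in triage(e)]


# Constructed sample events (field names follow the Windows Security log, values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4769, "Computer": "DC01", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01", "ServiceName": "WS042$", "TicketEncryptionType": "0x12"},
    {"EventID": 4688, "Computer": "FS01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Computer": "WS042", "CommandLine": r"psexec.exe \\FS01 cmd.exe"},
    {"EventID": 4688, "Computer": "ADM-JUMP01", "CommandLine": r"psexec.exe \\FS01 cmd.exe"},
    {"EventID": 4688, "Computer": "FS01", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
]
```

Run `phase1_triggers(SAMPLE_EVENTS)` to see that only the workstation launch of PsExec is flagged, while the identical command from the ADM- host is suppressed.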
Response — the first 6 hours
The first 6 hours from awareness define whether the bank meets the CERT-In reporting clock and whether the operational impact stays bounded. The decision sequence is deterministic — there is no time for committee debate.
| Hour | Action | Owner |
|---|---|---|
| 0-1 | War-room bridge opened; CISO, CIO, GRC, legal, comms on the line | CISO |
| 1-2 | Initial scope assessment — affected hosts, encryption status, exfiltration evidence | DFIR lead |
| 2-3 | Containment actions begin — network isolation of confirmed hosts, KRBTGT reset if AD compromise | IT Ops + DFIR |
| 3-4 | Regulatory reporting decision; draft CERT-In report; alert RBI/SEBI/IRDAI as applicable | CISO + GRC + legal |
| 4-6 | CERT-In report filed; preliminary regulator notification sent; board notification initiated | GRC lead |
| 6-12 | Customer-impact assessment; payment-system continuity check; recovery-track activation | CIO + business heads |
Recovery — the decisions no playbook can make for you
Three decisions during recovery cannot be delegated to the playbook: (1) whether to negotiate or refuse, (2) which backups to restore from, (3) whether to declare 'operational' before the full audit completes. Each has a regulator dimension.
- Negotiation posture — Indian banks are increasingly aligning with the international 'no ransom' consensus, but the decision is the board's, not the CISO's. RBI does not (today) prohibit payment, but the optics and the customer-trust impact are severe. Document the decision and the rationale for the next audit cycle.
- Backup restore point — restore from a backup taken before the attacker's confirmed foothold, not the last successful backup. The forensic team should confirm the timeline before restore begins.
- Operational-readiness declaration — premature 'all clear' is the most common post-incident regulator finding. The 30-day follow-up audit should confirm the eradication before the bank declares full operational restoration.
Lessons-learned cadence
RBI inspections look for evidence that the bank not only suffered the incident but learned from it. The post-incident review should land within 12 weeks of detection, feed into the next IT/Risk Committee agenda, drive backlog items for the security programme, and be referenced in the next year's RBI CSF self-assessment. Macksofy includes the post-incident review and the regulator-ready briefing pack as standard deliverables on ransomware IR engagements.
The drill cadence that survives RBI inspection
- Phishing simulation — quarterly, with reporting against industry-benchmark click rates (we use the /services/phishing-simulation service for this in client engagements).
- IR tabletop — quarterly, with the executive team (M.D., CISO, CIO, head of operations, head of legal, head of communications).
- Full IR drill — annually, with a live containment scenario in a clone of production.
- Backup-restore drill — quarterly, with a full restore-to-isolated-environment exercise.
- Vendor-incident drill — annually, simulating a supply-chain incident at a shared-services vendor.
How Macksofy helps
Our DFIR practice delivers ransomware IR retainers, ransomware-readiness assessments, and post-incident reviews for Indian banks, NBFCs and insurers. We are CERT-In empanelled, and RBI CSF and IRDAI Information & Cyber Security alignment is a standard output. See /services/dfir for the retainer scope, /resources/ransomware-ir-runbook-india for the operational runbook we publish openly, and /services/phishing-simulation for the prevention-pillar service.
