
Ransomware Incident Response Runbook · India 2026
First 72 hours of a ransomware incident in India — containment, evidence preservation, CERT-In reporting and the negotiation question.
Ransomware is the single most-likely existential cyber event for Indian mid-size and large enterprises in 2026. This runbook documents the first 72 hours — what to do, what to preserve, what to report, and the decisions that have to be made by the right people in the right order. It is calibrated to Indian regulators (CERT-In, RBI, SEBI, IRDAI) and to operational realities. Macksofy DFIR has run this playbook on live engagements across BFSI, manufacturing and healthcare.
Hour 0–1 — Detection + initial triage
- Confirm scope: how many endpoints / servers / domains are showing encryption activity?
- Identify the ransomware family (note file extension, ransom note filename, leak site banner)
- Activate Incident Command — name CISO / IT-Ops Lead / Legal / Comms / Macksofy DFIR retainer
- Cut external network connectivity to affected segments — preserve forensics, halt exfil
- Do NOT shut down systems — RAM contains keys; preserve as-is for forensics
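The scope question above, and the patient-zero question in the Hour 6–24 list, are both answered from the same data: a file inventory pulled from EDR or file-server audit logs. The following script is an added illustration, not Macksofy's tooling; the hostnames, the `.lockd` extension and the note filename are constructed placeholders and do not correspond to any real ransomware family. It infers the appended extension from the most common double-extension pattern, lists hosts that hold encrypted files or a ransom note, and names the host with the earliest encrypted file as the patient-zero candidate.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed inventory export (EDR / file-server audit style). Hostnames, the
# ".lockd" extension and the note filename are placeholders invented for this
# example; they are not indicators of any real ransomware family.
INVENTORY = [
    {"host": "FS01",   "path": r"D:\shares\finance\q3-close.xlsx.lockd",    "mtime": "2026-02-03T02:14:09Z"},
    {"host": "FS01",   "path": r"D:\shares\finance\HOW_TO_RECOVER.txt",     "mtime": "2026-02-03T02:14:10Z"},
    {"host": "FS01",   "path": r"D:\shares\backup\site.tar.gz",             "mtime": "2026-01-20T23:00:00Z"},
    {"host": "WS-117", "path": r"C:\Users\anil\Documents\tender.docx.lockd", "mtime": "2026-02-03T01:58:41Z"},
    {"host": "WS-117", "path": r"C:\Users\anil\Desktop\HOW_TO_RECOVER.txt",  "mtime": "2026-02-03T01:58:42Z"},
    {"host": "DC01",   "path": r"C:\Windows\NTDS\ntds.dit",                  "mtime": "2026-02-02T10:00:00Z"},
    {"host": "WS-204", "path": r"C:\Users\meera\Desktop\photo.jpg.lockd",    "mtime": "2026-02-03T02:40:12Z"},
]

NOTE_HINTS = ("readme", "recover", "decrypt", "how_to", "restore")
NOTE_SUFFIXES = (".txt", ".hta", ".html")
BENIGN_DOUBLE_EXT = {".gz", ".bz2", ".xz", ".bak", ".zip"}   # legitimate second extensions


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_ransom_note(path):
    name = basename(path).lower()
    return name.endswith(NOTE_SUFFIXES) and any(h in name for h in NOTE_HINTS)


def appended_extension(path):
    """Trailing extension of a double-extension name ('.lockd' for 'q3.xlsx.lockd'),
    ignoring common benign pairs such as '.tar.gz'."""
    parts = basename(path).lower().split(".")
    if len(parts) < 3:
        return None
    ext = "." + parts[-1]
    return None if ext in BENIGN_DOUBLE_EXT else ext


def triage(records):
    """Scope summary: affected hosts, dominant appended extension, ransom-note
    filenames, and the host whose earliest encrypted file is oldest (patient-zero candidate)."""
    ext_counter = Counter(e for e in (appended_extension(r["path"]) for r in records) if e)
    if not ext_counter:
        return {"hosts": [], "extension": None, "notes": [], "patient_zero": None, "first_seen": None}
    extension = ext_counter.most_common(1)[0][0]

    affected, earliest, notes = set(), {}, set()
    for r in records:
        ts = datetime.strptime(r["mtime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if is_ransom_note(r["path"]):
            affected.add(r["host"])
            notes.add(basename(r["path"]))
        elif appended_extension(r["path"]) == extension:
            affected.add(r["host"])
            if r["host"] not in earliest or ts < earliest[r["host"]]:
                earliest[r["host"]] = ts
    patient_zero = min(earliest, key=earliest.get) if earliest else None
    return {"hosts": sorted(affected), "extension": extension, "notes": sorted(notes),
            "patient_zero": patient_zero,
            "first_seen": earliest[patient_zero].isoformat() if patient_zero else None}


if __name__ == "__main__":
    print(triage(INVENTORY))
```

The earliest encrypted mtime is only a proxy for patient zero; the ransom note itself, the oldest persistence indicator and the initial-access vector still have to be confirmed from host forensics in Hour 6–24.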
Hour 1–6 — Containment + reporting clock starts
- VLAN-level isolation of affected segments (faster than per-host)
- Disable the AD accounts that were active on affected hosts before encryption, to prevent lateral spread
- Snapshot all VMs — encrypted state is still valuable as evidence
- Begin memory capture from non-encrypted hosts (winpmem / DumpIt / LiME)
- Identify and isolate Domain Controllers — DC compromise is the most-likely scenario
- Start CERT-In reporting workflow — 6-hour window for cyber incidents per the 2022 directive
Per CERT-In's April 2022 Cyber Security Directions, reportable cyber incidents (a category that includes ransomware attacks) must be reported within 6 hours of noticing the incident. Filing happens through the prescribed form on incident.cert-in.org.in. Parallel sector-specific reporting timelines from RBI, SEBI and IRDAI (typically 2-6 hours) apply in addition.
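The reporting clock runs from the moment the incident was noticed, and that timestamp usually arrives in mixed forms: a SIEM alert in UTC, a helpdesk ticket in local time with no offset. The snippet below is an added example, not Macksofy's or CERT-In's tooling. It treats offset-less stamps as IST (a labelled assumption), so that local time is never silently read as UTC, which would move the computed deadline by 5.5 hours, and ranks the CERT-In window together with any sectoral windows the organisation configures (the sectoral figure in the test is a placeholder, not a specific regulator's rule).

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
CERT_IN_WINDOW = timedelta(hours=6)   # CERT-In Directions of April 2022: 6 hours from noticing


def parse_stamp(stamp, assume_tz=IST):
    """Accept an ISO-8601 stamp. A stamp with no offset (helpdesk ticket, analyst
    note) is assumed to be IST; the assumption is explicit here rather than the
    common mistake of treating local time as UTC, which shifts the deadline by 5.5 h."""
    dt = datetime.fromisoformat(stamp)
    return dt.replace(tzinfo=assume_tz) if dt.tzinfo is None else dt


def reporting_clock(noticed_stamp, now_stamp, sectoral_hours=None):
    """Deadlines in IST with minutes remaining, most urgent first.
    sectoral_hours: optional {regulator: hours} mapping for the sector's own window."""
    noticed, now = parse_stamp(noticed_stamp), parse_stamp(now_stamp)
    windows = {"CERT-In": CERT_IN_WINDOW}
    for regulator, hours in (sectoral_hours or {}).items():
        windows[regulator] = timedelta(hours=hours)
    rows = []
    for regulator, window in windows.items():
        deadline = noticed + window
        minutes_left = int((deadline - now).total_seconds() // 60)
        rows.append({
            "regulator": regulator,
            "deadline_ist": deadline.astimezone(IST).strftime("%Y-%m-%d %H:%M IST"),
            "minutes_left": minutes_left,
            "status": "OVERDUE" if minutes_left < 0 else "open",
        })
    return sorted(rows, key=lambda r: r["minutes_left"])


if __name__ == "__main__":
    # Constructed timestamps: SIEM alert in UTC equals 02:30 IST on the same night.
    for row in reporting_clock("2026-02-02T21:00:00+00:00", "2026-02-03 05:00:00",
                               {"Sectoral regulator (placeholder)": 2}):
        print(row)
```

Record the "noticed" timestamp and its source in the incident log at the same time; the deadline is only defensible if the start of the clock is.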
Hour 6–24 — Forensic preservation + scope expansion
- Memory captures from every still-running endpoint of interest (priority: DCs, file servers, jump hosts)
- Disk imaging from selected hosts using FTK Imager / dd / dcfldd with hash verification
- Identify patient-zero — first encrypted host, oldest persistence indicator
- Map the attack chain backwards: encryption → privilege escalation → lateral movement → initial access
- Engage external counsel + cyber insurance carrier (if covered)
- Decide on negotiator engagement — see decision framework below
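"With hash verification" is the part of disk imaging that holds up later, so here is the step spelled out in code. This is an added example and not Macksofy's procedure or the output of FTK Imager, dd or dcfldd; in production the source would be a block device behind a write blocker, and this script instead images a constructed 3 MiB file in a temporary directory. It hashes the source bytes as they are streamed, keeps dcfldd-style per-window digests so a later mismatch can be localised, re-hashes the written image, writes a `.sha256` sidecar, and returns a record for the chain-of-custody log.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4 * 1024 * 1024        # read/write block size (4 MiB)
HASH_WINDOW = 16 * BLOCK       # per-region digest every 64 MiB (keep it a multiple of BLOCK)


def file_sha256(path, block=BLOCK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(src_path, img_path, block=BLOCK, hash_window=HASH_WINDOW):
    """Stream src_path into img_path, hashing the source as it is read; then re-read
    the written image, confirm it hashes identically, write a .sha256 sidecar and
    return an evidence record for the chain-of-custody log."""
    src_hash, total = hashlib.sha256(), 0
    windows, win_hash, win_bytes = [], hashlib.sha256(), 0
    started = datetime.now(timezone.utc)
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            dst.write(chunk)
            src_hash.update(chunk)
            total += len(chunk)
            # per-window digests localise a later mismatch to one region of the image
            win_hash.update(chunk)
            win_bytes += len(chunk)
            if win_bytes >= hash_window:
                windows.append(win_hash.hexdigest())
                win_hash, win_bytes = hashlib.sha256(), 0
        dst.flush()
        os.fsync(dst.fileno())
    if win_bytes:
        windows.append(win_hash.hexdigest())
    image_digest = file_sha256(img_path, block)
    with open(img_path + ".sha256", "w") as f:
        f.write(f"{src_hash.hexdigest()}  {os.path.basename(img_path)}\n")
    return {
        "source": src_path, "image": img_path, "bytes": total,
        "source_sha256": src_hash.hexdigest(), "image_sha256": image_digest,
        "verified": image_digest == src_hash.hexdigest(),
        "window_sha256": windows,
        "started_utc": started.isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(img_path):
    """Re-verify an image against its sidecar, e.g. before handing it to analysis."""
    with open(img_path + ".sha256") as f:
        expected = f.read().split()[0]
    return file_sha256(img_path) == expected


def run_demo():
    """Constructed sample: a 3 MiB pseudo-device imaged with small block/window sizes
    so several hash windows are exercised; a tampered copy then fails re-verification."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")                       # stands in for /dev/sdb
        with open(src, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024))
        img = os.path.join(tmp, "evidence-001.dd")
        record = image_and_verify(src, img, block=256 * 1024, hash_window=1024 * 1024)
        clean = verify_image(img)
        with open(img, "r+b") as f:                          # flip one byte: a corrupted copy
            f.seek(1024)
            b = f.read(1)
            f.seek(1024)
            f.write(bytes([b[0] ^ 0xFF]))
        return {"bytes": record["bytes"], "verified": record["verified"],
                "windows": len(record["window_sha256"]), "clean": clean,
                "tampered_ok": verify_image(img)}


if __name__ == "__main__":
    print(run_demo())
```

Keep the sidecar and the returned record with the image; every later copy of the image is verified against the same digest, and the window digests tell you which region differs when it does not.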
Hour 24–72 — Eradication + recovery sequencing
| Asset class | Recovery action | Validate before reconnect |
|---|---|---|
| Domain Controller | Restore from offline backup OR rebuild from media | Tier-0 hygiene + golden-ticket check |
| File servers | Restore from backup with malware-free validation | YARA scan against active ransomware family |
| Endpoints | Wipe and re-image | EDR baseline before joining domain |
| Email gateway | Reset; identify whether it was the initial-access vector | Anti-phishing + DMARC tightening |
| VPN / RDP gateway | Reset credentials, MFA enforcement | Conditional Access + geo-block |
| Backups | Validate integrity offline before any restore | Tabletop-test restore on isolated VLAN |
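The "golden-ticket check" in the Domain Controller row can start with a cheap screen over cached Kerberos tickets collected from Tier-0 hosts. The script below is an added example, not Macksofy's check; the realm, hosts and principals are constructed placeholders, and the policy limits are the Active Directory defaults (10-hour ticket lifetime, 7-day renewal), which you would replace with the domain's actual values. It flags tickets a policy-bound KDC would not have issued: lifetimes or renewal windows beyond policy, and RC4 tickets in a domain that issues AES tickets.

```python
from datetime import datetime, timedelta

# Assumed domain policy: AD defaults for "Maximum lifetime for user ticket" (10 h)
# and "Maximum lifetime for user ticket renewal" (7 days). Replace with your domain's values.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)

# Constructed ticket records, in the shape of a normalised export of cached Kerberos
# tickets from Tier-0 hosts. Realm, hosts and principals are placeholders.
TICKETS = [
    {"host": "DC01", "client": "svc-backup@CORP.EXAMPLE", "service": "krbtgt/CORP.EXAMPLE",
     "start": "2026-02-03 01:10:00", "end": "2026-02-03 11:10:00",
     "renew_until": "2026-02-10 01:10:00", "etype": "AES256-CTS-HMAC-SHA1-96"},
    {"host": "JUMP01", "client": "administrator@CORP.EXAMPLE", "service": "krbtgt/CORP.EXAMPLE",
     "start": "2026-02-02 23:00:00", "end": "2036-01-31 23:00:00",
     "renew_until": "2036-01-31 23:00:00", "etype": "RC4-HMAC"},
    {"host": "FS01", "client": "meera@CORP.EXAMPLE", "service": "cifs/fs01.corp.example",
     "start": "2026-02-03 08:05:00", "end": "2026-02-03 18:05:00",
     "renew_until": "2026-02-10 08:05:00", "etype": "AES256-CTS-HMAC-SHA1-96"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def suspicious_tickets(tickets, max_lifetime=MAX_TGT_LIFETIME, max_renewal=MAX_RENEWAL, aes_only=True):
    """Flag tickets whose properties a KDC bound by domain policy would not have issued."""
    findings = []
    for t in tickets:
        lifetime = _ts(t["end"]) - _ts(t["start"])
        renewal = _ts(t["renew_until"]) - _ts(t["start"])
        reasons = []
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        if renewal > max_renewal:
            reasons.append(f"renewal window {renewal} exceeds policy maximum {max_renewal}")
        if aes_only and t["etype"].upper().startswith("RC4"):
            reasons.append("RC4 ticket although the domain issues AES tickets")
        if reasons:
            findings.append({
                "host": t["host"], "client": t["client"], "service": t["service"],
                "is_tgt": t["service"].lower().startswith("krbtgt/"),   # forged TGT = golden ticket
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_tickets(TICKETS):
        print(f)
```

A clean result is not proof of absence: a forged ticket can be given policy-conformant values. Treat this as triage input only; the control that actually invalidates forged TGTs is resetting the krbtgt account password twice, spaced so that replication completes, which belongs in the Tier-0 hygiene step before the DC is reconnected.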
The negotiation decision — Macksofy is non-prescriptive but documents the framework
- Is data exfiltration confirmed (leak-site posting or staging activity)? — if yes, restoration alone may not be sufficient
- Is restore-from-backup viable on the timeline business survival demands? — if no, the calculus changes
- Is the threat actor sanctioned (OFAC list or analogous)? — if yes, payment is legally restricted
- What does cyber insurance policy mandate / permit? — read the IR clause
- What does board / external counsel advise as fiduciary position?
- Macksofy does not facilitate ransom payments. We coordinate with negotiator firms (Coveware, Kivu, others) under client direction, and document the IR position for regulators.
Reporting deliverables (post-incident)
- CERT-In incident report (filed within 6 hours; updated as scope evolves)
- Sectoral regulator notification (RBI / SEBI / IRDAI / DPDP Board)
- Cyber insurance carrier claim package
- Board / audit-committee incident-brief deck
- Customer notification (if PII / customer data exposed; DPDP §16 may apply)
- Post-incident review (PIR) with root-cause + control-improvement backlog
Hour-0 of a ransomware event is too late to choose an IR firm. A pre-signed Macksofy DFIR retainer (24×7 SLA, 4-hour activation) means containment is in motion within the CERT-In reporting window, not after.
Macksofy offers full-service engagements that map directly to this resource. Common starting points:
- Digital Forensics & Incident Response (DFIR)
- Malware Analysis & Reverse Engineering
- Cyber Threat Intelligence
