- 26 June, 2026
Ransomware attacks on Indian enterprises have increased 300% since 2023. Manufacturing, BFSI, healthcare, and IT/ITES are the most targeted sectors. The average recovery cost for an Indian mid-size enterprise is ₹3-8 crore, including downtime, forensic investigation, regulatory penalties, and reputational damage.
This playbook covers the critical first 60 minutes of a ransomware incident. It’s designed for Indian IT teams and MSSPs — practical, actionable, and adapted for the specific regulatory and operational environment of Indian businesses.
Prerequisites: Before the Incident
This playbook assumes you have the following in place. If you don’t, your first 60 minutes will be significantly harder:
- ✅ Network segmentation — at minimum, separate VLANs for corporate, production, IoT, and guest traffic, with firewall policy enforced between them (a VLAN with unrestricted inter-VLAN routing is not a containment boundary)
- ✅ Immutable backups — backups stored on write-once media or in an isolated backup domain that production domain-admin credentials cannot reach, with restores tested monthly
- ✅ Centralised logging — SIEM or log management capturing firewall, EDR, AD, and switch logs with 180-day retention (the rolling 180-day log retention required by the CERT-In directions of April 2022)
- ✅ Documented asset inventory — IP, hostname, VLAN, owner, and criticality for every device
- ✅ Incident response team roster — 3-5 named individuals with defined roles and after-hours contact details
- ✅ Cyber insurance with IR retainer — current policy with a 24/7 breach response hotline
The 60-Minute Timeline
T+0 to T+5 — Detection and Verification
Actions:
- Verify the alert from an isolated admin workstation. Do NOT log into any system from within the potentially affected network segment, and do not use privileged domain credentials on a host you have not yet cleared: an interactive logon leaves credential material on that host for the attacker to harvest.
- Confirm ransomware indicators: mass file rename events, encryption extension patterns, ransom note files dropped across shares, EDR alerts for ransomware behaviour.
- Check your SIEM/SOAR for scope: how many endpoints are affected? Is the domain controller showing unusual authentication patterns? Are there large outbound data transfers?
- Open an incident ticket with a dedicated Slack/Teams channel for the response team.
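The indicators in the list above, turned into detection logic as an added example (this is not part of the original playbook or of any P J Networks or PrahiX tooling): it reads endpoint file events in an assumed key=value layout, counts extension-changing renames per host in a sliding 60-second window, looks for ransom-note file names dropped across several folders, and tells a real encryption burst apart from a benign bulk rename. The hostnames, user names, thresholds and the sample events are constructed for the example.

```python
"""Flag hosts whose file activity matches ransomware behaviour (added example).

Works over endpoint file-event records in a constructed key=value layout;
in production the same logic would consume Sysmon Event ID 11/23, Windows
4663 file-audit events or EDR telemetry.  Thresholds are assumed values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # sliding window for the rename burst
RENAME_THRESHOLD = 20            # extension-changing renames per window (assumed tuning)
NOTE_DIR_THRESHOLD = 2           # ransom notes dropped in at least this many folders

# Typical ransom-note names: README/RESTORE/RECOVER/DECRYPT/HOW_TO..., as .txt/.hta/.html
RANSOM_NOTE_RE = re.compile(
    r"^(readme|restore|recover|decrypt|how[_ -]?to)[^/]*\.(txt|hta|html?)$", re.I)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """'<ISO ts> host=X user=Y event=rename path="..." new="..."' -> dict."""
    ts, rest = line.split(" ", 1)
    ev = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def basename(path):
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def dirname(path):
    p = path.replace("\\", "/")
    return p.rsplit("/", 1)[0] if "/" in p else ""


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def peak_window_count(timestamps):
    """Largest number of (sorted) timestamps falling inside any WINDOW-long interval."""
    peak = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyse(lines):
    """Return {host: finding} for every host whose activity trips a rule."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    renames = defaultdict(list)   # host -> [(ts, new extension)], extension-changing only
    note_dirs = defaultdict(set)  # host -> {folder a ransom note was written to}
    for e in events:
        if e["event"] == "rename" and extension(e["path"]) != extension(e["new"]):
            renames[e["host"]].append((e["ts"], extension(e["new"])))
        elif e["event"] == "create" and RANSOM_NOTE_RE.match(basename(e["path"])):
            note_dirs[e["host"]].add(dirname(e["path"]))
    findings = {}
    for host in set(renames) | set(note_dirs):
        burst = peak_window_count([ts for ts, _ in renames[host]])
        top_ext, top_n = (Counter(x for _, x in renames[host]).most_common(1) or [("", 0)])[0]
        uniform = top_n > 0 and top_n == len(renames[host])   # one new extension everywhere
        mass_rename = burst >= RENAME_THRESHOLD
        notes = len(note_dirs[host]) >= NOTE_DIR_THRESHOLD
        if mass_rename or notes:
            findings[host] = {
                "peak_renames_per_window": burst,
                "dominant_new_extension": top_ext,
                "uniform_extension": uniform,
                "ransom_note_dirs": sorted(note_dirs[host]),
                # a burst plus either notes or one appended extension is the classic signature
                "verdict": "ransomware" if mass_rename and (notes or uniform) else "investigate",
            }
    return findings


def build_sample():
    """Constructed telemetry (not from a real incident): one infected host, two benign ones."""
    t0 = datetime(2026, 6, 26, 9, 14, 0, tzinfo=timezone.utc)
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for i in range(40):   # FIN-WS-17: 40 files get ".lockbit" appended in 40 s, notes in 3 folders
        folder = f"\\\\FS01\\Finance\\Q{i % 3 + 1}"
        lines.append(f'{stamp(i)} host=FIN-WS-17 user=CORP\\asha event=rename '
                     f'path="{folder}\\doc{i}.xlsx" new="{folder}\\doc{i}.xlsx.lockbit"')
        if i % 13 == 0:
            lines.append(f'{stamp(i)} host=FIN-WS-17 user=CORP\\asha event=create '
                         f'path="{folder}\\RESTORE-MY-FILES.txt"')
    for i in range(60):   # MKT-WS-03: 60 photos renamed in a minute, extension unchanged: benign
        lines.append(f'{stamp(i)} host=MKT-WS-03 user=CORP\\ravi event=rename '
                     f'path="C:\\Photos\\IMG_{i}.jpg" new="C:\\Photos\\launch_{i}.jpg"')
    for i in range(5):    # DEV-WS-09: five logs gzipped, extension changes but far below the burst
        lines.append(f'{stamp(i * 10)} host=DEV-WS-09 user=CORP\\meera event=rename '
                     f'path="C:\\logs\\app{i}.log" new="C:\\logs\\app{i}.log.gz"')
    return lines


if __name__ == "__main__":
    for host, finding in analyse(build_sample()).items():
        print(host, finding)
```

Only FIN-WS-17 is reported: the marketing workstation renames sixty files in a minute but never changes an extension, and the developer's five gzip renames sit far below the burst threshold. In a SIEM the same rule should key on the account as well as the host, because an encryptor running under a service account against a file server shows up as one host touching every share.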
FortiGate/SOAR automation (if using PrahiX Ora or FortiSOAR):
- Automatically disable the affected user’s AD account
- Block the affected endpoint’s MAC at the switch port level (if SNMP access is configured)
- Block known ransomware C2 domains/IPs from the FortiGuard threat feed
- Send a broadcast alert to all security team members
T+5 to T+15 — Containment
Network containment:
- Block inter-VLAN traffic at the FortiGate from the affected segment to all other segments, using a deny policy placed above the existing allow rules so it takes precedence. This playbook deliberately leaves internet egress open for the affected segment (the rationale being that stalled C2 traffic can leave files half-encrypted and unrecoverable), but the same path also carries exfiltration: block the C2 indicators you have already identified, log and rate-limit all outbound traffic from the segment, and cut egress as soon as encryption activity has stopped.
- Disable switch ports connected to confirmed infected endpoints.
- If the domain controller is in the affected segment or shows signs of compromise: isolate the DC and reset the KRBTGT password twice, allowing time for replication between the two resets, to invalidate forged Kerberos tickets (the KRBTGT account is disabled by design, so "disabling" it achieves nothing; the password reset is what matters). Prepare for a full domain recovery scenario.
Backup verification:
- Check backup infrastructure from an isolated management station. Confirm that the most recent clean backup (pre-encryption) is intact and restorable.
- If backups are stored on the same network as affected systems: assume they are compromised. If they’re immutable/air-gapped and separate from the affected domain: you have a recovery path.
- Document the timestamp of the last known-good backup.
T+15 to T+30 — Triage and Assessment
Determine the variant:
- Submit a sample (the ransom note and 2-3 encrypted files) to NoMoreRansom.org's Crypto Sheriff or to VirusTotal and identify the ransomware family. Anything uploaded to VirusTotal becomes visible to other subscribers, and ransom notes usually carry your company name and negotiation portal, so clear the upload with legal and the IR team first.
- Check for known decryption tools. LockBit (after the Operation Cronos takedown in 2024), BlackCat/ALPHV (an FBI tool, December 2023) and early Akira builds (a vendor-released decryptor from Avast, 2023) have had decryptors published; most current variants have none, so treat a decryptor as a bonus rather than the recovery plan.
- Check for data exfiltration. Review firewall logs for unusual outbound traffic volumes from the affected segment in at least the 24-72 hours before encryption started, and widen the window if the intrusion turns out to be older. Compare each host's outbound bytes against its own baseline rather than an absolute figure, and look for off-hours transfers to destinations you do not recognise.
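The exfiltration check, as an added example that is not from the original page: it parses FortiGate-style forward-traffic log lines (the real field names srcip, dstip, dstport, action and sentbyte), sums outbound bytes per internal host in the 72 hours before the encryption timestamp and compares that with the host's own baseline from the preceding week, so a backup server that always pushes gigabytes is not flagged while a workstation that suddenly does is. The device name, IP addresses, volumes and the log lines themselves are constructed; the 5x ratio and 1 GiB floor are assumed tuning values.

```python
"""Find hosts whose outbound volume spiked before encryption (added example).

Parses FortiGate-style forward-traffic logs (key=value syslog lines with
srcip/dstip/dstport/action/sentbyte) and compares each internal host's
outbound bytes in the 72 hours before encryption with its own baseline
from the preceding 7 days.  The sample logs are constructed, not real.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Documentation ranges (198.51.100.0/24, 203.0.113.0/24) stand in for public
# addresses in the sample; ipaddress.is_private would call them private, so
# "internal" is tested against RFC 1918 explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCRYPTION_START = datetime(2026, 6, 26, 9, 14, tzinfo=timezone.utc)   # assumed T+0


def parse_fgt(line):
    """One FortiGate traffic log line -> dict with a UTC timestamp and int sentbyte."""
    ev = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ev["sentbyte"] = int(ev.get("sentbyte", 0))
    return ev


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def is_outbound(ev):
    """Accepted flow from an RFC 1918 source to a non-RFC 1918 destination."""
    return ev.get("action") == "accept" and is_internal(ev["srcip"]) and not is_internal(ev["dstip"])


def exfil_candidates(lines, encryption_start, lookback_hours=72, baseline_days=7,
                     ratio=5.0, min_bytes=1 << 30):
    """Hosts whose outbound rate in the lookback window is >= ratio x their baseline
    rate (or who have no baseline at all) and who sent at least min_bytes."""
    window_start = encryption_start - timedelta(hours=lookback_hours)
    baseline_start = window_start - timedelta(days=baseline_days)
    window_bytes, baseline_bytes = defaultdict(int), defaultdict(int)
    window_dst = defaultdict(Counter)           # srcip -> Counter{"dstip:dport": bytes}
    for ev in (parse_fgt(l) for l in lines if l.strip()):
        if not is_outbound(ev):
            continue
        if window_start <= ev["ts"] < encryption_start:
            window_bytes[ev["srcip"]] += ev["sentbyte"]
            window_dst[ev["srcip"]][f'{ev["dstip"]}:{ev["dstport"]}'] += ev["sentbyte"]
        elif baseline_start <= ev["ts"] < window_start:
            baseline_bytes[ev["srcip"]] += ev["sentbyte"]
    results = []
    for src, total in window_bytes.items():
        base_rate = baseline_bytes[src] / (baseline_days * 24)
        win_rate = total / lookback_hours
        score = win_rate / base_rate if base_rate else float("inf")   # no history: always suspicious
        if total >= min_bytes and score >= ratio:
            results.append({
                "srcip": src,
                "window_bytes": total,
                "baseline_bytes_per_hour": base_rate,
                "ratio": score,
                "top_destinations": window_dst[src].most_common(3),
            })
    return sorted(results, key=lambda r: -r["window_bytes"])


def _flow(ts, src, dst, dport, sent):
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} devname="FG-HQ" type="traffic" '
            f'subtype="forward" srcip={src} srcport=51234 srcintf="vlan20-corp" dstip={dst} '
            f'dstport={dport} dstintf="wan1" service="HTTPS" action="accept" '
            f'sentbyte={sent} rcvdbyte=24000')


def build_sample(encryption_start):
    """Constructed ten days of traffic logs ending at encryption_start (not real data)."""
    lines, start = [], encryption_start - timedelta(days=10)
    for h in range(10 * 24):
        ts = start + timedelta(hours=h)
        # backup server pushes ~2 GB every hour to its cloud target: large but steady
        lines.append(_flow(ts, "10.20.9.5", "198.51.100.20", 443, 2_000_000_000))
        if 9 <= ts.hour < 18:   # workstations: ~20 MB/hour of SaaS traffic in office hours
            for src in ("10.20.5.17", "10.20.5.30"):
                lines.append(_flow(ts, src, "198.51.100.10", 443, 20_000_000))
    # FIN-WS-17 pushes 4.5 GB to an unknown host at 01:00-04:00, two days before encryption
    for h in (1, 2, 3):
        ts = (encryption_start - timedelta(days=2)).replace(hour=h, minute=13, second=5)
        lines.append(_flow(ts, "10.20.5.17", "203.0.113.45", 443, 1_500_000_000))
    return lines


if __name__ == "__main__":
    for c in exfil_candidates(build_sample(ENCRYPTION_START), ENCRYPTION_START):
        print(c["srcip"], f'{c["window_bytes"] / 1e9:.2f} GB', f'x{c["ratio"]:.1f}', c["top_destinations"])
```

Run as a script it prints only 10.20.5.17, with 203.0.113.45:443 as the top destination; the backup server moved far more data but at its usual rate. To use it on real data, replace build_sample() with the traffic log lines exported from FortiAnalyzer or the SIEM, and widen lookback_hours once the forensic timeline shows when initial access actually happened.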
Determine the scope:
- Enumerate all encrypted shares, databases, and endpoints from your monitoring tools.
- Classify affected assets by criticality: production (Tier 1), business operations (Tier 2), administrative (Tier 3).
- Determine if the ransomware has spread beyond the initial segment. This tells you if your containment was effective.
T+30 to T+45 — Communication
Internal escalation:
- CISO/IT Head: Full briefing with scope, variant (if identified), containment status, and backup status.
- CEO/MD: “We have a confirmed ransomware incident affecting [systems]. Containment is in progress. Our backups are [intact/compromised]. Estimated recovery timeline: [X hours/days]. We will update you in 60 minutes.”
- Legal counsel: Brief on DPDP Act obligations. A confirmed ransomware incident is reportable to CERT-In within six hours of noticing it under the April 2022 directions, whether or not any data left the network. If data exfiltration is confirmed, the DPDP breach-notification obligation also applies and the 72-hour clock for the detailed notification to the Data Protection Board has started.
- Cyber insurance: Notify the 24/7 hotline. Request IR firm assignment if included in your policy.
External (prepare, don’t send):
- Prepare a holding statement for customers/partners if the incident affects external-facing systems.
- Do NOT communicate with the attacker or visit any ransom payment portal without legal and IR team guidance. Paying the ransom is a decision that should involve the board, legal counsel, and law enforcement.
T+45 to T+60 — Recovery Planning
If backups are intact:
- Preserve forensic evidence first: capture memory dumps, logs, and disk images from affected systems before any recovery step alters them. This evidence may be needed for insurance claims, legal proceedings, or law enforcement investigation.
- Stand up a clean, isolated restoration environment — separate VLAN, separate admin credentials, no network connectivity to production or affected systems.
- Restore Tier 1 systems first (ERP, production management, core applications). Restore from a point before the earliest evidence of intrusion, not merely before encryption: the attacker's access usually predates encryption by days, and a backup that already contains their persistence will reinfect the clean environment. Validate data integrity after restoration.
- Estimated restoration time for a 50-200 server environment: 24-72 hours with a dedicated team and clean infrastructure.
If backups are compromised:
- This is the worst-case scenario. Your options are limited to: (a) negotiate with the attacker via a professional ransomware negotiation firm, or (b) rebuild infrastructure from scratch using clean OS images and data from offline archives. In either case, report to CERT-In and to law enforcement (the local cyber crime cell, or the National Cyber Crime Reporting Portal at cybercrime.gov.in); CERT-In is the national incident response agency, not a substitute for a police complaint.
- Do NOT pay the ransom without professional negotiation support. Industry figures cited by negotiation firms suggest that organisations using professional negotiators pay 40-60% less than those who negotiate independently, and are more likely to receive a working decryptor.
- Engage CERT-In (incident@cert-in.org.in or 1800-11-4949) for notification and guidance.
Post-Incident (Days 1-30)
After the immediate crisis is contained, the following steps are critical for compliance, insurance, and prevention:
- DPDP Act notification: If personal data was exfiltrated, file the breach notification with the Data Protection Board of India within 72 hours of confirmation, and notify each affected individual as the Act requires.
- Forensic report: Commission a forensic investigation to determine the initial access vector (phishing? unpatched vulnerability? compromised credentials?). Without this, you can’t prevent the same attack from recurring.
- CERT-In reporting: The initial report to CERT-In is due within six hours of noticing the incident under the April 2022 directions (ransomware is one of the incident types listed explicitly); what belongs in this window is the follow-up detail and the final incident report.
- Lessons learned: Conduct a formal post-mortem within 14 days. Document what worked, what didn’t, and what process/technology changes are needed.
- Improvements: Implement the findings — network segmentation, MFA rollout, backup architecture changes, IR plan updates.
Download the Response Checklist
We’ve created a one-page PDF checklist of this 60-minute ransomware response timeline for Indian IT teams. Contact us to receive a copy, or ask about our ransomware readiness assessment — we’ll audit your current response capability, backup architecture, and network segmentation against this playbook.
P J Networks is a leading Indian MSSP with 24/7 SOC/NOC services and ransomware incident response expertise. We support clients across manufacturing, BFSI, healthcare, and government sectors.