2:47 AM — the page
A Chennai-based NBFC (we'll call them "LoanCo") had Bachao.AI on a retainer for 8 months when the incident page came through. Their CTO called the IR hotline at 2:51 AM: "Three of our application servers are showing ransom notes."
Bachao.AI's named incident commander was on the call by 2:53 AM. War-room Slack channel opened by 2:57 AM.
LoanCo's profile:
- 380 employees, 60,000 active borrowers
- AWS-hosted core lending platform
- 24/7 operations (collections, customer service, disbursements)
- RBI-regulated, CERT-In notification obligations applicable
- 8-month Bachao.AI IR retainer in place
3:00 AM — Initial assessment
Joint call with LoanCo CTO + Bachao IR commander:
- 3 application servers showing ransom notes (LockBit variant per the note format)
- Production database not yet affected (separate VPC, different credentials)
- Backups untouched (separate AWS account, S3 with object lock)
- Borrower-facing app showing 50% error rate (the encrypted servers were API consumers)
3:08 – 3:45 AM — Containment
Bachao.AI walked LoanCo's DevOps lead through:
- Network ACL change isolating the 3 encrypted servers from rest of infrastructure
- IAM credential rotation for the affected service accounts (15 keys rotated)
- Production database read-only mode (precautionary, given uncertainty about lateral movement)
- Borrower-facing app failover to backup region (~12 minutes of full-app downtime; degraded mode for 27 minutes)
3:45 – 5:00 AM — Evidence preservation + initial forensics
Bachao.AI forensic team:
- EBS snapshots of all 3 affected servers preserved
- CloudTrail logs for last 30 days exported to a secure analysis environment
- Memory dumps of the affected servers captured before any reboot
- Initial timeline reconstruction began. First findings:
- Initial access: a forgotten Jenkins server with an outdated plugin (CVE-2024-23899) exposed to the internet. The adversary entered 11 hours before encryption was triggered.
- Lateral movement: Jenkins → service account → the 3 application servers. No further lateral movement found.
- Data exfiltration: 8 GB transferred to an external IP over 3 hours; content not yet determined.
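The timeline reconstruction above starts from the exported CloudTrail records: sort every API call by time, find the first use of a service-account key from an address outside the expected internal ranges, and list the keys that need rotating. This is an added illustration, not Bachao.AI's tooling; the events, key IDs, IPs and the `10.` internal prefix are constructed for the example.

```python
"""Reconstruct an intrusion timeline from exported CloudTrail records.

Constructed sample events model the case above: a CI server's long-lived
access key is first used from an unfamiliar IP, then used for discovery
and for reaching other hosts. Field names follow CloudTrail's record
format; every value below is made up for the example.
"""
from datetime import datetime, timezone
import json

# Constructed sample: five records as they would appear in an exported file.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-05-11T15:30:00Z","eventName":"GetCallerIdentity",
  "sourceIPAddress":"203.0.113.77",
  "userIdentity":{"type":"IAMUser","userName":"jenkins-deploy","accessKeyId":"AKIAEXAMPLE0001"}},
 {"eventTime":"2024-05-11T15:32:10Z","eventName":"DescribeInstances",
  "sourceIPAddress":"203.0.113.77",
  "userIdentity":{"type":"IAMUser","userName":"jenkins-deploy","accessKeyId":"AKIAEXAMPLE0001"}},
 {"eventTime":"2024-05-12T02:10:00Z","eventName":"SendCommand",
  "sourceIPAddress":"203.0.113.77",
  "userIdentity":{"type":"IAMUser","userName":"jenkins-deploy","accessKeyId":"AKIAEXAMPLE0001"}},
 {"eventTime":"2024-05-11T09:00:00Z","eventName":"PutObject",
  "sourceIPAddress":"10.0.4.12",
  "userIdentity":{"type":"IAMUser","userName":"jenkins-deploy","accessKeyId":"AKIAEXAMPLE0001"}},
 {"eventTime":"2024-05-11T10:00:00Z","eventName":"ListBuckets",
  "sourceIPAddress":"10.0.4.12",
  "userIdentity":{"type":"IAMUser","userName":"backup-svc","accessKeyId":"AKIAEXAMPLE0002"}}
]""")

# Assumption: service-account keys are only ever used from these internal prefixes.
KNOWN_PREFIXES = ("10.",)

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def reconstruct(events, known_prefixes=KNOWN_PREFIXES):
    """Return (timeline, keys_to_rotate, first_foreign_use).
    timeline: all calls as (time, access key, source IP, event) in time order
    keys_to_rotate: keys seen from any IP outside the known prefixes
    first_foreign_use: earliest such call (initial-access candidate) or None
    """
    rows = sorted((parse_time(e["eventTime"]), e["userIdentity"].get("accessKeyId", ""),
                   e["sourceIPAddress"], e["eventName"]) for e in events)
    suspect = [r for r in rows if not r[2].startswith(known_prefixes)]
    keys = sorted({r[1] for r in suspect})
    return rows, keys, (suspect[0] if suspect else None)

def dwell_hours(events, detonation):
    """Hours between the first foreign use of any key and the encryption event."""
    _, _, first = reconstruct(events)
    return (parse_time(detonation) - first[0]).total_seconds() / 3600 if first else None
```

Run against a real export, the same two functions give the rotation list for the containment step and the dwell figure for the regulator's incident narrative.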
5:00 – 6:51 AM — Regulatory notification
By 5:30 AM, the CERT-In notification was drafted. Submitted at 6:51 AM (4 hours 4 minutes after the page, well within the 6-hour requirement).
In parallel: the RBI master direction on cyber incidents requires reporting via the nodal officer; LoanCo's compliance head was briefed and ready to file the RBI notification by morning IST.
6:51 AM — End of acute phase
What was achieved in the first 4 hours:
- Attack contained
- No ransom paid
- No customer data lost (production DB never touched)
- ~39 minutes total customer-impacting downtime
- Evidence preserved for criminal investigation
- CERT-In Rule 3 notification filed inside 4 hours
- Communication plan ready for board + customers
Day 1–14 — Investigation and remediation
Day 1–3: Forensic analysis confirmed:
- The 8 GB exfiltrated was internal application code + 2 contractor laptops' staging data. No production borrower data.
- Adversary had been inside the Jenkins server for 11 days before encrypting (long dwell time used for reconnaissance)
- Persistence mechanism: a cron entry on the Jenkins server (now removed)
Remediation and follow-up:
- Jenkins server decommissioned (CI/CD moved to GitHub Actions)
- All Jenkins-issued tokens rotated
- New WAF rules deployed for CI/CD endpoints
- EDR coverage extended to legacy infrastructure (from which Jenkins had been excluded)
- DPB India notification filed as a precaution (no personal data confirmed exfiltrated, but legal opted for transparency)
- Post-incident review with LoanCo board
- Root cause document published internally
- Updated IR runbook reflecting actual response timing
- Communication to LoanCo's customer base (transparent disclosure)
What it cost
| Line item | Cost |
|---|---|
| Bachao.AI IR retainer (monthly) | ₹1.5L × 8 months = ₹12L |
| Incident-specific work (4-hour response + 14-day investigation) | ₹8L additional |
| LoanCo internal time (CTO, CISO, DevOps team, legal) | ~₹6L opportunity cost |
| Hardware/license: replacement CI/CD infrastructure | ~₹4L |
| Total Year-1 IR + incident | ₹30L |
What LoanCo's CTO said
"We had been paying the retainer for 8 months and never used it. Then for 4 hours one night, it was the most valuable money we'd ever spent. The difference between an emergency engagement and a retainer is the difference between explaining your AWS architecture at 3 AM and having a partner who already knows it. We renewed for 2 more years on the spot."
Pattern this engagement followed
This shape of incident is common at Indian NBFCs and fintechs:
- Legacy or forgotten infrastructure as the initial access vector
- Adversary dwell time of days/weeks before detonation
- Regulatory reporting compressed into the response window
- Operational continuity as critical as forensic accuracy