Ransomware readiness for Indian SMBs comes down to one question: can your business recover from a full encryption event within 24 hours without paying a ransom? Most cannot. The 2024 Verizon Data Breach Investigations Report found ransomware involved in 23% of all breaches globally, with small businesses disproportionately targeted because they hold valuable data but invest far less in defences than enterprises. In India, CERT-In processed thousands of ransomware incident reports in the last two years, with manufacturing, healthcare, and financial services among the hardest-hit sectors. This guide gives you 12 prioritized controls, the complete attack lifecycle, a readiness checklist, and India-specific obligations under the CERT-In mandatory reporting directive.
How Ransomware Actually Kills a Business
Before controls, you need to understand the kill chain. Attackers do not simply "hack in and encrypt." They spend days or weeks moving laterally, stealing data first, then detonating encryption as a final act. By the time you see a ransom note, the breach is weeks old.
```mermaid
graph TD
    A["Initial Access<br/>Phishing email or exposed RDP"] -->|"Credential theft or exploit"| B["Foothold<br/>Malware dropped on endpoint"]
    B --> C["Persistence<br/>Scheduled task or registry key set"]
    C --> D["Privilege Escalation<br/>Local admin or domain admin gained"]
    D --> E["Lateral Movement<br/>Spread to servers and backups"]
    E --> F["Data Exfiltration<br/>Sensitive data copied to attacker C2"]
    F --> G["Backup Destruction<br/>VSS copies and NAS backups deleted"]
    G --> H["Encryption<br/>All reachable drives encrypted"]
    H --> I["Ransom Note<br/>Double extortion threat issued"]
    style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style B fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style I fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```

Notice that every stage from A through G is an opportunity to detect and stop the attack before a single file is encrypted; shadow copy deletion at stage G in particular is one of the loudest signals an EDR or SIEM can catch. Most SMBs have no visibility at any of these stages, which is why encryption feels sudden even though the attacker was inside for weeks.
Ransomware Initial Access Vectors: Where Attacks Begin
Understanding how attackers get in tells you where to concentrate your early controls.
```mermaid
xychart-beta
    title "Ransomware Initial Access Vectors (approximate industry distribution)"
    x-axis ["Phishing", "Exposed RDP", "Software Vuln", "Supply Chain", "Stolen Creds", "Other"]
    y-axis "Relative frequency (%)" 0 --> 45
    bar [41, 22, 16, 8, 7, 6]
```

Phishing and exposed Remote Desktop Protocol together account for roughly two-thirds of ransomware entry points in this distribution. Both are preventable with basic controls: an email gateway plus MFA for the first, and simply not exposing RDP to the internet (put it behind a VPN or gateway with MFA) for the second.
The 12 Controls, Prioritized
Controls are ordered by impact-per-rupee. Do the first four before anything else — they break the most common attack paths.
Control 1 — Immutable Offsite Backups with the 3-2-1 Rule
This is the single most important ransomware control because it is your last-resort recovery path. The 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 offsite. The critical addition for ransomware is that one copy must be immutable: write-once storage that the ransomware cannot delete or overwrite even with domain admin rights. Stage E of the kill chain above is "spread to servers and backups", so treat the backup system as a target in its own right: keep the backup server and its storage credentials off the domain, protect the backup console with MFA, and never leave the backup repository mounted as a writable share from production machines.
AWS S3 Object Lock, Azure Immutable Blob Storage, and Google Cloud Storage retention locks all provide this; with S3 Object Lock, use compliance mode, because governance-mode retention can be lifted by a sufficiently privileged account. Tape that is physically removed after writing works too. Test your recovery monthly by restoring to a clean system and checking file hashes against a manifest recorded at backup time. Untested backups are not backups.
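The monthly restore test above is worth automating. The following is an added example, not code from the original page or from any backup vendor: it records a SHA-256 manifest of the backup source and later verifies a restored tree against it, reporting files that are missing, files whose content changed (for example a ledger encrypted in place before the snapshot ran), and files that appeared from nowhere (a ransom note copied into the backup). The directory layout, manifest format and sample files are constructed here so it runs offline; point `build_manifest` at your real source and `verify_restore` at a real restore target to use it.

```python
"""Restore test for Control 1: prove a restored backup matches what was backed up.

Added example, not code from the original page. Directory layout, manifest
format and sample files are constructed so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> dict[str, Path]:
    # Relative paths use '/' so a manifest taken on Windows verifies on Linux and vice versa.
    return {str(p.relative_to(root)).replace(os.sep, "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path) -> dict[str, str]:
    """Record sha256 for every file under root, keyed by relative path.
    Store the manifest with the immutable copy, not on the file server it describes."""
    return {rel: sha256_file(p) for rel, p in _relative_files(root).items()}


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest.

    missing   = in the manifest, absent on disk
    corrupted = present but content differs (e.g. encrypted in place before the snapshot)
    extra     = on disk but not in the manifest (e.g. a ransom note copied into the backup)
    """
    on_disk = _relative_files(restored)
    missing = [rel for rel in manifest if rel not in on_disk]
    corrupted = [rel for rel, p in on_disk.items()
                 if rel in manifest and sha256_file(p) != manifest[rel]]
    extra = [rel for rel in on_disk if rel not in manifest]
    return {"missing": missing, "corrupted": corrupted, "extra": extra}


def restore_passed(result: dict[str, list[str]]) -> bool:
    """A restore passes only when nothing is missing or corrupted; extras are reported, not failed."""
    return not result["missing"] and not result["corrupted"]


def demo() -> tuple[dict, dict]:
    """Constructed scenario: one clean restore, and one where ransomware damage reached
    the backup (a ledger encrypted in place, an invoice file deleted, a ransom note added)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "tally").mkdir(parents=True)
        (src / "tally" / "company.900").write_bytes(b"ledger data " * 100)
        (src / "invoices.csv").write_text("inv,amount\n1,1000\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        good_result = verify_restore(good, manifest)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "tally" / "company.900").write_bytes(b"\x00not the ledger\x00")
        (bad / "invoices.csv").unlink()
        (bad / "HOW_TO_DECRYPT.txt").write_text("pay us")
        bad_result = verify_restore(bad, manifest)
    return good_result, bad_result


if __name__ == "__main__":
    for label, result in zip(("clean restore", "damaged restore"), demo()):
        print(label, "PASS" if restore_passed(result) else "FAIL", result)
```

Run the check from a machine that is not domain-joined, against a restore into an isolated VLAN, and keep the manifest alongside the immutable copy; a manifest that lives on the file server is encrypted with everything else.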
Control 2 — Multi-Factor Authentication on Every External-Facing System
MFA stops a stolen or phished password from becoming a full compromise. Apply it to: email (Microsoft 365, Google Workspace), VPN, cloud consoles (AWS/GCP/Azure), RDP gateways, the backup console, accounting software, and any SaaS holding financial or customer data. Hardware tokens and passkeys (FIDO2) are strongest because the credential is bound to the site origin, which defeats real-time phishing proxies that relay the login page; TOTP apps (Google Authenticator, Authy) are acceptable but can be relayed by the same proxies; SMS OTP is better than nothing but weakest, being exposed to SIM-swap fraud. Whatever factor you choose, disable legacy authentication protocols (basic-auth IMAP, POP, SMTP) on the mail tenant, because they bypass MFA entirely.
Control 3 — Patch Management: 30-Day SLA for Critical CVEs
The 2024 DBIR found that exploitation of vulnerabilities as an initial access vector grew by 180% year-over-year, much of it from the mass exploitation of MOVEit Transfer. Unpatched VPN appliances, firewalls, and email gateways are ransomware groups' shopping list, and they are exploited within days of a public advisory, not weeks. Establish a formal patch SLA: critical CVEs (CVSS 9.0+) within 30 days and high within 60 days as the baseline, with a far shorter window, ideally 72 hours, for anything internet-facing that appears in CISA's Known Exploited Vulnerabilities (KEV) catalogue. Automate OS patching where possible. Maintain an asset inventory, including the router and NAS a vendor installed three years ago, because you cannot patch what you do not know exists.
Control 4 — Email Security: Anti-Phishing Gateway
Since phishing drives roughly 41% of ransomware incidents in the distribution above, a properly configured email security gateway pays for itself with a single prevented incident. Publish SPF, DKIM, and DMARC records for your domain, and move DMARC to p=reject once aggregate reports show your legitimate senders pass; p=none only monitors and still delivers spoofed mail. Enable attachment sandboxing and URL rewriting. Block macro-enabled Office files and script or container attachments (.js, .vbs, .iso, .lnk) by default unless the sender is explicitly trusted. Microsoft Defender for Office 365 and similar products provide this for SMBs at reasonable cost.
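Most SMBs that "have SPF and DMARC" actually have `~all` and `p=none`, which enforce nothing. The following added example (not code from the page or from any vendor) grades the two records the way a reviewer would: it checks the SPF `all` qualifier and the RFC 7208 ten-lookup limit, and the DMARC policy, `pct`, subdomain policy and reporting address. It does no DNS itself; feed it the strings from `dig +short TXT example.in` and `dig +short TXT _dmarc.example.in`. The records at the bottom are constructed for an imaginary domain.

```python
"""Grade SPF and DMARC records for Control 4.

Added example, not code from the page. Evaluates record strings you have
already fetched; does no DNS. Sample records are constructed.
"""
import re

ALL_MECHANISMS = ("-all", "~all", "?all", "+all", "all")
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit 10).
LOOKUP_RX = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a$|a[:/]|mx$|mx[:/]|ptr)", re.I)


def parse_spf(record: str) -> dict:
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"valid": False, "issues": ["not an SPF record"]}
    issues = []
    # The 'all' mechanism decides the fate of senders not otherwise listed.
    all_mech = next((p.lower() for p in parts[1:] if p.lower() in ALL_MECHANISMS), None)
    if all_mech is None:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_mech in ("+all", "all", "?all"):
        issues.append(f"'{all_mech}' lets any host send as your domain")
    elif all_mech == "~all":
        issues.append("'~all' is a soft fail; move to '-all' once DMARC reports show no legitimate failures")
    lookups = sum(1 for p in parts[1:] if LOOKUP_RX.match(p))
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror, SPF ignored)")
    return {"valid": True, "all": all_mech, "lookups": lookups, "issues": issues}


def parse_dmarc(record: str) -> dict:
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "issues": ["not a DMARC record"]}
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = None
        issues.append("pct= is not a number")
    if pct is not None and pct < 100 and policy in ("quarantine", "reject"):
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not being collected")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("sp=none leaves subdomains spoofable")
    return {"valid": True, "policy": policy, "pct": pct, "issues": issues}


def grade(spf_record: str, dmarc_record: str) -> str:
    """'enforcing' when SPF hard-fails and DMARC rejects/quarantines 100% of failures,
    'monitoring' when records exist but do not enforce, 'absent' otherwise."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    if not spf["valid"] or not dmarc["valid"]:
        return "absent"
    if spf["all"] == "-all" and dmarc["policy"] in ("quarantine", "reject") and dmarc["pct"] == 100:
        return "enforcing"
    return "monitoring"


# Constructed records for an imaginary domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.in"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.in"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, grade(spf, dmarc), parse_spf(spf)["issues"] + parse_dmarc(dmarc)["issues"])
```

The grade is only about spoofing of your own domain; DKIM alignment still has to be verified from the aggregate reports, and none of this stops a phishing mail sent from a look-alike domain, which is what the gateway's URL rewriting and user training are for.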
Control 5 — Endpoint Detection and Response
Basic antivirus is signature-based and misses novel ransomware variants. EDR tools observe behaviour: process injection, mass file renaming, shadow copy deletion, lateral movement via SMB. Several SMB-priced EDR products (SentinelOne Singularity, CrowdStrike Falcon Go, Microsoft Defender for Business) can kill and quarantine an encryptor within seconds of detection, and some offer rollback of already-encrypted files. Treat rollback as a bonus, not a backup: rollback features that depend on Volume Shadow Copies fail once the attacker has run vssadmin delete shadows, which is exactly why the kill chain puts backup destruction before encryption. Deploy EDR on all endpoints, servers, and domain controllers, and alert on tamper attempts against the agent itself.
Control 6 — Network Segmentation
Lateral movement is how ransomware goes from one infected laptop to a business-ending full-domain compromise. Flat networks where every device can reach every other device are ransomware's favourite environment. Segment at minimum: separate finance/accounting systems from general staff workstations, isolate servers from the office WiFi network, and place operational technology (if applicable) on a dedicated VLAN. Block workstation-to-workstation SMB (TCP 445) and RDP (TCP 3389) outright; users need those ports to reach servers, never each other. Even basic firewall rules dramatically slow lateral movement and give your EDR time to detect.
Control 7 — Least Privilege Access
Review who has local administrator rights on workstations. Almost nobody needs it day-to-day. Remove local admin from standard users, and give each machine a unique, automatically rotated local administrator password with Windows LAPS so that one stolen local admin hash cannot open every PC. Audit Active Directory group memberships: domain admin accounts should number fewer than five in most SMBs, be used only for specific administrative tasks, and never for email or browsing. Give administrators a separate admin account from their daily account, grant elevated rights Just-In-Time (Microsoft Entra Privileged Identity Management, or a PAM product such as CyberArk) so privilege exists only for the duration of a task, and do administration from a dedicated Privileged Access Workstation (PAW) rather than the laptop that reads email. Each of these limits the blast radius of any single compromised credential.
Control 8 — Phishing Simulation and Security Awareness Training
Humans are the primary entry point. Regular phishing simulations — not just annual "security awareness" checkbox training — measurably reduce click rates. Tools like KnowBe4, Proofpoint Security Awareness, or even free GoPhish let you run realistic campaigns. Track click rates by department. Target repeat clickers with additional training. A staff member who recognises a phishing email and reports it can stop a ransomware incident at stage A of the kill chain.
Control 9 — Incident Response Plan
When ransomware detonates, every minute of confusion costs you. An IR plan documented and tested before an incident compresses recovery time from weeks to days. Your plan must answer: who declares an incident, who calls your cyber insurance provider (most policies require notification before you engage responders or negotiators, so make it an early step), who isolates affected systems, who communicates to customers and regulators, and who manages media inquiries. Keep printed copies and an offline copy on removable media; your digital copies may be encrypted.
Control 10 — CERT-In Mandatory Reporting
Under the CERT-In Directions of 28 April 2022, issued under Section 70B(6) of the IT Act 2000, ransomware incidents must be reported to CERT-In within 6 hours of noticing them or being brought to notice, by email to incident@cert-in.org.in. This obligation applies to Indian service providers, intermediaries, data centres and body corporates regardless of size, and non-compliance is punishable under Section 70B(7). Collect: timestamps (in IST, from clocks synchronised to NTP as the same Directions require), affected systems, indicators of compromise, and the ransom note text. Designate a Point of Contact (PoC), keep the PoC's details current with CERT-In, and keep CERT-In's contact details in your IR plan. The reporting form and further details are at cert-in.org.in.
Control 11 — Security Monitoring and Log Retention
You cannot investigate what you did not log. Enable centralised logging for: Windows Event Logs (authentication events, process creation with command-line auditing switched on, PowerShell script block logging), firewall connection logs, DNS query logs, and email gateway logs; Sysmon on endpoints adds the file-creation and network-connection events that default Windows auditing lacks. Retain logs for at minimum 180 days and within Indian jurisdiction (both requirements come from the 2022 CERT-In Directions), on a collector the domain admin account cannot reach, since attackers clear logs at stage G of the kill chain alongside the backups. A basic SIEM, even the open-source Wazuh, can alert in near real time on known ransomware behaviours such as shadow copy deletion, mass renaming of files to a single new extension, and event log clearing.
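The behaviours that Control 5 expects an EDR to catch and that Control 11 expects the SIEM to alert on are concrete enough to write down. The following is an added example, not Wazuh's rule set or any EDR vendor's logic: it takes process-creation events (the fields of Security event 4688 with command-line auditing on, or Sysmon event 1) and file-creation events (Sysmon event 11) as plain dicts, the shape a JSON log forwarder produces, and flags shadow copy deletion, recovery tampering, event log clearing and a burst of files written with one new extension by a single process. Every event in the sample is constructed; the thresholds are starting points to tune per host role.

```python
"""Ransomware precursor detection over Windows process and file events (Controls 5 and 11).

Added example, not any vendor's rule set. Input events are dicts with the field
names of JSON-exported Windows/Sysmon events; all samples are constructed.
"""
import re
from collections import defaultdict

# (rule name, MITRE ATT&CK technique, regex over the command line).
PRECURSOR_PATTERNS = [
    ("shadow_copy_delete", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy.*Delete", re.I)),
    ("shadow_storage_resize", "T1490", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_delete", "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|backup)", re.I)),
    ("event_log_cleared", "T1070.001", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
]


def match_precursors(process_events):
    """Return one hit per (event, rule) pair. Any hit on a workstation deserves an immediate isolate."""
    hits = []
    for ev in process_events:
        cmd = ev.get("CommandLine", "")
        for rule, technique, rx in PRECURSOR_PATTERNS:
            if rx.search(cmd):
                hits.append({"host": ev["Computer"], "user": ev["User"],
                             "rule": rule, "technique": technique, "cmd": cmd})
    return hits


def _extension(name):
    base = name.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def detect_mass_rename(file_events, threshold=20, window_s=60):
    """Flag a process that writes >= threshold files with one extension inside window_s seconds.

    Encryptors rename as they go (ledger.xlsx -> ledger.xlsx.locked), so a burst of a single
    extension from a single process is the signal; Office or a backup agent touches many
    extensions at a slower pace. File servers need a higher threshold than laptops.
    """
    by_proc = defaultdict(list)
    for ev in file_events:
        key = (ev["Computer"], ev["ProcessId"], ev["Image"], _extension(ev["TargetFilename"]))
        by_proc[key].append(ev["UtcTime"])
    alerts = []
    for (host, pid, image, ext), times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):              # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "pid": pid, "image": image, "extension": ext,
                               "count": end - start + 1,
                               "seconds": round(times[end] - times[start], 1)})
                break
    return alerts


# Constructed sample events (not from any real incident).
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "FIN-PC02", "User": r"CORP\priya", "CommandLine": "vssadmin list shadows"},
    {"Computer": "FIN-PC02", "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FIN-PC02", "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "FS01", "User": r"CORP\ravi", "CommandLine": "wevtutil cl Security"},
    {"Computer": "FS01", "User": r"CORP\ravi", "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
]


def sample_file_events():
    base = 1_700_000_000.0   # epoch seconds; a real forwarder gives ISO UtcTime, convert first
    burst = [{"Computer": "FIN-PC02", "ProcessId": 4412,
              "Image": r"C:\Users\priya\AppData\Local\Temp\svc.exe",
              "TargetFilename": rf"\\FS01\Finance\ledger_{i}.xlsx.locked",
              "UtcTime": base + i * 0.4} for i in range(25)]
    normal = [{"Computer": "FS01", "ProcessId": 812,
               "Image": r"C:\Windows\System32\spoolsv.exe",
               "TargetFilename": rf"C:\Windows\System32\spool\PRINTERS\{i:05d}.SHD",
               "UtcTime": base + i * 30} for i in range(5)]
    return burst + normal


if __name__ == "__main__":
    for h in match_precursors(SAMPLE_PROCESS_EVENTS):
        print(f"[{h['technique']}] {h['host']} {h['user']}: {h['rule']} <- {h['cmd']}")
    for a in detect_mass_rename(sample_file_events()):
        print(f"[mass-rename] {a['host']} pid {a['pid']} wrote {a['count']} .{a['extension']} files in {a['seconds']}s")
```

Note what the sample shows: `vssadmin list shadows` is normal administration and produces no hit, while `delete shadows` running as SYSTEM on a finance PC does. Wire the same patterns into your SIEM's rules and make the mass-rename alert trigger an automatic network isolation of the host; by the time a human reads the ticket, a 20-file burst has become 20,000.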
Control 12 — Tabletop Drills
Quarterly tabletop exercises are the difference between a team that panics and a team that executes. A tabletop drill is a facilitated discussion-based exercise: "It's 2 AM, finance reports all files show .locked extension, what do we do?" Walk through your IR plan step by step. Identify gaps — typically: who has out-of-band communication when email is down, where are the recovery media, who has the cyber insurance policy number. Fix those gaps before the real incident.
Ransomware Readiness Checklist
| Control | Priority | Status Check |
|---|---|---|
| Immutable offsite backups (3-2-1) | P0 | Can you restore all critical data from a snapshot untouched by malware? |
| MFA on all external systems | P0 | Are email, VPN, and the cloud console protected by a TOTP app or hardware token? |
| Patch management SLA | P0 | Are all internet-facing systems patched within 30 days of critical CVE? |
| Email anti-phishing gateway | P0 | Are SPF/DKIM/DMARC configured? Is sandboxing enabled? |
| EDR on all endpoints and servers | P1 | Is behavioural detection and auto-rollback active? |
| Network segmentation | P1 | Are finance systems isolated from general staff network? |
| Least privilege — remove local admin | P1 | Do standard users lack local administrator rights? |
| Phishing simulation programme | P1 | Is simulated phishing run at least quarterly? |
| Documented IR plan with CERT-In PoC | P1 | Is the plan printed, tested, and known to all responders? |
| CERT-In 6-hour reporting process | P1 | Is incident@cert-in.org.in in your IR plan with reporting template? |
| Centralised logging — 180-day retention | P2 | Are Windows events, DNS, and firewall logs centralised and retained? |
| Quarterly tabletop drills | P2 | Has your team simulated a ransomware event in the last 90 days? |
The India Context: What Makes SMBs Here Uniquely Exposed
Indian SMBs face a specific set of compounding factors. Legacy Windows XP and Windows 7 systems remain common in manufacturing, retail, and logistics — particularly in Tier-2 and Tier-3 cities. Shared credentials across teams ("everyone uses the same password") are standard practice. Accounting software like Tally is often run on single shared workstations without backups. IT is frequently managed by a single person or outsourced to a local vendor without security expertise.
The DSCI India Cyber Threat Report and CERT-In annual reports both document the concentration of ransomware in these sectors. Indian ransomware groups have also emerged domestically, targeting mid-market companies that lack enterprise-grade defences but hold sufficiently valuable data.
Under the Digital Personal Data Protection Act 2023, a ransomware event that exposes personal data carries substantial regulatory consequences beyond the operational damage. Incident notification obligations now extend to data principals (your customers and employees). Organisations undergoing a VAPT with a CERT-In empanelled partner as part of their security programme demonstrate due diligence that regulators consider favourably. You can run a free VAPT scan on your public-facing infrastructure to identify which vulnerabilities ransomware groups are most likely to exploit first.
Bachao.AI, built by Dhisattva AI Pvt Ltd, automates the vulnerability discovery phase so SMBs can act on findings without waiting months for manual assessments.
Why Paying the Ransom Is Not a Recovery Strategy
Paying a ransom is not a recovery strategy. IBM's 2023 Cost of a Data Breach Report found that total incident costs — forensics, legal fees, customer notification, reputational damage, and weeks of operational disruption — far exceed the ransom itself. Sophos State of Ransomware 2023 found that approximately one-third of organisations that pay do not recover all their data, and median recovery time is 21 days even after payment. In India, payments to groups operating from sanctioned jurisdictions may also create legal exposure under FEMA and other regulations. The correct path: report to CERT-In within 6 hours, engage your cyber insurer, and recover from tested immutable backups.
Building Your Ransomware Defence Programme
Implement in three phases. Phase 1 (30 days): Deploy immutable backups, enable MFA on all external systems, audit patch status, configure email security — these four P0 controls eliminate the most common attack paths. Phase 2 (60–90 days): Deploy EDR, segment the network, remove local admin rights from standard users, launch phishing simulations, and document the IR plan with CERT-In reporting procedures. Phase 3 (ongoing): Run quarterly tabletop drills, centralise logging with 180-day retention, and conduct annual VAPT assessments to catch new vulnerabilities before attackers do. Review the Bachao.AI blog for ongoing threat intelligence relevant to Indian SMBs.