Ransomware playbook: what Indian SMBs should do on day zero
If your screens are showing a ransom note right now, do these six things in this order — before anything else.
First, don't pay. Not yet.
Paying is sometimes rational, but it is never the first decision. The first decision is containment.
The day-zero checklist
- Disconnect — don't shut down. Pulling network cables freezes the encryption process without wiping volatile evidence.
- Photograph the ransom note. Full screen, including the timer and the wallet address. You will need this for CERT-In and for your insurer.
- Identify the strain. Upload the note to id-ransomware.malwarehunterteam.com. The strain dictates whether a free decryptor exists.
- Isolate backups — physically. If your backup server is on the same network, assume it is being encrypted as you read this.
- Report to CERT-In. The 6-hour window under the 2022 directive is real. Email incident@cert-in.org.in with what you have.
- Call outside counsel and your cyber-insurance broker before calling the attackers. Coverage may be voided by premature engagement.
Whether to pay
There is no clean answer. But the considerations are:
- Is a decryptor publicly available? (If yes, never pay.)
- Are your backups actually restorable, or just present?
- Is the real threat data exfiltration and a public leak, rather than the encryption itself? (Neither a decryptor nor a restore fixes a leak.)
- What does your insurer require?
Most SMBs that pay are ones with no tested restore procedure. Test your backups this quarter.
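"Restorable, not just present" is something you can measure rather than assume. The following is an added example, not code from the original article: a Python restore drill that records a SHA-256 manifest when a backup is taken, restores the archive into a scratch directory, checks every file against the manifest, and runs three constructed scenarios (a healthy backup, one cut off after its first 64 bytes, and one where the job silently skipped a file). The sample data, file names and the `make_backup`/`restore_drill` function names are assumptions of this example; the tar.gz format stands in for whatever your backup tool actually produces.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Inventory of what must be protected: relative path -> SHA-256 of every file."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path, skip: frozenset[str] = frozenset()) -> dict[str, str]:
    """Write source into a tar.gz and return the manifest taken at backup time.
    `skip` exists only to model a backup job with a bad exclusion rule (assumption)."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel in skip:
                continue
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_drill(archive: Path, manifest: dict[str, str]) -> dict:
    """Restore into a throwaway directory and verify every manifest entry.
    Returns a verdict instead of trusting that the archive file merely exists."""
    verdict = {"restorable": False, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The "data" filter (Python 3.12, backported to 3.8.17/3.9.17/
                # 3.10.12/3.11.4) rejects members that would escape scratch_path.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch_path, filter="data")
                else:
                    tar.extractall(scratch_path)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            verdict["error"] = f"{type(exc).__name__}: {exc}"
            return verdict
        for rel, expected in manifest.items():
            restored = scratch_path / rel
            if not restored.is_file():
                verdict["missing"].append(rel)
            elif sha256_of(restored) != expected:
                verdict["corrupt"].append(rel)
    verdict["restorable"] = not verdict["missing"] and not verdict["corrupt"]
    return verdict


def run_drill() -> dict[str, dict]:
    """Constructed demo data and three backups: healthy, truncated, incomplete."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        source = work_path / "data"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-q1.csv").write_text("id,amount\n1,4500\n2,12000\n")
        (source / "customers.json").write_text('{"acme": {"gstin": "PLACEHOLDER-GSTIN"}}\n')

        healthy_archive = work_path / "nightly.tar.gz"
        manifest = make_backup(source, healthy_archive)
        healthy = restore_drill(healthy_archive, manifest)

        # Present but useless: the job died after writing the first 64 bytes.
        truncated_archive = work_path / "nightly-truncated.tar.gz"
        truncated_archive.write_bytes(healthy_archive.read_bytes()[:64])
        truncated = restore_drill(truncated_archive, manifest)

        # Present and readable, but an exclusion rule silently dropped a file.
        partial_archive = work_path / "nightly-partial.tar.gz"
        make_backup(source, partial_archive, skip=frozenset({"invoices/2024-q1.csv"}))
        partial = restore_drill(partial_archive, manifest)

    return {"healthy": healthy, "truncated": truncated, "partial": partial}


if __name__ == "__main__":
    for name, verdict in run_drill().items():
        print(f"{name}: {verdict}")
```

Run the drill against the offline copy you isolated in step four, never by restoring over production, and keep the manifest with the backup rather than only on the host that may be encrypted. A verdict of `restorable: False` with `missing` or `corrupt` entries is the quarterly finding the article asks for; an `error` means the archive is present but cannot even be opened.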