Cyber / Ransomware

Ransomware Response Controls

CA Nikhil Gupta·June 2026·3 min readCyber / Ransomware

Restoring systems is only one part of ransomware response; stolen data, payment fraud and evidence loss can continue after recovery.

Quick View

Decision

Use a cross-functional playbook that separates containment, extortion decisions, notification and restoration.

First action

Disconnect affected systems.

Core evidence

Ransom note.

Main warning

Negotiating from personal email.

Why It Matters

Ransomware is a listed reportable cyber incident under the CERT-In directions, so the six-hour assessment begins when it is noticed or brought to notice.

Payment to an attacker does not guarantee decryption or deletion and can create legal, sanctions, accounting, insurance and repeat-extortion risks.

Backups should be tested for integrity before production restoration, and compromised credentials must be rotated.

Control Framework

AreaWhat to establishOperating rule
ContainIsolate systems and privileged accounts.Preserve images.
ExtortionDemand, actor and legal risk.Use board-approved protocol.
ReportCERT-In, police, insurer and sector regulator.Track separately.
RestoreClean environment and tested backups.Monitor recurrence.

Action Checklist

  1. Disconnect affected systems.
  2. Preserve ransom note and logs.
  3. Notify incident command.
  4. Assess data exfiltration.
  5. Review reporting and insurance.
  6. Restore and validate in stages.

Practical Example

A company restores encrypted servers from backup but does not rotate stolen VPN credentials, allowing the attacker to regain access.

Evidence to Keep

  • Ransom note.
  • Forensic images.
  • Network and identity logs.
  • Backup test records.
  • Reporting acknowledgements.
  • Payment and board decision records.

Warning Signs

  • Negotiating from personal email.
  • Destroying infected devices.
  • Assuming no data theft.
  • Paying without legal review.
  • Restoring untested backups.

Detailed Review

Privacy governance should connect the personal data, individual, purpose, collection point, system, owner, recipient, access role, retention trigger and incident dependency. A policy that cannot be traced to this chain is difficult to operate.

Create a dated legal matrix rather than one status label. Record the DPDP provision, commencement date, present readiness action, current IT or sectoral obligation and the evidence owner.

Design controls in the product and system. A written rule cannot stop an SDK from firing, a shared folder from exposing payroll, or a vendor from retaining deleted users unless technology and operations enforce it.

Evidence should be generated during normal work: versioned notices, event logs, access approvals, request tickets, deletion reports, vendor registers, incident chronologies and management decisions.

Use proportionate identity and security checks. Excess verification creates more personal data, while weak verification can expose another person’s records or permit account takeover.

Synchronised clocks and durable logs are essential because incident reporting, transaction tracing and forensic conclusions depend on exact chronology.

The incident team should distinguish containment, evidence preservation, reporting, customer communication and recovery. Each has a different owner and deadline.

Control Test

Test the control using a real user journey from collection to deletion. Capture the notice shown, data stored, vendors called, employees with access, retention period and response if the user withdraws or complains.

Run a negative scenario: the vendor is breached, the user is a child, the employee exits, the phone is stolen, the data was inaccurate or the regulator asks for proof. Record which control fails.

Check that system records and public wording agree. Product forms, privacy notice, CRM fields, SDK behaviour, vendor contracts and support scripts should describe the same processing.

Assign a named owner and internal deadline for every gap. A risk register without funded action and closure evidence becomes an archive of known failures.

Retain the rejected alternatives and decision basis. This is especially important where the law is in phased commencement or a proportionate technical method is selected.

Escalation Route

Start with the system owner, privacy or security owner and the documented data flow. Preserve records before making changes, and separate current statutory reporting from future DPDP readiness.

For a breach, financial fraud, rights dispute, children’s-data issue or regulated-sector event, involve qualified legal, cyber, forensic and sector specialists and use the applicable official reporting or grievance channel.

Management Review

Management should record the risk owner, affected data population, financial or operational impact, current legal duty, future DPDP milestone and funded remediation date. A privacy register without accountable closure is only a list of known gaps.

The control should be tested with evidence rather than self-certification. Use screen recordings, exported logs, access reports, deletion output, vendor responses, tabletop minutes or complaint acknowledgements to prove that the workflow operates as designed.

Where several laws apply, maintain one incident or request chronology but separate each legal trigger and deadline. CERT-In, RBI, UIDAI, IRDAI, police, contractual and DPDP processes should not be collapsed into one generic notification decision.

Frequently Asked Questions

Should ransom be paid?
There is no guaranteed outcome; legal, security and governance review is essential.
Is ransomware reportable?
It is included in CERT-In’s reportable incident list.
What is the role of finance?
Protect payment systems, assess fraud, insurance, business interruption and any extortion decision.
When is recovery complete?
After clean restoration, credential reset, monitoring and lessons remediation.