Executive summary

Ransomware is no longer only a malware problem—it’s an identity + data + business continuity problem. Winning means designing for resilience, not perfection:

1. Prevent common entry points.

2. Detect abnormal behaviors early.

3. Contain fast to stop lateral spread.

4. Recover from immutable backups with tested playbooks.

This guide is a practical, India-first blueprint you can adopt today—whether you’re an MSME or an enterprise SOC.

Threat model (how modern ransomware wins)

Initial access: phishing, exposed RDP/VPN, vulnerable edge apps, malicious ads, supply chain.
Post-compromise: scriptable tools (PSExec/WMI), living-off-the-land, credential theft, GPO abuse.
Objectives: data theft → encryption → extortion (sometimes encryption-less extortion only).

Key MITRE ATT&CK: T1566 (Phishing), T1078 (Valid Accounts), T1021 (Remote Services), T1486 (Encrypt), T1047 (WMI), T1059 (Command & Scripting), T1110 (Brute Force), T1489 (Service Stop), T1490 (VSS deletion), T1071 (Exfil), T1484.001 (GPO).

Phase-by-phase defense (what to do)

1) Identity & Access

• FIDO2/WebAuthn MFA for admins and finance/HR. Disable legacy/basic auth.

• Just-in-Time privileged roles; vault and rotate break-glass accounts.

• Conditional Access (device health, location, risk).

• Service principal hygiene in cloud (expire secrets; least privilege).

2) Email & Web

• DMARC (p=reject), SPF, DKIM, MTA-STS, TLS-RPT.

• URL detonation / sandbox; block macros from the Internet; banner warn external senders.

• DNS layer security (block newly registered domains, malware C2s).

3) Endpoints (Windows/Linux/macOS)

• EDR everywhere (tamper protection on).

• Windows hardening:

  • ASR rules on (block credential theft, Office child-processes, script obfuscation).

  • Controlled Folder Access for business data paths.

  • LSA protection, Credential Guard, LSASS as PPL.

  • AppLocker/WDAC allow-listing for high-risk roles.

  • Disable SMBv1; restrict RDP (NLA + VPN/jump host only).

• Linux:

  • Mount shares with noexec,nodev,nosuid; auditd for chmod/chattr on backups;

  • restrict SSH (keys + MFA), fail2ban; EDR/AV for Linux enabled.

4) Network & Segmentation

• Tiered admin model; isolate domain controllers, backup servers, hypervisors.

• Block RDP/SMB from the Internet; default-deny east-west where possible; egress allow-lists.

• LAPS or equivalent for local admin password rotation.

5) Data Protection & Backup

• Follow 3-2-1-1-0: 3 copies, 2 media, 1 offsite, 1 immutable/air-gapped, 0 errors after restore test.

• Object-lock/immutability for cloud backups; separate credentials & IAM boundaries.

• Back up SaaS (M365/Google) and config (GPOs, device policies), not just files.

• Quarterly restore drills with measured RTO/RPO.

6) Cloud & SaaS

• Disable legacy auth; Conditional Access; session controls (sign-in risk, device compliance).

• Safe Links/Safe Attachments (or vendor equivalent); OneDrive/SharePoint versioning & retention.

• Protect service accounts; alert on mass download/sharing.

7) OT/ICS (if applicable)

• Strict segmentation (conduits/zones), vendor access via jump hosts + session recording.

• Controller backups and gold images; allow-listing on HMI/engineering workstations.

Early detection & hunting (practical)

High-signal events to alert on (Windows):

• Shadow copy deletion: vssadmin delete shadows, wmic shadowcopy delete, diskshadow /s.

• Backup tamper: wbadmin delete catalog, stopping backup/AV/EDR services.

• System sabotage: bcdedit safe-mode or recovery config changes; Event ID 1102 (audit log cleared).

• Mass file changes with unusual extensions; rapid spikes in failed file opens on shares.

• LOLBins for staging/exfil: rclone, 7z/WinRAR with passwords, bitsadmin, certutil.

Elastic KQL (examples):

• Process creates shadows deletion:

  arduino
  CopyEdit
  event.category:process and event.action:"start" and process.command_line:(
    "vssadmin*delete*shadows*" or "wmic*shadowcopy*delete*" or "diskshadow*"
  )
  

• Suspicious archiving to network share:

  arduino
  CopyEdit
  process.name:("7z.exe" or "rar.exe" or "winrar.exe") and process.command_line:("* -p*") and file.path:"\\\\*"
  

Microsoft Sentinel (KQL):

bash
CopyEdit
DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin delete", "wmic shadowcopy delete", "diskshadow")

Splunk SPL:

arduino
CopyEdit
index=winsec (process="*vssadmin*" AND CommandLine="*delete*shadows*")
OR (process="*wmic*" AND CommandLine="*shadowcopy*delete*")

Rapid response playbook (when alarms fire)

0–15 min – Confirm & contain

• Open a case; snapshot volatile data; isolate endpoints (EDR network containment).

• Disable suspected accounts; revoke tokens/sessions; block C2 domains/IPs.

• Stop propagation: temporarily block RDP/SMB between segments if needed.

15–60 min – Scope & kill

• Hunt for GPO changes, new scheduled tasks, Run keys, WMI subscriptions.

• Remove web shells / persistence; rotate creds (admins first), reset service principals.

• If encryption started: keep encrypted hosts isolated; do not wipe yet—collect artifacts.

1–24 h – Eradicate & recover

• Patch/close the entry vector (phish user, VPN, edge CVE).

• Restore only from clean, immutable backups; re-introduce in rings; monitor for re-infection.

• Report per Indian regulations: CERT-In (time-bound notification) and DPDP obligations; coordinate legal/PR.

After – Lessons & hardening

• Root-cause report; new detections; tabletop the same scenario next week.

Hardening snippets (copy-paste starters)

Windows PowerShell – Attack Surface Reduction (common high-value rules):

powershell
CopyEdit
# Enable ASR rules (sample set)
$rules = @(
"56a863a9-875e-4185-98a7-b882c64b5ce5", # Block credential stealing from LSASS
"d4f940ab-401b-4efc-aadc-ad5f3c50688a", # Block Office child processes
"3b576869-a4ec-4529-8536-b80a7769e899", # Block PS exec on Win32 API
"5beb7efe-fd9a-4556-801d-275e5ffc04cc"  # Block executable content from email
)
foreach ($r in $rules) { Add-MpPreference -AttackSurfaceReductionRules_Ids $r -AttackSurfaceReductionRules_Actions Enabled }
# Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Finance","C:\Projects","\\Fileserver\Shares\Critical"

Block macros from the Internet (GPO):
User Config → Admin Templates → Microsoft Office → Block macros from running in Office files from the Internet = Enabled

Linux – protect backup indexes from tamper:

bash
CopyEdit
# Make backup manifest immutable (root can remove attribute after maintenance)
chattr +i /backups/manifests/index.json
# Audit rule: alert on chmod/chattr in backup paths
echo "-w /backups -p wa -k backup_tamper" >> /etc/audit/rules.d/backup.rules && augenrules --load

Samba share – reduce blast radius:

ini
CopyEdit
[critical]
   path = /srv/critical
   read only = no
   valid users = @finance
   write list = @finance
   veto files = /*.exe/*.js/*.bat/*.scr/
   create mask = 0640
   directory mask = 0750

Governance for India (pragmatic notes)

• CERT-In: prepare contact list and reporting template; keep logs for 180 days by default.

• DPDP Act: limit data collection; document lawful purpose; have breach notification playbooks.

• Maintain vendor SLAs for IR support and forensics (time-to-engage ≤2h).

MSME “starter stack” (cost-conscious)

• EDR (business-grade) + DNS filter + email security + backup with immutability (object lock / WORM).

• Cloud SSO with MFA; disable legacy auth; device compliance before access.

• Monthly restore test, quarterly tabletop exercise.

• Run autopatching with rings (pilot → IT → all).

Metrics that matter

• MTTD/MTTR for ransomware behaviors (VSS delete, mass encryption).

• Patch latency for internet-facing CVEs.

• % endpoints with ASR enabled & EDR healthy.

• Backup success rate and restore success time.

• Phishing click-through and report rate.

0–7 / 30 / 60 / 90-day roadmap

0–7 days: Enforce MFA, block macros-from-Internet, disable legacy auth, close exposed RDP, EDR everywhere, snapshot/validate backups, add VSS-deletion alerts.
30 days: Segment critical servers; LAPS; ringed patching; centralize logs; tune detection rules.
60 days: AppLocker/WDAC for finance/ops; immutable backup & offsite copy; SaaS backup; privileged access workstation for admins.
90 days: IR tabletop with executives; purple-team tests of encryption & exfil; automate restore runbooks.

Final word

Ransomware defense is a race against time. If you can detect early, contain within minutes, and restore with confidence, you win—no matter how the payload looks.

Need this as a one-page checklist for your team? It’s included below.

One-page Checklist (print & stick on the wall)

• MFA (FIDO2) for admins & finance/HR

• Legacy/basic auth off

• EDR on 100% endpoints (tamper protection on)

• ASR rules + Controlled Folder Access

• RDP/SMB not exposed to Internet; VPN/jump hosts only

• Segmented DC/backup/hypervisor networks

• 3-2-1-1-0 backups; immutability + monthly restore test

• Alerts: VSS delete, backup tamper, log clear, mass encryption, archiver to shares

• Cloud: Safe Links/Attachments, versioning & retention, OAuth app review

• Incident kit: isolation steps, contacts, CERT-In template, PR/legal counsel

• Quarterly tabletop; update runbooks after every exercise/incident