A ransomware attack is among the most disruptive events a Kerala small business can face. In a matter of hours — sometimes minutes — every file on every machine becomes unreadable, operations grind to a halt, and a countdown timer appears alongside a demand for cryptocurrency. For a textile shop in Thrissur, a logistics firm in Kochi, or a clinic in Kozhikode, this is not a theoretical IT problem. It is an immediate business crisis with real rupee consequences.
What makes ransomware particularly brutal for Kerala SMEs is that most do not have an in-house IT department. There is no dedicated person who has rehearsed an incident response plan, no SOC to call, and often no clear idea of what backups exist or how recent they are. This guide is written for that reality — practical, sequential steps for business owners and office managers who are dealing with ransomware right now, or who want to know exactly what they would do if it happened tomorrow.
The structure follows the natural timeline of an incident: immediate containment, variant identification, recovery option assessment, the ransom payment decision, legal reporting, clean rebuild, and long-term hardening. Skipping steps or working out of sequence is the single biggest reason Kerala SMEs end up taking three to six weeks to recover from an event that could have been resolved in a few days.
The First 30 Minutes — Contain the Spread
Ransomware encrypts files progressively. The infection may have been running silently for hours before the ransom note appeared, but from the moment you see it, every second the machine remains connected to your network is another opportunity for the malware to reach shared drives, mapped folders, and other machines.
Your first action is physical disconnection. Unplug the ethernet cable from every machine that shows signs of infection. Disable WiFi. If you cannot tell which machines are affected, disconnect everything from the network switch — you can reconnect clean machines individually once you have assessed the scope. Speed matters more than elegance here.
Do not restart infected machines. This is a counterintuitive instruction that many people ignore, and it causes real harm. Some variants leave key material in the memory of the running process (WannaCry on unpatched Windows XP and 7 is the well-known case, and the free recovery tool for it only works while that memory is intact); a restart destroys it. A restart can also trigger a second stage: Petya-style variants overwrite the master boot record and encrypt the disk on reboot, and others delete shadow copies at startup. A restart also discards volatile evidence a responder could otherwise capture. Leave infected machines powered on but disconnected. If a machine is still visibly encrypting after it is isolated, hibernate it rather than powering it off, since hibernation writes memory to disk where it can still be examined.
Before you touch anything else, photograph the ransom note screen with your phone. This photograph serves multiple purposes: it is required when filing an FIR with the cybercrime cell, needed for cyber insurance claims, and gives an incident response professional the variant name, attacker contact details, and wallet address immediately. An email address in the ransom note, a specific file extension on encrypted files (.locked, .dharma, .phobos), any wallet address, and any unique identifier the attacker assigned to your case are all critical details that must be preserved exactly as they appear. Copy them from the note file where you can; never retype a wallet address or victim ID by hand.
Disconnect all USB drives, external hard drives, and any NAS (network attached storage) devices that were connected to infected machines. Some ransomware variants specifically target connected backup drives — a backup that was plugged in at the time of infection is not a clean backup.
Once physical isolation is complete, walk through the office and identify which machines show encrypted files and which appear clean. Note this on paper. Unaffected machines may be usable for communication and basic work while you work through recovery.
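The inventory in the last step can be done with a script rather than by walking the office, and the script also records the one fact you will need repeatedly later: the window of time in which encryption happened. The PowerShell below is an added example, not part of the original guide. Run it as Administrator from a clean machine against the infected disk attached read-only (or against a file share), never on an infected machine itself. The drive letter, report path, extension list and ransom-note name patterns are assumptions to adjust for the variant you are facing.

```powershell
# Added example (not from the original guide). Run from a CLEAN machine as Administrator against the
# infected disk attached read-only, or a file share. All paths and patterns below are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Path,                         # e.g. E:\ (infected disk) or \\server\share
    [string]$Report = "$env:USERPROFILE\Desktop\ransomware-triage.csv"   # written on the clean machine
)

# Extensions named in the guide plus a few common ones; extend with whatever you see on the affected machine
$KnownExt = @('.locked', '.dharma', '.phobos', '.wallet', '.crypt', '.encrypted')
# Typical ransom-note file names (assumption; add the exact name you photographed)
$NoteName = '^(readme|info|how[ _-]?to[ _-]?(decrypt|restore)|restore[ _-]?(my[ _-]?)?files|decrypt[ _-]?instructions?)'

$files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue

$encrypted = $files | Where-Object {
    ($KnownExt -contains $_.Extension.ToLower()) -or
    ($_.Name -match '\.id[-_][0-9A-Fa-f]{6,}.*\.[A-Za-z0-9]{3,8}$') -or                 # Dharma/Phobos: name.id-XXXX.[mail].ext
    ($_.Name -match '\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|zip|mdb|xml)\.[a-z]{4}$')       # STOP/Djvu: original ext kept, 4 letters appended
}

$notes = $files | Where-Object { $_.Name -match $NoteName -and $_.Extension -in @('.txt', '.hta', '.html') }

# Pull the attacker's contact details out of the note. Record them exactly; never retype a wallet address.
$emailRe = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
$onionRe = '[a-z2-7]{16,56}\.onion'
$btcRe   = '\b(bc1[ac-hj-np-z02-9]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b'   # shape check only, not address validation

$indicators = foreach ($n in ($notes | Select-Object -First 20)) {
    $text = Get-Content -LiteralPath $n.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }
    [pscustomobject]@{
        Note    = $n.FullName
        Emails  = @([regex]::Matches($text, $emailRe) | ForEach-Object Value | Sort-Object -Unique) -join '; '
        Onion   = @([regex]::Matches($text, $onionRe) | ForEach-Object Value | Sort-Object -Unique) -join '; '
        Wallets = @([regex]::Matches($text, $btcRe)   | ForEach-Object Value | Sort-Object -Unique) -join '; '
    }
}

# The encryption window: first and last write to an encrypted file. You need it for the CERT-In report,
# the FIR, and for choosing a cloud version-history restore point later.
$sorted = @($encrypted | Sort-Object LastWriteTime)
$first  = if ($sorted.Count) { $sorted[0].LastWriteTime } else { $null }
$last   = if ($sorted.Count) { $sorted[-1].LastWriteTime } else { $null }

"Files scanned        : $(@($files).Count)"
"Encrypted (suspect)  : $($sorted.Count)"
"Encryption window    : $first  ->  $last"
"Ransom notes found   : $(@($notes).Count)"
$sorted | Group-Object { $_.Extension.ToLower() } | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$indicators | Format-List
$sorted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
```

Run it once per affected disk or share and keep the CSV with the ransom-note photograph; together they are the scope statement the cybercrime cell, the insurer and any responder will ask for. The extension patterns are deliberately loose, so expect a few false positives and check the extension table it prints against what you actually see on screen.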
Identify the Ransomware Variant
Not all ransomware is equal. Some variants have publicly available free decryptors because law enforcement has seized the attacker's servers or researchers have found a flaw in the encryption. Others have no decryptor but a consistent track record of providing working keys after payment. And some are operated by amateurs who take the money and disappear. Knowing what you are dealing with changes every subsequent decision.
Go to ID Ransomware (id-ransomware.malwarehunterteam.com) from a clean machine. Upload the ransom note and one encrypted file, and the tool identifies the variant in seconds by matching the note text, the file-name pattern and the file contents against its database of known families. It is free and requires no registration. One caution: the files you upload leave your control, so pick an encrypted file that was not sensitive to begin with.
Cross-reference the result with the No More Ransom project (nomoreransom.org), operated by Europol, the Dutch National Police, and cybersecurity companies. If a free decryptor exists for your variant, it will be listed here. Using a free decryptor means you recover your files without paying anything — this is the best possible outcome after a clean backup restore.
Variants commonly seen in Indian SME incidents include WannaCry (spreads by itself over SMBv1 on unpatched Windows; a free tool can sometimes recover the key from memory on Windows XP and 7 machines that have not been rebooted, which is one reason not to restart), STOP/Djvu (one of the most frequently identified families worldwide; Emsisoft's free decryptor works only for files encrypted with an offline key, while online-key infections need the attacker's key), Dharma (keys for some 2016 and 2017 CrySiS/Dharma versions were released and are built into Kaspersky's RakhniDecryptor, but current versions have no free decryptor and the operators generally deliver keys after payment), and Phobos (a Dharma derivative run through an affiliate network, no free decryptor, variable reliability). Knowing your variant answers three questions immediately: is free decryption possible, what is the typical ransom range for this family, and do victims generally receive working decryptors when they pay?
Assess Your Recovery Options
Before deciding anything about ransom payment, map out every recovery path available to you. There are four primary options, and most businesses have access to at least parts of more than one.
Option A: Clean Offline Backup
If you have backups that were stored offline or on a disconnected device and were not connected during the attack, this is your cleanest path. Wipe infected machines, reinstall operating systems, and restore from backup. Expected timeline: 2 to 5 business days. Data loss is limited to whatever was created between the last backup and the attack.
Option B: Partial or Outdated Backup
If the most recent backup is from several weeks ago, or only covers some systems, you can restore what exists and then manually re-enter or reconstruct more recent records from paper, email threads, WhatsApp conversations, or bank statements. This is time-consuming but cheaper and more reliable than paying ransom. Expected timeline: 3 to 7 days for restoration plus additional weeks for manual record reconstruction depending on the gap.
Option C: No Backups
This is the hardest position to be in. Your three realistic paths are: wait for a free decryptor (which may take months or never arrive), pay the ransom (with all the risks that entails), or accept the data loss and rebuild from scratch using paper records, vendor invoices, client communication history, and whatever secondary sources exist. Many Kerala businesses have successfully reconstructed 80–90% of critical operational data from these sources — it takes longer but is often preferable to the alternatives.
Option D: Cloud-Synced Files
This is an option many Kerala SMEs overlook. If your machines used Google Drive for Desktop, Dropbox or OneDrive, ransomware encrypts the local copies and the sync client then pushes those encrypted versions to the cloud. The files in your cloud account are indeed encrypted, but version history saves you. Google Drive keeps previous versions of a file for 30 days (or the last 100 versions). Dropbox keeps 30 days of version history on Basic, Plus and Family plans and 180 days on Professional and Business plans; paid plans also have Rewind, which rolls a whole folder back to a point in time in one step. OneDrive for Microsoft 365 subscribers has Files Restore, which rolls your entire OneDrive back to any point in the previous 30 days. Work from a clean device through the web interface only, never from a machine whose sync client is still running, and use the time of the first encrypted file from your containment notes to pick a restore point just before it. Open a few restored files to confirm they are readable, and do not sign rebuilt machines back into the sync client until the cloud copy is clean. This recovery path is free and takes hours rather than days.
Should You Pay the Ransom?
This question does not have a universal answer. Here is an honest analysis of the considerations so you can make an informed decision for your specific situation.
Every ransom paid funds criminal operations and signals that your business responds to extortion — which increases the probability of a follow-up attack, either from the same group or from affiliates who purchase victim lists. Some ransomware groups track paying organisations and return months later with a second attack. These are legitimate reasons to avoid payment when alternatives exist.
The practical calculation is different when alternatives do not exist. If critical business data genuinely cannot be recovered through any other means, and the business cannot operate or survive without it, payment becomes a business continuity decision rather than an ethical one. Many Indian SMEs have faced this situation and paid — acknowledging that it is not a good outcome but that the alternative was closure.
Before making the payment decision: consult a cybersecurity professional who has handled this specific ransomware family. They know the attacker's track record, whether negotiation is viable, and what percentage of victims received working decryptors. Check the attacker's Bitcoin wallet address on a blockchain explorer (blockchain.com or blockchair.com); prior transactions reveal whether other victims have paid and whether the demand amount is consistent. Bear in mind that most groups generate a fresh address for each victim, so an address with no history proves nothing either way; the check is most useful when the note reuses an address, and for tracing funds after a payment.
Typical ransom demands targeting Indian SMEs range from ₹1 lakh to ₹30 lakhs, with the amount often sized to the attacker's estimate of the victim's revenue. Industry surveys consistently find that a significant minority of victims who pay (figures around 20% are commonly reported) never receive a working decryptor. Professional negotiators, usually experienced incident response firms, routinely reduce initial demands by 30 to 60%, and their fee of ₹30,000 to ₹1,00,000 usually pays for itself in the reduced amount.
Reporting — CERT-In, Police, and Insurance
Regardless of your recovery path, you have legal and contractual reporting obligations that run in parallel with technical recovery. Missing these deadlines creates secondary problems.
Under CERT-In's 2022 directive, ransomware incidents must be reported within 6 hours of detection to incident@cert-in.org.in. The report should include the date and time of detection, the systems affected, the ransomware variant if identified, and what containment actions have been taken. CERT-In does not typically deploy on-site for SME incidents, but the report creates an official record and may connect you with threat intelligence relevant to your variant.
File a complaint on the National Cyber Crime Portal at cybercrime.gov.in, and follow up with your local cybercrime cell for a formal FIR. The FIR is required documentation for insurance claims and establishes the legal record of the incident. Bring the photograph of the ransom note, the date and time of detection, and a brief written account of the sequence of events.
If you carry cyber insurance, notify your insurer within 24 to 48 hours — most policies have strict incident notification windows, and missing the window can void coverage. Cyber insurance policies for Indian SMEs cost between ₹15,000 and ₹40,000 per year and typically cover ransom payments, incident response professional fees, business interruption losses, and notification costs for affected customers. If you do not currently carry cyber insurance, this incident is the evidence needed to justify that budget line for next year.
Clean Rebuild and Data Restoration
Once you have secured evidence, reported the incident, and confirmed your recovery path, the technical rebuild can begin. There are five phases, and each one matters.
Phase 1 — Wipe and reinstall. Every infected machine must be wiped and have its operating system reinstalled from scratch. There are no reliable shortcuts. Attempting to clean ransomware with an antivirus scan on an infected machine frequently leaves residual components. The operating system reinstall is the only path to a known-clean state.
Phase 2 — Patch and harden before restoring data. Before any backup data goes back on these machines, apply all outstanding Windows or macOS updates. Disable RDP (Remote Desktop Protocol) from the public internet; RDP exposed on port 3389 is the single most common entry point for ransomware in Indian SME incidents. Check the router or firewall for a port-forward to 3389 as well as the machines themselves, because an old forwarding rule survives a reinstall. If remote access is required, implement a VPN and require staff to connect through it before accessing internal systems. Change every password: local administrator accounts, domain accounts, email accounts, cloud services. Do not reuse any password from before the incident, turn on multi-factor authentication for email and cloud accounts while you are resetting them, and look for accounts or VPN users you did not create, since attackers often add their own and those survive a machine wipe.
Phase 3 — Restore from clean backup. Restore data from your verified clean backup source. If using cloud version history, download the pre-infection versions to newly rebuilt machines. Verify the backup date and confirm files are readable before marking this step complete.
Phase 4 — Verify and test before reconnecting. Run a full security scan on restored machines before reconnecting them to the network or internet. Test critical applications. Confirm that business processes are functional. Only then reconnect to the network, and monitor network traffic for unusual activity in the first 48 hours post-reconnection.
Phase 5 — Forensics on the original entry point. This step is skipped by most Kerala SMEs and causes repeat attacks. Without knowing how the ransomware entered — phishing email, exposed RDP, compromised vendor account, malicious USB — you have not addressed the vulnerability. The same entry point is often exploited again within weeks by the same group or by affiliates. Engage an incident response professional to trace the initial access vector and confirm it is closed.
Building Ransomware Resistance After Recovery
Recovery from a ransomware attack is expensive in time, money, and stress. The goal now is to ensure the next attack — and there will be attempts — either does not succeed or causes minimal damage when it does.
The 3-2-1 backup rule is the standard starting point: three copies of data, on two different types of media, with one copy offsite. For a Kerala SME in practical terms, this means a local NAS (network attached storage device) for fast restoration, plus cloud backup to a service like Backblaze B2 at approximately ₹500 per terabyte per month, or AWS S3 with versioning enabled. The critical discipline is that one backup destination must be write-protected or air-gapped; ransomware cannot encrypt a backup it cannot reach. Versioning alone is not enough, because an attacker who obtains the backup credentials can delete the old versions too: turn on object lock (both B2 and S3 offer it) so that versions cannot be deleted before their retention period ends, and give the backup job a key that can write but not delete.
Test your restores quarterly. This sounds obvious, but a 2024 survey of Indian SME ransomware victims found that a significant percentage discovered their backups were corrupted or incomplete only when they tried to use them during the incident. A quarterly restore test takes two hours and eliminates the worst-case scenario where your backup proves useless at the moment of need.
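A restore test is only meaningful if you can tell a correct restore from a corrupt one, which needs a record of what the data looked like when the backup ran. The PowerShell below is an added example, not the article's own or any backup vendor's tool: New-BackupManifest records a SHA-256 hash of every file at backup time, and Test-RestoredCopy checks a restored copy against that record and reports missing and altered files. All paths are assumptions. The same comparison tells you during an incident whether a given backup generation was taken before or after encryption, which is the readability check Phase 3 of the rebuild asks for.

```powershell
# Added example (not from the original guide). Hash every file at backup time, then verify a restore
# against that record. Folder paths below are assumptions; use a folder, not a bare drive root.

function New-BackupManifest {
    param(
        [Parameter(Mandatory = $true)][string]$Source,        # the live data folder being backed up
        [Parameter(Mandatory = $true)][string]$ManifestPath   # CSV kept WITH the backup, not on the source machine
    )
    $root = (Resolve-Path -LiteralPath $Source).Path
    if (-not $root.EndsWith('\')) { $root += '\' }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-RestoredCopy {
    param(
        [Parameter(Mandatory = $true)][string]$Restored,      # scratch folder the backup was restored into
        [Parameter(Mandatory = $true)][string]$ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $Restored).Path
    if (-not $root.EndsWith('\')) { $root += '\' }
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $missing = @(); $changed = @(); $ok = 0
    foreach ($e in $expected) {
        $p = Join-Path -Path $root -ChildPath $e.RelativePath
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { $missing += $e.RelativePath; continue }
        # A hash mismatch means the restored file is corrupt, truncated, or was already encrypted
        # when the backup ran; either way that backup generation is not the one to rely on.
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        if ($h -ne $e.Sha256) { $changed += $e.RelativePath } else { $ok++ }
    }
    [pscustomobject]@{
        Expected     = $expected.Count
        Verified     = $ok
        Missing      = $missing.Count
        Changed      = $changed.Count
        MissingFiles = $missing
        ChangedFiles = $changed
        Pass         = ($missing.Count -eq 0 -and $changed.Count -eq 0)
    }
}

# Usage (paths are assumptions). At backup time, on the machine that holds the data:
#   New-BackupManifest -Source 'D:\Accounts' -ManifestPath 'D:\Backups\accounts-manifest.csv'
# Quarterly, restore the newest backup into a scratch folder on a machine with no access to
# production shares, then:
#   Test-RestoredCopy -Restored 'C:\RestoreTest\Accounts' -ManifestPath 'C:\RestoreTest\accounts-manifest.csv'
```

Generate a fresh manifest with every backup run and store it alongside the backup copy, not only on the source machine, or it will be encrypted with everything else. A result with Pass set to true and a handful of files opened by hand is a completed quarterly test; a result with changed files points at exactly which records you would have lost.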
Remove local administrator rights from standard user accounts. Ransomware can encrypt whatever files the logged-in user can write to without any special privilege, but it needs administrator rights to delete shadow copies, turn off Defender, harvest stored credentials and spread to other machines. A user account that can only read and write its own files therefore causes far less damage if compromised than one with full administrative access. This single change limits the blast radius of a successful phishing attack dramatically.
For endpoint protection, Microsoft Defender Antivirus in 2026 provides genuinely effective ransomware protection at zero cost for Windows 10 and 11 machines. Controlled Folder Access, a Defender feature, prevents unauthorised applications from modifying files in protected folders; enable it under Windows Security, Virus & threat protection, Ransomware protection, and add your accounts and shared-data folders to the protected list. Expect to spend a few days in the feature's audit mode first, because legitimate line-of-business software that writes to those folders will be blocked until you add it as an allowed app. For businesses that want managed endpoint protection, Malwarebytes Business costs approximately ₹2,500 per device per year and adds behavioural detection that catches novel variants Defender may miss.
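The hardening items above, together with Phase 2 of the rebuild, are the kind of thing that gets done once and silently undone by the next software install, so they are worth checking from a script on every machine before it goes back on the network and again on a schedule. The PowerShell below is an added example, not part of the original guide: it audits RDP, local administrator membership, Defender real-time protection, Controlled Folder Access and patch recency on the local Windows 10/11 machine, and with -Remediate applies the fixes. The approved-administrator list and protected folder paths are assumptions. Run it as Administrator; password resets and multi-factor authentication are done in the account systems themselves and are not covered here.

```powershell
# Added example (not from the original guide). Audit, and with -Remediate apply, the hardening the guide
# lists. Run as Administrator on each rebuilt Windows 10/11 machine. Admin list and folders are assumptions.
param([switch]$Remediate)

$ApprovedAdmins   = @("$env:COMPUTERNAME\Administrator", 'OFFICE\itadmin')   # assumption: who may be local admin
$ProtectedFolders = @('D:\Accounts', 'D:\Shared')                            # assumption: where the business data lives
$results = [System.Collections.Generic.List[object]]::new()

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. RDP: deny connections, disable the inbound firewall group, and confirm nothing listens on 3389.
#    This cannot see a port-forward on the office router; check that separately.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDeny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
if (-not $rdpDeny -and $Remediate) {
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    $rdpDeny = $true
}
$listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count
Add-Result 'RDP disabled'        $rdpDeny           "fDenyTSConnections=$([int]$rdpDeny)"
Add-Result 'No listener on 3389' ($listening -eq 0) "$listening listening socket(s) (may persist until next reboot)"

# 2. Local administrators: anyone not on the approved list is reported, or removed with -Remediate.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
$extra  = @($admins | Where-Object { $ApprovedAdmins -notcontains $_ })
if ($extra.Count -gt 0 -and $Remediate) {
    foreach ($m in $extra) { Remove-LocalGroupMember -Group 'Administrators' -Member $m }
    $extra = @()
}
Add-Result 'Only approved local admins' ($extra.Count -eq 0) ('Members: ' + ($admins -join ', '))

# 3. Defender: real-time protection on, signatures fresh, Controlled Folder Access enforcing (1 = enabled,
#    2 = audit mode) with the business data folders on the protected list.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$sigAge = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
Add-Result 'Defender real-time protection' $status.RealTimeProtectionEnabled "Signatures updated $sigAge day(s) ago"
if ($pref.EnableControlledFolderAccess -ne 1 -and $Remediate) {
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
    $pref = Get-MpPreference
}
Add-Result 'Controlled Folder Access enforcing' ($pref.EnableControlledFolderAccess -eq 1) `
    ('Protected: ' + (@($pref.ControlledFolderAccessProtectedFolders) -join ', '))

# 4. Patch state: after a fresh reinstall the newest installed update should be recent.
$latest   = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { 9999 }
$detail   = if ($latest) { "Latest: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'No updates recorded' }
Add-Result 'Updates applied in last 30 days' ($patchAge -le 30) $detail

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'Do not reconnect this machine to the network until every check passes.'
}
```

Run it first without -Remediate and read the table; the RDP and administrator changes are the ones most likely to break a workflow someone depends on, so know what you are removing before you remove it. Keep the output from each machine with the incident file: it is evidence for the insurer that the entry point was closed, and it is the baseline you compare against at the next scheduled run.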
Finally, if any personal data of customers was accessed during the breach, including purchase histories, contact details or booking records, review your obligations under DPDPA 2023. The Digital Personal Data Protection Act requires a data fiduciary to notify the Data Protection Board and each affected individual of every personal data breach, in the form and within the time set by the DPDP Rules. Penalties for failing to notify can be severe, and enforcement is escalating through 2026. Transparent customer communication, even when uncomfortable, consistently produces better business outcomes than silence.
Frequently Asked Questions
The attacker wants Bitcoin. How does a Kerala business buy cryptocurrency?
Purchasing Bitcoin for a ransom involves three steps: register on a KYC-compliant exchange such as CoinDCX or Binance using Aadhaar and PAN, a verification process that takes 24 to 48 hours; purchase the required amount in rupees via UPI or bank transfer once verified; then send the Bitcoin to the attacker's wallet address. That last step is an irreversible transaction with no recourse if anything goes wrong, so copy the address directly from the ransom note rather than retyping it, compare it character by character against your photograph, and confirm the exact amount and currency with the attacker before sending.
Before proceeding, strongly consider involving a cybersecurity professional who handles these incidents regularly. They have established negotiation channels with known ransomware groups, understand which families routinely deliver working decryptors and which do not, and can often reduce the initial demand by 30 to 60%. A professional engagement fee of ₹30,000 to ₹1,00,000 typically pays for itself in the reduced ransom amount. Large cryptocurrency purchases may attract scrutiny from Indian income tax authorities — maintain thorough documentation of the business reason for the transaction from the start.
We lost customer data. Do we legally need to notify customers?
Under DPDPA 2023, if personal data of Indian residents was accessed or exfiltrated (names, contact numbers, addresses, order history, payment references) you are required to notify the affected individuals and the Data Protection Board of India, in the manner and timeframe the DPDP Rules prescribe. The Act's penalty schedule allows up to ₹200 crore for failing to notify the Board or affected individuals of a breach, and up to ₹250 crore for failing to maintain reasonable security safeguards.
The Data Protection Board had not yet levied a penalty specifically against an Indian SME as of early 2026, but regulatory enforcement is clearly escalating, and grace period expectations should not be relied upon. Beyond legal obligation, direct and honest customer communication consistently produces better outcomes than silence. Customers who discover a breach from news reports or third parties are far harder to retain than those who received a clear, factual notification directly from you explaining what happened, which data was involved, what you are doing about it, and what steps they should take to protect themselves.
How long does full recovery take for a Kerala SME with no IT department?
With clean backups from the past 24 to 48 hours and a methodical rebuild process, most Kerala SMEs are operational again within 2 to 5 business days. With backups that are 1 to 2 weeks old, expect 3 to 7 days of system restoration plus additional time for manually re-entering recent transactions from paper records and communication history. With no usable backups, the realistic range is 2 to 6 weeks — covering negotiation or waiting for a free decryptor, rebuilding systems from scratch, and reconstructing data from every secondary source available.
The technical timeline understates the full business impact. Research on Indian SME ransomware incidents from 2024 found that staff productivity drops 30 to 60% during the incident period, customer attrition from service disruption is significant, and the time required for new security documentation and compliance work adds further operational overhead. The total business cost — IT recovery plus lost revenue plus reputational damage — averaged 3 to 5 times the ransom demand in studied cases, even for businesses that chose not to pay.