Macksofy's DFIR retainer book and threat-intelligence telemetry give us a privileged view of the ransomware landscape in India. This whitepaper shares what we see across 2025 and into 2026 — without naming victims — and what posture changes most reduce blast-radius when an incident does arrive.

1. Active threat actors against Indian organisations

LockBit variants — sustained presence; manufacturing and BFSI common targets.
Akira — fast-moving against mid-market across NCR and Maharashtra.
Black Basta affiliates — opportunistic, often via VPN credential reuse.
8Base — common against logistics and SaaS.
Nation-aligned wipers — rare but visible against government and CII targets.

2. Sector hit-rates from our DFIR book (2025)

31%

Manufacturing

24%

BFSI / NBFC

18%

SaaS / IT services

27%

Other (logistics, retail, healthcare)

3. Top five entry vectors we keep seeing

Vector	Share of cases	Why it keeps working
Internet-exposed RDP	29%	Legacy bastions never decommissioned
VPN credential reuse	23%	No MFA on the VPN; password spray succeeds
Phishing → MFA fatigue	21%	MFA push-spam against under-trained users
Vulnerable edge appliance	15%	Known CVEs on Citrix / Fortinet / SonicWall
Malicious vendor access	12%	Always-on third-party tunnels

MFA on email is not MFA on VPN.

Across 2025 IR cases the single most common preventable failure was a VPN with password-only authentication while corporate email had MFA. Attackers always go to the weaker control.

4. The 12-month outlook

Identity-attack tooling will continue to commoditise — Kerberoasting + AD CS abuse will appear in mid-market cases.
Cloud-native ransomware patterns (S3 + KMS-key-deletion blackmail) will move from niche to common.
Vendor / supply-chain entry will overtake direct phishing in BFSI as MFA enforcement tightens.
Regulators will lean harder on RTO/RPO drill evidence — paying ransom because backups failed will become a reputational liability.

5. The six-step preparedness checklist

MFA on every external surface
Email + VPN + admin portals + SaaS. No exceptions.
Decommission internet-exposed RDP
Replace with ZTNA or RDP-over-Gateway with MFA.
Patch the edge weekly
Citrix / Fortinet / SonicWall / Pulse — these CVEs are exploited within hours.
Tier-0 / tier-1 / tier-2 admin separation
No DA credentials caching on tier-2 hosts. PAW workstations for tier-0 admins.
Immutable + offline backups
3-2-1 with one offline copy. Restore drills monthly on tier-0 systems.
DFIR retainer with a 30-minute SLA
Pre-signed SOW + secure-channel comms + on-call bridge defined before an incident.

Pre-signed retainer beats best-of-breed-no-contract.

When you need DFIR you need it in 30 minutes — not after a 5-day procurement cycle. Sign the retainer SOW with a CERT-In empanelled provider while you're calm, not while file extensions are changing on your shares.

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.