
Ransomware in India: Evolving Threats and Defense

An in-depth look at the rising ransomware threat facing Indian organizations, how modern attacks work, real incidents, and practical prevention strategies.

Anurag Sharma
20 min read

Picture this happening at your office on a Monday morning

You walk in, coffee in hand, sit down at your desk, and your screen shows a red message you've never seen before. All your files have been renamed to something ending in .locked. The shared drive is gone. Your accounting system won't open. Within ten minutes, every single computer in the building has the same message: pay 5 Bitcoin or your data gets published online.

This isn't a movie plot. It happened at AIIMS Delhi. It happened at manufacturing companies in Pune. It's been happening to banks, logistics firms, and small IT shops across the country, over and over, and I'm genuinely frustrated by how little most Indian organizations are doing about it.

India recorded over 18 million ransomware attempts in just the first three quarters of 2025. That's roughly one attempt every two seconds. Those are just the ones that got caught.

And still — still — I talk to business owners who think their antivirus is enough. It isn't. Not even close.


What ransomware actually looks like now, because it's not what you think

I need to get something out of the way. The old picture of ransomware — somebody clicks a bad email, files get encrypted, you pay some Bitcoin and maybe get them back — that version's ancient history. What's happening now is a whole different animal, and honestly, the fact that it's gotten this bad while most people's understanding hasn't caught up is part of the problem.

Modern ransomware operations run like actual businesses. I'm not exaggerating. They've got dedicated teams handling different stages of an attack. They've got customer service for victims. They've got affiliate programs.

How they get in. The front door is usually one of four things. Phishing emails are still number one — but these aren't your old "Dear Sir, you have won a lottery" messages anymore. They reference real projects, use actual colleague names, mimic your company's email templates. Our guide on cybersecurity tips and best practices goes through training your team to catch these, but even trained people get fooled sometimes. That's how good the fakes have gotten. Then there's unpatched software — VPN appliances, web servers, remote desktop left open to the internet. The Log4j bug from 2021 is still being used against Indian organizations that never bothered to update. Stolen credentials are the third way in: an employee reuses their corporate VPN password on some random forum, that forum gets breached, and attackers buy the leaked password dump in bulk. Finally, supply chain attacks — malware delivered through a trusted software update or a compromised vendor's system. These are particularly nasty because everything looks legitimate.

What happens after they're in (and this is the part that should scare you). They don't encrypt anything right away. Not even close. They spend days, sometimes weeks, just quietly poking around your network. Mapping everything out. Finding your backup servers. Figuring out which systems matter most. Stealing your sensitive data and copying it to their own servers. Disabling your security tools one by one. The average dwell time before they pull the trigger is somewhere around 5-10 days. For up to ten days, someone's living inside your network, and you've got zero idea.

I talked to a security consultant in Bangalore who handled an incident at a mid-size IT services company. The attackers had been inside for 23 days before they triggered the encryption. In that time, they'd mapped out every server, identified the CEO's email, downloaded client contracts, and even read through Slack messages to figure out which clients would be most damaging to lose. When they finally launched the attack, they knew exactly how much to ask for because they'd read the company's financial statements.

Then comes the part that changed the game: double extortion. They don't just encrypt your files and demand money for the key anymore. They've already stolen your data. So now it's "pay us to decrypt your files AND pay us to not publish everything we stole on the internet." Some groups have pushed it to triple extortion — they'll directly contact your customers to tell them their personal information's been compromised. Imagine your hospital's patient records showing up on a public leak site. Or your clients getting emails about their stolen financial data.

And here's what really gets me worked up: you don't even need to be a skilled programmer to launch these attacks anymore. Groups like LockBit, BlackCat (ALPHV), and Cl0p run what's basically franchise operations. Ransomware as a Service, or RaaS. They build the malware, run the infrastructure, handle the negotiations and payments. Then they recruit "affiliates" — freelance hackers — who do the actual break-ins and take 70-80% of the ransom. It's basically turned hacking into a gig economy job. That's the world we're dealing with now.

The technical progression of a typical attack looks something like this. Initial access happens through one of the methods above. Then the attacker drops a small tool — often a legitimate system administration utility like PsExec or PowerShell scripts — to avoid triggering antivirus. They run network discovery commands to map out Active Directory, file shares, and database servers. They create additional user accounts or modify existing ones to maintain access even if their initial entry point gets discovered. They identify and disable backup solutions. They exfiltrate data to cloud storage or their own servers, often compressing it first and sending it in small chunks to avoid triggering data loss prevention rules. Only after all of that's done do they deploy the actual ransomware payload across every machine they can reach, usually at 2 or 3 AM on a Friday night or holiday weekend when nobody's watching.


Indian organizations keep getting hit and I keep seeing the same mistakes

AIIMS Delhi, November 2022. The attack took down patient registration, billing, lab reports, and appointment scheduling for nearly two weeks. Doctors went back to pen and paper while treating thousands of patients daily. Months of rebuilding afterward. The reputational damage alone was massive. And the scariest part wasn't the disruption — it was the amount of patient data that was potentially exposed. Medical records are some of the most valuable data on the dark web because they've got personal identifiers, financial info, and health data all in one place. You can get a new credit card. You can't get a new medical history.

But AIIMS at least made the news. What doesn't make headlines is far worse.

The vast majority of ransomware victims in India are small and medium businesses that nobody ever hears about. Manufacturing companies in Pune and Chennai. Logistics firms in Gujarat. Small IT services providers in Bangalore. Retail chains. They get hit constantly.

I know a CA firm in Noida — about 30 employees — that lost three years of client financial records to ransomware in early 2025. Their backup was an external hard drive that was plugged into the server 24/7. The ransomware encrypted it along with everything else. They ended up paying about Rs 8 lakh in ransom because it was cheaper than telling 200+ clients that their tax records were gone. They never reported it.

A textile manufacturer in Surat got hit through their payroll software vendor. The vendor's update mechanism had been compromised, and when the manufacturer installed a routine update, it came packaged with ransomware. Their entire ERP system went down for nine days. They estimated losses at Rs 40 lakh from missed orders and production shutdowns alone — on top of the ransom they paid.

These stories repeat across every sector, every city. And most of them never become public.

Why them? Because it's easy money for attackers. A company with 50 employees typically has one IT person who manages everything from email to the printer. No security team. No monitoring. No incident response plan. Many of them run pirated or unpatched software — Windows 7 machines on factory floors aren't unusual even now. They're sitting on thousands of customer records, financial data, and proprietary business information, all protected by a basic antivirus and crossed fingers. And when they get hit, they can't afford weeks of downtime. A manufacturing company locked out of its ERP system loses lakhs per day. So they pay. Quietly. And they never report it.

India's banking and financial sector gets targeted too — cooperative banks, NBFCs, fintech startups. Most of these incidents never become public because of regulatory and reputational concerns. RBI's issued multiple circulars about cybersecurity requirements, but compliance among smaller financial institutions is spotty at best.

Why India specifically? This is the part that frustrates me the most. We've digitized incredibly fast — Aadhaar, UPI, DigiLocker, e-governance portals everywhere — but the security hasn't kept pace. There's a gap between how much we've put online and how well we're protecting it. India needs roughly 1.5 million cybersecurity professionals. We've got fewer than 500,000. And the available talent's concentrated in big IT companies and MNCs, leaving SMBs, government agencies, and hospitals severely understaffed. Add fragmented infrastructure — a messy mix of cloud services, outdated on-premises servers, and legacy systems that can't be upgraded without breaking something — and you've created an environment that attackers love. CERT-In exists, the IT Act exists, but enforcement is inconsistent. The six-hour incident reporting mandate from 2022 was a good step, but plenty of organizations still don't comply, and nobody's really sure what happens to those that don't.

There's also a cultural factor that nobody talks about enough. In a lot of Indian organizations, cybersecurity is treated as an IT department problem, not a business problem. The CEO doesn't think about it. The board doesn't ask about it. Budget requests for security tools get cut because "we haven't been hacked so far, so why spend money on it." That mindset works perfectly — until it doesn't. And when it stops working, the cost is orders of magnitude higher than what proper prevention would've been.


Okay. Here's what actually stops ransomware.

I'm not going to pretend there's some magic product you can buy that makes this go away. There isn't. If someone's selling you "complete ransomware protection," they're lying to you. Defense works in layers, and it takes consistent effort. But these things genuinely reduce your risk by a huge margin.

Backups. Backups. Backups. The 3-2-1 rule: three copies of your data, two different storage types (like a local NAS plus cloud), one copy offsite and disconnected from any network. If your backups are solid, you can tell the attacker to go pound sand and just restore everything.

But — and I can't stress this enough — test your restores. Regularly. A backup you've never verified is a backup you can't count on. Schedule restore drills every quarter. Actually rebuild a server from backup and see if it works. Also protect the backup system itself. Modern ransomware actively hunts for backup solutions — Veeam, Acronis, Windows Backup — and targets them first. Use separate credentials for backup administration. Keep at least one copy somewhere ransomware physically can't reach: a disconnected external drive, a write-once cloud bucket, or good old tape storage.

Here's a practical backup setup that works for most SMBs: use an automated backup tool (Veeam Community Edition is free for up to 10 workloads) to back up to a local NAS daily. Replicate that NAS to a cloud provider (AWS S3, Azure Blob, or even Backblaze B2 for budget-friendly options) with versioning and immutability turned on. Once a week, run a manual backup to an external drive and physically disconnect it. Label it with the date. Keep three rotating drives. Yes, it sounds old-school. Yes, it works.
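To make "test your restores" concrete, here is an added example (an editor's illustration, not the author's setup or any backup vendor's code). It assumes a plain file-copy backup, writes a SHA-256 manifest when the backup is taken, and then runs the restore drill into scratch space and checks every file against that manifest, so a backup copy that was encrypted on an always-connected drive (the CA firm's failure mode above) fails the drill instead of failing on the day you need it. The directory names and file contents are constructed.

```python
import hashlib, json, os, shutil, tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # hash list written alongside the backup copy

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def take_backup(source, backup):
    """Copy the source tree into the backup location and record every file's hash."""
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, backup / rel)
            manifest[rel] = sha256_file(p)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest

def restore_drill(backup):
    """Restore the copy into scratch space and check it against the manifest.
    Any file missing, altered or unexpected makes the drill fail; an encrypted
    backup drive fails loudly here instead of during a real incident."""
    manifest = json.loads((backup / MANIFEST).read_text())
    report = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored, ignore=shutil.ignore_patterns(MANIFEST))
        for rel, digest in manifest.items():
            p = restored / rel
            if not p.is_file():
                report["missing"].append(rel)
            elif sha256_file(p) != digest:
                report["corrupted"].append(rel)
            else:
                report["ok"].append(rel)
        for p in restored.rglob("*"):
            rel = p.relative_to(restored).as_posix()
            if p.is_file() and rel not in manifest:
                report["unexpected"].append(rel)
    report["passed"] = not (report["missing"] or report["corrupted"] or report["unexpected"])
    return report

def demo():
    """Constructed scenario: a clean drill, then the same backup after the
    always-connected drive has been touched by an encryptor. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "clients", Path(tmp) / "usb_drive"
        for name in ("acme/itr_2024.pdf", "acme/ledger.xlsx", "zen/gst_q3.csv"):
            f = src / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(f"constructed content of {name}\n".encode() * 50)
        take_backup(src, bak)
        clean = restore_drill(bak)
        (bak / "acme/ledger.xlsx").write_bytes(os.urandom(256))            # overwritten
        (bak / "zen/gst_q3.csv").rename(bak / "zen/gst_q3.csv.locked")     # renamed
        (bak / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")  # note dropped
        tampered = restore_drill(bak)
    return clean, tampered
```

Keep the manifest on the source side as well (or in the immutable cloud copy), because a backup drive that gets encrypted loses its manifest too; a drill that cannot even read the manifest is still a failed drill.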

Lock down email since that's still how most attacks start. Get advanced email filtering that can detect phishing — Microsoft Defender for Office 365 or Google Workspace's built-in tools are decent starting points. Set up DMARC, DKIM, and SPF for your domain to prevent spoofing. Disable Office document macros by default (most real business processes don't need them). And run ongoing security awareness training — not a single PowerPoint session everyone sleeps through. Services like KnowBe4 and Cofense do simulated phishing exercises for the Indian market. Run them monthly.
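"Set up DMARC, DKIM, and SPF" is easy to do badly, so here is an added example (an editor's illustration, not the author's code) that lints SPF and DMARC records for the settings that leave a domain spoofable: a weak pair and a hardened pair are shown side by side. The records and the example.com addresses are constructed; a real check would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS library.

```python
import re

# Constructed records for the example: one spoofable setup, one hardened one.
WEAK = {"spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.google.com -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"}

# Terms that cost a DNS lookup; SPF allows at most 10 of them per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)")

def lint_spf(record):
    """Return the findings that make an SPF record useless against spoofing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"   # "+" is the default
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail neither passes nor fails")
        elif qualifier == "~":
            findings.append("'~all' is softfail: needs DMARC p=quarantine/reject to act on it")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: SPF evaluates as permerror")
    return findings

def lint_dmarc(record):
    """Return the findings that stop a DMARC record from protecting the domain."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports of spoofing attempts")
    return findings

def lint_domain(records):
    """Lint both records of one domain; an empty list per record means no weak setting found."""
    return {"spf": lint_spf(records["spf"]), "dmarc": lint_dmarc(records["dmarc"])}
```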

The phishing simulations are worth highlighting. One of the companies I've advised set up monthly phishing tests through KnowBe4. In the first month, 35% of employees clicked the fake phishing link. After six months of training and testing, it was down to 4%. That's not zero, but it's a dramatic reduction. The key is consistency — one training session a year does almost nothing. Monthly exercises build a genuine reflex.

Get real endpoint protection. Traditional antivirus isn't cutting it. You need Endpoint Detection and Response — EDR — that watches for suspicious behavior, not just known malware signatures.

| Feature | Traditional Antivirus | EDR Solution |
|---|---|---|
| Detection method | Signature matching | Behavioral analysis |
| Ransomware detection | Known variants only | Detects encryption behavior |
| Response capability | Quarantine file | Isolate endpoint, kill process |
| Visibility | Individual machine | Network-wide |
| Investigation | Minimal | Full forensic timeline |
| Cost | Low | Higher |

For Indian SMBs: CrowdStrike Falcon Go, SentinelOne, and Microsoft Defender for Business all offer EDR at reasonable prices. Even a basic EDR setup is worlds better than running nothing but an antivirus from 2019.

What EDR buys you that antivirus doesn't is visibility. When a machine starts behaving oddly — like a process suddenly reading every file on the disk in sequence, or PowerShell making network connections to unusual IP addresses — EDR flags it and can automatically isolate that machine from the network before the damage spreads. With traditional antivirus, you only know something's wrong when the ransom note appears.

Patch your stuff. I know it's boring. I know legacy software breaks when you update the OS. I know the one factory machine runs some ancient app that only works on Windows 7. But attackers love unpatched systems — that's their easiest way in. Automate patching on workstations. Schedule monthly patching windows for servers. VPN appliances, web servers, and email gateways need to be patched within days of a critical vulnerability announcement, not weeks. And that Windows 7 machine on the factory floor? Isolate it on its own network segment with strict firewall rules. Don't connect it to the internet. Don't let it talk to anything it doesn't absolutely need.

Segment your network. Don't run a flat network where every device can talk to every other device. For home users and small offices, our complete guide to home network security covers segmentation and other basics. In a business environment: office workstations shouldn't be able to directly access database servers. IoT devices — printers, cameras, sensors — belong on their own VLAN. Server infrastructure goes behind internal firewalls with tight rules. Backup systems get their own isolated segment. If ransomware compromises one area, it can't easily jump to others. That buys you time to spot it and contain the damage.

Think of segmentation like fire doors in a building. If one room catches fire, fire doors stop the flames from spreading to the whole floor. A flat network is a building with no doors — one fire and the whole thing goes up. Most small businesses I've looked at have everything on one flat subnet: employee laptops, the accounting server, the NAS, the security cameras, and the CEO's personal iPad. Ransomware on any one of those devices can reach everything else. Segmentation fixes that.

MFA on everything. VPN, email, cloud apps, admin panels — every last one. Multi-factor authentication stops stolen credentials from being useful. Even if an attacker's got someone's password, they can't get in without the second factor. Use push-notification-based MFA (like Microsoft Authenticator) rather than SMS codes — SIM swap attacks make SMS-based OTPs unreliable.

Restrict admin privileges aggressively. Most employees don't need local admin rights on their computers. Remove them. Use a separate admin account for IT staff — one they only log into when they need to do actual admin work, not for browsing the web and checking email. The principle of least privilege sounds like textbook stuff, but in practice, most Indian businesses give everyone admin access because it's easier than dealing with help desk tickets. That convenience is exactly what attackers count on.


When prevention fails — because sometimes it will

You need an incident response plan, and it needs to be written down, practiced, and stored somewhere you can access even when all your systems are encrypted. Like printed out in a binder. Seriously.

Detection: how will you know you've been hit? Watch for unusual file encryption patterns, mass file renaming, ransom notes popping up on screens, or EDR alerts.

Containment: immediately isolate affected machines from the network — disconnect Wi-Fi and Ethernet. Don't shut them down, though — forensic evidence in memory matters.

Communication: who gets called? Leadership, IT team, legal, CERT-In (you've got six hours, mandatory), potentially law enforcement, affected customers.

Recovery: restore from backups, rebuild compromised systems from clean images, change every password, revoke and reissue certificates.
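The EDR section's behavioural signals (a process touching every file in sequence) and the detection step above (mass renaming, new extensions, ransom notes) are the same idea, so here is one added example for both (an editor's illustration, not the author's code or any EDR product's logic). It scores a constructed stream of file events per process on three independent signals and only alerts when two of them coincide, which keeps a backup job or a bulk-rename tool from tripping it. The event format, thresholds and sample events are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
import os

@dataclass
class FileEvent:
    ts: float           # seconds (constructed timestamps)
    pid: int
    process: str
    op: str             # "read", "write", "rename" or "create"
    path: str
    new_path: str = ""  # destination, for "rename" only

# Assumed tuning values; a real deployment would baseline these per host.
WINDOW_SECONDS, RENAME_THRESHOLD, REWRITE_THRESHOLD = 60.0, 20, 50
NOTE_MARKERS = ("DECRYPT", "RESTORE", "HOW_TO", "RECOVER", "README")

def new_extension(ev):
    if ev.op != "rename":
        return None
    old, new = [os.path.splitext(p)[1].lower() for p in (ev.path, ev.new_path)]
    return new if new and new != old else None   # extension the rename introduced

def looks_like_ransom_note(path):
    name = os.path.basename(path).upper()
    return name.endswith((".TXT", ".HTA", ".HTML")) and any(m in name for m in NOTE_MARKERS)

def score_process(events):
    """Slide a time window over one process's events (sorted by ts); return the reasons in its worst window."""
    best, start = [], 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > WINDOW_SECONDS:
            start += 1
        window, reasons = events[start:end + 1], []
        exts = Counter(e for e in map(new_extension, window) if e)
        if exts and exts.most_common(1)[0][1] >= RENAME_THRESHOLD:
            ext, n = exts.most_common(1)[0]
            reasons.append(f"{n} files renamed to '{ext}' within {WINDOW_SECONDS:.0f}s")
        read = {e.path for e in window if e.op == "read"}
        rewritten = {e.path for e in window if e.op in ("write", "rename") and e.path in read}
        if len(rewritten) >= REWRITE_THRESHOLD:
            reasons.append(f"{len(rewritten)} files read and then overwritten")
        notes = [e.path for e in window if e.op == "create" and looks_like_ransom_note(e.path)]
        if notes:
            reasons.append(f"ransom-note-like file created: {os.path.basename(notes[0])}")
        if len(reasons) > len(best):
            best = reasons
    return best

def detect(events):
    """Return {(pid, process): reasons} for every process showing two or more
    signals; one signal alone (backup job reading, bulk rename) does not alert."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.pid, ev.process)].append(ev)
    alerts = {}
    for key, evs in by_proc.items():
        reasons = score_process(evs)
        if len(reasons) >= 2:
            alerts[key] = reasons
    return alerts

def build_sample_events():
    """Constructed sample: a backup agent reading a share, then an encryptor rewriting and renaming every file and dropping a note."""
    docs = [f"/srv/share/finance/q{i % 4}/report_{i}.xlsx" for i in range(80)]
    t, ev = 1_700_000_000.0, []
    ev += [FileEvent(t + i * 0.2, 4101, "backup-agent", "read", d) for i, d in enumerate(docs)]
    t += 600
    for i, d in enumerate(docs):
        ev.append(FileEvent(t + i * 0.3, 7734, "updater.exe", "read", d))
        ev.append(FileEvent(t + i * 0.3 + 0.1, 7734, "updater.exe", "write", d))
        ev.append(FileEvent(t + i * 0.3 + 0.2, 7734, "updater.exe", "rename", d, d + ".locked"))
    ev.append(FileEvent(t + 30, 7734, "updater.exe", "create", "/srv/share/finance/HOW_TO_DECRYPT.txt"))
    return ev
```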

Write this down as a simple checklist that anyone can follow under pressure. During an actual incident, nobody thinks clearly. Adrenaline's pumping, phones are ringing, the CEO's demanding answers, and your IT person is trying to figure out how bad it is. A laminated card with "Step 1: Unplug affected machines from network. Step 2: Call [name] at [number]. Step 3: Do NOT shut down machines." is worth more than a 50-page policy document that nobody can find.

And then there's the question nobody wants to think about: do you pay? The FBI recommends against it — it funds criminals and there's no guarantee you get your data back. But when patient lives hang in the balance, or when your business literally won't survive weeks of downtime, some organizations decide paying costs less than not paying. If you go that route, bring in legal counsel and a professional ransomware negotiation firm. Don't try to negotiate directly. These firms know the going rates, they know which groups actually provide working decryption keys, and they know how to avoid making things worse. Negotiators have told me that initial ransom demands are almost always inflated — groups expect negotiation and typically settle for 20-40% of the initial ask.

CERT-In requirements you should know about: mandatory incident reporting to CERT-In within six hours, keeping ICT system logs for 180 days within Indian jurisdiction, a five-year customer-data retention requirement for VPN providers, and incident reporting and record-keeping obligations for data centers and cloud providers. Their ransomware advisories recommend regular offline backups, keeping everything updated, strong unique passwords with MFA, disabling unnecessary remote access, restricting admin privileges, and monitoring network traffic. Following these isn't just about avoiding penalties — it's about building actual resilience.


Cyber insurance — yeah, it's probably worth looking into

Cyber insurance has become a real market in India. ICICI Lombard, HDFC Ergo, Bajaj Allianz, and others offer policies covering ransom payments (in some cases), business interruption during recovery, data recovery costs, legal and regulatory expenses, notification costs for affected individuals, and forensic investigation fees. An SMB might pay Rs 50,000-2,00,000 per year for Rs 50 lakh-1 crore in coverage.

Fair warning: insurers are getting pickier. If you don't have MFA, endpoint protection, and backup procedures, you might get denied coverage or face sky-high premiums. And policies have exclusions — read every line of the fine print.

Some things to ask before signing a policy: Does it cover ransomware payments directly, or only the recovery costs? What's the waiting period before business interruption coverage kicks in? Does it require you to use specific incident response vendors? What's the reporting timeline — some policies void coverage if you don't notify the insurer within 24-48 hours of discovering an incident. Is social engineering fraud covered (it often isn't by default)?

My honest take: it's a useful safety net, but it's not a replacement for actually securing your systems. Same logic as health insurance — having a policy doesn't mean you can skip exercising.


Start now, not after you've been hit

Here's a prioritized list if this whole thing feels like too much.

This week: turn on MFA for all email, VPN, and cloud services. Check that your backups are current and actually test restoring something. Make sure your operating systems are up to date. Give your team a five-minute briefing on phishing basics.

This month: evaluate and set up an EDR solution. Get proper email filtering with anti-phishing features. Review who has administrative access and cut it down to only people who truly need it. Write a basic incident response document — even a one-pager is better than nothing.

This quarter: run a security assessment or pen test. Implement network segmentation. Start a recurring security awareness training program. Look into cyber insurance. Set up log monitoring and alerting.

Ongoing, forever: monthly patching. Quarterly backup restore tests. Yearly incident response drills. Continuous training.

The cost of doing all of this for a 50-person company? Roughly Rs 5-10 lakh per year for EDR, email security, backup tools, and periodic assessments. The cost of a ransomware incident for the same company? Anywhere from Rs 20 lakh to Rs 2 crore when you add up ransom, downtime, data loss, legal fees, and reputation damage. The math is obvious. The challenge is getting people to do it before they learn the hard way.


So where does this leave us?

Ransomware isn't slowing down. The money's too good for attackers to quit. AI is making phishing emails harder to spot, helping attackers find vulnerabilities faster, and automating parts of the attack chain. RaaS platforms keep lowering the barrier to entry. Every month, the attacker side of this equation gets a little bit stronger.

The defender's playbook hasn't changed though: update your systems, maintain backups you've actually tested, train the humans in the loop, and have a plan for the worst case. Organizations that consistently do these basics are far less likely to become victims. And when they do get hit, they bounce back instead of going under.

But here's what I keep coming back to: if the average Indian SMB can't afford a single dedicated security person, if hospitals are running critical systems on decade-old software, if we've got a 1-million-person cybersecurity talent gap — are we actually going to close that gap before attackers exploit it? Or are we just going to keep reading about the next big breach and hoping it doesn't happen to us?

I don't have a clean answer. I'm not sure anyone does. But I do know this — the organizations that treat ransomware as a "when" problem instead of an "if" problem are the ones that survive it. The ones that assume it won't happen to them are the ones that end up in a conference room at midnight, staring at a ransom note, wishing they'd done the boring work six months ago.

Don't be that organization. Start with MFA and backups. Do it this week. Everything else can follow.


Anurag Sharma

Founder & Editor

Software engineer with 8+ years of experience in full-stack development and cloud architecture. Founder of Tech Tips India, where he breaks down complex tech concepts into practical, actionable guides for Indian developers and enthusiasts.
