
Ransomware in India: How Attacks Are Evolving and What You Can Do

An in-depth look at the rising ransomware threat facing Indian organizations, how modern attacks work, real incidents, and practical prevention strategies.

Anurag Sharma
15 min read

The Problem Is Bigger Than Most People Realize

Here is a number that should keep every Indian business owner awake at night: India recorded over 18 million ransomware attempts in the first three quarters of 2025 alone, according to data from cybersecurity firms tracking the Indian threat landscape. That is roughly one attempt every two seconds. And these are just the ones that were detected.

Ransomware is not a new threat. It has been around since the late 1980s. But the scale, sophistication, and sheer destructive capability of modern ransomware attacks have evolved so dramatically that what happened five years ago barely resembles what organizations face today. Attackers are not just encrypting your files and demanding Bitcoin anymore. They are stealing your data first, threatening to publish it, and sometimes even calling your customers to tell them their personal information is compromised.

Indian organizations — from hospitals to manufacturing plants to IT services companies — have become prime targets. And the uncomfortable truth is that most of them are not prepared.


How Modern Ransomware Actually Works

To defend against ransomware, you need to understand how it operates. The simplistic image of "someone clicks a bad email attachment and all files get encrypted" is outdated. Modern ransomware operations are run like businesses, with dedicated teams handling different stages of the attack.

The Initial Access

Attackers get into your network through one of several common entry points:

  • Phishing emails remain the number one vector. A convincing email tricks an employee into clicking a link or opening an attachment that installs malware. These emails have gotten remarkably sophisticated — they reference real projects, use actual colleague names, and mimic corporate email formatting.

  • Exploiting vulnerabilities in internet-facing systems. Unpatched VPN appliances, outdated web servers, and misconfigured remote desktop services are favorite targets. The Log4j vulnerability from 2021 is still being exploited in Indian organizations that never patched it.

  • Stolen credentials purchased from initial access brokers on dark web marketplaces. An employee's password leaked from a data breach at an unrelated service, and they reused it for their corporate VPN. Attackers buy these credential dumps in bulk.

  • Supply chain attacks where malware is delivered through a trusted software update or a compromised vendor's system. These are particularly insidious because the malicious payload arrives through a legitimate channel.

The Dwell Time

This is the part most people do not know about. After gaining initial access, ransomware operators do not immediately encrypt everything. They spend days, sometimes weeks, quietly exploring your network. They are:

  • Mapping the network to understand its structure, identify critical servers, and find backup locations
  • Escalating privileges by exploiting internal vulnerabilities or harvesting credentials from memory
  • Exfiltrating data — copying sensitive files to their own servers before encryption begins
  • Disabling security tools and backup systems so that recovery becomes impossible
  • Identifying the highest-value targets — databases, file servers, email systems, and domain controllers

The average dwell time before ransomware deployment is around 5-10 days. During this period, the attackers are essentially living inside your network, and most organizations have no idea.

The Double Extortion Model

Traditional ransomware encrypted your files and demanded payment for the decryption key. Modern ransomware uses what is called "double extortion":

  1. First extortion: Pay us to decrypt your files.
  2. Second extortion: Pay us or we publish your stolen data on our leak site for anyone to download.

Some groups have escalated to "triple extortion" — they also contact your customers, partners, or regulatory bodies to add pressure. Imagine your hospital's patient records being posted publicly. Or your clients receiving emails saying their contracts and financial data have been stolen.

Ransomware as a Service (RaaS)

The most alarming development is the professionalization of ransomware. Major groups like LockBit, BlackCat (ALPHV), and Cl0p operate as platforms. They develop the ransomware code, maintain the infrastructure, negotiate with victims, and process payments. Then they recruit "affiliates" — essentially freelance hackers — who carry out the actual attacks in exchange for a percentage of the ransom (typically 70-80%).

This lowers the barrier to entry dramatically. You no longer need to be a skilled malware developer to launch a ransomware attack. You need basic hacking skills and a willingness to partner with a RaaS platform.


Major Ransomware Incidents in India

AIIMS Delhi (2022 and Aftermath)

The All India Institute of Medical Sciences in Delhi suffered a devastating ransomware attack in November 2022 that crippled its systems for nearly two weeks. Patient registration, billing, lab reports, and appointment scheduling all went offline. Doctors reverted to pen-and-paper processes while treating thousands of patients daily.

The aftermath extended well beyond the initial incident. AIIMS spent months rebuilding systems, implementing new security controls, and dealing with the reputational damage. The attack exposed how vulnerable India's healthcare infrastructure is — many government hospitals still run on outdated operating systems with minimal cybersecurity budgets.

What made the AIIMS attack particularly concerning was the scale of patient data potentially compromised. Medical records are among the most valuable data on the dark web — they contain personal identifiers, financial information, and health data that cannot be changed like a credit card number.

Indian Manufacturing and SMBs Under Siege

The attacks on well-known institutions make headlines, but the vast majority of ransomware victims in India are small and medium businesses that never make the news. Manufacturing companies, logistics firms, small IT services providers, and retail chains are hit constantly.

Why are SMBs targeted disproportionately? Several factors:

  • Limited cybersecurity budgets. A company with 50 employees typically has one IT person who manages everything from email to the website. There is no dedicated security team, no SIEM, no 24/7 monitoring.

  • Outdated infrastructure. Many Indian SMBs run pirated or unpatched software. Windows 7 machines are still common on factory floors and in small offices. Legacy systems running end-of-life operating systems are sitting ducks.

  • Valuable data, poor protection. An SMB may handle thousands of customer records, financial transactions, and proprietary business data, all protected by nothing more than a basic antivirus and a hopeful prayer.

  • More likely to pay. SMBs cannot afford weeks of downtime. A manufacturing company that cannot access its ERP system loses lakhs per day. Many quietly pay the ransom and never report the incident.

Banking and Financial Services

India's financial sector has been targeted repeatedly, though many incidents go unreported due to regulatory and reputational concerns. Cooperative banks, NBFCs, and fintech startups have all been victims. The Reserve Bank of India (RBI) has issued multiple circulars emphasizing cybersecurity requirements, but compliance among smaller financial institutions remains patchy.


Why India Is Particularly Vulnerable

Several structural factors make India an attractive target for ransomware operators:

Rapid Digitization Without Security

India has digitized rapidly — Aadhaar, UPI, DigiLocker, e-governance portals — but the cybersecurity maturity of many organizations has not kept pace. There is a gap between the attack surface (which has expanded enormously) and the defensive capabilities (which often lag behind).

Cybersecurity Talent Shortage

India needs an estimated 1.5 million cybersecurity professionals but has fewer than 500,000. This shortage means many organizations simply cannot hire qualified security staff, even if they have the budget. The available talent is concentrated in large IT companies and multinational corporations, leaving SMBs, government agencies, and healthcare institutions severely understaffed.

Fragmented IT Infrastructure

Many Indian organizations run a patchwork of modern cloud services, on-premises servers running outdated software, and legacy systems that cannot be upgraded without disrupting operations. This fragmented infrastructure creates security gaps that attackers exploit.

Regulatory Enforcement Gaps

While India has the Indian Computer Emergency Response Team (CERT-In) and the Information Technology Act, enforcement is inconsistent. The six-hour incident reporting mandate introduced by CERT-In in 2022 was a positive step, but many organizations still do not comply, and the consequences for non-compliance are unclear.


Prevention: What Actually Works

I am not going to sugarcoat this — there is no single product or configuration that makes you "ransomware-proof." Defense is layered, and it requires consistent effort. That said, these strategies dramatically reduce your risk.

The 3-2-1 Backup Strategy

This is the single most important defense against ransomware. If your backups are solid, you can recover without paying a cent.

  • 3 copies of your data
  • 2 different storage media (e.g., local NAS + cloud storage)
  • 1 copy offsite and offline (air-gapped, meaning not connected to any network)

The critical detail most people miss: test your restores regularly. A backup you have never tested is a backup you cannot trust. Schedule quarterly restore drills. Verify that you can actually rebuild a server from backup in a reasonable timeframe.

Also, ensure your backup system itself is protected. Sophisticated ransomware actively searches for backup solutions (Veeam, Acronis, Windows Backup) and targets them first. Use separate credentials for backup administration, and keep at least one backup copy that ransomware cannot reach — a disconnected external drive, a write-once cloud storage bucket, or tape storage.
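To make the 3-2-1 rule and the restore-drill advice above concrete, here is an added example (not code from the original article) that audits a backup inventory and verifies a restore by comparing hashes. The inventory, the file contents and the report date are constructed in-memory stand-ins for a real NAS, cloud bucket and offline tape set; the 90-day limit corresponds to the quarterly drills recommended above.

```python
"""Checks a backup inventory against the 3-2-1 rule and verifies a restore.

Added example, not code from the original post. The inventory and the
file contents are constructed in-memory stand-ins for a real NAS, cloud
bucket and offline drive; the hash comparison is the same check you would
run after restoring a real file from each copy.
"""
import hashlib
from datetime import date, timedelta

RESTORE_TEST_MAX_AGE = timedelta(days=90)   # quarterly restore drills
REPORT_DATE = date(2025, 10, 1)              # constructed "today" for the audit

# Constructed inventory: each copy records where it lives, whether it is
# reachable from the production network, and when a restore was last tested.
BACKUP_COPIES = [
    {"name": "primary-nas",     "media": "nas",   "offsite": False, "offline": False,
     "last_restore_test": date(2025, 9, 1)},
    {"name": "cloud-immutable", "media": "cloud", "offsite": True,  "offline": False,
     "last_restore_test": date(2025, 8, 15)},
    {"name": "vault-tape",      "media": "tape",  "offsite": True,  "offline": True,
     "last_restore_test": date(2025, 3, 1)},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(copies, today):
    """Return a list of rule violations (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; need at least 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append("all copies share one storage medium; need 2 different media")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    if not any(c["offline"] for c in copies):
        problems.append("no offline (air-gapped) copy that ransomware cannot reach")
    for c in copies:
        age = today - c["last_restore_test"]
        if age > RESTORE_TEST_MAX_AGE:
            problems.append(f"{c['name']}: last restore test {age.days} days ago")
    return problems


def verify_restore(manifest, restored_files):
    """Compare restored file contents against the hashes recorded at backup time.

    manifest: {path: sha256 hex}; restored_files: {path: bytes}.
    Returns the list of paths that are missing or whose content changed.
    """
    bad = []
    for path, expected in manifest.items():
        data = restored_files.get(path)
        if data is None or sha256_hex(data) != expected:
            bad.append(path)
    return bad


# Constructed "backup" of two files and the manifest taken when they were backed up.
ORIGINAL_FILES = {
    "erp/db.sql": b"CREATE TABLE invoices (id INT);",
    "hr/payroll.csv": b"emp_id,salary\n1,50000\n",
}
MANIFEST = {p: sha256_hex(d) for p, d in ORIGINAL_FILES.items()}


if __name__ == "__main__":
    print("3-2-1 problems:", check_321(BACKUP_COPIES, REPORT_DATE))
    # Simulate a restore where one file came back corrupted or encrypted.
    restored = dict(ORIGINAL_FILES)
    restored["hr/payroll.csv"] = b"\x00garbage"
    print("failed restore checks:", verify_restore(MANIFEST, restored))
```

The manifest of hashes is what makes the restore drill meaningful: a restore that "completes" but returns files the ransomware had already encrypted before the backup job ran will fail the comparison, which is exactly the case a quarterly drill should catch.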

Email Security

Since phishing is the top attack vector, invest in email security:

  • Advanced email filtering that uses AI/ML to detect phishing. Microsoft Defender for Office 365 or Google Workspace's built-in protection are reasonable starting points.
  • DMARC, DKIM, and SPF configured for your domain to prevent spoofing.
  • Disable macros in Office documents by default. Most legitimate business processes do not need them.
  • Security awareness training for all employees. Not a one-time slideshow — ongoing training with simulated phishing exercises. Services like KnowBe4 and Cofense provide these for the Indian market.
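The DMARC, DKIM and SPF item above is where many Indian domains stop at "we have a record" without checking what the record actually enforces. The following is an added example, not code from the original article: it parses SPF and DMARC TXT-record strings offline and flags the settings that leave a domain spoofable, showing a weak record set beside a hardened one. The domain example.in and both record sets are constructed; no DNS lookup is performed.

```python
"""Offline checks for the SPF and DMARC records the article recommends.

Added example, not code from the original post. It parses the TXT-record
strings an organisation would publish in DNS and flags settings that leave
the domain spoofable. The records below are constructed for the example;
no DNS lookup is performed, so it runs offline.
"""
import re

# Constructed sample records: a weak set and a hardened set for a made-up domain.
WEAK_RECORDS = {
    "example.in": "v=spf1 include:_spf.google.com ?all",
    "_dmarc.example.in": "v=DMARC1; p=none; rua=mailto:dmarc@example.in",
}
HARDENED_RECORDS = {
    "example.in": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.in": "v=DMARC1; p=reject; sp=reject; pct=100; "
                         "rua=mailto:dmarc@example.in; ruf=mailto:dmarc@example.in",
}


def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty list = acceptable)."""
    if not record:
        return ["no SPF record published"]
    if not record.lower().startswith("v=spf1"):
        return ["record does not start with v=spf1"]
    findings = []
    terms = record.split()
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly allowed")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers will not reject spoofed mail")
        elif qualifier == "~":
            findings.append("'~all' softfail: move to '-all' once all legitimate senders are listed")
    # SPF allows at most 10 DNS-querying mechanisms; more than that is a permerror.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record (empty list = acceptable)."""
    if not record:
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not declare v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomains are not covered by a reject policy (sp=)")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


def audit_domain(records, domain):
    """Combine SPF and DMARC findings for one domain."""
    return {
        "spf": check_spf(records.get(domain, "")),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit_domain(recs, "example.in"))
```

Note that DKIM is not checked here because its record is a public key selector (and its validation happens on a received message), whereas SPF and DMARC policy strength can be judged from the published record alone. A real audit would fetch the records with a DNS client and then pass the strings to these functions.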

Endpoint Protection

Traditional antivirus is not enough. You need an Endpoint Detection and Response (EDR) solution that can detect suspicious behavior, not just known malware signatures.

Feature               | Traditional Antivirus | EDR Solution
----------------------|-----------------------|-------------------------------
Detection Method      | Signature matching    | Behavioral analysis
Ransomware Detection  | Known variants only   | Detects encryption behavior
Response Capability   | Quarantine file       | Isolate endpoint, kill process
Visibility            | Individual machine    | Network-wide
Investigation         | Minimal               | Full forensic timeline
Cost                  | Low                   | Higher

For Indian SMBs, CrowdStrike Falcon Go, SentinelOne, and Microsoft Defender for Business offer EDR capabilities at reasonable price points. Even a basic EDR is dramatically better than no EDR.

Patch Management

Keeping systems updated is boring but essential. Automate patching wherever possible:

  • Operating systems: Enable automatic updates on all workstations. Schedule monthly patching windows for servers.
  • Internet-facing applications: VPN appliances, web servers, email gateways — these must be patched within days of a critical vulnerability disclosure, not weeks.
  • Third-party software: Browsers, PDF readers, Java, .NET — all are common exploitation targets.

The challenge in Indian organizations is legacy software that breaks when the underlying OS is updated. If you have a critical application that only runs on Windows 7, isolate it on a separate network segment with strict firewall rules. Do not connect it to the internet. Do not allow it to communicate with anything except the specific systems it needs.

Network Segmentation

Do not run a flat network where every device can communicate with every other device. Segment your network so that:

  • Office workstations cannot directly access database servers
  • IoT devices (printers, cameras, sensors) are on their own VLAN
  • Server infrastructure is behind internal firewalls with strict access rules
  • Backup systems are on an isolated network segment

If ransomware compromises one segment, it cannot easily spread to others. This buys you time to detect and contain the attack.
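The segmentation rules above come down to one principle: default deny between segments, with an explicit allow-list of the few flows the business needs. Here is an added example (not code from the original article) that models the segments listed above as a policy and evaluates whether a given connection would be permitted. The VLAN address ranges, ports and allowed flows are constructed assumptions for the example; the segment names follow the list above.

```python
"""Default-deny segmentation policy check for the segments the article lists.

Added example, not code from the original post. Segment address ranges,
ports and flows are constructed assumptions; the point is that the policy
is an allow-list evaluated from the sending segment, so a compromised
workstation cannot reach the database or backup segments directly.
"""
import ipaddress

# Constructed segments (VLANs) and their address ranges.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-servers":  ipaddress.ip_network("10.20.0.0/24"),
    "db-servers":   ipaddress.ip_network("10.30.0.0/24"),
    "iot":          ipaddress.ip_network("10.40.0.0/24"),
    "backup":       ipaddress.ip_network("10.50.0.0/24"),
    "management":   ipaddress.ip_network("10.60.0.0/24"),
}

# Allow-list of (source segment, destination segment, port); everything else is denied.
ALLOWED_FLOWS = {
    ("workstations", "app-servers", 443),   # users reach applications over HTTPS only
    ("app-servers", "db-servers", 5432),    # only the application tier talks to the database
    ("backup", "app-servers", 22),          # backup host pulls from servers, never the reverse
    ("backup", "db-servers", 5432),
    ("management", "db-servers", 22),       # assumed admin jump host segment
    ("management", "backup", 22),
    ("iot", "management", 123),             # printers/cameras may only reach internal NTP
}


def segment_of(ip):
    """Name of the segment an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, port):
    """Default deny: a flow passes only if its (src, dst, port) tuple is explicitly listed."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True   # intra-segment traffic is not filtered here (host firewalls still apply)
    return (src, dst, port) in ALLOWED_FLOWS


def reachable_segments(src_ip):
    """Which other segments a host can reach at all; useful for reviewing blast radius."""
    src = segment_of(src_ip)
    return sorted({dst for (s, dst, _) in ALLOWED_FLOWS if s == src})


if __name__ == "__main__":
    print(is_allowed("10.10.5.7", "10.30.0.10", 5432))   # workstation -> database: False
    print(is_allowed("10.20.0.4", "10.30.0.10", 5432))   # app server -> database: True
    print(reachable_segments("10.10.5.7"))               # ['app-servers']
```

The reachable_segments review is the one to run after any rule change: if a workstation segment can suddenly reach "backup" or "db-servers", the change has undone the protection the rest of this section describes.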

Multi-Factor Authentication (MFA)

Enable MFA on everything. VPN access, email, cloud applications, administrative interfaces — all of it. MFA prevents stolen credentials from being useful. Even if an attacker has an employee's password, they cannot log in without the second factor.

Push-notification-based MFA (like Microsoft Authenticator) is more secure than SMS-based OTPs, which can be intercepted through SIM swapping.


Building an Incident Response Plan

Prevention is critical, but you also need a plan for when prevention fails. An incident response plan should be documented, practiced, and accessible offline (because your digital documents might be encrypted).

Key Components

  1. Detection procedures. How will you know you have been hit? Monitor for unusual file encryption activity, mass file renaming, ransom notes appearing on systems, or alerts from your EDR solution.

  2. Containment steps. Immediately isolate affected systems from the network. Disconnect them from WiFi and Ethernet. Do not shut them down — forensic evidence in memory is valuable.

  3. Communication plan. Who gets notified? Internal leadership, IT team, legal counsel, CERT-In (mandatory within six hours), potentially law enforcement, and affected customers.

  4. Recovery procedures. Restore from backups. Rebuild compromised systems from clean images. Change all passwords. Revoke and reissue certificates.

  5. To pay or not to pay. This is a business decision with no universally right answer. The FBI recommends against paying because it funds criminal operations and does not guarantee recovery. However, when patient lives or business survival are at stake, some organizations decide the cost of not paying is higher. If you choose to pay, involve legal counsel and a professional ransomware negotiation firm.
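Item 1 above (detection procedures) and the EDR comparison earlier both hinge on recognising encryption behaviour rather than known malware signatures. The following added example (not code from the original article, and not any product's detection logic) runs three of those heuristics over a constructed file-event log: a burst of renames to one new extension by a single account, creation of a ransom-note-style file, and a byte-entropy test that separates encrypted content from ordinary documents. The event format, thresholds, host and user names are all assumptions for the example.

```python
"""Detection heuristics for the ransomware signals the article lists:
mass file renaming, files that look encrypted, and ransom notes.

Added example, not code from the original post and not a product's
detection logic. It runs over a constructed file-event log in the same
spirit as an EDR or SIEM rule; thresholds, field layout, host and user
names are assumptions for the example.
"""
import math
import re
from collections import defaultdict

RENAME_BURST_COUNT = 20      # this many renames ...
RENAME_BURST_WINDOW = 60     # ... within this many seconds, by one account on one host
RANSOM_NOTE_RE = re.compile(r"(readme|how_to|restore|decrypt|recover).*\.(txt|html|hta)$", re.I)

# Constructed events: "epoch_seconds,host,user,operation,path[,new_path]"
# Two normal actions by a user, then 25 renames to ".lkd" in 25 seconds and a note file.
SAMPLE_EVENTS = """\
1700000000,FS01,priya,write,\\\\FS01\\finance\\q3.xlsx
1700000005,FS01,priya,rename,\\\\FS01\\finance\\q3.xlsx,\\\\FS01\\finance\\q3_v2.xlsx
""" + "\n".join(
    f"17000001{i:02d},FS01,svc_backup,rename,\\\\FS01\\hr\\file{i}.docx,\\\\FS01\\hr\\file{i}.docx.lkd"
    for i in range(25)
) + """
1700000130,FS01,svc_backup,create,\\\\FS01\\hr\\README_TO_RESTORE.txt
"""


def parse_events(text):
    """Parse the comma-separated event lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        ev = {"ts": int(parts[0]), "host": parts[1], "user": parts[2],
              "op": parts[3], "path": parts[4]}
        if len(parts) > 5:
            ev["new_path"] = parts[5]
        events.append(ev)
    return events


def detect_rename_bursts(events):
    """Flag an account that renames many files to one new extension inside a short window."""
    alerts = []
    by_actor = defaultdict(list)
    for ev in events:
        if ev["op"] == "rename":
            by_actor[(ev["host"], ev["user"])].append(ev)
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside RENAME_BURST_WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > RENAME_BURST_WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) >= RENAME_BURST_COUNT:
                exts = {e["new_path"].rsplit(".", 1)[-1].lower() for e in window}
                if len(exts) == 1:   # everything is being renamed to the same extension
                    alerts.append({"signal": "mass_rename", "host": host, "user": user,
                                   "count": len(window), "extension": exts.pop()})
                    break
    return alerts


def detect_ransom_notes(events):
    """Flag newly created files whose names look like ransom notes."""
    return [{"signal": "ransom_note", "host": e["host"], "user": e["user"], "path": e["path"]}
            for e in events
            if e["op"] == "create" and RANSOM_NOTE_RE.search(e["path"].rsplit("\\", 1)[-1])]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Entropy test for a file's content; short samples are ignored to avoid noise."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for alert in detect_rename_bursts(events) + detect_ransom_notes(events):
        print(alert)
    print("random bytes look encrypted:", looks_encrypted(bytes(range(256)) * 4))
    print("spreadsheet text looks encrypted:", looks_encrypted(b"invoice,amount,gst\n" * 100))
```

On a real file server these signals would come from audit logging or an EDR agent rather than a text log, and the entropy check would be applied to the renamed files themselves. Each signal alone produces false positives (a legitimate bulk rename, a compressed archive); the combination of a rename burst, a new extension and a note file within minutes is what should trigger the containment step that follows.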


CERT-In Guidelines and Compliance

The Indian Computer Emergency Response Team (CERT-In) has issued several directives relevant to ransomware preparedness:

  • Six-hour mandatory reporting of cybersecurity incidents to CERT-In
  • Maintaining logs of ICT systems for 180 days within Indian jurisdiction
  • VPN service providers must maintain customer data for five years
  • Data centers and cloud providers must report incidents and maintain records

For practical guidance, CERT-In's advisories on ransomware mitigation recommend:

  • Regular data backups with offline copies
  • Updating operating systems and applications
  • Using strong, unique passwords with MFA
  • Disabling unnecessary remote access services
  • Restricting administrative privileges to only those who need them
  • Monitoring network traffic for anomalies

Compliance with these guidelines is not just about avoiding penalties — it is about building genuine resilience.


Cyber Insurance: Worth It?

Cyber insurance has become a growing market in India, with policies available from ICICI Lombard, HDFC Ergo, Bajaj Allianz, and others. A basic cyber insurance policy covers:

  • Ransom payments (in some policies)
  • Business interruption costs during recovery
  • Data recovery expenses
  • Legal and regulatory costs
  • Notification expenses for informing affected individuals
  • Forensic investigation costs

Premiums depend on your organization's size, industry, security posture, and coverage amount. An SMB might pay Rs 50,000-2,00,000 annually for Rs 50 lakh-1 crore coverage.

Important caveats: insurers are increasingly requiring evidence of basic cybersecurity hygiene before issuing policies. If you do not have MFA, endpoint protection, and backup procedures, you may be denied coverage or face higher premiums. And policies have exclusions — read the fine print carefully.

My take: cyber insurance is a useful layer in your overall risk management strategy, but it is not a substitute for actual security controls. Think of it like health insurance — you still need to exercise and eat well.


Practical Steps You Can Take Today

If you have read this far and feel overwhelmed, here is a prioritized action list:

Immediate (This Week)

  • Enable MFA on all email accounts, VPN, and cloud services
  • Verify that your backups are current and test a restore
  • Ensure your operating systems are updated
  • Brief your team on phishing recognition basics

Short-Term (This Month)

  • Evaluate and deploy an EDR solution
  • Implement email filtering with anti-phishing capabilities
  • Review and restrict administrative access across your systems
  • Create a basic incident response document

Medium-Term (This Quarter)

  • Conduct a security assessment or penetration test
  • Implement network segmentation
  • Establish a security awareness training program
  • Evaluate cyber insurance options
  • Set up log monitoring and alerting

Ongoing

  • Monthly patching cycles
  • Quarterly backup restore tests
  • Annual incident response drills
  • Continuous security awareness training

The Uncomfortable Reality

Ransomware is not going away. If anything, it is getting worse. The profitability of ransomware ensures that criminal groups will continue to invest in developing more sophisticated attacks. AI is now being used by attackers to write more convincing phishing emails, discover vulnerabilities faster, and automate attack workflows.

The good news is that the fundamentals of defense remain the same: keep systems updated, maintain reliable backups, train your people, and have a plan for when things go wrong. Organizations that consistently execute these basics are far less likely to become victims, and far more resilient when they do.

If you are responsible for IT security at an Indian organization — whether a ten-person startup or a thousand-employee enterprise — take this threat seriously. The cost of prevention is always less than the cost of recovery. And for the organizations that cannot recover, the cost is everything.

Anurag Sharma

Founder & Editor

Tech enthusiast and founder of Tech Tips India. Passionate about making technology accessible to everyone across India.
