India’s Cyber Defenses Under Siege: The Rising Threat of Ransomware; Jim Walter, Senior Threat Researcher, SentinelOne

With its rapidly expanding digital infrastructure and increasing dependence on technology,
India has become a prime target for ransomware attacks. As the world’s fifth-largest
economy, India faces a unique ransomware threat that arises from the widespread adoption
of technologies that lack proper security—and cybercriminals have taken notice.
The result? Organised ransomware groups have shifted their focus to include small
businesses, government institutions, and even individuals.

The country is experiencing mounting cybercrime expenses, costing billions annually to recover data and return business to normal. Meanwhile, public trust erodes with each attack as cybersecurity teams struggle to hold back an avalanche of incidents that drain resources and slow digital progress.


A Growing Impact

The scale of ransomware attacks in India is unprecedented. A recent study by CERT-In
(Indian Computer Emergency Response Team) revealed that ransomware attacks surged by
51% in 2023 alone. This sharp rise reflects how lucrative and easy these attacks have
become for cybercriminals, who exploit the vulnerabilities in India’s IT systems.

Small and medium-sized businesses (SMBs) are often the most vulnerable. This past July, a
ransomware attack forced over 300 small Indian banks offline, cutting off access to essential
financial services for millions of rural and urban customers. This disruption has severe
consequences in a country where digital banking and online financial services are becoming
lifelines for people’s day-to-day transactions.

According to a report by Kaspersky, 53% of Indian SMBs experienced ransomware attacks in 2023, with 559 million attacks occurring between April and May of this year, making them the most targeted segment. This may be because the sheer number of such companies offers more weaknesses to pry open, or because these companies are less likely to have robust cybersecurity teams monitoring their networks.

But it’s not just businesses. Ransomware has been weaponized against Indian citizens as
well, locking personal devices and stealing sensitive information. In the first half of this year
alone, ransomware in India has jumped 22%, and there are still more devices coming online.


Who’s Behind India’s Ransomware Attacks

A combination of global and local criminal groups drives the ransomware ecosystem in India.
Despite the authorities’ vigilant efforts, organised cybercriminal groups like Kryptina, FIN7, and
Mallox have made India a key target.

  • Mallox (aka TargetCompany), notorious for targeting Microsoft SQL databases, has
    significantly burdened Indian enterprises. Many companies in India rely on
    Microsoft’s infrastructure for daily operations, making them particularly vulnerable to
    Mallox’s attacks. Mallox operations in India slowed somewhat between 2023 and
    2024, but the targeting of the region persists.
  • RansomHub – RansomHub emerged in early February 2024 with a simple data leak
    site (DLS). RansomHub operates as a ransomware-as-a-service (RaaS), partnering
    with affiliates that work with a variety of ransomware families, including former
    ALPHV and LockBit. There are RansomHub-native ransomware payloads as well,
    targeting multiple platforms and environments. Direct RansomHub affiliates are
    provided access to build payloads for Windows and Linux, along with targeted builds
    for ESXi and SFTP. Notably, RansomHub works with other threat actors and groups
    to re-publish and re-broadcast the availability of victim data.
  • LockBit (3.0) – LockBit operations have persisted, even following the various
    law-enforcement actions against the ‘higher-level’ actors associated with the
    operation. Throughout 2023 and 2024, targeting of the region by LockBit-wielding
    threat actors has continued. LockBit-centric ransomware attacks are amongst the most
    prolific in the region (compared to other ransomware families/operations).
  • Kill Security – Emerging in early 2024, Kill Security-related operations (aka k1llsec)
    have been observed targeting entities within India. The group is known to have
    targeted, and leaked data associated with, multiple law-enforcement agencies within
    the region.
  • Cloak (ARCrypter) – ARCrypter (aka Good Day) ransomware operators have been
    observed attacking entities in India, with a notable uptick from 2023 onward.
    ARCrypter operators are known to leak to the ‘Cloak’ DLS (data leak site).

In 2023, ransomware attacks on Indian businesses led to significant financial losses, with the
average ransom demand reaching $4.8 million (approximately ₹40 crore) per incident and
recovery costs often exceeding $1.35 million (above ₹11 crore). Many of these attacks were
attributed to sophisticated cybercriminal organisations.

These figures don’t account for the hidden costs, such as downtime, data loss, or damage to
a company's reputation. During an ongoing attack or crime-related outage, customers may
turn to competitors to conduct their transactions; for perishable or daily purchases, the
customer may return in the future, but the lost sale itself can’t be recovered.

The Rising Toll of Ransomware in India

For SMBs, the combined cost of paying the ransom, retrieving proprietary data, returning to full
operations, and recovering lost revenue can be too much to bear. For this reason, many
businesses opt to pay the ransom, even when there is no guarantee that their data will be
fully restored.

The Indian financial sector, in particular, has been a favourite target. This year the National
Payment Corporation of India (NPCI), which runs the country's digital payment systems, was
forced to take systems offline temporarily due to an attack. Beyond the financial impact,
these incidents erode trust in India’s push for a digital-first economy, impacting the country’s
progress toward digital banking adoption.

India’s AI Response to Ransomware

The sheer volume and sophistication of ransomware attacks have made manual
cybersecurity practices inefficient. Indian companies are turning to artificial intelligence (AI) to bolster their cybersecurity defences. AI-driven tools are essential in detecting and mitigating ransomware threats in real time.

Lenovo’s recent announcement of AI-enabled cybersecurity within their AI PCs is one
example of how this technology is becoming more accessible to the Indian public. Similarly,
Indian enterprises, particularly in sectors like finance and healthcare, are increasingly
integrating AI into their security infrastructure.

According to a recent survey, 71% of Indian retailers stated they had adopted or planned to adopt AI-driven cybersecurity solutions within the next year, while 59% of enterprises have already deployed.

This new technology’s ability to quickly analyse vast amounts of data and detect irregular patterns is crucial in a country of India’s size to continue to scale its cybersecurity efforts alongside growth. From small startups to large enterprises, AI is no longer a luxury but a necessity to stay ahead of ransomware groups.

Without these defenses, the Indian economy remains vulnerable to the disruptive power of cyberattacks.

India at the Crossroads of Cybersecurity and Ransomware

India’s rapid digital transformation has made it a hotspot for ransomware attacks. As criminal organisations become more sophisticated, securing Indian businesses and individuals becomes even more urgent. Integrating AI into cybersecurity offers a glimmer of hope, but security requires concerted action from both the government and the private sector. An example is India’s Cyber commando initiative, where top cybersecurity performers will be recruited to take a government-run centralised approach that will rely on data from both private and public centres.

However, with billions of rupees at stake, it’s not enough for individuals or organisations to wait for the country’s 5-year cyber-defence plan to come to fruition. Educating businesses and individuals to identify and avoid ransomware threats, using AI capabilities to understand the threats they face in real time, allows for better decision-making and more secure digital spaces.
