
The Rise of Ransomware in India: The Battle for Digital Security

With its rapidly expanding digital infrastructure and increasing reliance on technology, India has become a prime target for ransomware attacks. As the world’s fifth-largest economy, India faces a unique ransomware threat stemming from the widespread adoption of technologies that lack adequate security — and cybercriminals have taken notice.

The result? Organized ransomware groups have shifted their focus to include small businesses, government institutions, and even individuals. The country faces rising costs from cybercrime, spending billions annually to recover data and restore business to normal. Meanwhile, public trust erodes with each attack as cybersecurity teams struggle to contain an onslaught that drains resources and slows digital progress.

A growing impact

The scale of ransomware attacks in India is unprecedented. A recent study by CERT-In (Indian Computer Emergency Response Team) showed that ransomware attacks have increased by 51% in 2023 alone. This sharp increase reflects how profitable and easy these attacks have become for cybercriminals, who exploit vulnerabilities in IT systems in India.

Small and medium-sized enterprises (SMEs) are often the most vulnerable. Last July, a ransomware attack forced more than 300 small Indian banks offline, cutting off access to critical financial services for millions of rural and urban customers. This disruption has serious consequences in a country where digital banking and online financial services are becoming lifelines for people’s day-to-day transactions. According to a report by Kaspersky, 53% of Indian SMBs experienced ransomware attacks in 2023, with 559 million attacks occurring between April and May this year, making them the most targeted segment. This may be due to the higher volume of companies disclosing vulnerabilities or the fact that these companies are less likely to have robust cybersecurity teams monitoring their networks.

But it’s not just business. Ransomware has also been used against Indian citizens, locking personal devices and stealing sensitive information. In the first half of this year alone, ransomware in India has increased by 22% and there are still more devices coming online.

Who is behind ransomware attacks in India

A combination of global and local criminal groups drives the ransomware ecosystem in India. Despite the vigilant efforts of the authorities, organized cybercriminal groups like Kryptina, FIN7 and Mallox have made India a key target.

Mallox (aka TargetCompany), notorious for targeting Microsoft SQL databases, has significantly burdened Indian businesses. Many companies in India rely on Microsoft infrastructure for day-to-day operations, making them particularly vulnerable to Mallox attacks. Mallox operations in India slowed down somewhat between 2023 and 2024, but targeting of the region persists.

RansomHub: RansomHub appeared in early February 2024 with a simple data leak site (DLS). RansomHub operates as a ransomware-as-a-service (RaaS) operation, partnering with affiliates working with a variety of ransomware families, including the former ALPHV and LockBit. There are also native RansomHub ransomware payloads that target multiple platforms and environments. Direct RansomHub affiliates are given access to build payloads for Windows and Linux, along with targeted builds for ESXi and SFTP. In particular, RansomHub works with other actors and threat groups to republish and redistribute victim data.

LockBit (3.0): LockBit’s operations have persisted, even in the wake of various law enforcement actions against “top level” actors associated with the operation. Throughout 2023 and 2024, the targeting of the region by threat actors using LockBit continued. Ransomware attacks centered on LockBit are among the most prolific in the region (compared to other ransomware families/operations).

Kill Security: Appearing in early 2024, operations related to Kill Security (aka k1llsec) were observed targeting entities in India. The group is known to have targeted and leaked data associated with several law enforcement agencies in the region.

Cloak (ARCrypter): ARCrypter (aka Good Day) ransomware operators have been observed attacking entities in India, with a notable increase since 2023. ARCrypter operators are known for leaking data to the “Cloak” data leak site (DLS).

In 2023, ransomware attacks on companies in India resulted in significant financial losses, with the average ransom demand reaching USD 4.8 million (approx. 40 million) per incident and recovery costs often exceeding $1.35 million (above 11 million). Many of these attacks have been attributed to sophisticated cyber criminal organizations.

These figures do not take into account hidden costs such as downtime, data loss or damage to a company’s reputation. During an ongoing attack or crime-related disruption, customers may turn to competitors to transact. In the case of perishable or daily transactions, they may continue with the business in the future, but the lost sale cannot be recovered.

Ransomware on the rise in India

For SMBs, the cost of paying off ransomware, recovering proprietary data, returning to full operations, and recovering lost revenue can be too much to bear. For this reason, many companies choose to pay the ransom, even when there is no guarantee that their data will be fully restored.

The Indian financial sector in particular has been a favorite target. This year, the National Payments Corporation of India (NPCI), which manages the country’s digital payment systems, was forced to temporarily take systems offline due to an attack. Beyond the financial impact, these incidents are eroding confidence in the strength of India’s digital economy, impacting the country’s progress towards adopting digital banking.

India’s AI answer to ransomware

The sheer volume and sophistication of ransomware attacks have rendered manual cybersecurity practices ineffective. Indian companies are turning to artificial intelligence (AI) to strengthen their cyber security defenses. AI-based tools are critical to detecting and mitigating ransomware threats in real time.

Lenovo’s recent announcement of AI-enabled cybersecurity in their AI PCs is an example of how this technology is becoming more accessible to the Indian public. Similarly, Indian enterprises, particularly in sectors such as finance and healthcare, are increasingly integrating AI into their security infrastructure. According to a recent survey, 71% of Indian retailers said they had adopted or planned to adopt AI-based cyber security solutions in the next year, while 59% of enterprises had already implemented them.

The ability of this new technology to quickly analyze large amounts of data and detect irregular patterns is crucial for a country the size of India to continue expanding its cybersecurity efforts alongside growth. From small startups to large enterprises, AI is no longer a luxury, but a necessity to stay ahead of ransomware groups.

Without these defenses, the Indian economy remains vulnerable to the disruptive power of cyber attacks.

India at the Crossroads of Cyber Security and Ransomware

India’s rapid digital transformation has made it a hotspot for ransomware attacks. As criminal organizations become more sophisticated, securing Indian businesses and individuals becomes even more urgent. Integrating artificial intelligence into cybersecurity offers a glimmer of hope, but security requires concerted action from both government and the private sector. An example is India’s Cyber Commando initiative, under which top cyber security performers will be recruited into a centralized government-run approach that will draw on data from private and public centres.

However, with billions of rupees at stake, it is not enough for individuals or organizations to wait for the country’s 5-year cyber defense plan to materialize. Educating businesses and individuals to identify and avoid ransomware threats by using AI capabilities to understand the threats they face in real-time enables better decision-making and safer digital spaces.

Jim Walter is a senior threat researcher at SentinelOne
