Ransomware siege: Who’s targeting India’s digital frontier?


By Jim Walter, Senior Threat Researcher, SentinelOne

With its rapidly expanding digital infrastructure and increasing dependence on technology, India has become a prime target for ransomware attacks. As the world’s fifth-largest economy, India faces a unique ransomware threat that arises from the widespread adoption of technologies that lack proper security—and cybercriminals have taken notice.

The result? Organised ransomware groups have shifted their focus to include small businesses, government institutions, and even individuals. The country is experiencing mounting cybercrime expenses, costing billions annually to recover data and return business to normal. Public trust erodes with each attack as cybersecurity teams struggle to hold back the avalanche of attacks that drain resources and slow digital progress.

A growing impact

The scale of ransomware attacks in India is unprecedented. A recent study by CERT-In (Indian Computer Emergency Response Team) revealed that ransomware attacks surged by 51% in 2023 alone. This sharp rise reflects how lucrative and easy these attacks have become for cybercriminals, who exploit the vulnerabilities in India’s IT systems.

Small and medium-sized businesses (SMBs) are often the most vulnerable. This past July, a ransomware attack forced over 300 small Indian banks offline, cutting off access to essential financial services for millions of rural and urban customers. This disruption has severe consequences in a country where digital banking and online financial services are becoming lifelines for people’s day-to-day transactions. According to a report by Kaspersky, 53% of Indian SMBs experienced ransomware attacks in 2023, with 559 million attacks occurring between April and May of this year, making them the most targeted segment. This may be due to the larger volume of companies to pry open weaknesses or the reality that these companies are less likely to have robust cybersecurity teams monitoring their networks.

But it’s not just businesses. Ransomware has been weaponised against Indian citizens as well, locking personal devices and stealing sensitive information. In the first half of this year alone, ransomware in India has jumped 22%, and there are still more devices coming online.

Who’s behind India’s ransomware attacks

A combination of global and local criminal groups drives the ransomware ecosystem in India. Despite authorities’ vigilant efforts, organised cybercriminal groups like Kryptina, FIN7, and Mallox have made India a key target.

  • Mallox (aka TargetCompany), notorious for targeting Microsoft SQL databases, has significantly burdened Indian enterprises. Many companies in India rely on Microsoft’s infrastructure for daily operations, making them particularly vulnerable to Mallox’s attacks. Mallox operations in India slowed somewhat between 2023 and 2024, but the targeting of the region persists.
  • RansomHub – RansomHub emerged in early February 2024 with a simple data leak site (DLS). RansomHub operates as a ransomware-as-a-service (RaaS), partnering with affiliates that work with a variety of ransomware families, including former ALPHV and LockBit affiliates. There are RansomHub-native ransomware payloads as well, targeting multiple platforms and environments. Direct RansomHub affiliates are given access to build payloads for Windows and Linux, along with targeted builds for ESXi and SFTP. Notably, RansomHub works with other threat actors and groups to re-publish and re-broadcast the availability of victim data.
  • LockBit (3.0) – LockBit operations have persisted, even following the various law-enforcement actions against the ‘higher-level’ actors associated with the operation. Throughout 2023 and 2024, targeting of the region by LockBit-wielding threat actors has continued. LockBit-centric ransomware attacks are amongst the most prolific in the region compared to other ransomware families and operations.
  • Kill Security – Emerging in early 2024, Kill Security-related operations (aka k1llsec) have been observed targeting entities within India. The group is known to have targeted, and leaked data associated with, multiple law-enforcement agencies within the region.
  • Cloak (ARCrypter) – ARCrypter (aka Good Day) ransomware operators have been observed attacking entities in India, with a notable uptick from 2023 onward. ARCrypter operators are known to leak to the ‘Cloak’ DLS (data leak site).

In 2023, ransomware attacks on Indian businesses led to significant financial losses, with the average ransom demand reaching $4.8 million (approximately ₹40 crore) per incident and recovery costs often exceeding $1.35 million (above ₹11 crore). Many of these attacks were attributed to sophisticated cybercriminal organisations.

These figures don’t account for the hidden costs, such as downtime, data loss, or damage to a company’s reputation. During an ongoing attack or crime-related outage, customers may turn to competitors to conduct transactions; in the case of perishable or day-to-day transactions, those customers may return in the future, but the sale lost during the outage can’t be recovered.

The rising toll of ransomware in India

For SMBs, the cost of paying ransomware, retrieving proprietary data, returning to full operations, and recovering lost revenue can be too much to bear. For this reason, many businesses opt to pay the ransom, even when there is no guarantee that their data will be fully restored.

The Indian financial sector, in particular, has been a favourite target. This year the National Payment Corporation of India (NPCI), which runs the country’s digital payment systems, was forced to take systems offline temporarily due to an attack. Beyond the financial impact, these incidents erode trust in India’s push for a digital-first economy, impacting the country’s progress toward digital banking adoption.

India’s AI response to ransomware

The sheer volume and sophistication of ransomware attacks have made manual cybersecurity practices inefficient. Indian companies are turning to artificial intelligence (AI) to bolster their cybersecurity defences. AI-driven tools are essential in detecting and mitigating ransomware threats in real time.

Lenovo’s recent announcement of AI-enabled cybersecurity within their AI PCs is one example of how this technology is becoming more accessible to the Indian public. Similarly, Indian enterprises, particularly in sectors like finance and healthcare, are increasingly integrating AI into their security infrastructure. According to a recent survey, 71% of Indian retailers stated they had adopted or planned to adopt AI-driven cybersecurity solutions within the next year, while 59% of enterprises have already deployed such solutions.

This technology’s ability to quickly analyse vast amounts of data and detect irregular patterns is crucial for a country of India’s size, allowing cybersecurity efforts to scale alongside growth. From small startups to large enterprises, AI is no longer a luxury but a necessity to stay ahead of ransomware groups.

Without these defences, the Indian economy remains vulnerable to the disruptive power of cyberattacks.

India at the crossroads of cybersecurity and ransomware

India’s rapid digital transformation has made it a hotspot for ransomware attacks. As criminal organisations become more sophisticated, securing Indian businesses and individuals becomes even more urgent. Integrating AI into cybersecurity offers a glimmer of hope, but security requires concerted action from both the government and the private sector. An example is India’s Cyber commando initiative, where top cybersecurity performers will be recruited to take a government-run centralised approach that will rely on data from both private and public centres.

However, with billions of rupees at stake, it’s not enough for individuals or organisations to wait for the country’s 5-year cyber-defence plan to come to fruition. Educating businesses and individuals on identifying and avoiding ransomware threats, and using AI capabilities to understand the threats they face in real time, allows for better decision-making and more secure digital spaces.
