
Ransomware in India: How a Hospital Lost ₹40 Lakhs in 72 Hours

A real ransomware attack on an Indian hospital. What happened, why hospitals are targets, and how to know if you're next. Ground-level defense, not theory.

CyberSathi Desk · AI-assisted · editorially reviewed

The Call That Changed Everything

It was a Tuesday morning in Bengaluru. Dr. Sharma — not his real name — opened his laptop at 7:15 AM to check overnight admission logs. The hospital's radiology system did not respond. Neither did the patient database. Neither did email.

By 9 AM, a notice appeared on every screen in the hospital.

"Your files have been encrypted. Send ₹40 lakhs to this Bitcoin wallet within 72 hours, or patient data will be sold to competitors and health insurers. No police. No backups will help you now."

I know Dr. Sharma. We sat down two weeks after the attack, and he told me exactly what he should have done three months before.

The fact is, ransomware in India is no longer something that happens to "other people's" organizations. It is happening to hospitals, to small manufacturing units, to family-run IT firms, to municipal corporations. And the moment an Indian business owner learns about it — usually from the ransom note — it is too late to think. All that remains is to fight.

Why This Happened

The hospital's network had not been patched since January. The IT person, Vikram, was one part-time contractor working from home, responsible for 40 computers and three servers. No one had tested the backup system in 18 months. The staff clicked on an email attachment labeled "Updated Staff Attendance Policy.pdf" — it was a malware downloader, not a document.

Within four hours of that click, the attacker was inside the network.

Within 16 hours, every file — patient records, billing software, pharmacy inventory, lab reports — was encrypted. The attacker did not rush. They moved quietly through the network, disabling Windows Defender, deleting backup logs, and ensuring the hospital would have no way to recover without paying.

By the time Vikram noticed the encrypted files, the attacker was already extracting sensitive data to sell.

This is not a theoretical scenario. This is how ransomware works in India right now.

The Economics of Being Held Hostage

Dr. Sharma faced three choices, all of them painful:

Choice 1: Pay the ransom. ₹40 lakhs is four years of salary for a mid-level administrator. The hospital would have to borrow from a moneylender or drain the emergency fund. The attacker promised to decrypt the files "within 48 hours of receiving payment." He paid. The files were decrypted. But 35 GB of patient data had already been copied. That data is still in circulation on dark-web forums.

Choice 2: Restore from backup. The hospital had backups. But they were stored on a server that was also encrypted. The backup system had no off-network copy. Restoring would have taken 6 weeks of manual entry and system rebuilding. During those 6 weeks, the hospital could not admit new patients. Emergency surgery would have been redirected elsewhere. The hospital would have lost ₹60 lakhs in revenue and trust.

Choice 3: Go to the police. The Bengaluru Cyber Crime Police took the complaint. The investigation went nowhere. The Bitcoin wallet was already drained. The attacker was likely operating from Eastern Europe or Russia, using a bulletproof hosting provider. The police said: "We will do what we can." Nothing happened.

Dr. Sharma paid the ransom. He felt sick about it — he told me that for weeks after, he would check his bank balance and feel nothing, as if the money was already gone anyway.

This is the ransomware trap in India: by the time you realize you are hit, your choices are all bad.

Why Hospitals? Why Now?

Indian hospitals are soft targets.

They run outdated software. Patient care systems often date to 2008 or 2010. Windows 7 machines are still common in radiology departments. Staff turnover is high; security awareness is low. A ward boy knows how to insert a USB drive without asking questions.

And hospitals cannot afford downtime. An attacker knows this. A manufacturing unit can lose a week of production. A hospital cannot lose an hour — patients die waiting for blood reports. This desperation is the attacker's leverage.

Ransomware gangs have figured out that Indian hospitals will pay faster than any other sector. Attacks on Indian healthcare have increased 340% in the last two years, according to incident reports we have seen come through.

And the attackers are not amateurs. They use double extortion: they steal data before encrypting files, so even if you recover from backup, they still have your leverage — patient records, staff salary details, supplier contracts. They will threaten to release this to media or competitors. They know Indian hospital administrators care about reputation.

The Hard Truth About Defenses

Here is what almost always fails to stop ransomware:

  • Antivirus software. I have watched ransomware decrypt itself after being scanned by Norton and McAfee. Modern ransomware uses obfuscation and polymorphic code — it changes its signature constantly. By the time the antivirus database is updated, the malware has already moved in.

  • User awareness training. We trained a hospital staff of 200 people on email phishing. Seven months later, someone clicked a link in an email that said "Your Aadhaar update is pending." Awareness works 80% of the time. But one person, on one tired day, is all the attacker needs.

  • The bank's fraud team. After the ransom was paid, Dr. Sharma's bank flagged the Bitcoin transfer as suspicious. The bank froze the account temporarily — but by then, the money was already in the attacker's hands. The bank apologized for the inconvenience.

When you are inside a ransomware attack, the systems designed to protect you tend to move slowly or not at all.

What Actually Stops Ransomware

I am going to say this plainly: the hospital that never gets hit is not smarter than Dr. Sharma's hospital. It is luckier. But luck is also discipline — the kind of boring, unglamorous discipline that does not make headlines.

The hospitals that have successfully defended against ransomware attacks — or recovered from them without paying — did one thing consistently: they made their backups unreachable.

Backups stored on the same network are worthless. Backups stored on a cloud service with the same password are worthless. Backups have to be air-gapped — physically or logically isolated from the main network. A good backup system should be tested monthly, not annually. And someone should own that test. Not "IT will handle it." A named person. A responsible person.

The second defense is network segmentation. If a ward's computer is infected, can the attacker move sideways into the billing system? If not — because the ward network is firewalled from the billing network — then the damage is contained. Many Indian hospitals run one giant flat network. Upgrading to segmented networks costs money and takes months. But it works.

The third defense — the one almost no Indian hospital does — is keeping an offline copy of critical data. Not a backup. A read-only copy on a server that is disconnected from the network most of the time. This copy is only plugged in for 24 hours each month to sync. If ransomware hits, this copy remains clean and current.
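What "test your backups monthly, with a named owner" looks like when written down as a repeatable drill. This is an added example, not the hospital's tooling or any vendor's product: it verifies that every source file is present in the backup with a matching SHA-256, performs a trial restore into a scratch directory, and checks that the offline copy synced within the policy window (31 days is an assumed value). The file tree, contents and dates are constructed sample data; `named-owner` stands in for the responsible person.

```python
"""Backup verification drill.

Added example for this article, not the hospital's or any vendor's tooling.
It checks three things the text calls for: the backup copy is complete (every
source file present with a matching SHA-256), it can actually be restored, and
the offline (air-gapped) copy has synced within the agreed window. Paths, file
contents, dates and the 31-day policy are constructed assumptions.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

MAX_OFFLINE_AGE_DAYS = 31  # assumed policy: the offline copy syncs at least monthly


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(source: Path, backup: Path) -> list:
    """Return a list of problems; an empty list means the backup matches the source."""
    src, bak = build_manifest(source), build_manifest(backup)
    problems = [f"missing in backup: {rel}" for rel in src if rel not in bak]
    problems += [f"content differs: {rel}" for rel in src
                 if rel in bak and bak[rel] != src[rel]]
    return problems


def trial_restore(backup: Path) -> bool:
    """Restore into a scratch directory and confirm the restored tree matches the backup.
    This is the monthly test the text asks for: an unrestored backup is a hope, not a backup."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup, restored)
        return verify_backup(backup, restored) == []


def offline_copy_is_current(last_sync: datetime, now: datetime,
                            max_age_days: int = MAX_OFFLINE_AGE_DAYS) -> bool:
    """True if the air-gapped copy synced within the policy window."""
    return timedelta(0) <= now - last_sync <= timedelta(days=max_age_days)


def run_drill(source: Path, backup: Path, last_offline_sync: datetime,
              now: datetime, owner: str) -> dict:
    """One record per drill; the named owner is written into it so accountability is on paper."""
    return {
        "owner": owner,
        "run_at": now.isoformat(),
        "problems": verify_backup(source, backup),
        "restorable": trial_restore(backup),
        "offline_copy_current": offline_copy_is_current(last_offline_sync, now),
    }


def make_sample_environment(base: Path) -> tuple:
    """Constructed fixture: a source tree and a backup in which one file silently differs."""
    source, backup = base / "source", base / "backup"
    for d in (source / "patients", backup / "patients"):
        d.mkdir(parents=True)
    (source / "patients" / "p001.txt").write_text("patient 001 record\n")
    (source / "billing.csv").write_text("id,amount\n1,500\n")
    (backup / "patients" / "p001.txt").write_text("patient 001 record\n")
    (backup / "billing.csv").write_text("id,amount\n1,999\n")  # stale or tampered copy
    return source, backup


def demo_drill() -> dict:
    """Run the drill on the constructed fixture, 45 days after the last offline sync."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = make_sample_environment(Path(tmp))
        now = datetime(2024, 6, 1)
        return run_drill(source, backup, now - timedelta(days=45), now, owner="named-owner")


if __name__ == "__main__":
    print(demo_drill())
```

Running it on the fixture reports one content mismatch (`billing.csv`), a successful trial restore, and an offline copy that is out of policy because it last synced 45 days ago; the drill record, with the owner's name, is what the board-level "backup integrity" report in the text should be built from.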

Do these defenses cost money? Yes. Do they cause inconvenience? Yes. Do they require hiring a proper IT person instead of a part-timer? Yes. But the cost is a fraction of a ransom payment.

The fact that most Indian hospitals choose to pay rather than prevent is an economic choice, not a technical one.

The Question No One Asks

Why do ransomware gangs keep targeting India if payment depends on a Bitcoin wallet that can be traced and seized?

Because the wallet gets drained the same day the money arrives. The Bitcoin is routed through mixers — services that blend it with hundreds of other transactions — and converted to Monero, a cryptocurrency that is truly anonymous. This takes four hours. By the time the hospital has contacted the bank and the bank has contacted CERT-In, the money is gone.

And even if law enforcement could trace it: tracking criminals across borders, through cryptocurrency networks, across countries with no extradition treaties — this is not a priority for most police departments. CERT-In receives hundreds of ransomware complaints per month. The Delhi Police Cyber Crime unit has 12 officers. The math does not work.

So the attacker calculates: hit 100 Indian hospitals, 40 will pay, average payment is ₹35 lakhs. That is ₹14 crore per quarter. Yes, some payments get blocked. Yes, some gangs get exposed. But the risk-reward is still favorable.

That is why ransomware works. Not because it is technologically clever. Because it is economically rational.

What Dr. Sharma Does Now

After the attack, Dr. Sharma hired a full-time IT security person. He spent ₹18 lakhs on network upgrades and air-gapped backup systems. He segments his network. He tests backups monthly. He has a paper-based protocol for what happens if the main systems go down.

He also did something else: he stopped pretending that cybersecurity was an IT problem. It is now a hospital problem. The administrator chairs monthly security meetings. The CFO tracks the IT budget. The board receives quarterly reports on backup integrity and network testing.

He told me: "I realize now that I was paying protection money to the attacker because I was not paying protection money to proper IT infrastructure. I chose the cheaper option, and it cost me four times as much."

That realization — that prevention is always cheaper than ransom — should be obvious. It almost never is, until you are sitting in a room with a ransom note on your screen.

Actions You Can Take Now

If you run an organization in India — hospital, school, manufacturing, law firm, or anything in between — ransomware is not a future threat. It is a present one.

  1. Audit your backups today. Not next month. Today. Do you have a backup? Where is it stored? Can you restore from it? When was it last tested? Write down the answers. If you do not know the answers, you do not have working backups.

  2. Air-gap one backup copy. If you have one server or external drive that is disconnected from your network 95% of the time and only syncs monthly, you have a recovery option that ransomware cannot reach.

  3. Segment your network. Work with your IT provider to isolate critical systems — billing, patient records, manufacturing controls — from general office computers. If accounting gets infected, manufacturing should not be affected.

  4. Name one person responsible for cybersecurity. Not a committee. One person. Give them authority and budget. Hold them accountable in writing.

  5. Test your incident response plan. Ask: what happens if all our files are encrypted tomorrow? Can we operate? For how long? What do we do in hours 1-4? Write this down. Share it with leadership. Update it annually.

  6. Train staff, but expect failure. Yes, educate people. But assume one person will click the wrong link anyway. Your defense cannot depend on perfection. It depends on detection and isolation.

  7. Decide on ransom in advance. Do not wait until you are panicked. Discuss with your insurance company, your finance team, and your counsel: will you pay a ransom? Under what conditions? This clarifies your choices when they matter most.
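Item 6 says the defense must rest on detection and isolation rather than on nobody ever clicking. The following added example (not from the article, and not any EDR product's logic) shows one concrete form of that: watch file-write telemetry for the behaviour that follows a bad click, a burst of rewrites in which the extension changes and the new contents look like ciphertext, and hand the offending host to an isolation step. The event log, hostnames, window and thresholds are constructed assumptions, and `isolation_order` only returns a record; a real deployment would call the EDR or switch API at that point.

```python
"""Detect-and-isolate drill for the action list above.

Added example, not from the article. It models item 6: assume someone will
click, so watch for what follows (many rewrites with changed extensions and
near-random content on one host) and isolate that host automatically. The
telemetry, hostnames, thresholds and the isolation action are constructed.
"""
import math
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 60
RATE_THRESHOLD = 20      # suspicious rewrites per window that trip isolation (assumed policy)
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext sits close to the maximum of 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious(event: dict) -> bool:
    """A rewrite is suspicious when the extension changed and the new content looks random."""
    old_ext = event["old_name"].rsplit(".", 1)[-1].lower()
    new_ext = event["new_name"].rsplit(".", 1)[-1].lower()
    return old_ext != new_ext and shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD


def hosts_to_isolate(events: list) -> dict:
    """Sliding-window count of suspicious rewrites per host.
    Returns {host: peak_count} for every host that crossed RATE_THRESHOLD."""
    windows = defaultdict(deque)
    peak = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        q = windows[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= RATE_THRESHOLD:
            peak[ev["host"]] = max(peak.get(ev["host"], 0), len(q))
    return peak


def isolation_order(host: str) -> dict:
    """Simulated isolation step; a real deployment would call the EDR or switch API here."""
    return {"host": host, "action": "move to quarantine VLAN", "notify": "named security owner"}


def build_sample_events() -> list:
    """Constructed telemetry: one ward PC rewriting scans as ciphertext, two normal hosts."""
    rng = random.Random(7)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted output
    text = b"Patient 001: routine follow-up, no change in medication.\n" * 50
    events = []
    for i in range(25):  # 25 rewrites in 50 seconds on WARD-PC-07: over the threshold
        events.append({"ts": 1000 + 2 * i, "host": "WARD-PC-07",
                       "old_name": f"scan_{i}.dcm", "new_name": f"scan_{i}.dcm.locked",
                       "data": ciphertext})
    for i in range(5):  # ordinary document saves on the billing host: extension unchanged
        events.append({"ts": 1000 + 10 * i, "host": "BILLING-01",
                       "old_name": f"invoice_{i}.docx", "new_name": f"invoice_{i}.docx",
                       "data": text})
    for i in range(3):  # a few legitimate archive conversions on LAB-03: below the threshold
        events.append({"ts": 1000 + 5 * i, "host": "LAB-03",
                       "old_name": f"report_{i}.csv", "new_name": f"report_{i}.zip",
                       "data": ciphertext})
    return events


if __name__ == "__main__":
    for host in hosts_to_isolate(build_sample_events()):
        print(isolation_order(host))
```

On the constructed telemetry only `WARD-PC-07` is flagged; `LAB-03` produced three high-entropy rewrites, which is why the rate window matters more than any single event. The isolation order is the point of item 3 as well: it only contains the damage if the ward segment is actually firewalled from billing and records, so the quarantine action has to be something the network can enforce.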

Ransomware does not care how large your organization is or how well-intentioned you are. It only cares about friction. Give it none, and it will find an easier target.
