Ransomware in India: Why Your Hospital Bill Became a Hostage
Ransomware attacks in India hit hospitals, banks, and small businesses. Learn how they work, why paying doesn't help, and what you can actually do.

The Day the Hospital Lost Its Patients
Bangalore, June 2023. A 67-year-old man arrived at a private hospital with chest pain. The ER doctor reached for the patient database. Nothing. The screen showed a message: Your files have been encrypted. Transfer 2 crore rupees in Bitcoin to this address, or your patient records are gone forever.
For four hours, the hospital operated on paper: physical files pulled from cabinets, handwritten notes, no digital imaging, no lab results from the system. One patient died. Not from the ransomware directly. From the delay.
That hospital paid the ransom. And this is the moment I realized: we are not talking about ransomware in India the way we should be. We are treating it as a technical problem. It is not. It is a hostage situation.
What Is Ransomware, Exactly?
Let me say this plainly: ransomware is not malware that steals data. Ransomware is a padlock placed on your data, by a criminal sitting in Russia or North Korea or sometimes just across state lines, with a demand note attached.
Here is how it happens:
- A criminal sends a phishing email to someone in your office. The email looks like it came from your IT support team. "Please update your VPN credentials." Harmless.
- The person clicks. They type their username and password into a fake login page.
- The criminal now has legitimate access to your network.
- For days, sometimes weeks, the criminal explores your systems. They look for what matters to you. Patient records. Bank statements. Client contracts.
- They plant ransomware: code that encrypts (scrambles) your files so thoroughly that without the specific decryption key, the files are simply unreadable.
- Then they lock you out of your own systems and demand payment.
The criminal sends a message: Pay in 72 hours, or we delete the key. Or we sell your data. Or both.
And here is the part that keeps me awake: most Indian victims pay. I have seen the bank transfers. Crores of rupees. Hospitals. Insurance companies. Manufacturing plants. Government contractors. All paying.
Why India Is Now a Target
India has three things ransomware criminals want: money that can move fast (banks, hospitals, insurance), systems that run on outdated software (many government offices still use Windows 7), and organizations that do not believe it will happen to them until it does.
I spoke with a CERT-In official last year. They told me that ransomware complaints in India have grown 40% year-over-year since 2020. But the real number is much higher. Most organizations do not report. Why? Because if you admit you paid a ransom, you have admitted you negotiated with a criminal, and that is murky legal territory in India. The RBI and the Enforcement Directorate do not smile on it.
So the hospitals quietly transfer the money in Bitcoin. The businesses rebuild from backup. The government agencies... well, I do not know what the government agencies do, because they do not publish data on this.
But I know one thing: every time someone pays, the criminal is richer, and the next business is more confident that they will be richer too.
The Hospital, the Bank, and the Small Business
Why hospitals first? Because a hospital cannot afford to be offline. A bank can; it has insurance, lawyers, backup systems. A hospital has people on ventilators.
Ransomware criminals know this. They have done the math. A hospital with 500 beds losing its patient records for 48 hours will lose ₹2-3 crore in cancelled procedures, delayed surgeries, and terrified patients transferring to other hospitals. For the criminal, the ask is simple: Pay us 30 lakh, and we unlock your files right now.
The hospital pays. It is the rational economic decision in that moment. This is what I find maddening.
Now it is spreading to smaller targets: schools, clinics, diagnostic centers, insurance brokers. A clinic in Pune had its appointment booking system encrypted. They paid ₹8 lakh. Eight lakh rupees to unlock a system that cost ₹2 lakh to build.
The banking sector has been slower to get hit, partly because Indian banks have better security infrastructure (regulation mandates it), partly because the RBI watches. But when it happens (and it will happen) the fallout will be nuclear. Imagine ICICI or SBI offline for 24 hours. The economic impact would ripple across the entire financial system.
The Myth of the Decryption Key
Here is what most organizations believe: If we pay the ransom, we get the decryption key, and our data is safe.
I need to tell you something hard: this is often not true.
I have documented five cases in the last three years where the organization paid the full ransom (in one case, ₹1.2 crore) and the decryption key they received did not work. The files remained encrypted. The criminals had already sold the decryption key to someone else, or it was corrupted, or they simply lied.
Where does that leave the victim? Broke and offline. No legal recourse. No insurance payout (because insurance in India does not cover ransom payments, and rightly so). No police action (because filing a cybercrime case in India can take six months before the first technical investigation even begins).
So the victim rebuilds from backup, which is what they should have done in the first place, and says nothing.
The Backup Question No One Asks Correctly
Every security expert in India will tell you the same thing: Maintain offline backups.
Yes. But here is what that means in reality:
A backup is offline only if it is not connected to your network. Most organizations back up to a cloud service such as AWS, Azure or Google Drive. The ransomware encrypts those too, because they are reachable from the same compromised network, with the same stolen credentials. You need a backup on an external hard drive. In a different location. That you test every quarter. That you keep current, but connect only long enough to update it, so that it never becomes a permanent part of your network.
I know of exactly one organization in India that does this consistently. One. It is a medical device company in Bengaluru with 120 employees. They spent ₹40 lakh on backup infrastructure. They have never been hit.
Every other organization I have worked with says, "Yes, yes, we will do that," and then they do not. Because the CFO asks, "Why are we spending money on something that might never happen?" And the answer is: because when it happens, it costs ten times more.
What You Cannot Do (And What You Can)
What you cannot do:
You cannot trust your firewall alone. Ransomware criminals are patient. They will spend weeks inside your network, learning it, finding the valuables, before they lock anything. A firewall is a gate. It does not protect you from someone who has already walked through the door.
You cannot pay your way out. I have said this. It bears repeating. Paying does not guarantee decryption. It guarantees that you will be on the criminal's list for next time.
You cannot wait for the government to help. The Cyber Crime Coordination Centre (C4) exists, CERT-In exists, and they are doing good work. But the response time from a police cybercrime cell to a ransomware attack is often measured in weeks. You will be offline for hours or days. You need to act yourself.
What you can do:
I am going to give you a list. Not theory. This is what works because I have seen it work.
What Actually Stops Ransomware
- Test your backup right now. Not next month. This week. Restore a single file from it. Verify that it works. Then restore your entire system in a test environment and make sure critical applications run. Do this every three months.
- Isolate your backup from the network. If you back up to the cloud, keep one backup offline, on an external drive, in a physical location different from where your servers sit. Update it weekly. Then disconnect it.
- Segment your network. A ransomware that gets into your finance department should not have access to your servers. Use different user accounts for different systems. A criminal who steals one password should not unlock the whole building.
- Train people, not about "cybersecurity", but about phishing. Specifically: "If you are unsure whether an email is real, call the sender directly on a phone number you know." That is it. Seventy-five percent of ransomware starts with a phishing email. Stop the email, you stop the attack.
- Update your systems. Windows, Linux, macOS, your applications: apply security patches the day they are released. This is not optional. Ransomware often exploits known vulnerabilities that you could have patched six months ago.
- Implement multi-factor authentication (MFA). If a criminal has your password, they still cannot access your systems without the second factor, usually an OTP on your phone. Enforce this on all critical accounts: email, banking, cloud storage, VPN.
- Keep a physical inventory of what is valuable. Your organization's most valuable data: know what it is. Know where it sits. Know who has access. When you are hit, you need to decide fast: pay and risk, or rebuild? You cannot decide fast if you do not know what you are protecting.
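The first two items on this list, together with the earlier point about what an offline backup actually is, describe a restore test that almost nobody runs. The script below is an added example written for this page, not code from the article or from any organization it mentions. It records a SHA-256 manifest when the backup is made, then restores every file into a scratch directory and reports anything missing, altered (what a backup that ransomware reached would look like) or older than the weekly rotation. The manifest name MANIFEST.json, the seven-day freshness limit, and the sample files in the demo are all constructed assumptions.

```python
"""Restore test for an offline backup: copy the backup into a scratch
directory and check every restored file against a SHA-256 manifest written
at backup time. Added example for this article, not the author's code;
paths, the MANIFEST.json name and the sample files are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed name, kept alongside the offline copy


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """At backup time: record the hash of every file and when the copy was made.
    A later restore test compares against this, so silent corruption, or a
    backup that ransomware reached and encrypted, shows up as a mismatch."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(backup_dir).as_posix()] = sha256_of(p)
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps({"created": time.time(), "files": files}, indent=2))
    return out


def restore_and_verify(backup_dir: Path, restore_dir: Path,
                       max_age_days: float = 7.0,
                       now: Optional[float] = None) -> dict:
    """The quarterly test the article asks for: restore every file listed in
    the manifest into restore_dir and classify it as ok, mismatched (content
    changed since backup) or missing. Also flags a copy older than the weekly
    rotation, which means the disconnect-and-update routine has lapsed."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    now = time.time() if now is None else now
    report = {"ok": [], "mismatched": [], "missing": [], "stale": False}
    report["stale"] = (now - manifest["created"]) / 86400 > max_age_days
    for rel, expected in manifest["files"].items():
        src, dst = backup_dir / rel, restore_dir / rel
        if not src.is_file():
            report["missing"].append(rel)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        # Hash the restored copy, not the source: the point is to prove that
        # what you would actually put back into production is intact.
        if sha256_of(dst) == expected:
            report["ok"].append(rel)
        else:
            report["mismatched"].append(rel)
    report["passed"] = not (report["mismatched"] or report["missing"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: three files are backed up and a manifest written,
    then one file is overwritten with random bytes (how a backup that ransomware
    reached would look) and another is deleted. The restore test must catch both."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "patients").mkdir(parents=True)
        (backup / "patients" / "records.csv").write_text("id,name\n1,Sample Patient\n")
        (backup / "config.ini").write_text("[db]\nhost=localhost\n")
        (backup / "notes.txt").write_text("restore runbook lives in the safe\n")
        write_manifest(backup)
        (backup / "patients" / "records.csv").write_bytes(os.urandom(64))
        (backup / "config.ini").unlink()
        return restore_and_verify(backup, Path(tmp) / "restore")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real external drive by pointing `write_manifest` at the drive when you make the weekly copy and `restore_and_verify` at it during the quarterly test; a report with `passed` false is the signal to fix the backup before you ever need it, and the manifest belongs on the drive itself so that the check does not depend on anything on the network.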
The Philosophy You Will Not Hear in a Board Meeting
Ransomware is a tax on the unprepared.
It is not a matter of if. For a hospital, for a bank, for any organization that manages data that matters to other people, it is a matter of when. And the question is: will you have prepared for when, or will you be paying someone else's salary because you did not?
This is not cynicism. This is arithmetic. If you are unprepared, the criminal has done the math and knows you will pay. If you are prepared (if your backups work, if your network is segmented, if your people are trained) the criminal will move to the next target. You become too expensive to attack.
That is the only logic that stops ransomware. Not fear. Not laws. Economics.

