
Why Indian Businesses Are Paying Ransoms They Cannot Afford

A practitioner's look at how ransomware hits Indian small businesses hardest, why paying feels safer than it is, and what actually works.

CyberSathi Desk · AI-assisted · editorially reviewed

The Hospital That Could Not Say No

Bangalore, March 2023. A 40-bed private hospital received an email. It looked like it came from their IT vendor. The attachment was a firmware update. The administrator opened it because firmware updates happen all the time — they thought nothing of it.

Six hours later, every computer in the hospital was locked. Every patient record. Every billing system. Every way to prescribe medication or check lab results. A message appeared in white text on a black screen: "Your files have been encrypted. To restore them, transfer 8 Bitcoin to the wallet below. You have 72 hours."

The hospital director did not call the police first. He did not call CERT-In. He called the finance team and asked how much 8 Bitcoin cost that day. It was ₹27 lakhs. He authorized the payment within four hours.

Why? Because a patient was in the ICU. Because there was no backup system that worked. Because the ransom felt cheaper than the liability of losing patient data or delaying treatment. Because he was terrified.

That hospital was not an outlier. It was the shape of things to come in India.

What Ransomware Actually Is (And Why India Became a Target)

Ransomware is not a virus your uncle forwards via email anymore. It is industrial extortion wrapped in code. A criminal group deploys malware that locks your files — usually after they have already copied them — and then demands money to return access. The encryption is real. The threat to publish the data is real. The deadline is fake, but you do not know that.

India became a target around 2018-2019 for three reasons:

First: the hospitals, banks, and manufacturing plants here still ran old systems. Systems from 2010. Systems that nobody had patched in three years. Systems built by vendors who no longer existed. Easy to break into.

Second: ransom payments from India are harder to trace than payments from Europe or the US. A victim here might pay in cryptocurrency routed through three exchanges. The ransomware group does not care where you are — they care that they get paid and that you cannot follow the money.

Third: the ransom demand itself is lower. A US hospital might be asked for $400,000 USD. An Indian hospital might be asked for ₹30 lakhs. Still catastrophic for the business, but believable. Payable. That gap between "we cannot possibly pay this" and "we might be able to pay this if we sell some assets" is exactly where the criminals fish.

The Moment Before Everything Stops

I remember sitting across from a manufacturing unit owner in Gurugram — I will call him Anand — three days after his facility got hit. His factory made automotive components for a major Indian OEM. The ransomware had locked the CAD files for the next quarter's production run. The designs were worthless to the criminals, but they were everything to Anand. Without them, he could not deliver to his buyer. He would lose the contract worth ₹2.3 crore annually.

The ransom demand was ₹18 lakhs.

"I do not have insurance," he told me. "The bank will not lend me ₹18 lakhs because my factory is seized as collateral and I cannot show production for the next quarter." He paused. "I called the police. They told me to file an FIR and wait. I do not have time to wait."

He paid. He told me later that he felt numb while transferring the money — not afraid, not angry, just absent. Like he was watching someone else do it.

The criminals kept the files encrypted anyway. They did not have the decryption key readily available. They had to generate it, and it took three days. By then, Anand had already missed his delivery deadline. He lost the contract anyway. He paid ₹18 lakhs and lost ₹2.3 crore of annual revenue.

And the criminals were not done. Four months later, they tried to extort him again — threatening to publish the design files they had stolen during the initial breach. He paid ₹9 lakhs the second time because by then, he was already broken.

How the Scam Works: The Manual Behind the Malware

Most ransomware attacks in India follow a pattern:

Phase 1: The Breach — A phishing email reaches someone inside your company. "Your salary is on hold due to compliance check. Click here to verify your Aadhaar." Or: "Urgent: Update your VPN credentials." Someone with legitimate access — a junior staff member, an accountant, the IT support person — clicks it. Their credentials are stolen. The attacker now has a door.

Phase 2: The Reconnaissance — For weeks, sometimes months, the attacker moves slowly inside your network. They do not deploy ransomware yet. They map your systems. They find where the backups are stored. They find the admin passwords. They read emails to understand who makes decisions. They are patient. They are collecting leverage.

Phase 3: The Deployment — Usually on a Friday evening or before a holiday, when IT staff is thin or distracted, the ransomware is deployed. It spreads across the network. Every computer. Every server. Every networked device. Your backup systems go down at the same moment. This is not coincidence — the attackers have targeted them specifically.

Phase 4: The Extortion — A message appears. But before you see it, the criminals have already stolen your data. They contact you with a choice: pay to decrypt your files, or watch your customer list, financial records, and trade secrets appear on the dark web. Many businesses do not even know about the data theft until after they have paid the ransom.

India has officially recorded over 600 ransomware incidents in the last three years. The true number is far higher: most incidents never get reported because the victims pay quietly and want the matter forgotten.

Why Paying Almost Never Works

I need to be direct here: paying the ransom is treated as a solution by victims, but it is not. It is surrender with a false promise of recovery.

Here is what actually happens when you pay:

The Decryption Key Does Not Work — A software engineer in Mumbai paid ₹45 lakhs for the decryption key. It recovered 62% of the files. The remaining 38% were corrupted beyond use. The criminals did not care. They were already paid.

The Data Gets Published Anyway — Even after you pay, the criminal group publishes the stolen data to prove they are serious. This happens in roughly 1 of every 3 cases. You have paid ₹30 lakhs and your customer database still ends up on the dark web where your competitors download it.

You Become a Repeat Target — Once a business pays, it goes into a list that is bought and sold among criminal groups. "This company paid ₹20 lakhs fast — try again next year." Two months later, another criminal group breaches you and demands ₹25 lakhs. I have documented four cases in India where the same business was hit twice in 18 months by different groups.

The Law Steps In — The RBI has started warning banks about ransomware payments. If your business receives a large loan and uses it to pay ransom, you are committing a form of financial fraud. In 2022, an IT services company in Bengaluru paid ₹2.7 crore as ransom and later faced an investigation for financial misrepresentation. The money was never recovered. The business owner faced potential prosecution.

What Actually Works: Not Paying, Preparing, Persisting

A manufacturing unit in Pune got ransomware in January 2024. The demand was ₹22 lakhs. The owner did something unusual: he said no.

He had done the real work beforehand. His IT team had:

  • Backed up all critical systems to an air-gapped server (a server with no network connection). That backup was clean and could not be encrypted remotely.
  • Tested the backup restoration process every quarter.
  • Segmented the network so that if ransomware hit one department, it did not automatically spread to all departments.
  • Trained employees on phishing. The person who clicked the initial malicious link reported it immediately, which slowed the breach spread.

When the ransomware hit, he restored from backup. It took 18 hours. He lost half a day of work. The criminals never got paid. A week later, they disappeared and targeted someone easier.

This is the reality that never makes it into the news: defensive work is boring and expensive upfront, but it is the only thing that actually stops ransomware.

The Trap of "Just This Once"

Here is what I have come to believe after watching dozens of these cases: paying ransomware is not a business decision. It is a moral decision disguised as a practical one.

Because when you pay, you are telling the criminal that the threat works. You are funding the next attack on the next Indian business. You are saying that extortion is viable in India. You are part of the system that makes it profitable for them to stay here and build better tools.

But I also understand why businesses pay. I have sat across from owners facing bankruptcy. I have watched a hospital director choose a patient's life over a principle. Judgment is easy when it is not your business burning.

Still. The answer is not payment. The answer is preparation.

What You Can Do Starting Today

  1. Audit your backups this week — Not next month. This week. Check if your backup is actually separate from your main network. Try restoring a test file from backup. If you cannot restore it in under one hour, your backup is not usable.

  2. Identify your critical systems — Do you have five systems or 500? Which three would destroy your business if they were down for a day? List them. Secure them first. Do not try to secure everything at once.

  3. Segment your network — If your accounts team uses one network and your production team uses another, ransomware that hits accounts cannot automatically spread to production. This takes IT time and money. Do it anyway.

  4. Train your people — Not with a generic email that says "don't click suspicious links." Train them by sending test phishing emails and seeing who clicks them. Those people need real, specific training about why they were targeted and what to look for next time.

  5. Document your incident response plan — Before you are attacked, write down: Who do we call first? Who decides whether to pay? How do we communicate with employees? Where is the backup restoration guide? Print it and lock it in a drawer. When you are under attack, you cannot think clearly enough to invent this.

  6. Report incidents to CERT-In — Yes, it feels like a waste. Yes, the response is often slow. But CERT-In tracks these cases and shares intelligence with law enforcement. Your report helps the next victim.

  7. Talk to your insurance broker — Cyber liability insurance in India is still new, but it exists. Some policies cover ransomware recovery without requiring you to pay the criminals. Get clarity on what is and is not covered before you need it.
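One way to make step 1 (the backup audit) a repeatable drill rather than a one-off check, as an added example that is not from the article: a small Python script that restores a sample of files from the backup copy, verifies each against the live copy by SHA-256, times the run, and fails if anything is missing, mismatched, or slower than the one-hour budget the article sets. The file names and contents are constructed for the example; a tampered backup copy stands in for a backup that was encrypted along with production.

```python
# Added example (not from the article): a scripted backup restore drill for
# step 1 of the checklist. A drill that fails before an incident is cheap;
# a backup that fails during one is the reason victims pay.
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

RESTORE_BUDGET_SECONDS = 60 * 60  # the article's "under one hour" rule

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def restore_drill(live_dir: Path, backup_dir: Path, sample: list,
                  budget_seconds: float = RESTORE_BUDGET_SECONDS) -> dict:
    """Restore `sample` (relative paths) from backup_dir into a scratch dir
    and check each restored file matches the live copy byte-for-byte."""
    started = time.monotonic()
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            src = backup_dir / rel
            if not src.is_file():
                missing.append(rel)       # backup job silently skipped it
                continue
            dst = Path(scratch) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)        # the actual restore step
            if sha256_of(dst) != sha256_of(live_dir / rel):
                mismatched.append(rel)    # stale, corrupted or encrypted copy
    elapsed = time.monotonic() - started
    return {"missing": missing, "mismatched": mismatched,
            "elapsed_seconds": elapsed,
            "passed": not missing and not mismatched
                      and elapsed <= budget_seconds}

def run_constructed_drill(tamper: bool = False) -> dict:
    """Run the drill on constructed sample data; with tamper=True the backup
    copy of one file is overwritten to simulate an encrypted or stale backup."""
    files = {"erp/invoices.csv": b"inv,amount\n", "cad/part-17.dxf": b"0\nSECTION\n"}
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        for base in (live, backup):
            for rel, body in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(body)
        if tamper:
            (backup / "cad/part-17.dxf").write_bytes(b"ENCRYPTED")
        return restore_drill(live, backup, list(files))
```

Point `restore_drill` at a real live tree and a mounted backup with a handful of critical files from step 2, and run it quarterly as the article's Pune example did.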

Ransomware in India is not a technology problem. It is a preparation problem. And preparation is the one thing that costs less than payment.
