Ransomware in India: When Your Files Vanish and the Threat Is Real
How ransomware attacks Indian businesses and individuals. What happens when your files are locked. How to protect yourself before it's too late.

The Call That Changes Everything
Bangalore, 2:47 PM on a Thursday. A small accounting firm - twelve people, one server they share files on - noticed something odd. Their printer wouldn't respond. Then their email stopped working. Then, on every screen in the office, a message appeared:
"Your files are encrypted. Pay 2 lakhs in Bitcoin within 48 hours or they are deleted forever."
The owner's first instinct was to laugh. This was ransomware - something that happened to American hospitals, not to a ten-person firm in Whitefield. He unplugged the server. He called his cousin who worked in IT. The cousin arrived, opened the server closet, and said four words that still haunt him: "It's already too late."
I want to tell you that this is an edge case. I cannot. Because in the last three years, I have fielded calls from forty-three similar victims in India. Forty-three. And that is only the ones who call us. The ones who do not call, who pay in silence, outnumber these by a factor I do not have permission to publish.
What Ransomware Actually Is (And Why It Works)
Ransomware is malicious software that locks your files using encryption so strong that without the decryption key, they become useless. It is not stealing. It is not deletion. It is hostage-taking. Your data is still there. You simply cannot touch it.
The attack usually begins with an email. Not a sophisticated spear-phishing attack - though some are. Often, just a normal-looking email with an attachment: an invoice, a delivery update, a WhatsApp Business message asking you to download something. You open it. You click "enable macros." Or you click a link to an "urgent banking notification."
Something downloads. Something runs. And then, twelve hours or twelve days later, the encryption starts.
By the time you notice - usually when file-sharing stops working, or backups fail, or someone cannot access the quarterly report - the damage is already done.
Why does this work? Because most Indian businesses do not back up their data properly. They do not have backups. Or they have them, but they are connected to the same network the ransomware infected. So when the encryption starts, it eats the backups too.
The Indian Ransomware Reality
I want to give you a statistic. I do not want to invent one.
What I can tell you is this: ransomware in India is no longer rare. It is not headline-grabbing because most victims pay quietly - no publicity, no law enforcement, no shame. But CERT-In has warned of increasing ransomware campaigns targeting Indian financial institutions, healthcare facilities, and manufacturing firms. The attacks are not coming from one source. They are coming from multiple ransomware-as-a-service (RaaS) operations - criminal enterprises that sell the tools and infrastructure to carry out attacks.
These groups work like franchises. They have affiliates in India who scout targets, launch the initial compromise, and then hand off to the encryption team. Everyone gets a cut. Everyone has incentive to keep the machine running.
Who are the targets? Not just big corporations. A hospital chain in Delhi. A pharmaceutical supply company in Hyderabad. A publishing house in Mumbai. A textile mill in Tiruppur. An engineering consultancy in Pune. A school in Gurgaon.
And one twelve-person accounting firm in Bangalore.
The Choice That Breaks People
Once the ransom demand arrives, the victim faces a choice that is not really a choice.
Option A: Pay. The attackers send a decryption key. Sometimes it works. Sometimes it does not. Sometimes it works partially - a few files remain corrupted. Sometimes the attackers disappear with the money and send nothing. You have now funded organized crime and you have no guarantee.
Option B: Do not pay. Report to the police. Work with a forensics firm (if you can afford one). Rebuild from scratch. Lose weeks or months of work. Watch clients leave. Watch your reputation fracture.
Most people choose Option A.
The accounting firm I mentioned? They paid. In Bitcoin, through an exchange in Singapore, facilitated by a cryptocurrency trader they found on a forum. They got the key. Most of their files decrypted. Some did not. Two weeks later, they paid a forensics firm ₹3.5 lakhs to patch the remaining damage. Total loss: ₹5.5 lakhs and three weeks of work they will never recover.
Was it the right decision? I do not know. But I know they made it at gunpoint.
The Hard Part: After It Happens
Police response in India to ransomware is inconsistent. Some states have cyber crime cells that understand the threat. Many do not. Reporting often triggers an FIR that goes nowhere. Insurance - cyber liability insurance - exists but is expensive and claims are contested. The victim is told: why did you not have backups? Why was your network not segmented? Why did your employee click that link?
The victim is blamed for being unprepared for a professional criminal operation.
Banks will not help you recover cryptocurrency sent to the attacker. RBI has issued alerts, but once the money is gone, it is gone. CERT-In can be helpful if you have a technical team that can provide evidence, but most small firms do not.
What does help? Time. Distance. Eventually, the wound scabs over. The firm rebuilds its systems. Backups are finally implemented (after the fact). The employees who were blamed for the initial click move on. Life continues.
But the uncertainty does not leave. Every time a file fails to load, there is a moment of panic. Every backup completion triggers relief that borders on superstition.
What You Must Do Right Now
I am going to give you actions, not reassurance. Reassurance is useless.
1. Audit your backups today. Not tomorrow. Today. Call your IT person. Ask: where are our backups? Are they connected to our main network? Can we restore a file from them right now? Do it. If the answer is "I am not sure," then you do not have backups. You have a wish.
2. Segment your network. If you have a server, it should not have the same access level as your employee machines. If you have a database, it should be on a separate system. A breach on one machine should not cascade to everything. This is basic. Most firms do not do this.
3. Enforce multi-factor authentication on everything that matters. Email. Banking portals. File-sharing systems. Cloud accounts. One password is not enough. If someone clicks the wrong link and their password leaks, MFA is the only thing standing between you and a compromised account.
4. Patch your systems every month, minimum. Software updates are not optional. They are security fixes. I know they are annoying. So are ransomware attacks. Pick your annoyance.
5. Train your employees to not click attachments from unknown senders. Do a test. Send a fake phishing email internally. See how many people click. That number is the number of ways your firm can be compromised. Once you know the number, you can address it. Until then, you are hoping.
6. Get cyber liability insurance. I do not love insurance companies, but if the worst happens, it is the difference between recovery and collapse. Talk to your broker. Get a quote. Budget for it.
7. Have an incident response plan written down. When it happens, do not make decisions in panic. Know who to call (IT, legal, insurance, police - in that order). Know what to do first (isolate the infected machine, preserve evidence, notify stakeholders). Know what not to do (do not restart systems, do not wipe drives). Write this down. Keep it accessible.
These are not optional. They are the price of operating a business in an environment where organized crime has industrialized the attack process.
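For action 1, "can we restore a file right now?" can be turned into a repeatable drill. The script below is an added example, not a tool from this article or any vendor: it records a SHA-256 manifest of the live share at backup time, then checks a test restore against it. The function names, folder layout and sample files are assumptions constructed for illustration.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Record relative path -> SHA-256 at backup time; keep a copy off the network."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(manifest, restored_root):
    """Compare a test restore against the manifest recorded at backup time."""
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "changed": []}
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)        # backup never captured it, or it was renamed
        elif sha256_file(target) != digest:
            report["changed"].append(rel)        # content differs: corrupted or overwritten
        else:
            report["ok"].append(rel)
    seen = {p.relative_to(restored_root).as_posix()
            for p in restored_root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(seen - set(manifest))
    report["passed"] = not (report["missing"] or report["changed"])
    return report

def demo():
    """Constructed sample: a tiny share, then a restore in which one file was
    replaced by a renamed, unreadable copy (a backup that sat on the infected network)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for d in (live / "clients", restored / "clients"):
            d.mkdir(parents=True)
        (live / "ledger.csv").write_text("date,amount\n2024-01-05,1200\n")
        (live / "clients" / "q3.txt").write_text("quarterly report\n")
        manifest = build_manifest(live)
        (restored / "ledger.csv").write_text("date,amount\n2024-01-05,1200\n")
        (restored / "clients" / "q3.txt.locked").write_bytes(os.urandom(64))
        return restore_drill(manifest, restored)

if __name__ == "__main__":
    print(demo())
```

A drill that reports files as missing or changed, or that turns up unexpected file names, means the backup would not have saved you. Run it on a schedule, against a restore made to a machine that is not on the office network.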
The Uncomfortable Truth
Ransomware will reach you or someone you know. Not maybe. Probably. The question is not whether it happens. The question is whether you will be ready when it does.
The Bangalore accounting firm was not ready. They survived, but barely. They are now obsessive about backups. They now understand that their files are more valuable than any single employee's time. They now know that the email that looks normal might not be.
They learned the hard way. I am giving you the chance to learn cheaply.
Take it.

