Ransomware attacks involve malware that encrypts the victim’s files or devices and demands a ransom payment for the decryption key. Ransomware targets individuals, hospitals, government agencies, and enterprises alike—and can paralyze operations for days or weeks. India has seen multiple high-profile ransomware incidents, including the AIIMS Delhi attack in 2022.
What Is Ransomware?
Ransomware is a category of malicious software that denies access to data or systems by encrypting them, then demands payment (typically in cryptocurrency) for restoration. Modern ransomware attacks often combine encryption with data exfiltration—a double extortion strategy where attackers threaten to publish stolen data publicly if the ransom is not paid. Ransomware is frequently delivered through phishing emails, drive-by downloads, or exploitation of unsecured remote access protocols.
How Does Ransomware Spread?
- Phishing emails with malicious attachments — Compressed files (ZIP, RAR) containing JavaScript or macro-enabled Office documents are the most common delivery mechanism.
- Drive-by downloads — Visiting a compromised or malicious website triggers an automatic download of ransomware without any user action.
- Remote Desktop Protocol (RDP) exploitation — Attackers scan for exposed RDP ports with weak passwords and use brute-force attacks to gain access, then manually deploy ransomware.
- Software supply chain attacks — Compromised legitimate software updates or third-party tools deliver ransomware to their entire customer base simultaneously.
- Malvertising and exploit kits — Malicious advertisements on legitimate websites redirect visitors to exploit kits that probe for browser and plugin vulnerabilities.
- MSP and RMM platform vulnerabilities — Flaws in managed service provider (MSP) and remote monitoring and management (RMM) tools are exploited to deploy ransomware across all client networks simultaneously.
What Are the Main Types of Ransomware?
Crypto Ransomware
The most common type. It encrypts files—documents, images, databases—making them inaccessible without the decryption key. WannaCry, a notorious crypto ransomware, spread globally in 2017 using an NSA exploit leaked by the Shadow Brokers group.
Locker Ransomware
Locks the victim out of the entire device or operating system rather than encrypting individual files. The victim sees only a ransom demand screen and cannot access any system functions.
Double Extortion Ransomware
Attackers first exfiltrate data, then encrypt it. The ransom demand includes a threat to publish the stolen data on dark web leak sites if payment is not received. Because the data has already been stolen, restoring from backups alone no longer resolves the incident.
Ransomware-as-a-Service (RaaS)
Criminal groups develop ransomware and lease it to affiliates who carry out attacks in exchange for a percentage of ransom payments. This has dramatically lowered the technical barrier for conducting ransomware attacks.
What Are the Warning Signs of a Ransomware Infection?
- Files suddenly have unfamiliar extensions or cannot be opened — This indicates active encryption by ransomware.
- A ransom note file appears in multiple folders — Typically named README.txt, DECRYPT_INSTRUCTIONS.txt, or similar.
- Antivirus alerts about suspicious activity or blocked processes — Some ransomware strains are caught before completing encryption.
- Systems running unusually slow with high CPU and disk usage — The encryption process is computationally intensive and creates noticeable performance degradation.
- Shadow copies or backups deleted from the system — Modern ransomware automatically deletes Windows Volume Shadow Copies to prevent recovery without paying.
How Can You Protect Against Ransomware Attacks?
- Maintain regular, air-gapped backups — Offline backups that are not network-connected cannot be encrypted by ransomware. Test restoration procedures regularly.
- Never click on suspicious email attachments or links — Verify the sender and scan all attachments before opening, especially those with compressed file formats.
- Keep all software and operating systems updated — Most ransomware exploits known vulnerabilities that patches already fix.
- Disable RDP when not needed, or restrict it behind a VPN — Exposed RDP is one of the most common ransomware entry points for enterprise attacks.
- Deploy endpoint detection and response (EDR) tools — EDR solutions detect ransomware behavior (mass file renaming, shadow copy deletion) and can terminate processes before encryption completes.
- Implement network segmentation — Segmented networks limit lateral movement, preventing ransomware from spreading from one compromised machine to all others.
- Train employees to recognize phishing attempts — Most ransomware infections begin with a human clicking a malicious link; security awareness training is the most cost-effective prevention.
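The warning signs listed above and the EDR behaviours mentioned under protection (mass file renaming, ransom note drops, shadow copy deletion) can be turned into a simple heuristic check. The Python script below is an added example, not code from the original article or from any product; it scans a constructed batch of endpoint events, and the event format, the ransom-note names, the known-extension list and the thresholds are all assumptions chosen here.

```python
import ntpath
from collections import Counter, defaultdict
from typing import Dict, List

RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.txt"}  # note names mentioned above
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".db", ".pptx"}
SHADOW_DELETE_MARKERS = ("vssadmin", "delete", "shadows")  # all three words in one command line

def analyze_events(events: List[dict], rename_threshold: int = 20,
                   note_folder_threshold: int = 3) -> Dict[str, list]:
    """Return which warning signs fire for a batch of endpoint events. Each event is
    a dict with 'type' (rename/create/process), 'pid' and new_path/path/cmdline."""
    new_exts: Dict[int, Counter] = defaultdict(Counter)  # pid -> unfamiliar extension -> count
    note_folders: Dict[str, set] = defaultdict(set)      # note filename -> folders it appeared in
    findings: Dict[str, list] = {"mass_rename": [], "ransom_notes": [], "shadow_delete": []}
    for ev in events:
        if ev["type"] == "rename":
            ext = ntpath.splitext(ev["new_path"])[1].lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                new_exts[ev["pid"]][ext] += 1
        elif ev["type"] == "create":
            folder, name = ntpath.split(ev["path"])
            if name.lower() in RANSOM_NOTE_NAMES:
                note_folders[name.lower()].add(folder)
        elif ev["type"] == "process" and all(m in ev["cmdline"].lower() for m in SHADOW_DELETE_MARKERS):
            findings["shadow_delete"].append(ev["pid"])
    # One process renaming many files to the same unfamiliar extension: encryption in progress.
    for pid, counter in new_exts.items():
        for ext, count in counter.items():
            if count >= rename_threshold:
                findings["mass_rename"].append({"pid": pid, "ext": ext, "count": count})
    # The same note file dropped into several folders.
    for name, folders in note_folders.items():
        if len(folders) >= note_folder_threshold:
            findings["ransom_notes"].append({"name": name, "folders": len(folders)})
    return findings

def sample_events() -> List[dict]:
    """Constructed sample: pid 4242 renames 25 documents to a made-up '.lockd' extension,
    drops README.txt in four folders and deletes shadow copies; pid 900 saves one text file."""
    events = [{"type": "rename", "pid": 4242,
               "new_path": f"C:\\Users\\a\\Documents\\report{i}.docx.lockd"} for i in range(25)]
    events += [{"type": "create", "pid": 4242, "path": f"C:\\Users\\a\\{d}\\README.txt"}
               for d in ("Documents", "Pictures", "Desktop", "Downloads")]
    events.append({"type": "process", "pid": 4242, "cmdline": "vssadmin delete shadows"})
    events.append({"type": "rename", "pid": 900, "new_path": "C:\\Users\\a\\Documents\\notes.txt"})
    return events
```

Running `analyze_events(sample_events())` attributes all three indicators to pid 4242 while the ordinary editor at pid 900 triggers nothing; in practice the thresholds would be tuned per host and the rename counter windowed by time.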
How Do You Report a Ransomware Attack in India?
- Call the National Cyber Crime Helpline: 1930
- File an online complaint at cybercrime.gov.in
- Report to CERT-In (cert-in.org.in) within 6 hours of discovering the incident, as required under IT Amendment Rules 2022
- Do NOT pay the ransom—payment does not guarantee data recovery and funds further criminal activity
For expert assistance responding to a ransomware incident or implementing a ransomware prevention program, contact cyber expert Anuraag Singh.