Ransomware attacks on Indian firms tripled in 2021; Maharashtra most-targeted state

Indian firms are facing an onslaught of ransomware attacks amid growing digital transformation brought on by the pandemic. According to a report by American cybersecurity firm Palo Alto Networks, ransomware attacks on organizations in India increased by 218% year-on-year (YoY) in 2021.

According to Palo Alto Networks' report, Maharashtra was the most targeted state, accounting for 42% of all attacks in India, while software and services (26%), capital goods (14%), and public sector (9%) were among the most targeted sectors. India is now the tenth most targeted country globally and second in the APAC (Asia-Pacific) region and Japan.

Ransomware is a type of malware that encrypts data in a system and holds it hostage. The attackers asked companies and individuals to pay a ransom, usually using cryptocurrencies, in order to regain access to the data.

Vicky Ray, principal researcher at Palo Alto Networks, said while India has always been in the Top 10 in terms of ransomware attacks, the number of attacks increased by three times in 2021, as compared to the previous year.

Another report from French tech firm, Thales, published on March 24, said that one in four Indian organizations suffered a ransomware attack in 2021, which was higher than the global average of 21%. Out of the targeted organizations, 30% saw a significant business disruption after the attack. 

Ransomware groups have upped the ante in recent years using double extortion tactics, in which they also steal critical data, like IP (intellectual property) and source codes, before locking the company out of their systems. They then threaten to make the stolen data public if the ransom is not paid. To worsen matters, many ransomware groups are also asking the partners and customers of targeted companies for a ransom, which is known as the triple extortion tactic. 

The increase in attacks can also be attributed to the widening nexus of threats. Many hacker groups offer ransomware-as-a-service (RaaS) so anyone can rent this type of threat including infrastructure, negotiating with victims, or extortion websites where stolen information can be posted. The ransom is then split between the affiliate partners.

The increase in attacks is not the only concern that organizations have to deal with though. According to Palo Alto Networks, the average ransom demand climbed by 144% to $2.2 million in 2021 from $900,000 a year ago, while the average payment rose 78% to $541,000 globally in 2021. 

Ray explained the amount demanded from organizations in India is not going to be any lower than global firms as India is amongst the economically profitable regions for hacker groups. “The fact that attacks are growing in India is a sign that organizations are paying,” he added.

However, experts pointed out that only in rare cases does the company get all its data back even after paying the ransom.
Vishak Raman, director, security business, Cisco, India and SAARC, said, "paying the ransom to recover the lost information might look like the easiest alternative, but it doesn’t guarantee that all data will be restored."

According to October 2021 report by Gartner, on average, only 65% of the data is recovered and only 8% of organizations manage to recover all of their data. While 32% organizations paid additional ransom to get access to data, two of every 10 companies surveyed never got back their entire data even after repeated payments.

The fact that organizations are paying more now, has also emboldened the ransomware groups. 

“The number of ransomware attacks is growing for a simple reason – hackers are getting paid. The willingness to pay creates a dangerous loop and increases the motivation of attackers,” warns Sundar Balasubramanian, managing director, India, and SAARC at Check Point Software Technologies.

Law enforcement agencies, too, recommend not paying because doing so encourages continued criminal activity. In some cases, paying the ransom could even be illegal, because it provides funding for criminal activity.

Akshat Jain, chief technology officer and co-founder, Cyware, noted, “While in the US, federal agencies have declared it illegal to pay a ransom in many cases as it can fund criminal activity, as per the IT Act, Indian companies are also advised by the government to report ransomware or other cyber threats to relevant bodies, including the CERT-In, National Critical Information Infrastructure Protection Centre (NCIIPC), and police cyber cells, so as to proceed with the appropriate response measures.”