Ransomware is no longer the “lone wolf locks your files” story. It is a mature criminal economy with affiliate networks, leak-site marketing, negotiation specialists, and infrastructure-as-a-service. Tracking the economic structure clarifies which defensive investments matter and which are theatre.
The numbers — what the public data shows
Payment rates: Coveware’s quarterly reports show consistent decline — 76% paid in 2019, dropping to ~28% in Q3 2024. Drivers: better backups, regulatory pressure (US OFAC sanctioning specific groups, EU NIS2 enforcement, India’s CERT-In 6-hour reporting), insurance refusal to cover ransom payments without preconditions.
Average payment size: rose from ~$110K (2020) to ~$200K (2024). Operators pivoted to fewer-but-bigger victims; SMBs paying $50K replaced by mid-market paying $250K-$500K.
Attack volume: roughly stable. Public leak-site postings on the major RaaS sites averaged 400-500/month through 2024-2025. Volume is steady; payments down; fall-off in revenue compensated by better targeting.
Top operators 2025: LockBit (degraded by Operation Cronos in Feb 2024 but active rebranded), BlackCat/ALPHV (exit-scammed Mar 2024 but operators surfaced as RansomHub), Akira, Play, Black Basta, Qilin, Hunters International (Hive successor). Constant rebranding driven by law-enforcement pressure.
The double-extortion model — and why it broke down
2019-2022 evolution: ransomware operators added data exfiltration before encryption. Even if victim restored from backup, they faced public leak. Double pressure → higher payment rate.
2023-2024 evolution: triple extortion (DDoS + ransom + leak), quadruple (DDoS + ransom + leak + harassment of customers). Diminishing returns: organizations adapted, paid less. Worse for operators.
2025 evolution: data-exfil-only (no encryption). Operators pivot to “we won’t lock your systems, we’ll just leak your data unless you pay.” Examples: Cl0p’s MOVEit campaign, BianLian by 2024, Hunters International’s “RansomHub” rebrand. Faster intrusions (no encryption phase = less dwell time = lower detection); pure pressure economics.
The affiliate economy
RaaS structure: core operators write the encryption tool, run the leak site, manage negotiations. Affiliates execute intrusions and earn 70-85% of the ransom. The split has tightened from 70/30 in 2020 to 80/20 by 2024 — operators competing for skilled affiliates.
Affiliate sourcing: Telegram and Russian-language forums (XSS, Exploit). Recruitment posts seek “pentesters” with specific skills (Active Directory privilege escalation, EDR-evasion engineering, Cobalt Strike). Affiliate skill bands:
- Tier 1 — independent operators capable of full-chain intrusion. Earn $1-5M/year. Maybe 100-200 globally.
- Tier 2 — affiliated with a single RaaS, execute supplied playbooks. Earn $200K-$1M/year.
- Tier 3 — initial-access brokers. Sell access ($1K-$50K) to affiliates. Don’t operate ransomware themselves.
Indian organisations as victims
Coveware Q3 2024: India ranked #5 globally by victim count; #2 if normalised by GDP. Drivers:
- SMB exposure. Mid-size Indian companies (manufacturing, education, healthcare) often run unsupported Windows Server, unpatched VMware, no EDR. Easy targets.
- Edge-gear lag. Cisco, Fortinet, SonicWall edge devices in Indian deployments often run firmware 12-24 months old. Mass-exploit campaigns (e.g., Fortinet CVE-2024-21762) hit Indian operators particularly hard.
- MSP target concentration. Indian managed-service providers serving SMB customers became amplifying targets — one MSP breach → dozens of customers affected.
- Insurance penetration low. Indian cyber insurance market is small; many SMB victims have no coverage and fewer professional negotiators. Higher payment rate when they do pay; sometimes higher amounts due to inexperience.
Notable 2024 Indian cases (publicly reported): AIIMS Delhi 2022 (still recovering operationally); ICICI Direct 2024 (limited disclosure); Tata Power 2022 (Hive); various pharma manufacturers (Cipla, Glenmark — limited public disclosure). Likely 10x more unreported cases.
What’s working defensively
- Immutable backups. Object-lock S3 / Wasabi / Azure Blob immutability makes encrypt-and-extort variants ineffective. The 28% who pay are largely those without recoverable backups.
- EDR + 24/7 SOC monitoring. Mean-dwell-time for ransomware operators is 5-7 days. EDR with active SOC catches the precursor activity (Mimikatz, BloodHound, Cobalt Strike beacons).
- Patching cadence on edge gear. Most ransomware intrusions in 2024-2025 entered via known-CVE on edge devices. Fast patching ends most affiliate-tier operators’ workflow.
- Network segmentation. Active Directory tier separation, micro-segmentation prevent lateral movement. Affiliates pivot to easier targets when segmentation is real.
- Tabletop exercises with leadership. The decision to pay/not-pay should not be made under crisis. Rehearse with legal, comms, finance pre-incident.
What’s not working
- Cyber insurance as the primary defence. Insurers have tightened underwriting; many policies now exclude ransomware payments without prior notification and approval; renewals require documented controls (MFA, EDR, backups). Insurance is a recovery aid, not a substitute for security.
- “Don’t pay” pledges as policy. The 2023 international counter-ransomware initiative encouraged member states’ organisations not to pay. Operationally, decision-making is more nuanced — pay-or-not depends on data sensitivity, business continuity, regulatory exposure. Blanket “never pay” is rarely workable.
- One-time security audits. Annual pentest is necessary but insufficient. Continuous monitoring catches the actual intrusion timeline.
Strategic implications for Indian CISOs
- Treat ransomware-readiness as a continuous program, not a one-time project. Quarterly tabletop, monthly backup-restore tests, weekly EDR-detection-rate review, daily threat-hunt.
- Budget realistically. A ransomware-mature posture for a 1000-employee Indian company is roughly ₹2-4 crore/year (EDR + 24/7 SOC + immutable backup + tabletop). Cheaper than one paid ransom; cheaper than CERT-In disclosure obligations + DPDP penalty exposure.
- Pre-arrange incident-response retainer. Standby with a forensics + IR firm. Deploying one on day-of-incident costs 5-10x and delays response.
- Pre-arrange legal counsel for breach-notification (CERT-In, DPB), customer communications, and ransom-payment-decision support. The first 72 hours determine the regulatory outcome.
- Pre-decide your ransom philosophy. Document board-approved policy. “We don’t pay” or “we pay only if X criteria met.” Decision should not be improvised under pressure.
FAQ
Are ransomware operators getting smarter or are defences getting better?
Both. Operators added exfil-only, faster intrusions, better targeting. Defences added immutable backups, kernel-level EDR, fast patching. The gap is narrower than 2020, still favours operators against unprepared organisations.
Should we have a Bitcoin reserve “just in case”?
No. Buying Bitcoin pre-incident creates accounting and regulatory complications. If you need to pay, your IR firm will arrange a ransom-broker. Bitcoin reserves are not standard practice; they suggest naivety to attackers if disclosed.
What’s the role of CERT-In’s 6-hour reporting in this?
The April 2022 directive requires reporting within 6 hours of awareness. Reportable incidents include ransomware. CERT-In coordination is helpful for attribution and pattern matching across industry. Pre-build the reporting workflow; don’t try to figure it out during incident.
Are India-specific ransomware variants emerging?
Some — local-language ransom notes, India-targeted lure documents (GST notices, CBI summons). The encryption / exfil tooling itself is mostly the same global toolkits. India-specific operations remain a small fraction of overall traffic.
Should we share IOCs with peer organisations?
Yes. India’s NIXI-ISAC, sectoral ISACs (BFSI-ISAC, Auto-ISAC), and informal CISO networks are useful intel-sharing channels. Anonymisation is acceptable; the value of shared IOCs significantly exceeds the privacy cost.
⚖️ Legal: Ransom payment in India is not explicitly criminal but may trigger Prevention of Money Laundering Act (PMLA) issues if proceeds traced to sanctioned entities. CERT-In reporting required within 6 hours of incident awareness. DPDP §8(6) breach notification within 72 hours. Engage Indian counsel before payment decisions.
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.