Ransomware in India 2026: From Data Leaks to Shutdowns

Manish Garg, Associate of (ISC)² · RingSafe
Jun 15, 2026 · 6 min read
Ransomware in India has stopped being a data-leak problem and become an operations problem — if an attack halts your hospital, plant or back office, the cost is measured in downtime, not just disclosure.

The story of ransomware in India in 2026 is no longer about a leak site and an awkward press statement. The dominant pattern over 2024-2026 has been a deliberate shift from “steal-and-leak” extortion toward operational disruption — attackers who do not just copy your data but encrypt the systems your business runs on, then wait for the downtime to do the negotiating for them. For an Indian CISO, that changes the maths entirely. The question is no longer only “what data did they take?” but “how long can we operate with our core systems dark, and what does each hour cost?”

What changed: from disclosure to downtime

For years the extortion playbook was data exfiltration: copy sensitive records, threaten publication, demand payment to keep them off a leak site. That threat still exists, but it has been overtaken by a blunter tactic — encrypt production, halt operations, and let the disruption apply the pressure. CERT-In’s own framing of the 2024-2026 trend points the same way: away from pure exfiltration and toward impact on operational continuity, with healthcare, manufacturing and energy infrastructure increasingly in the firing line. The reason is simple economics for the attacker. A hospital that cannot admit patients, or a plant that cannot ship, will often decide faster than a board weighing reputational risk over leaked files.

Who is being hit in India

The targeting is not random. India now sits among the Asia-Pacific hotspots for ransomware activity, and the sectors taking the heaviest blows are the ones where downtime is intolerable. Healthcare is squarely in the crosshairs — in June 2025, Indian hospitals including Sant Parmanand Hospital and NKS Super Speciality Hospital suffered server hacks that disrupted their IT systems, exactly the kind of operational hit that endangers patients before it endangers data. Manufacturing is the other prime target, where halted production lines translate directly into missed shipments and contractual penalties. BFSI remains a perennial focus given the value of financial data and the regulatory blast radius of any outage. And SMEs — often supplying the larger players — are hit because they are softer, under-resourced, and a convenient route into bigger networks. Against a national backdrop of more than 2.2 million cyber incidents logged between 2021 and mid-2025, roughly 3,000 a day, no Indian organisation can credibly call itself too small or too obscure.

How access is actually gained

Ransomware crews rarely need anything exotic to get in. The recurring initial-access routes are mundane and entirely preventable. Phishing remains the front door — a single credential harvested from a convincing email is often enough. Exposed remote access comes next: RDP and VPN endpoints left reachable from the internet, protected only by a password, are scanned and brute-forced continuously. Unpatched edge devices — firewalls, VPN concentrators and gateways with known, published vulnerabilities — are a favourite, because one missed patch on an internet-facing appliance hands over a foothold with no phishing required. And third parties are the quiet one: a compromised supplier, managed-service provider or contractor with network access becomes the attacker’s path in. If you have never mapped which vendors hold standing access to your environment, that is your blind spot. A VAPT engagement that scopes external attack surface explicitly is the fastest way to find these exposures before someone else does.
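The continuous brute-forcing of exposed RDP and VPN described above is one of the easiest intrusion precursors to spot in authentication logs. The detector below is an added example, not code from the article or from RingSafe: it runs a sliding window over constructed log lines laid out in a simplified Windows Security event 4625 style (timestamp, event id, source IP, target account, logon type) and raises a brute-force alert when one source IP piles up failures, or a password-spray alert when one source IP cycles through many accounts; the thresholds and window are assumptions to tune for your own estate.

```python
"""Sliding-window detection of brute-force and password-spray attempts against an
exposed RDP/VPN endpoint. Added example, not from the original article: the log lines
are constructed in a simplified Windows Security event 4625 layout (timestamp, event id,
source IP, target account, logon type) and the thresholds are assumptions to be tuned."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Logon type 10 = RemoteInteractive (RDP), 3 = Network (gateway auth).
SAMPLE_LOGS = """\
2026-06-15T02:00:01 4625 198.51.100.7 administrator 10
2026-06-15T02:00:03 4625 198.51.100.7 administrator 10
2026-06-15T02:00:05 4625 198.51.100.7 administrator 10
2026-06-15T02:00:08 4625 198.51.100.7 administrator 10
2026-06-15T02:00:11 4625 198.51.100.7 administrator 10
2026-06-15T02:10:00 4625 203.0.113.9 alice 3
2026-06-15T02:10:02 4625 203.0.113.9 bob 3
2026-06-15T02:10:04 4625 203.0.113.9 carol 3
2026-06-15T02:10:06 4625 203.0.113.9 dave 3
2026-06-15T08:30:00 4625 10.0.0.5 ravi 10
2026-06-15T08:30:20 4624 10.0.0.5 ravi 10
"""

FAIL_THRESHOLD = 5        # failures from one source IP inside the window
SPRAY_USER_THRESHOLD = 4  # distinct accounts tried from one source IP inside the window
WINDOW = timedelta(minutes=5)

def parse(line):
    ts, event_id, src_ip, user, logon_type = line.split()
    return datetime.fromisoformat(ts), int(event_id), src_ip, user.lower(), int(logon_type)

def detect(log_text, window=WINDOW):
    """Return {source_ip: sorted alert names} for source IPs that trip either rule."""
    recent = defaultdict(deque)  # source IP -> (timestamp, account) pairs inside the window
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        ts, event_id, src, user, logon_type = parse(line)
        if event_id != 4625 or logon_type not in (3, 10):
            continue  # only remote-access logon failures count; successes (4624) are ignored
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD:
            alerts[src].add("brute_force")
        if len({u for _, u in q}) >= SPRAY_USER_THRESHOLD:
            alerts[src].add("password_spray")
    return {ip: sorted(names) for ip, names in alerts.items()}
```

On the constructed sample, 198.51.100.7 trips the brute-force rule against one account, 203.0.113.9 trips only the spray rule (four accounts, four failures), and the single failure from 10.0.0.5 followed by a success raises nothing.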

The defence playbook that actually works

There is no single control that stops ransomware; what works is a stack of unglamorous measures, each closing a door. The non-negotiables for an Indian organisation in 2026:

  • Immutable or offline backups with tested restores. Backups are the difference between a bad week and an existential crisis — but only if they survive the attack and actually restore. Attackers hunt for and delete connected backups first. Keep copies that cannot be altered or reached from production, and rehearse a full restore on a clock. An untested backup is a hope, not a control.
  • Network segmentation. Flat networks let one foothold become total compromise. Segment so that a breach in one zone — a clinical workstation, a single plant cell — cannot reach the entire estate.
  • EDR on every endpoint and server. Endpoint detection and response catches the behaviours — credential dumping, mass file encryption, lateral movement — that signature antivirus misses, and buys time to respond before encryption completes.
  • MFA everywhere. Multi-factor authentication on VPN, RDP, email and every administrative interface neutralises the stolen-password route that begins most intrusions. No exceptions for “convenience” accounts.
  • Patch and exposure management. Prioritise internet-facing edge devices and known-exploited vulnerabilities. Knowing what you expose to the internet, and shrinking it, is half the battle.

For cloud-hosted workloads the same principles apply with cloud-native controls — least-privilege IAM, hardened storage, and segregated backup accounts. A focused cloud security review closes the misconfigurations that turn a cloud foothold into a full takeover.
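The first control in the playbook, tested restores, only counts when the restore is actually rehearsed and verified. The drill below is an added example, not code from the article or from RingSafe: it backs up a constructed source tree, restores it into a clean directory, checks every file against a SHA-256 manifest recorded at backup time, and clocks the restore against an assumed RTO; a second run tampers with the backup copy to show how a restore that silently returns corrupted data is caught. Paths, file contents and the RTO are constructed with tempfile; a real drill would point restore_and_verify() at an immutable or offline copy.

```python
"""Restore drill for the 'tested restores' control: back up a tree, restore it into a
clean location, verify every file by SHA-256 and clock the restore against an RTO.
Added example, not from the original article: the source tree, backup copy and RTO
figure are constructed with tempfile; a real drill points restore_and_verify() at an
actual immutable or offline backup copy."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_tree(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def take_backup(source: Path, backup: Path) -> dict:
    """Copy source to backup and return the manifest recorded at backup time."""
    shutil.copytree(source, backup)
    return sha256_tree(source)

def restore_and_verify(backup: Path, restore_to: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into an empty directory, compare against the manifest and time it."""
    start = time.monotonic()
    shutil.copytree(backup, restore_to)
    elapsed = time.monotonic() - start
    restored = sha256_tree(restore_to)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not missing and not corrupt and elapsed <= rto_seconds,
            "missing": missing, "corrupt": corrupt, "restore_seconds": round(elapsed, 3)}

def run_drill(corrupt_backup: bool = False, rto_seconds: float = 60.0) -> dict:
    """Build a constructed source tree, back it up, optionally tamper with the backup
    (simulating an attacker who reached a connected copy), then run the drill."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "source"
        (src / "erp").mkdir(parents=True)
        (src / "erp" / "orders.db").write_bytes(b"order-1,order-2,order-3")
        (src / "erp" / "config.ini").write_text("[db]\nhost=erp-db\n")
        manifest = take_backup(src, tmp / "backup")
        if corrupt_backup:
            (tmp / "backup" / "erp" / "orders.db").write_bytes(b"\x00" * 8)
        return restore_and_verify(tmp / "backup", tmp / "restore", manifest, rto_seconds)

if __name__ == "__main__":
    print(run_drill())                     # ok: True, nothing missing or corrupt
    print(run_drill(corrupt_backup=True))  # ok: False, corrupt: ['erp/orders.db']
```

The manifest must be stored apart from the backup it describes; if an attacker can rewrite both, the verification proves nothing.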

Test like the attacker will: ransomware-scenario VAPT and red-teaming

Controls you have never tested are assumptions, not defences. The way to find out whether your segmentation holds, your EDR alerts and your backups restore is to simulate the attack end to end. A ransomware-scenario penetration test starts from realistic initial access — a phished credential, an exposed VPN — and works toward the objective the way a real crew would, surfacing the lateral-movement paths and privilege escalations that scanners never see. Red-teaming goes further, testing whether your people and processes detect and respond in time. This is exactly the gap that purpose-built VAPT services are designed to close: not a compliance tick-box scan, but an adversary-eye assessment of whether an attacker could actually shut you down. Manufacturing and healthcare estates in particular benefit from including operational technology and clinical systems in scope, since those are precisely where 2026’s attacks land.

An IR plan that satisfies CERT-In and DPDP

When — not if — an incident hits, the clock starts immediately, and in India it is a short clock. The CERT-In Directions of 28 April 2022 require specified cyber incidents, ransomware included, to be reported within six hours of noticing them, and mandate that logs be retained for 180 days. Separately, the DPDP regime obliges breach notification to the Data Protection Board. An incident-response plan that does not bake in these duties will fail you at the worst moment. Your runbook must name who declares an incident, who notifies CERT-In within the six-hour window, who assesses personal-data impact for DPDP, and how you preserve the logs you are required to keep. Build this before you need it — read our CERT-In Directions guide and work through the CERT-In readiness checklist so the reporting obligations are rehearsed, not discovered mid-crisis. The mechanics of meeting that deadline are covered in detail in our note on CERT-In’s six-hour incident reporting. Healthcare leaders should also see our sector-specific guidance on healthcare cybersecurity in India.

The takeaway

The defining feature of ransomware in India in 2026 is operational impact: attacks engineered to stop you working, not merely to embarrass you. The targets — healthcare, manufacturing, BFSI and the SMEs that supply them — are chosen precisely because downtime is unaffordable. The entry routes are boringly preventable: phishing, exposed RDP and VPN, unpatched edge devices and over-privileged third parties. The defence is equally unglamorous and entirely achievable: immutable backups with tested restores, segmentation, EDR, MFA everywhere, disciplined patch and exposure management, attack-realistic testing, and an IR plan that meets the CERT-In six-hour rule and DPDP breach duties. None of it is exotic; all of it requires doing the work before the attack, not after. If you want to know whether your organisation could actually be shut down — and how to close the gaps before someone proves it for you — talk to our team about a ransomware-scenario assessment.
