What is Ransomware?
Ransomware is malicious software that blocks access to a computer system or encrypts its data, after which the attacker demands a ransom — usually paid in cryptocurrency to evade tracing — to restore access. It typically spreads through phishing emails, malicious attachments, compromised websites, or by exploiting unpatched software vulnerabilities. Unlike data theft alone, ransomware directly disrupts operations, which makes it especially dangerous for hospitals, banks and government services.
How Ransomware Has Evolved
Early ransomware simply encrypted files. Attackers now use layered extortion tactics:
| Stage | Tactic | What happens |
|---|---|---|
| Single extortion | Encryption | Data locked; ransom for decryption key |
| Double extortion | Encryption + data theft | Stolen data leaked online if ransom unpaid |
| Triple extortion | Add pressure on third parties | Customers/partners harassed; DDoS attacks added |
A second major shift is Ransomware-as-a-Service (RaaS) — criminal groups lease ready-made ransomware kits to "affiliates," lowering the technical barrier to entry. After the disruption of the LockBit group by law enforcement (Operation Cronos, early 2024), groups such as RansomHub absorbed displaced operators, showing the ecosystem's resilience.
Major Incidents
- WannaCry (May 2017): A self-spreading worm using the leaked "EternalBlue" exploit infected 200,000+ computers in 150+ countries, crippling the UK's National Health Service (Cloudflare; Al Jazeera, May 2017).
- AIIMS Delhi (Nov 2022): A ransomware attack reportedly breached five of the institute's servers and disrupted registration, billing and patient services for roughly two weeks, investigated by CERT-In, Delhi Police and the NIA (multiple media reports, Nov–Dec 2022).
India's Institutional Response
The nodal agency is CERT-In, operating under Section 70B of the Information Technology Act, 2000. Its directions of 28 April 2022 (under Section 70B(6)) mandate that specified cyber-security incidents — including ransomware — be reported to CERT-In within six hours of being noticed (CERT-In official directions, 28-Apr-2022). Critical sectors are additionally protected by the National Critical Information Infrastructure Protection Centre (NCIIPC).
CERT-In's India Ransomware Report 2024 (published 25-Mar-2025) found that the manufacturing sector was the most targeted, followed by finance and IT/ITeS, and noted rising abuse of legitimate system tools ("Living off the Land") by attackers.
Global Status (Latest Verified Data)
Globally, ransom payments traced on-chain fell to about US$813 million in 2024, a roughly 35% drop from the record US$1.25 billion in 2023, partly due to law-enforcement takedowns of major groups (Chainalysis, Feb-2025). Despite falling total payments, the number of attacks and median ransom demands continued to rise, confirming ransomware as a persistent, adaptive threat.
UPSC Angle
For Mains GS3, link ransomware to Critical Information Infrastructure protection, the CERT-In six-hour reporting rule, and the trade-off between security and privacy. For Prelims, remember CERT-In's legal basis (IT Act, 2000, Section 70B) and the distinction between malware, ransomware and a worm.
BharatNotes