How to Protect Your Business from Ransomware in India
Most Indian SMEs will get hit by ransomware not because of some sophisticated zero-day attack, but because of weak passwords and unpatched systems. Here's the conversational, practical guide to not being that business.

Most ransomware attacks in India succeed because of embarrassingly simple failures. Not sophisticated zero-day exploits. Not state-sponsored hacking teams running custom malware. A weak RDP password. An unpatched Exchange server. An accountant who clicked a link in a fake GST notice email. That's it. That's the entry point for the majority of ransomware incidents affecting Indian businesses, and it's been true for years.
I say this not to shame anyone but because the framing around ransomware in the media — all that talk about "advanced persistent threats" and "nation-state actors" — gives small business owners the impression that they're facing an enemy they can't possibly defend against. So they throw up their hands and figure it'll never happen to them, or that if it does, there's nothing they could've done. Both assumptions are wrong. You can defend against most ransomware attacks with basic security hygiene that costs surprisingly little money and requires no dedicated cybersecurity team. You just have to actually do it.
India has become one of the top targets for ransomware globally. CERT-In's data from 2025 showed a continued rise in reported incidents, with healthcare, manufacturing, logistics, and small IT services firms getting hit disproportionately. But the real number is much higher than what CERT-In sees, because plenty of businesses — especially smaller ones — don't report attacks at all. They pay the ransom quietly, clean up what they can, and try to move on without anyone finding out. I've talked to business owners who've done exactly that, and they almost always describe the same experience: total shock, followed by scrambling, followed by a wire transfer in cryptocurrency, followed by praying the decryption key works. Sometimes it does. Sometimes it doesn't.
Let's talk about how this actually happens, because understanding the attack chain is the first step toward breaking it.
How They Get In
Ransomware doesn't teleport onto your systems. Somebody or something opens a door for it. The most common doors in India right now are phishing emails, exposed remote access protocols, unpatched software, and supply chain compromises.
Phishing is still number one, and the Indian-specific variants are getting better. Attackers send emails that look like they're from the Income Tax Department, a GST portal notification, a courier delivery update, or an invoice from a vendor you actually work with. The email has an attachment — usually a PDF or Excel file — or a link to a website that looks convincing. Click it, and you've just downloaded malware that sits quietly on the system for days or weeks, mapping your network, identifying your backup locations, and preparing to encrypt everything at once.
Remote Desktop Protocol is the second big one. A lot of Indian businesses, especially since the work-from-home shift during and after COVID, have RDP exposed to the internet so employees can connect to office systems from home. If that RDP connection has a weak password — or worse, no multi-factor authentication — attackers can brute-force their way in. Automated tools scan the internet constantly for open RDP ports. Your office in Noida with port 3389 open and the password "company123" is already in someone's target list. I'm barely exaggerating.
Unpatched software is the third. When Microsoft, or Adobe, or whoever releases a security patch for a known vulnerability, that patch announcement also tells attackers exactly what the vulnerability is. They build exploits for it. If your systems aren't patched, you're running software with known, documented weaknesses that attackers have ready-made tools to exploit. A manufacturing firm in Gujarat running Windows Server 2012 R2 with patches three years out of date — that's not a question of "if," it's "when."
Supply chain attacks are the newest and trickiest vector. Your IT vendor, your managed service provider, the software you use for billing or HR — if any of them get compromised, the malware can flow downstream to you through a trusted update channel. You didn't click anything suspicious. You didn't have a weak password. But your vendor did, and their compromise became yours. These are harder to prevent but not impossible.
What Actually Protects You
Alright, here's the part you're here for. I'm going to walk through the measures that make the biggest difference, in roughly the order of impact-to-effort ratio. These aren't theoretical recommendations from a conference slide deck. They're the things that, in my experience, separate the businesses that recover from ransomware from the ones that don't.
Backups that actually work. This is the single most important defense against ransomware, and it's the one most businesses get wrong. Having backups isn't enough. You need backups that the ransomware can't reach. That means following the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy offline or air-gapped (physically disconnected from your network). A backup on a network drive that's mapped to your file server will get encrypted right alongside everything else. A backup on an external hard drive sitting in a locked drawer, updated weekly and then disconnected — that one survives. Cloud backups work too, but only if the backup account uses separate credentials from your main systems and has its own MFA. Ransomware operators actively look for backup systems and try to delete them before triggering the encryption. If they succeed, you've got nothing.
Test your backup restoration quarterly. Actually do this. Pull a backup, restore it to a test environment, and verify that the data is intact and usable. I've seen businesses confidently point to their backup system and then discover, during an actual attack, that the backups had been failing silently for months. The backup was configured but the actual data was corrupt or incomplete. Testing is the only way to know.
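One way to make that quarterly restore test a scripted, repeatable check, as an added example rather than code from this article: it assumes each backup is a tar.gz archive with a JSON manifest of SHA-256 hashes written at backup time (both assumptions, not a format the article prescribes), restores the archive into a scratch directory, and re-hashes every file so a silently truncated or corrupt backup is reported instead of discovered mid-incident.

```python
# Added example, not tooling from the article: a scripted quarterly restore test.
# Assumption: each backup is a tar.gz plus a JSON manifest of SHA-256 hashes taken at
# backup time; the test restores into a scratch directory and re-hashes every file.
import hashlib, json, os, shutil, tarfile, tempfile, zlib


def sha256_of(path):
    with open(path, "rb") as f:  # whole-file read; stream it for very large files
        return hashlib.sha256(f.read()).hexdigest()


def make_backup(source_dir, archive_path, manifest_path):
    # Archive source_dir under "data/" and record every file's hash in the manifest.
    manifest = {os.path.relpath(os.path.join(r, n), source_dir): sha256_of(os.path.join(r, n))
                for r, _, names in os.walk(source_dir) for n in names}
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)


def restore_test(archive_path, manifest_path):
    # Returns (ok, problems): ok only if every manifest entry restores byte-for-byte.
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:  # safe extraction filter where supported
                tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]  # truncated or corrupt archive
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, "data", rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"altered: {rel}")
    return not problems, problems


def run_demo():
    # Constructed data: a healthy backup passes; a copy that lost its tail (job died mid-write) fails.
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "accounts")
        os.makedirs(src)
        for name in ("ledger.xml", "invoices.csv"):
            with open(os.path.join(src, name), "w") as f:
                f.write(f"constructed sample row for {name}\n" * 300)
        good, bad, manifest = (os.path.join(work, n) for n in ("good.tgz", "bad.tgz", "m.json"))
        make_backup(src, good, manifest)
        shutil.copy(good, bad)
        os.truncate(bad, os.path.getsize(bad) // 2)
        return {"healthy": restore_test(good, manifest)[0], "truncated": restore_test(bad, manifest)[0]}
```

In practice, point `restore_test` at the offline copy you carry in from the locked drawer, and keep the manifest with the archive so the check needs nothing from the production network.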
Multi-factor authentication on everything that matters. If I could only recommend one security measure to every Indian business, it'd be MFA. Enable it on email accounts, VPN connections, RDP access, cloud services, administrative panels, and any system where a compromised password could do damage. An authenticator app like Google Authenticator or Microsoft Authenticator is better than SMS-based OTP (because SIM swap attacks can intercept SMS), but even SMS-based MFA is vastly better than nothing. This single measure blocks the majority of credential-based attacks. Not some. Most.
Patching within 48 hours for critical vulnerabilities. You need someone — whether that's an in-house sysadmin, a part-time IT person, or a managed service provider — whose job includes monitoring for security patches and applying them promptly. Microsoft Patch Tuesday lands every month. When a critical patch drops for Exchange Server, or Windows, or your VPN appliance, it needs to be applied within 48 hours. Not "next maintenance window." Not "when we get around to it." Forty-eight hours, because exploit code for known vulnerabilities often appears within days of the patch announcement.
Employee training that includes phishing simulations. Send your employees fake phishing emails quarterly. Seriously. There are services — KnowBe4, Cofense, and Indian providers too — that let you run simulated phishing campaigns and see who clicks. The employees who click get additional training. Over time, click rates drop dramatically. An employee who's been trained to recognize a fake GST notice email is worth more than a firewall in many scenarios, because they're the last line of defense when the email gets past your spam filter.
In India specifically, train your team on the local flavors of phishing. Fake income tax refund emails. Fake EPFO notifications. Fake courier delivery alerts from Delhivery or BlueDart. Fake RBI advisories. Attackers tailor their lures to the Indian context, and your training should reflect that.
Network segmentation. If your office network is flat — meaning every computer can talk to every other computer and every server — then ransomware that enters through one machine can spread to everything. Segmenting your network means dividing it into isolated zones: one for workstations, one for servers, one for IoT devices, one for guest Wi-Fi. Traffic between segments is restricted and monitored. If ransomware compromises a workstation in the sales department, it can't automatically jump to the finance server or the backup system. Segmentation doesn't prevent the initial infection, but it limits the blast radius.
Restricting admin privileges. Not every employee needs to be a local administrator on their workstation. Not every IT person needs domain admin credentials. The principle of least privilege says people should have only the access they need to do their job, and nothing more. If a regular employee's account gets compromised, the attacker inherits that employee's permissions. If those permissions are limited, the damage is limited. If that employee happens to have admin access to the file server, the attacker has hit the jackpot.
The India-Specific Risk Factors
A few things make Indian businesses particularly vulnerable to ransomware compared to their counterparts in, say, North America or Western Europe. First, the cybersecurity talent gap. India produces plenty of IT professionals, but cybersecurity specialists are in short supply, and the ones who exist tend to be absorbed by large corporations and consulting firms. A 20-person manufacturing company in Ludhiana isn't competing for cybersecurity talent with Infosys. They probably don't have anyone on staff whose primary job is security. Their "IT guy" manages everything from email setup to printer troubleshooting to antivirus updates, and security is one of fifteen responsibilities, not the top priority.
Second, the legacy software problem. A lot of Indian businesses, especially in manufacturing, logistics, and healthcare, run on software stacks that are years or decades behind current versions. Windows 7 machines that can't be upgraded because they run specialized industrial software. Accounting packages that only work on older database versions. Medical devices with embedded operating systems that stopped receiving security updates in 2019. Each of these is an entry point. Attackers know about legacy systems — they actively scan for them — and India's slow upgrade cycles create a rich target environment.
Third, the MSP dependency. Many Indian SMEs outsource their IT management to Managed Service Providers. When an MSP uses remote management tools to access multiple clients' systems — often through a single set of credentials or a shared management platform — compromising the MSP means compromising all their clients simultaneously. Several ransomware incidents in India in 2024 and 2025 were traced back to compromised MSPs. If your IT is managed by a third party, you need to understand their security practices: do they use MFA on their management tools? Do they segment access between clients? Do they have their own incident response plan? Many SME owners don't know the answers to these questions, and that ignorance is itself a risk.
Fourth, the lack of cyber insurance penetration. While the cyber insurance market is growing in India, the vast majority of SMEs don't have it. When ransomware hits, the costs of forensic investigation, recovery, legal counsel, and potential regulatory penalties come entirely out of pocket. A mid-size business might survive a Rs 20 lakh ransom plus Rs 10 lakh in recovery costs. A small business might not. The absence of an insurance safety net makes the financial impact of an attack existentially threatening for businesses that are already running on thin margins.
Fifth, the reporting stigma. Indian businesses — especially family-owned ones — are reluctant to admit they've been attacked. There's a perception that disclosing a ransomware incident signals weakness or incompetence to customers and competitors. So attacks go unreported, lessons go unshared, and the broader business community doesn't benefit from knowing that a particular attack vector is being actively exploited in their sector. CERT-In's six-hour reporting mandate was partly designed to address this, but cultural resistance to disclosure runs deep.
When It Happens Anyway
Even with good defenses, it might happen. Some attacks get through. If they do, the speed and quality of your response determines whether this is a bad week or a business-ending catastrophe.
The first thing you do when you suspect a ransomware attack is isolate the affected systems. Disconnect them from the network immediately. Pull the Ethernet cable. Disable the Wi-Fi adapter. The goal is to stop the ransomware from spreading to other machines and servers. Speed matters — ransomware can encrypt thousands of files per minute once it starts, and lateral movement across a network happens fast.
Second, you need to report to CERT-In within six hours. This isn't optional. CERT-In's April 2022 directive requires organizations to report cyber security incidents within six hours of becoming aware of them. That includes ransomware. The reporting mechanism is through CERT-In's portal, and while the actual enforcement of this timeline has been inconsistent, you don't want to be the test case. Report promptly.
Third, don't pay the ransom. I know, easy for me to say when it's not my business on the line. But paying has real problems beyond the moral argument. There's no guarantee you'll get a working decryption key. Paying marks you as a willing payer, which means you're likely to be targeted again. The money funds criminal operations. And depending on who the attackers are, payment might violate sanctions laws — several ransomware gangs have ties to sanctioned entities, and making a payment to them carries legal risk even if it's under duress.
If you've got good backups (see above), you can rebuild from those. It'll take days to a week for most small businesses, longer for larger ones, but you'll recover without paying and without trusting criminals to give you your data back.
Fourth, file an FIR with the local Cyber Crime police station. The police cybercrime infrastructure in India is uneven — some states have capable cyber cells, others are still figuring it out — but having an FIR on record is important for insurance claims, legal proceedings, and any future investigation.
Fifth, consider engaging a professional incident response firm. India has a growing ecosystem of cybersecurity firms that offer incident response services: forensic analysis of how the attack happened, help with containment and recovery, and guidance on communication (to employees, customers, and regulators). If you have cyber insurance, your insurer probably has a panel of approved IR firms and will connect you with one.
The One Thing to Do Today
If you've read this far and you're thinking "okay, but where do I start," here it is: enable MFA on your email and VPN today. Not this week. Not next quarter. Today. It takes an hour at most, it costs nothing if you're using Microsoft 365 or Google Workspace (both include MFA for free), and it eliminates the most common attack path ransomware operators use to get into Indian businesses. Everything else on this list matters too. But if you do only one thing, make it this one, and then schedule the rest for the coming weeks. The businesses that get hit hardest are invariably the ones that knew what they should've done and just hadn't gotten around to it yet. Don't be that business. The ten minutes it takes to set up MFA today could save you six months of recovery tomorrow.
Written by
Vikram Singh, Cybersecurity Consultant
Vikram Singh is a certified ethical hacker and cybersecurity consultant who has helped secure systems for major Indian banks and government agencies. He writes about practical security measures for everyday Indian internet users.