Ransomware is a category of malicious software that denies a victim access to data or computing systems—typically through cryptographic encryption—and conditions restoration on the payment of a ransom, most commonly demanded in cryptocurrency such as Bitcoin or Monero. The concept predates the modern epidemic: the first documented instance was the 1989 "AIDS Trojan" (PC Cyborg), distributed on floppy disks by Joseph Popp, which encrypted file names and demanded USD 189 sent to a Panama post office box. The technique acquired strategic significance only after the convergence of strong asymmetric cryptography, pseudonymous digital currency, and the Tor anonymity network, which together solved the historical weakness of ransomware—collecting payment without exposing the perpetrator. In India, the principal legal authorities engaged are the Information Technology Act, 2000 (notably Sections 43, 66, and 70 on protected systems), the Indian Computer Emergency Response Team (CERT-In) established under Section 70B, and the directions issued by CERT-In on 28 April 2022 mandating six-hour incident reporting.
Procedurally, a ransomware attack unfolds in identifiable stages. Initial access is gained through phishing emails carrying weaponised attachments, exploitation of unpatched internet-facing services (notably Remote Desktop Protocol and VPN appliances), or credentials purchased from initial access brokers. Once inside, the malware establishes persistence and performs lateral movement across the network, frequently using tools such as Mimikatz to harvest credentials and Cobalt Strike to control compromised hosts. The operators then identify and frequently exfiltrate sensitive data before detonating the encryption payload, which uses a hybrid scheme: a symmetric key (AES) encrypts each file, and that symmetric key is itself encrypted with the attacker's public RSA key, so that only the attacker's private key can decrypt it. A ransom note then specifies the amount, the cryptocurrency wallet, and a deadline, often with a countdown timer escalating the demand.
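The encryption stage described above leaves artefacts a defender can look for without any knowledge of the attacker's keys: ciphertext has near-maximal byte entropy, documents acquire an extra extension, and a ransom note appears beside them. The triage script below is an added illustration, not code from any referenced incident or tool; the entropy threshold, the extension list and the keyword list are assumptions, and the file snapshot is constructed.

```python
import math
import random
from collections import Counter
from pathlib import PurePath

# Assumed thresholds: plain documents sit around 4-6 bits/byte, AES output near 8.
ENTROPY_THRESHOLD = 7.5
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "btc", "monero", "pay")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_renamed(name: str) -> bool:
    """'report.docx.locked': a document extension with a further suffix appended."""
    suffixes = PurePath(name).suffixes
    return len(suffixes) >= 2 and suffixes[-2].lower() in DOC_EXTS

def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Small ASCII text file carrying several extortion keywords."""
    if len(data) > 8192:
        return False
    try:
        text = data.decode("ascii").lower()
    except UnicodeDecodeError:
        return False          # ciphertext is never a readable note
    return sum(k in text for k in NOTE_KEYWORDS) >= 3

def triage(files: dict) -> dict:
    """Score a {filename: contents} snapshot; a note plus renamed high-entropy files is the signal."""
    high_entropy = [n for n, d in files.items()
                    if len(d) >= 256 and shannon_entropy(d) > ENTROPY_THRESHOLD]
    renamed = [n for n in files if looks_renamed(n)]
    notes = [n for n, d in files.items() if looks_like_ransom_note(n, d)]
    likely = bool(notes) and bool(set(high_entropy) & set(renamed))
    return {"high_entropy": high_entropy, "renamed": renamed,
            "ransom_notes": notes, "likely_ransomware": likely}

# Constructed snapshot; seeded pseudo-random bytes stand in for AES ciphertext.
SAMPLE_FILES = {
    "quarterly_report.docx": b"Quarterly revenue summary for the board meeting. " * 40,
    "quarterly_report.docx.locked": random.Random(7).randbytes(2048),
    "budget.xlsx.locked": random.Random(11).randbytes(2048),
    "README_TO_RESTORE.txt": (b"All your files have been encrypted. To decrypt them, pay "
                              b"2 BTC (Bitcoin) to the wallet below within 72 hours."),
    "notes.txt": b"Meeting notes: follow up with vendor about invoice.",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```

Entropy alone is not proof, since compressed archives and media also score high; the verdict therefore requires the rename pattern and a note as corroboration.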
A decisive evolution is double extortion, pioneered by the Maze group in late 2019, in which attackers exfiltrate data before encrypting it and threaten public release on a "leak site" unless paid—defeating the traditional defence of restoring from backups. Triple extortion adds further pressure through distributed denial-of-service attacks or direct harassment of the victim's customers. The dominant commercial structure is Ransomware-as-a-Service (RaaS), in which a core developer team licenses the malware to "affiliates" who conduct intrusions, splitting proceeds roughly 70–30. This division of labour, exemplified by REvil, Conti, LockBit, and BlackCat (ALPHV), has industrialised the threat and complicated attribution, since the same strain may be deployed by unrelated actors.
Contemporary incidents illustrate the scope. The WannaCry worm of 12 May 2017 exploited the EternalBlue SMB vulnerability and crippled over 200,000 systems across 150 countries, including the United Kingdom's National Health Service. NotPetya in June 2017, attributed to Russian military intelligence, masqueraded as ransomware while functioning as a destructive wiper. The Colonial Pipeline attack of May 2021, carried out by a DarkSide affiliate, halted fuel distribution across the US East Coast and prompted a USD 4.4 million payment, a portion of which the US Department of Justice later recovered. In India, the AIIMS Delhi attack of November 2022 disrupted the hospital's servers for nearly two weeks and was investigated by CERT-In and the Delhi Police, while the SpiceJet incident of May 2022 stranded passengers nationwide.
Ransomware must be distinguished from adjacent threats. Unlike a generic computer virus or worm, ransomware's defining feature is monetisation through extortion rather than mere propagation or sabotage. It differs from a wiper, such as NotPetya or Shamoon, whose purpose is irreversible destruction with no genuine recovery path despite a ransom pretext. It is narrower than cyber-espionage, where the objective is covert data theft rather than disruptive denial of access. And it is distinct from a data breach in isolation, though modern double-extortion campaigns fuse the two by combining encryption with exfiltration.
The central controversy concerns whether victims should pay. Payment funds further criminality, offers no guarantee of decryption, and may violate sanctions law—the US Treasury's Office of Foreign Assets Control warned in advisories of 2020 and 2021 that paying entities linked to sanctioned actors can incur liability. The 68-member Counter Ransomware Initiative, in which India participates, committed in 2023 to a policy that member governments would not pay ransoms. State complicity is a recurring issue: several prolific groups operate from jurisdictions, notably Russia, that decline extradition, and some malware checks system language settings to avoid encrypting machines in Commonwealth of Independent States countries. Law-enforcement disruptions—such as the international takedown of LockBit infrastructure (Operation Cronos, February 2024) and Hive (2023)—have shown that coordinated action can degrade these networks, though affiliates frequently rebrand.
For the working practitioner, ransomware is now treated as a national-security and critical-infrastructure concern rather than a mere IT nuisance, a framing reflected in India's classification of digital threats under General Studies Paper III internal-security syllabi and in the mandate of the National Critical Information Infrastructure Protection Centre (NCIIPC). Effective response requires offline, immutable backups; rapid patching; network segmentation; multi-factor authentication; and tested incident-response and CERT-In reporting procedures within the six-hour window. Desk officers and policy analysts should understand that ransomware sits at the intersection of criminal law, cryptocurrency regulation, international cooperation, and deterrence—making it a persistent agenda item in bilateral cyber dialogues, the Quad, and multilateral forums where attribution, capacity-building, and the regulation of virtual assets are negotiated.
Example
In November 2022, ransomware crippled the servers of the All India Institute of Medical Sciences (AIIMS) in New Delhi for nearly two weeks, prompting investigation by CERT-In, the Delhi Police, and the National Investigation Agency.
Frequently asked questions
Law-enforcement bodies including the FBI and CERT-In advise against payment because it funds further crime and offers no guarantee of decryption. Payment may also breach sanctions law, as the US Treasury's OFAC has warned that paying sanctioned actors can incur civil liability even if unintentional.