While large-scale ransomware attacks have seen widespread scrutiny in India in the last 10 or so years, the concept behind such attacks is much older.
The very first known ransomware attack dates back to 1989 with the infamous AIDS Trojan (also called PC Cyborg). This trojan was distributed by floppy disk to nearly 20,000 scientists at a World Health Organization conference.
The disks worked normally at first, but after 90 computer restarts, the malware secretly hid filenames and demanded a $189 “license fee” to be sent to a Panama P.O. box.
While most victims didn’t pay, many of them lost access to vital research before a free decryption tool was released.
It was a warning of what ransomware would become.
What Is Ransomware?
Ransomware is a type of malware (malicious software) designed to block your access to files or entire systems until a ransom is paid. The word combines “ransom” and “software,” which accurately conveys what ransomware means.
The term first appeared around 2005, as cybercriminals started using malicious programs to encrypt user data and then demand payment for its release. The core idea behind any ransomware virus is always the same—to deny you access to your important files and force you to negotiate with the attacker.
Whether you’re an individual, a small business, or a large corporation, it helps to know what ransomware is and how it works because the threat is real, and it can affect anyone who relies on digital storage and networking.
How Does Ransomware Work?
To really grasp the risk, it helps to know exactly how ransomware attacks play out.
Most ransomware attacks happen via some form of social engineering, like a phishing email, a malicious link, or even a fake software update. As soon as you (or someone in your organization) interact with that trap, the ransomware virus enters your system.
Here’s what typically happens next.
- The malware searches for files such as documents, spreadsheets, photos, databases, and backups.
- It then encrypts these files using strong algorithms.
- Many modern ransomware strains go further—they delete any shadow copies or local backups of data.
- Finally, a ransom note appears on your screen, with instructions on how to pay and a warning about what will happen if you don’t.
Some ransomware can spread across networks and encrypt shared folders, mapped drives, and even cloud-synced data. This is why a single infected machine can quickly escalate into a crisis for an entire organization.
What makes ransomware attacks particularly dangerous is that, by the time you notice something is wrong, the damage is done.
Why Is Ransomware a Big Problem Today?
You might wonder why ransomware is such a hot topic in cybersecurity today. The answer lies in how rapidly ransomware has evolved.
First, the scale of the ransomware problem is enormous. In the last few years, ransomware attacks have surged globally, and they now affect individuals as well as large hospitals, banks, schools, and government agencies.
In India alone, there’s been a year-on-year spike in major incidents. For example, in 2022, AIIMS Delhi—one of the country’s largest hospitals—was crippled by a ransomware attack that disrupted patient care and hospital operations for weeks. You can read more about the AIIMS Delhi ransomware attack and its impact on health data privacy.
Similarly, in 2023, the Indian Council of Medical Research (ICMR) reportedly faced a data breach involving ransomware. For deeper insights, you can read the Indian Express editorial on the ICMR data breach.
Ransomware gangs have extorted billions worldwide, with average ransom demands growing every year. But it’s not just about money. The real problem is the ripple effect.
When a major hospital’s systems are locked by a ransomware virus, patient care is delayed. When a city’s public services get hit, daily life for thousands is disrupted. The costs include lost productivity, data loss, reputational damage, and even regulatory fines for not protecting sensitive information.
Three big drivers are behind this epidemic.
- Easy, Anonymous Payments: Attackers demand ransom in cryptocurrencies like Bitcoin, which are hard to trace, making it easier for them to operate with little risk.
- Ransomware-as-a-Service (RaaS): These days, you don’t need to be a technical genius to launch an attack. Cybercriminals can buy ready-made ransomware kits or subscribe to services that provide the malware and even customer support.
- Sophisticated Extortion: Modern ransomware attacks don’t just lock files. Many now use “double extortion,” where they also steal your data and threaten to publish it online if you don’t pay.
All this makes ransomware one of the biggest cyberthreats of our time.
Did You Know? In India, agencies like CERT-In, which regularly publish detailed threat assessments (including the CERT-In Ransomware Report 2024), and the IT Ministry issue multiple alerts about rising ransomware threats and the need to protect digital systems.
Notable Ransomware Families
The landscape of ransomware is crowded with notorious “families.” Some of these names may sound familiar, especially if you follow cyber news or have seen warnings from security vendors.
- CryptoLocker: This family of ransomware marked the beginning of modern ransomware in 2013 by demanding payment in Bitcoin and making use of highly advanced file encryption.
- WannaCry: Perhaps the most infamous, this 2017 attack spread worldwide in hours. It exploited a Windows vulnerability and locked up computers in hospitals, companies, and government offices, demanding Bitcoin payments to decrypt files.
- NotPetya: Similar to WannaCry, but even more destructive. NotPetya hit global shipping, pharmaceuticals, and logistics firms. It used encryption techniques that made recovery almost impossible.
- Locky: One of the earliest ransomware viruses to use email attachments for mass infections. Locky could rapidly encrypt files and was notorious for changing file extensions to “.locky.”
- MAZE: Famous for starting the “double extortion” trend (steal data before encrypting it, then threaten public leaks).
- LockBit: Among the most active in recent years (both in India and globally), this ransomware targets both large enterprises and smaller firms.
- Cl0p, BlackCat/ALPHV, and RansomHub: These newer families specialize in big game hunting, where they target high-value organizations and use sophisticated extortion tactics.
- In India, ransomware families like LockBit, Mallox, and Makop are particularly relevant.
These groups don’t just operate from one country. They are known to rent out their software, so local attackers anywhere in the world, including India, can deploy global-grade ransomware.
How to Recognize a Ransomware Infection: Signs and Symptoms
How do you know if you’ve been hit by a ransomware attack? Here are the most obvious signs.
- You suddenly cannot open files that worked perfectly well a day ago. The system starts throwing errors like “file is corrupted” or “invalid format.”
- File extensions change to something strange, such as .locked, .crypt, .djvu, or a long random string.
- Ransom notes appear everywhere (on your desktop, in every folder, or even as your new wallpaper). These messages have filenames like “HOW_TO_DECRYPT.txt” or “README.html” and contain payment instructions.
- A ransomware virus might display a big, alarming warning window or message that you can’t close. This message tells you how much you need to pay and threatens worse consequences if you delay.
- On a network, you may notice many users suddenly losing access to shared files or drives or getting locked out of their computers.
Ransomware can encrypt or delete your shadow copies or backups, which makes your regular recovery methods useless. If you notice any of these symptoms, disconnect from the network immediately and seek expert help.
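A small triage script that checks a folder tree for the signs listed above (files renamed to suspect or random-looking extensions, and ransom notes whose name and contents match the usual pattern). It is an added example, not code from the original article or a Stellar tool; the extension set, the note-name patterns and the sample tree it builds are assumptions and constructed data, to be tuned for your own environment.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators drawn from the symptoms listed above; the extension set and the
# note-name patterns are assumptions to be tuned for your own environment.
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".djvu", ".locky"}
NOTE_NAME_RE = re.compile(r"(how_to_decrypt|readme|restore|recover).*\.(txt|html|hta)$", re.I)
NOTE_BODY_RE = re.compile(r"\b(bitcoin|decrypt|ransom|onion)\b", re.I)

def random_extension(ext: str) -> bool:
    """Long alphanumeric extension mixing letters and digits, e.g. '.k9Xq2mZ7Lp'."""
    body = ext[1:]
    return (len(body) >= 8 and body.isalnum()
            and any(c.isdigit() for c in body) and any(c.isalpha() for c in body))

def looks_like_note(path: Path) -> bool:
    """A ransom note has a tell-tale filename and its text talks about payment."""
    if not NOTE_NAME_RE.search(path.name):
        return False
    try:
        return bool(NOTE_BODY_RE.search(path.read_text(errors="ignore")))
    except OSError:
        return False

def scan_tree(root) -> dict:
    """Walk `root` and report files with suspect extensions and ransom notes."""
    root = Path(root)
    findings = {"renamed_files": [], "ransom_notes": []}
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        if ext in SUSPECT_EXTENSIONS or random_extension(ext):
            findings["renamed_files"].append(rel)
        elif looks_like_note(path):
            findings["ransom_notes"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def demo() -> dict:
    """Constructed sample tree (not real victim data): one clean folder, one hit."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp, "clean"), Path(tmp, "finance")
        clean.mkdir(); hit.mkdir()
        (clean / "notes.txt").write_text("quarterly meeting agenda")
        (clean / "README.html").write_text("<p>Project docs</p>")      # benign README
        (hit / "budget.xlsx.locked").write_bytes(os.urandom(64))       # known extension
        (hit / "photo.jpg.k9Xq2mZ7Lp").write_bytes(os.urandom(64))     # random extension
        (hit / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay in Bitcoin.")
        return scan_tree(tmp)
```

Run `scan_tree()` against a mapped drive or file server share to see which folders the notes and renamed files cluster in; that tells you where the infection reached before you disconnect and restore.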
What Ransomware Attackers Usually Want
At its core, a ransomware attack is about money. Attackers encrypt your data and demand payment for the decryption key.
Ransom demands might range from a few thousand or a few lakhs of rupees for individuals to tens of lakhs or even crores for organizations.
A worrying trend in ransomware attacks nowadays is that of double or triple extortion. Here’s how it works.
- Before it encrypts your files, the malware will download copies of sensitive data for the attackers.
- If you don’t pay, attackers will threaten to leak your information publicly or sell it on the dark web.
- Some groups launch simultaneous DDoS (Distributed Denial of Service) attacks on victim organizations and harass top executives to increase pressure.
What Happens If You Pay the Ransom: Pros/Cons, Legal/Ethical Issues, What Experts Say
It is almost never a good idea to pay the ransom, for three primary reasons.
- There’s never a true guarantee that you’ll get all your data back.
- Studies show that 80% of victims who pay are targeted again.
- In India, paying a ransom is discouraged by CERT-In and can land you in regulatory hot water (for example, if the attackers are linked to sanctioned groups).
Even cybersecurity authorities such as India’s CERT-In, the USA’s CISA, and security professionals worldwide recommend that you do not pay the ransom.
Instead, you should focus on data recovery, report the incident, and work with professionals to secure your systems.
Before we dive into prevention strategies, you can also explore our detailed guide on Data Security to understand essential practices that help reduce the risk and impact of ransomware attacks.
How to Stay Safe: Technical Best Practices to Protect Against Ransomware
Here’s what works, both for individuals and organizations.
- Create frequent backups of all your important data. You should store at least one backup offline, disconnected from your network.
- Install updates and security patches on schedule.
- Enforce strong, unique passwords and change them regularly.
- Turn on multi-factor authentication (MFA) wherever possible.
- Apply the principle of least privilege: give users the minimal access needed to do their tasks.
- Disable unused accounts, close open network shares, and restrict admin rights.
- Segment your network so ransomware can’t easily spread to all devices.
- Train everyone to spot suspicious emails, attachments, or links.
- Use security tools to monitor for unusual file changes or network activity.
- Have an incident response plan ready.
When Should You Seek Expert Ransomware Data Recovery Help?
Even with the best security practices, ransomware can still lock down your most critical business data. Sometimes it can hit complex systems like RAID arrays and virtual servers.
If you find yourself unable to recover files, or if internal attempts have failed, you need support from professional data recovery experts who have extensive experience recovering data from ransomware-infected systems.
At Stellar Data Recovery, we have successfully handled thousands of such ransomware-encrypted drives.
Our ransomware data recovery specialists use custom-built tools and manual reconstruction techniques to restore data even from highly encrypted or damaged storage.
We have the infrastructure, world-class R&D, and experienced engineers to deliver fast, confidential, and technically sound recovery.
So if ransomware has left your business in a tough spot, reach out to Stellar for a free assessment.
Real Case Studies of Stellar’s Successful Ransomware Recoveries
To understand how our engineers recover encrypted, deleted, or damaged data from complex ransomware attacks, explore these real-world case studies:
Frequently Asked Questions
Ransomware spreads across a network in many ways. It can exploit weak passwords or open network shares to spread to different computers on the network. Once inside a network, it looks for other computers it can reach and copies itself across mapped drives or shared folders. It can even use stolen login details to access more computers. This is why one infected user can cause a whole department or organization to be affected.
No. Ransomware can target other platforms as well. While most attacks have been on Windows-based systems, there are strains of ransomware that affect Mac, Linux, and even mobile devices.
Yes, ransomware is a type of malware. Malware is any software made to harm, disrupt, or take control of a computer system without the user’s consent. Ransomware is a special kind of malware that encrypts users’ files or devices and demands a payment in return for the decryption key.
About The Author
Somdatta is a professional content writer and analyst focused on the storage technology sector, with expertise in both magnetic and flash storage, as well as cloud computing and virtualization concepts. Somdatta translates technical concepts into clear, engaging content to sensitize readers toward a multitude of data loss scenarios and help them gain insights into the nuances of data recovery.