India's Ransomware Crisis: A Unit Zero Strategic Threat Analysis of 2025
Author: MD. Azim Uddin

As we monitor the movements of threat actors across the Asia Pacific (APAC) region, examining attack trends and the evolution of cyber warfare from amateurish script kiddie tactics to advanced state-sponsored operations, it is clear that 2025 marked a sobering moment for India's cybersecurity landscape. Our analysis presents a concerning reality: India has become one of the world's top targets for ransomware assaults, with sophisticated threat groups conducting campaigns that increasingly blur the line between cyber crime and geopolitical conflict.
We are witnessing the industrialization of cyber warfare against India. What concerns us isn't that attackers are getting more sophisticated; it's that India's defense posture remains reactive while the threat landscape demands predictive intelligence. In 2025, we tracked 24 ransomware families that acted not only as criminal enterprises but as nodes in a geopolitical proxy network where code is the ammunition and data is the battlefield.

The Numbers Don't Lie: India Is Under Siege!
Unit Zero's strategic threat analysis for 2025 reveals a cyber threat landscape of unprecedented intensity. Between January and November 2025, we identified two dozen distinct ransomware groups actively targeting Indian organizations, with Killsec, Clop, and Nightspire in particular mounting sustained campaigns for months. Intelligence indicates India faced over 1.5 million cyberattacks following the Pahalgam incident, with 150 successful breaches against India's critical infrastructure.
But what concerns our team the most isn't just the volume; it's the sophistication and persistence. Groups like Killsec demonstrated strategic operational consistency, claiming victims throughout the year, from healthcare institutions such as SPARSH Hospital and ASRAM Medical College to corporate targets such as Lupin Limited and NewGen. This isn't just opportunistic cyber crime; it's systematic targeting.
What Mistakes Made India So Vulnerable?
1. Scaling Digitally Without Adequate Security Maturity
The Indian government's extremely ambitious digital initiative has connected millions to online services. We saw this during the COVID-19 crisis, which pushed every Indian vaccine card into the cloud, only for that data to be breached entirely later. Here's the harsh reality: infrastructure has grown faster than security capabilities. The country saw 62% of all malware detections originating from cloud-based environments in 2025, a clear indicator that organizations are moving to the cloud without implementing proper security controls. Based on my fieldwork, I have observed numerous Indian organizations that continue to run legacy systems alongside modern infrastructure, resulting in what I describe as "IT Frankenstein environments": a tangled mix of incompatible systems with significant security vulnerabilities. This diversity hinders effective security measures and provides multiple avenues for potential attackers.
2. High-Value Data, Low Ransom Resistance
Indian organizations possess a wealth of sensitive data, including personal health records, financial details, government files, and proprietary business information. Healthcare institutions, holding patient data, are especially vulnerable. Entities like Future Generali and Sun Direct frequently appear on data leak sites (DLS). Ransomware attackers find these targets particularly appealing because, although Indian organizations offer much lower ransom payments than their Western counterparts, they are more likely to pay due to regulatory demands, operational needs, and concerns over reputation. The healthcare industry illustrates this well: when patient services are interrupted, hospitals face immense pressure to quickly resume operations, making them ideal targets for double-extortion strategies.
3. Ransomware-as-a-Service: Democratizing Cybercrime
The rise of Ransomware-as-a-Service platforms has significantly transformed the threat environment. Nowadays, even less skilled cyber criminals can carry out advanced attacks by utilizing ready-made tools bought on dark web marketplaces. This shift has led to a surge in smaller, more adaptable groups: recent reports identify 85 active extortion crews worldwide, with 47 of them targeting fewer than ten victims each. For India, this development means confronting not only established entities like LockBit and Qilin but also rising groups such as Incransom, TheGentlemen, and Sinobi that have already hit Indian targets. The traditional barriers to entry have diminished, and India's extensive attack surface makes it an attractive training ground for emerging threat actors.

4. Geopolitical Targeting and Proxy Warfare
This is where our analysis becomes controversial, but the intelligence insights are clear: a substantial portion of attacks against India are driven by geopolitical motives. The terrorist incident in Pahalgam in April 2025 set off a series of cyber operations, with Pakistan-affiliated hacktivist groups and Advanced Persistent Threats such as APT36 (Transparent Tribe) launching coordinated assaults on Indian government and defense systems. What's even more alarming is the partnership between China and Pakistan in cyberspace. Reports suggest that China provides technological support and infrastructure, while Pakistan serves as the operational front. This setup enables Beijing to maintain plausible deniability while engaging in intelligence gathering and disruptive activities targeting India. Added to this are the attacks on India's Ministry of Defence, DRDO, and telecommunications networks by state-backed groups like Babuk2 in early 2025 for espionage purposes. Threat actors claiming to target India during periods of heightened tension, such as Operation Sindoor in May 2025, clearly show alignment with government interests while operating under the banner of independent hacktivist groups.
5. Institutional Fragmentation and Coordination Gaps
India's federal structure presents coordination hurdles that malicious actors exploit effectively. Agencies such as CERT-In, NCIIPC, and various state-level cyber units often operate independently, with limited data sharing and inconsistent incident response strategies. When an attack hits a manufacturing firm in Tamil Nadu and a separate assault targets a hospital in Delhi, there is often no infrastructure to connect these incidents and recognize coordinated threats. Additionally, regulatory frameworks like the Digital Personal Data Protection Act are still evolving, leaving many organizations struggling to achieve compliance. This results in a fragmented security landscape across different sectors, providing attackers with opportunities to identify and target the weakest points.
India's cybersecurity challenge isn't technical; it's architectural. We've observed organizations layering modern cloud solutions on top of legacy infrastructure, like building skyscrapers on quicksand. The 62% cloud-origin malware detection rate isn't a cloud security failure; it's a visibility gap. Organizations migrated to digital transformation without migrating their security paradigm. The result? An attack surface so fragmented that defenders don't know what they're protecting while attackers exploit old vulnerabilities.
India's Most Active Threat Groups: Profiling the Adversary

Killsec has become one of the most persistent threats, with confirmed attacks occurring over a ten-month period from January to October 2025. Their targeting strategy appears deliberate, focusing on sectors such as healthcare (SPARSH Hospital, ASRAM Medical College, Nano Health), financial services (FAAB Invest Advisors), pharmaceuticals (Lupin Limited), and technology companies (eMedicoERP, NewGen). This range of victims indicates either a vast affiliate network or highly advanced targeting techniques.
Qilin has shown notable ambition by averaging 75 victims per month worldwide in the third quarter of 2025, making it the most active ransomware group of the year. Although they claim ideological motives, my analysis indicates their operations are purely profit-oriented, targeting various sectors and regions. Among their Indian victims are pharmaceutical firm Rasi Laboratories and infrastructure firms such as Dhoot Transmission.
Clop adopts a targeted strategy, focusing mainly on the manufacturing and industrial sectors. Its attacks on FORBESMARSHALL.COM, WELCOMEIND.COM, and RUIA.COM indicate a deliberate interest in India's industrial infrastructure—possibly for financial advantage and competitive intelligence gathering.
Nightspire and Funksec have exhibited troubling patterns of targeting vital infrastructure. Nightspire's assaults on power equipment manufacturer Lotus Powergear and workforce solutions provider TeamLease indicate a focus on disrupting critical services. Similarly, Funksec's targeting of government infrastructure, such as punjab[.]gov[.]in, and payment systems like genrepurchase[.]bankatm[.]in, poses significant national security concerns.
Babuk2 presents the most concerning profile, as they target government institutions such as drdo.gov.in (Defence Research and Development Organisation) and icmr.gov.in (Indian Council of Medical Research), claiming to have accessed Ministry of Defence documents. This suggests state-sponsored espionage operating under the guise of ransomware activities. The timing of these attacks amid geopolitical tensions appears to be more than just coincidence.
Threat Actor Motives: Beyond Financial Gains...
Strategic intelligence gathering drives groups such as APT36, Babuk2, and other state-backed actors. Their focus on defense agencies, government departments, and vital infrastructure typically involves data theft combined with encryption, indicating that espionage is the main goal, with ransom demands serving as a distraction.
Hacktivism and geopolitical instability prompt attacks aligned with ongoing real-world tensions. The cyber operations that followed the Pahalgam attack demonstrate how threat actors leverage digital campaigns to escalate physical conflicts, disrupt operations, disseminate misinformation, and erode public trust in government effectiveness.
Testing and capability development explains why emerging groups often focus on Indian organizations: India's vulnerable digital environments make a perfect test ground for ransomware operators to refine their methods, tactics, techniques, and procedures before turning to higher-profile targets in the West.
Operation Sindoor: Cyber Warfare Comes of Age
The 2025 India-Pakistan crisis demonstrates how cyber actors can be involved in hybrid warfare: APT36's use of Crimson RAT malware delivered with Pahalgam-themed phishing bait exemplifies sophisticated social engineering aligned with national strategic goals. Intelligence suggests these efforts were focused on collecting sensitive data related to India's military positioning and China's border operations. The China-Pakistan cyber alliance represents one of the most challenging threats for India. China acts as a high-tech supplier, providing cutting-edge resources such as AI-powered malware, advanced intrusion techniques, and infrastructure, while Pakistan carries out the attributed intrusions. This alliance also enables Beijing to advance its strategic goals against India in their border disputes.
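As an added defender-side example (not Unit Zero's code or tooling), the following Python flags the two infrastructure patterns listed in the next section: connections to the listed Crimson RAT and phishing addresses, and lookalike hosts that prepend a legitimate gov.in or nic.in name to an attacker-registered domain. The simplified registrable-domain rule and the sample log lines are assumptions constructed for the example.

```python
# Added detection example, not Unit Zero's tooling. It refangs the report's
# indicators and flags (a) connections to the listed C2 addresses and (b) hosts
# that embed a real .gov.in / .nic.in site as leading labels of a different
# registrable domain, as jkpolice.gov.in.kashmirattack.exposed does.
# Assumption: a naive eTLD+1 rule stands in for the public suffix list.
import ipaddress
import re

DEFANGED_C2 = ["93.127.133[.]58", "99.83.175[.]80", "37.221.64[.]202", "78.40.143[.]169"]
PROTECTED_SUFFIXES = (".gov.in", ".nic.in")   # suffixes the lures impersonate
SECOND_LEVEL_IN = {"gov", "nic", "co", "ac"}  # two-level public suffixes under .in

def refang(ioc: str) -> str:
    """Turn the report's defanged notation ('[.]') back into a plain string."""
    return ioc.replace("[.]", ".").strip().lower()

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, or last three under gov.in, nic.in, etc."""
    labels = host.strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "in" and labels[-2] in SECOND_LEVEL_IN:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def impersonated_site(host: str):
    """Return the legitimate hostname a lookalike embeds, else None.
    'jkpolice.gov.in.kashmirattack.exposed' -> 'jkpolice.gov.in' because its real
    registrable domain is kashmirattack.exposed. Typosquats such as mgovcloud.in
    need a separate lexical-similarity check, which this does not attempt."""
    host = refang(host)
    for suffix in PROTECTED_SUFFIXES:
        idx = host.find(suffix + ".")
        if idx != -1:
            embedded = host[: idx + len(suffix)]
            if registrable_domain(host) != registrable_domain(embedded):
                return embedded
    return None

def scan_log(lines):
    """Flag log lines that contact a listed C2 IP or resolve a lookalike domain."""
    c2 = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2}
    hits = []
    for line in lines:
        for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line):
            try:
                if ipaddress.ip_address(ip) in c2:
                    hits.append(("c2_ip", ip, line))
            except ValueError:      # e.g. a version string that looks like an IP
                continue
        for host in re.findall(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", line.lower()):
            target = impersonated_site(host)
            if target:
                hits.append(("lookalike", f"{host} impersonates {target}", line))
    return hits

# Constructed sample DNS/proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-04-24T09:12:01Z dns query jkpolice.gov.in.kashmirattack.exposed from 10.0.0.14",
    "2025-04-24T09:12:05Z proxy CONNECT 93.127.133.58:443 from 10.0.0.14",
    "2025-04-24T09:13:40Z dns query mail.nic.in from 10.0.0.22",
]
```

Running `scan_log(SAMPLE_LOG)` yields one lookalike hit for the first line and one C2 hit for the second; the legitimate mail.nic.in query is not flagged.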
Malicious Domains (Phishing Infrastructure)
jkpolice[.]gov[.]in[.]kashmirattack[.]exposed
iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
virtualeoffice[.]cloud (registered June 16, 2025)
mail[.]mgovcloud[.]in (typosquatted domain)
Domain Registration Pattern:
Created 1-2 days after Pahalgam incident
Hosted across multiple ASNs:
AS 200019 (Alexhost Srl)
AS 213373 (IP Connect Inc)
AS16509 (Amazon AWS)
Command & Control (C2) Infrastructure:
IP: 93.127.133[.]58 (Crimson RAT C2 - decoded from hardcoded default)
IP: 99.83.175[.]80 (Amazon AWS - phishing infrastructure)
IP: 37.221.64[.]202 (credential harvesting)
IP: 78.40.143[.]169 (additional phishing support)
PowerPoint Weaponized File:
Filename: Report & Update Regarding Pahalgam Terror Attack.ppam
Format: PowerPoint add-in with malicious macros
Payload: Crimson RAT (disguised as "WEISTT.jpg")
Compilation: April 21, 2025 (pre-attack compilation timestamp)
Who is Getting Hit the Hardest?
The healthcare sector has been disproportionately affected, as groups such as Killsec, Medusa, and Nightspire have specifically targeted medical institutions. The industry's reliance on sensitive data, life-critical functions, and traditionally weak cybersecurity defenses makes it highly attractive to attackers using double extortion methods.
Manufacturing and industrial sectors continue to be under constant pressure from groups such as Clop, Akira, and Warlock. The attack on companies like Toyota Asia and Toyota India by Blacknevas illustrates that even large multinational corporations with established security measures can be vulnerable if their local subsidiaries operate with separate, sometimes less secure, infrastructure.
Financial services and fintech companies continue to be frequent targets, with groups such as Medusa targeting Future Generali and Babuk2 focusing on financial institutions. The sector's direct connection to monetary systems and highly sensitive financial information makes it appealing to both ransomware groups and intelligence agencies.
Government and Critical Infrastructure are under increased threat from highly concerning attacks due to their strategic significance. Notable incidents include targeted assaults on power utilities in Telangana and Andhra Pradesh, telecommunications networks such as India's telecom infrastructure by Babuk2, and government portals like punjab[.]gov[.]in by Funksec, indicating coordinated efforts to map India's critical infrastructure—potentially as a prelude to future, more damaging operations.
The Evolution of Tactics: What Changed in 2025?

AI-driven targeting and evasion: attackers are increasingly employing artificial intelligence to pinpoint valuable targets, create convincing phishing schemes, and develop malware that bypasses conventional detection methods. For example, APT36 has been reported to utilize large language models to swiftly produce new malware variants, illustrating this trend.
Supply chain compromise: sophisticated actors target less secure vendors and partners instead of attacking primary targets directly. A report indicating that 90% of Indian respondents encountered ransomware stemming from supply chain partners highlights the effectiveness of this approach.
Data-centric extortion: groups bypass encryption altogether, instead prioritizing data theft and threatening to publicly reveal the stolen information. This method lowers the chances of detection while still providing extortion leverage, an unsettling development that renders conventional backup strategies inadequate.
Multi-Extortion Strategies: Attackers are expanding their tactics beyond just encrypting data and stealing information to include threats against customers, partners, and regulators, as well as launching DDoS attacks on victims who refuse to pay, and selling stolen data on dark web marketplaces. This diversification amplifies their leverage and creates multiple sources of income.
Looking Forward Analysis: The Threat Trajectory
Continued targeting: India is expected to remain among the top five most-targeted countries in 2026, due to its swift digital growth, strategic geopolitical stance, and inherent systemic weaknesses that attract ongoing malicious interest.
Enhanced State Involvement: An increase in attacks either originating from or backed by nation-state actors aiming to achieve strategic goals through ransomware activities. The partnership between China and Pakistan is expected to grow stronger, with advanced skills and resources being shared with Pakistani cyber operators.
Critical Infrastructure Focus: Future campaigns are expected to focus more on critical infrastructure such as power grids, water facilities, transportation systems, and telecommunications. Recent reconnaissance indicates that adversaries are studying these systems to identify potential targets for future disruption.
Regulatory Pressure: Increasing regulatory pressure will drive the faster adoption of the Digital Personal Data Protection Act and industry-specific cybersecurity regulations, as organizations must decide whether to invest in security proactively or risk facing penalties after breaches.
Our Recommendations...
National-Level Coordination: Break down institutional silos. Create a unified cyber command structure with real-time information sharing between CERT-In, NCIIPC, intelligence agencies, and sector-specific response teams.
Public-Private Partnership: Government cannot secure private sector infrastructure alone. Establish mandatory threat intelligence sharing, joint incident response exercises, and coordinated vulnerability disclosure programs.
Invest in Detection and Response: Prevention is impossible; assume compromise. Organizations must deploy advanced detection capabilities, maintain offline backups, and practice incident response regularly. The average dwell time for ransomware attacks has decreased to under 24 hours, so response capabilities must match this velocity. Pipeline Unit Zero can also help any organization detect and respond.
Address Supply Chain Risk: Mandate security assessments for all third-party vendors accessing critical systems. The weakest link in your supply chain becomes your security perimeter.
Build Cyber Resilience: Move beyond compliance checkbox exercises to genuine resilience building. This means segregated networks, immutable backups, disaster recovery capabilities, and security-by-design in all new systems.
Strategic Deterrence: India must develop credible offensive cyber capabilities for deterrence. Adversaries must understand that persistent attacks carry consequences: economic, diplomatic, and potentially cyber kinetic responses.
The Stakes Have Never Been Higher
The ransomware landscape for India in 2025 represents more than cyber crime; it's hybrid warfare, espionage, and strategic competition manifested in digital form. Groups like Killsec, Qilin, and Babuk2 aren't just criminals; they're the digital proxies of a new kind of conflict where code is weaponized and data becomes both target and weapon. We have learned that threat actors are remarkably good at exploiting the gap between rhetoric and reality. India aspires to become a digital superpower, yet its cybersecurity measures remain outdated, dating back to the 1990s. That disconnect leaves vulnerabilities that even less sophisticated adversaries continuously exploit. The silver lining? These challenges are solvable; other nations have faced similar crossroads and emerged stronger. But it requires moving beyond performative security measures to a fundamental transformation of how we architect, defend, and operate digital infrastructure. The question isn't whether India will face more attacks; the question is whether India will treat 2025 as a wake-up call. We are cautiously pessimistic, but determined to be proven wrong.
About Unit Zero

This analysis synthesizes 12 months of continuous threat hunting across 847 data sources: dark web forums, ransomware leak sites, incident reports, malware repositories, and proprietary telemetry from Pipeline's monitoring infrastructure. Every claim in this report is corroborated by multiple independent intelligence streams.
Pipeline Horizon – Unit Zero is Pipeline’s dedicated APAC cyber threat intelligence, analysis, and emergency response team. If you suspect a cyberattack or security incident, please contact us: dfir@ppln.co