Introduction
Ransomware has emerged as the defining cybercrime challenge of the 2020s. Unlike earlier forms of cybercrime that targeted individual financial accounts or stole data for immediate monetisation, ransomware attacks operate as extortion enterprises at scale, encrypting the victim’s systems, demanding payment for decryption keys, and increasingly threatening to publish stolen data if the ransom is not paid. The operators of these enterprises, typically organised criminal groups operating from jurisdictions where extradition is unavailable and prosecution is unlikely, have demonstrated extraordinary sophistication and adaptability.
For Indian organisations, the threat is not theoretical. The All India Institute of Medical Sciences (AIIMS) Delhi attack in November 2022, which disrupted patient care systems for weeks and exposed sensitive medical data, illustrated how ransomware can threaten public health infrastructure. The Bharat Sanchar Nigam Limited (BSNL) breach in 2024, affecting telecom infrastructure and potentially exposing subscriber data, demonstrated the vulnerability of critical communication networks. SpiceJet’s ransomware incident in 2022 grounded flights and highlighted the exposure of transport infrastructure. These cases represent a fraction of the total attack volume; most private sector incidents are not publicly disclosed.
The legal questions generated by ransomware are multilayered and inadequately addressed by existing Indian law. They include the compliance obligations that attach to an attack even when the organisation is the victim, the legal and practical dimensions of the ransom payment decision, the enforceability and scope of cyber insurance coverage, and the challenges of cross-border attribution and enforcement. This article addresses each of these dimensions systematically.
Legal Framework
The primary statutory response to cybercrime in India remains the IT Act, 2000, supplemented by the Bharatiya Nyaya Sanhita (BNS), 2023, which replaced the Indian Penal Code. Section 43 of the IT Act provides civil remedies for unauthorised access, damage to computer systems, and introduction of computer contaminants. Section 66 criminalises dishonestly or fraudulently committing the acts described in Section 43. Section 66B provides for punishment for receiving stolen computer resources. These provisions, while broad enough to cover ransomware attacks in principle, are formulated around the act of intrusion rather than around the specific mechanics of ransomware, and contain no provisions addressing the victim’s obligations or the ransom payment question.
CERT-In’s Directions of April 2022 require reporting of ransomware attacks within six hours of detection. The category of reportable incidents expressly includes ransomware attacks. The Directions do not, however, address whether the act of paying a ransom is itself a separate reportable event, or whether payment obligations must be disclosed to CERT-In. This ambiguity leaves organisations in a difficult position when weighing the operational necessity of paying against the legal uncertainty about disclosure.
The Prevention of Money Laundering Act, 2002 (PMLA) has potential relevance to ransom payments when the recipient organisation is designated as a terrorist organisation or sanctions target. Section 3 of the PMLA defines money laundering to include any process or activity connected with the proceeds of crime. If ransom is paid to a group designated under the Unlawful Activities (Prevention) Act or the United Nations (Security Council) Act, the paying organisation could theoretically face PMLA liability, though no such prosecution has yet occurred in India.
The DPDP Act 2023 introduces data breach notification obligations that intersect with ransomware response. While the Act’s implementing rules remain pending, the Act itself requires data fiduciaries to notify the Data Protection Board and affected data principals of personal data breaches. A ransomware attack that involves exfiltration of personal data before encryption (the double extortion model, now the industry norm) clearly constitutes a personal data breach, triggering these notification obligations regardless of whether ransom is paid.
Judicial Developments
Indian courts have not yet produced definitive precedents on the core legal questions raised by ransomware, partly because most incidents are not litigated. The few judicial decisions touching on cybercrime in the context of organisational liability have generally addressed the standard of care owed by data holders to affected individuals.
Consumer forums and the National Consumer Disputes Redressal Commission have increasingly engaged with data breach claims. In a series of decisions addressing unauthorised transactions, banking data breaches, and compromised customer accounts, consumer forums have held that financial institutions and e-commerce platforms owe a duty of reasonable care to protect customer data. The doctrinal basis is Section 2(11) of the Consumer Protection Act, 2019, which includes deficiency in service within its scope, and the courts have interpreted “reasonable care” in light of applicable regulatory standards.
The Telecom Disputes Settlement and Appellate Tribunal has addressed cybersecurity failures in the context of telecom service providers, holding that operators must maintain adequate technical safeguards against network intrusions. These decisions, while not directly addressing ransomware, establish that regulatory compliance with cybersecurity standards is a minimum, not a ceiling, of reasonable care.
In the corporate governance context, the Companies Act, 2013, requires the board of directors to maintain adequate internal financial controls, and the broad interpretation of this requirement by the National Financial Reporting Authority and the Ministry of Corporate Affairs has extended to include information security controls. Board-level responsibility for cybersecurity posture is thus increasingly a matter of company law as well as regulatory compliance.
Contemporary Issues and Analysis
The ransom payment decision is the most legally and ethically complex question facing an organisation in the immediate aftermath of a ransomware attack. The operational case for payment is often compelling: decryption keys may be the fastest path to restoring systems, and the cost of extended downtime in a hospital, a bank, or a logistics company may exceed the ransom demand by orders of magnitude. The case against payment is equally compelling: payment funds future attacks, rewards criminal behaviour, provides no guarantee of decryption (ransomware operators sometimes take payment and provide no key, or provide a faulty key), and in some jurisdictions creates legal liability.
In the United States, the Office of Foreign Assets Control (OFAC) of the Treasury Department has issued guidance on ransomware payments to sanctioned entities, specifically warning that payments to designated terrorist organisations or sanctioned ransomware groups (such as Evil Corp, which has been under US sanctions since 2019) may violate US sanctions law even if the paying organisation is not American. The extraterritorial implications of US sanctions are significant for Indian companies with US dollar transactions, US investors, or US business relationships. An Indian company that pays a sanctioned ransomware group may expose itself to OFAC civil liability if the payment is routed through the US financial system, which most US dollar transactions are.
India has not yet developed a specific legal position on ransom payments. The government’s stated policy is that organisations should not pay ransoms, a position consistent with international law enforcement guidance, but there is no statutory prohibition and no regulatory guidance on the legal consequences of payment. This silence creates uncertainty for organisations that must make real-time decisions under operational pressure.
The cyber insurance market in India has grown rapidly but unevenly. IRDAI’s framework for cyber insurance products permits insurers to offer standalone cyber risk policies covering business interruption losses, data restoration costs, regulatory fines, and crisis management expenses including forensic investigation and public relations. The ransomware coverage question, however, is entangled with the war exclusion clause.
The war exclusion clause dispute arose prominently in the aftermath of the NotPetya attack of 2017, which the United States, United Kingdom, and several allied governments attributed to the Russian military intelligence service GRU. Zurich Insurance declined to pay Mondelez International’s claim of approximately $100 million in losses from NotPetya, arguing that the attack constituted a “hostile or warlike action in time of peace or war” under the war exclusion clause. The dispute, litigated in Illinois, was settled out of court in 2023, leaving unresolved the question of whether state-sponsored cyberattacks trigger war exclusions.
For Indian insurers and policyholders, the war exclusion question is particularly significant given the documented activities of state-affiliated threat actors from multiple jurisdictions targeting Indian organisations. If a ransomware attack is attributed to a state-sponsored group, does the insurance policy respond? The answer turns on the specific policy language and the facts of attribution. Most Indian cyber insurance policies have not been updated to address this question with the precision it requires, and the absence of definitive litigation means that policyholders have uncertain expectations about coverage.
Comparative and International Perspective
The United States has moved towards a more structured regulatory response to ransomware. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022, requires critical infrastructure entities to report ransomware payments to CISA within 24 hours, regardless of whether the attack is separately reported as a cybersecurity incident. This reporting requirement for payments specifically, distinct from the incident itself, represents a policy tool for mapping the ransomware economy. India has no equivalent.
Australia’s Ransomware Action Plan (2021) declared a zero-tolerance policy for ransomware payments by government entities and introduced enhanced penalties for ransomware operators. The Cyber Security Act 2024, which Australia enacted following a major cyber incident at Optus in 2022, introduced mandatory reporting and expanded CISA’s equivalent’s powers. Australia also introduced a ransomware payment reporting scheme in the Cyber Security Act, requiring organisations with annual turnover above a threshold to report ransomware payments, without prohibiting them, as a data-gathering mechanism.
The United Kingdom’s National Cyber Security Centre guidance actively discourages ransomware payments and has issued sector-specific guidance for essential services. The UK’s approach relies more heavily on resilience (backup systems, tested recovery procedures) than on payment prohibition, recognising that prohibition without resilience simply destroys organisations that cannot recover without paying.
Internationally, the Counter Ransomware Initiative, a coalition of over 40 countries including India, has issued a joint statement discouraging ransomware payments to sanctioned entities and committing to share information on ransomware threat actors. India’s membership in this initiative creates a soft-law expectation of policy alignment even in the absence of domestic legislation.
Practical and Policy Implications
For organisations assessing their ransomware posture, the legal and insurance dimensions must be integrated with technical preparation. The most significant legal risk reduction measure is not a contractual provision or insurance policy but a tested incident response plan that includes pre-designated legal counsel, forensic investigators, regulatory notification procedures, and communication protocols. Organisations that can demonstrate they followed a documented incident response plan are better positioned in regulatory inquiries, insurance claims, and potential litigation.
Insurance purchasing decisions should be made with specific attention to policy language around war exclusions, sanctioned entity exclusions, and the definition of “cyber event” or “security failure.” Indian policyholders should seek explicit written confirmation from their insurer about coverage for state-sponsored attacks and for incidents involving groups that appear on OFAC or UN sanctions lists.
The board-level governance dimension of ransomware preparedness has been underappreciated. Board members of listed companies owe fiduciary duties that extend to material cybersecurity risks. A board that has not received and reviewed a credible ransomware preparedness report, approved an incident response budget, and tested its crisis communication plan may face directorial liability in the event of a major incident.
Suggestions and Reforms
India should develop a specific legal framework for ransomware responses. This framework should address the following elements. The reporting obligation should explicitly require organisations to report ransomware payments to CERT-In within 24 hours of payment, in addition to the existing incident reporting obligation. This creates data for policy without prohibiting payments that may be operationally necessary.
A safe harbour from PMLA liability should be created for bona fide ransom payments made without knowledge that the recipient was a designated entity, provided the organisation has complied with available sanctions screening mechanisms. Organisations that pay ransoms to entities that are on no applicable sanctions list at the time of payment should not face retroactive liability if the group is subsequently designated.
IRDAI should issue sector-specific guidance on cyber insurance policy wording, requiring clear disclosure about war exclusion clauses, state-sponsored attack coverage, and ransomware payment coverage. Mandatory standardised disclosures would allow purchasers to make informed comparisons.
Conclusion
Ransomware represents a category of cyberthreat that exposes the gaps in India’s current legal and regulatory framework. The victim organisation simultaneously faces operational crisis, regulatory obligations, insurance uncertainties, and legal exposure that may arise from the very act of seeking to recover from the attack. The law has not kept pace with the sophistication of the threat or the operational complexity of the response.
India’s membership in the Counter Ransomware Initiative, the enactment of the DPDP Act, and the CERT-In Directions together provide the building blocks of a more coherent framework. What is needed is legislative clarity on the ransom payment question, regulatory guidance on insurance requirements, and sustained investment in the organisational resilience that reduces the pressure to pay in the first place. The experience of AIIMS Delhi, BSNL, and SpiceJet provides both the urgency and the evidence base for that work.