Ransomware continues to impose a significant financial burden on Indian enterprises, with average recovery costs surpassing USD 1 million, according to Sophos’ “The State of Ransomware 2025” report. The findings for India were unveiled today in New Delhi by Sunil Sharma, Vice President – Sales, India & SAARC, Sophos. Now in its sixth edition, the annual report is based on a vendor-agnostic survey of 3,400 IT and cybersecurity leaders across 17 countries, including 378 organizations in India that were impacted by ransomware in the past year.
Also read: Record Surge in Automated Cyberattacks as Adversaries Weaponize AI
“Ransomware remains a harsh reality for many Indian businesses. Even as awareness improves, organisations continue to face challenges like unpatched vulnerabilities, limited cybersecurity resources, or lack of the right support during an attack. Often, paying the ransom seems like the only way to restore operations,” said Sharma.
However, there’s a silver lining. Sunil highlighted a positive shift in mindset among Indian organizations, noting an increased focus on cyber preparedness. “We’re seeing more organizations understand the value of resilience. At Sophos, we are driving this change through Managed Detection and Response (MDR), advanced endpoint protection, and real-time threat intelligence. The focus is gradually moving from reactive measures to proactive cybersecurity and that’s a shift worth encouraging,” he added.
Root Causes: Technical and Organizational
The report identifies exploited vulnerabilities (29%) as the leading technical root cause of ransomware attacks in India, followed by compromised credentials (22%), malicious emails (21%), phishing (17%), brute force attacks (6%), and downloads from untrusted sources (3%).
From an organizational standpoint, the top two root causes were a lack of capacity or skilled personnel and poor-quality protection, both cited by 41% of Indian respondents. Other contributing factors included human error, lack of expertise, and known or unknown security gaps.
Additional Important Findings
Additional key findings from the report highlight ongoing concerns for Indian organisations. Data theft remains a significant issue even as encryption rates show a slight decline. Among the attacks where data was encrypted, 31 percent of Indian organisations also experienced data theft, marking a modest improvement from 34 percent the previous year. While fewer high ransom demands are being made, the amounts remain substantial. Nearly 49 percent of ransom demands were for USD 1 million or more, although this is a decrease from 62 percent reported last year.
The impact of ransomware is also being felt beyond IT systems, with cybersecurity-related stress on the rise. Around 46 percent of Indian respondents reported increased anxiety or stress about future attacks, and 42 percent noted growing pressure from senior leadership. On the recovery front, companies are increasingly adopting a multi-layered approach. While 53 percent of organisations that experienced encryption paid the ransom to recover their data, 51 percent relied on backups indicating a growing emphasis on resilience and preparedness.
Recommendations from Sophos
The Sophos report emphasizes the need for a multi-layered approach to tackling ransomware in 2025 and beyond:
- Prevention: Minimize both technical and operational root causes. Blocking entry points can stop attacks before they begin.
- Protection: Fortify endpoint, particularly servers, with strong, dedicated anti-ransomware defenses.
- Detection and Response: Rapid threat detection and response are critical. Organizations lacking internal expertise are encouraged to engage trusted MDR (Managed Detection and Response) providers.
- Planning and Preparation: Develop and routinely test incident response plans. Maintain reliable backups and rehearse recovery protocols.
