Executive Summary
Ransomware attacks, where malicious actors encrypt data and demand ransom for decryption, implicate multiple legal frameworks in India:
- IT Act offenses: Sections 43 and 66 (unauthorized access and damage), 66B (dishonestly receiving a stolen computer resource) and 66F (cyber terrorism, where critical information infrastructure is targeted)
- IPC offenses: Sections 384, 385 (extortion), 420 (cheating); for conduct on or after 1 July 2024 the corresponding Bharatiya Nyaya Sanhita provisions apply
- DPDP obligations: Personal data breach notification to the Data Protection Board and affected Data Principals (Section 8(6))
- CERT-In directions: Mandatory incident reporting within 6 hours of noticing the incident
- Law enforcement: Cyber Crime Police, CBI, NIA jurisdiction
- Payment considerations: Legal and regulatory risks of paying ransom
- Prevention obligations: Reasonable security practices under IT Act Section 43A
This guide examines the legal framework for ransomware incidents and compliance obligations.
1. Understanding Ransomware
Attack Methodology
| Stage | Description |
|---|---|
| 1. Initial access | Phishing, exploitation of exposed or unpatched services, stolen or brute-forced RDP/VPN credentials |
| 2. Lateral movement | Spread through the network using harvested credentials and administrative tooling |
| 3. Data exfiltration | Copy sensitive data out before encrypting (the basis for double extortion) |
| 4. Encryption | Encrypt files, and often backups and shadow copies, with strong cryptography; only the attacker holds the key |
| 5. Ransom demand | Ransom note left on affected systems demanding payment in cryptocurrency |
| 6. Negotiation | Deadline pressure, threats of publication or escalation |
Common Variants
| Type | Characteristics |
|---|---|
| Crypto-ransomware | Encrypts files, demands payment for the decryption key |
| Locker ransomware | Locks the system or screen without encrypting data, demands payment |
| Double extortion | Encryption plus the threat to leak exfiltrated data |
| Triple extortion | Double extortion plus a third pressure channel, typically DDoS or direct contact with the victim's customers and partners |
| Ransomware-as-a-Service | Developers lease the malware and infrastructure to affiliates who run the intrusions and share the ransom |
2. Applicable Criminal Laws
IT Act Offenses
| Section | Offense | Punishment |
|---|---|---|
| 43 | Unauthorized access, damage, disruption or denial of access (civil liability) | Compensation to the affected person; claims up to Rs. 5 crore are decided by the adjudicating officer (Section 46), larger claims by the civil court |
| 66 | Any act under Section 43 done dishonestly or fraudulently | Up to 3 years imprisonment, or fine up to Rs. 5 lakh, or both |
| 66B | Dishonestly receiving a stolen computer resource or communication device | Up to 3 years imprisonment, or fine up to Rs. 1 lakh, or both |
| 66F | Cyber terrorism, including attacks on critical information infrastructure with intent to threaten the unity, integrity, security or sovereignty of India | Imprisonment which may extend to life |
Indian Penal Code Offenses
| Section | Offense | Punishment |
|---|---|---|
| 384 | Extortion | Up to 3 years imprisonment, or fine, or both |
| 385 | Putting a person in fear of injury in order to commit extortion | Up to 2 years imprisonment, or fine, or both |
| 420 | Cheating and dishonestly inducing delivery of property | Up to 7 years imprisonment and fine |
| 120B | Criminal conspiracy | As for the object offence |

Note: the IPC was replaced by the Bharatiya Nyaya Sanhita, 2023 (BNS) for offences committed on or after 1 July 2024. The corresponding BNS provisions are Section 308 (extortion), Section 318 (cheating) and Section 61 (criminal conspiracy); cite the IPC sections only for conduct before that date.
Which Law Applies?
| Element | IT Act | IPC | Note |
|---|---|---|---|
| Unauthorized access | Sections 43, 66 | - | IT Act primary |
| Data encryption / denial of access | Sections 43, 66 | - | IT Act primary |
| Ransom demand | - | Sections 384, 385 | IPC primary |
| Payment fraud (e.g. no working decryptor delivered after payment) | - | Section 420 | IPC primary |
| Complete attack | 43, 66 (and 66F if critical information infrastructure is hit) | 384, 385, 420, 120B | Both charged together; Section 81 of the IT Act gives it overriding effect where the two conflict |
3. CERT-In Incident Reporting
Mandatory Reporting Obligation
Under the CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act):

| Requirement | Specification |
|---|---|
| Timeline | Within 6 hours of noticing the incident or of being brought to notice of it |
| Reporting entity | Service providers, intermediaries, data centres, body corporate and Government organisations |
| Reporting channel | Email incident@cert-in.org.in or the incident reporting form on https://www.cert-in.org.in (NCIIPC at nciipc.gov.in is a separate body responsible for critical information infrastructure, not the CERT-In reporting point) |
| Information | Incident details, systems affected, impact, actions taken (see the data points below) |
| Log retention | ICT system logs must be retained for 180 days within India and produced to CERT-In on request |
Reportable Ransomware Incidents
| Incident Type | Examples |
|---|---|
| Malware attacks | Ransomware, trojans |
| Unauthorized access | Compromise of systems |
| Data breach | Exfiltration of data |
| Data leak | Threatened or actual publication |
| Denial of service | DDoS accompanying ransomware |

Information to Report

| Data Point | Details |
|---|---|
| Incident type | Ransomware attack |
| Date/time | When the attack was detected |
| Systems affected | Servers, databases, endpoints |
| Data compromised | Types and volume |
| Attack vector | How the attackers gained access |
| Ransom demand | Amount and cryptocurrency |
| Actions taken | Containment, investigation |
4. DPDP Act Breach Notification
Data Breach Obligations
If the ransomware affects personal data, Section 8(6) of the DPDP Act, 2023 requires the Data Fiduciary to intimate the breach in the form and manner prescribed by the DPDP Rules. The Act's provisions come into force on notification; the draft DPDP Rules published in January 2025 set out the details below:

| Obligation | Timeline | Recipient |
|---|---|---|
| DPB notification | Without delay; a detailed report within 72 hours (or a longer period the Board allows) under the draft Rules | Data Protection Board of India |
| Individual notification | Without delay | Affected Data Principals |
| Content | Nature, extent, timing and location of the breach, likely consequences, mitigation taken, and steps the Data Principal can take to protect themselves | Both |
When DPDP Applies to Ransomware
| Scenario | DPDP Notification Required |
|---|---|
| Data encrypted only | Yes: loss of access to personal data is within the Act's definition of a personal data breach (Section 2(u)), even without exfiltration |
| Data exfiltrated | Yes: unauthorized acquisition and disclosure |
| System locked (no personal data affected) | No, if no personal data was processed or affected; record the basis for that conclusion |
| Double extortion | Yes: both loss of access and unauthorized acquisition |
5. Law Enforcement Jurisdiction
Investigation Agencies
| Agency | Jurisdiction |
|---|---|
| Cyber Crime Police Stations | First responders; register the FIR at state level |
| State Cyber Cells | Coordination within the state |
| National Cyber Crime Reporting Portal (cybercrime.gov.in) / I4C | Online complaint intake routed to the relevant state police; helpline 1930 |
| CBI Cyber Crime Unit | Inter-state and complex cases; also India's Interpol National Central Bureau |
| National Investigation Agency (NIA) | Scheduled offences affecting national security, including Section 66F cyber terrorism |
| CERT-In | Technical coordination and advisories; not an investigating agency |
When to Involve Which Agency
| Situation | Agency |
|---|---|
| Initial attack | Local Cyber Crime Police |
| Multi-state attack | CBI |
| Critical infrastructure | NIA + CERT-In (and NCIIPC for notified CII) |
| International perpetrators | CBI + Interpol coordination |
| Ongoing incident | CERT-In (technical support) |
6. To Pay or Not to Pay Ransom
Legal Considerations
| Aspect | Implication |
|---|---|
| No legal obligation | Paying is voluntary; Indian law does not require a victim to pay |
| No blanket prohibition | Indian law does not expressly criminalise paying a ransom, but the payment can breach other laws (below) |
| Funding crime | Payment funds the criminal enterprise and finances further attacks |
| Terrorist financing | If the attackers are a designated entity, payment can amount to financing terrorism under the UAPA |
| No guarantee | Payment does not ensure a working decryptor or deletion of the stolen data |
| Repeat targeting | Marks the organisation as willing to pay |
Regulatory Guidance
| Authority | Position |
|---|---|
| CERT-In | Advises against payment |
| Law enforcement | Recommends not paying |
| RBI | No specific prohibition (cryptocurrency is unregulated rather than banned; the 2018 banking restriction was set aside by the Supreme Court in 2020) |
| FATF | Caution on terrorist financing risks |
If Organization Decides to Pay
| Consideration | Action |
|---|---|
| Legal advice | Consult before payment |
| Law enforcement | Inform the investigating agency before paying |
| Cryptocurrency | Legal and tax implications; acquire through a KYC-compliant exchange and keep the transaction records |
| Documentation | Maintain records of the decision, approvals, wallet addresses and transaction hashes |
| Reporting | CERT-In, DPB, tax authorities |
| Sanctions check | Screen the counterparty against UN Security Council and domestic (UAPA) designations and, where the organisation has a foreign nexus, that jurisdiction's sanctions lists |
7. Incident Response Framework
Immediate Actions (0-6 Hours)
| Step | Action |
|---|---|
| 1. Isolate | Disconnect affected hosts from the network (unplug or disable the NIC, block at the switch); do not wipe or power off, since memory and running processes are evidence |
| 2. Preserve evidence | Capture volatile memory, take forensic images, hash everything at acquisition |
| 3. Assess scope | Identify affected systems and data, and whether exfiltration occurred |
| 4. Activate team | Assemble the incident response team, legal counsel and insurer contact |
| 5. Report to CERT-In | Within 6 hours of noticing the incident |
| 6. Law enforcement | File an FIR with the Cyber Crime Police (or via cybercrime.gov.in) |
Short-Term Actions (6-72 Hours)
| Step | Action |
|---|---|
| 7. Investigation | Root cause analysis, forensics, confirmation of what was exfiltrated |
| 8. Containment | Stop the spread, reset compromised credentials, close the entry vector |
| 9. Backup restoration | Only from backups verified clean and taken before the intrusion began |
| 10. DPB notification | If a personal data breach |
| 11. Individual notification | Inform affected Data Principals |
| 12. Communication | Internal and external stakeholders, insurer, regulators for the sector |
Recovery Actions (72+ Hours)
| Step | Action |
|---|---|
| 13. System restoration | Rebuild from known-good images or restore from backups |
| 14. Decryption | If a key is obtained or a public decryptor exists (check No More Ransom and vendor decryptors before considering payment) |
| 15. Monitoring | Watch for re-infection and residual attacker access |
| 16. Security upgrades | Implement improvements identified in the investigation |
| 17. Audit | Post-incident review |
| 18. Policy updates | Revise security and response policies |
8. Prevention Obligations
Reasonable Security Practices (IT Act Section 43A)
Section 43A and the SPDI Rules, 2011 make a body corporate handling sensitive personal data liable to compensate for negligence in maintaining reasonable security practices. Once Section 8(5) of the DPDP Act is in force, reasonable security safeguards become a general obligation of every Data Fiduciary.

| Requirement | Implementation |
|---|---|
| Technical safeguards | Firewalls, encryption, access controls |
| Organizational measures | Policies, training, audits |
| IS/ISO/IEC 27001 | The standard named in the SPDI Rules as a reasonable security practice when documented and audited |
| Regular updates | Patch management |
| Backup strategy | 3-2-1 rule (3 copies, 2 media types, 1 offsite), with at least one copy offline or immutable and restores tested regularly |
Prevention Best Practices
| Measure | Purpose |
|---|---|
| Email filtering | Block phishing attempts and malicious attachments |
| Endpoint protection | Anti-malware, EDR |
| Network segmentation | Limit lateral movement |
| MFA | Prevent credential-based access, especially on remote access (RDP/VPN) and admin accounts |
| Privileged access management | Control and monitor admin credentials |
| Regular backups | Enable restoration |
| Offline or immutable backups | Keep a copy the ransomware cannot reach and encrypt |
| Security awareness | Train employees |
| Vulnerability management | Regular scanning and patching, with internet-facing services first |
| Incident response plan | Preparedness, including rehearsed decisions on reporting and payment |
9. Evidence Preservation
Digital Forensics
| Evidence Type | Preservation Method |
|---|---|
| System logs | Export and hash before any rebuild; the CERT-In directions require 180-day log retention |
| Volatile memory | Capture before powering off; running ransomware processes and, sometimes, key material exist only in memory |
| Network traffic | Packet captures plus flow, proxy and firewall logs around the detection window |
| Ransomware note | Screenshot and verbatim text copy (the identifiers and contact details in it are used to attribute the family) |
| Encrypted files | Preserve sample files, with the note, for family identification and checking for a public decryptor |
| Payment demands | Communication records with the attackers, including negotiation portal transcripts |
| Decryption attempts | Document every action, tool and outcome |
Chain of Custody
| Requirement | Purpose |
|---|---|
| Timestamped logs | Record when each item was acquired and every hand-off |
| Write-blocked copies | Image disks through a write blocker; work on copies, never the original |
| Hash values | SHA-256 (or another strong hash) at acquisition, re-verified before analysis and before production in court |
| Documentation | Who handled what, when, and why |
| Storage | Secure, access-controlled evidence retention |
| Section 65B certificate (Evidence Act), now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 | Certificate needed for electronic records to be admissible |
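The hash and timestamp requirements in the chain-of-custody table translate directly into a manifest that is written at acquisition and re-checked before analysis or production. The script below is an added example, not part of the original guide: it hashes each exhibit with SHA-256, records a UTC timestamp and handler, appends custody events on every hand-off, and seals the manifest with its own hash so that a modified exhibit and a modified record are both detectable. The case id, handler names and exhibit files are constructed for illustration.

```python
"""Chain-of-custody manifest for ransomware evidence.

Added example, not part of the original guide.  Exhibits are hashed at
acquisition (SHA-256, streamed so a disk image need not fit in memory),
recorded with a UTC timestamp and handler, and the record set is sealed
with its own hash.  verify() reports exhibits that have changed or gone
missing and whether the manifest itself was edited.  The case id, handler
names and exhibit files are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size for streaming hashes


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large forensic images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def seal(manifest: dict) -> dict:
    """Store a hash over the records so edits to the manifest are detectable."""
    blob = json.dumps(manifest["records"], sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(blob).hexdigest()
    return manifest


def acquire(case_id: str, handler: str, items: dict) -> dict:
    """Create custody records for {exhibit_label: path} and seal them."""
    now = _now()
    records = []
    for label, path in sorted(items.items()):
        records.append({
            "exhibit": label,
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "acquired_utc": now,
            "handler": handler,
            "custody_log": [{"when": now, "who": handler, "action": "acquired"}],
        })
    return seal({"case_id": case_id, "records": records})


def log_custody(manifest: dict, exhibit: str, who: str, action: str) -> dict:
    """Append a hand-off event for one exhibit and re-seal the manifest."""
    for rec in manifest["records"]:
        if rec["exhibit"] == exhibit:
            rec["custody_log"].append({"when": _now(), "who": who, "action": action})
            return seal(manifest)
    raise KeyError(f"unknown exhibit {exhibit}")


def verify(manifest: dict) -> dict:
    """Re-hash every exhibit and the record set; report what no longer matches."""
    blob = json.dumps(manifest["records"], sort_keys=True).encode()
    result = {
        "manifest_intact": hashlib.sha256(blob).hexdigest() == manifest.get("manifest_sha256"),
        "mismatched": [],
        "missing": [],
    }
    for rec in manifest["records"]:
        if not os.path.exists(rec["path"]):
            result["missing"].append(rec["exhibit"])
        elif sha256_file(rec["path"]) != rec["sha256"]:
            result["mismatched"].append(rec["exhibit"])
    return result


def build_sample_evidence() -> dict:
    """Construct two exhibits in a temp dir: a note and an encrypted-file sample."""
    d = Path(tempfile.mkdtemp(prefix="evidence-"))
    (d / "ransom_note.txt").write_text("Constructed ransom note text for the example\n")
    (d / "sample.docx.locked").write_bytes(bytes(range(256)) * 16)
    return {"EX-01": str(d / "ransom_note.txt"), "EX-02": str(d / "sample.docx.locked")}


if __name__ == "__main__":
    items = build_sample_evidence()
    m = acquire("CASE-CONSTRUCTED-001", "analyst-a", items)
    m = log_custody(m, "EX-01", "analyst-b", "handed to Cyber Crime Police")
    Path(tempfile.gettempdir(), "custody_manifest.json").write_text(json.dumps(m, indent=2))
    print(json.dumps(verify(m), indent=2))
```

Keep the manifest file itself under the same controls as the exhibits (a signed copy or a printout in the case file is the usual practice), because the seal only proves the records match the manifest hash, not who wrote the hash.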
10. Insurance Considerations
Cyber Insurance Coverage
| Coverage | Application to Ransomware |
|---|---|
| Ransom payment | May be covered (policy-dependent, often sub-limited) |
| Forensic investigation | Usually covered |
| Business interruption | Covered if included in the policy |
| Data recovery | Usually covered |
| Legal expenses | Usually covered |
| Regulatory fines | May be excluded, or uninsurable where the law does not allow indemnity |
| Third-party claims | Covered under the liability section, if present |
Policy Exclusions
| Exclusion | Reason |
|---|---|
| Acts of war | State-sponsored cyber warfare may be excluded |
| Known vulnerabilities | Failure to patch within the period the policy requires |
| Intentional acts | Insider threats, acts by the insured |
| Prior incidents | Pre-existing compromises known before inception |
Claims Process
| Step | Action |
|---|---|
| Immediate notice | Notify the insurer as soon as the incident is detected; late notice can void the claim |
| Incident documentation | Detailed records of timeline, decisions and costs |
| Follow panel vendors | Use the insurer's approved forensic and legal firms where the policy requires it |
| Ransom negotiation | Involve the insurer before any contact with the attackers |
| Proof of loss | Document all costs |
11. International Cooperation
Cross-Border Challenges
| Challenge | Issue |
|---|---|
| Attribution | Attackers operate from foreign jurisdictions |
| Cryptocurrency | Pseudonymous payment channels, mixers and offshore exchanges |
| Jurisdiction | Conflicting legal regimes and data-access rules |
| Evidence | MLAT procedures are slow relative to the pace of an incident |
Mutual Legal Assistance
| Mechanism | Purpose |
|---|---|
| MLAT treaties | Formal evidence exchange between governments |
| Interpol | Police-to-police cooperation, routed through the CBI as India's National Central Bureau |
| Budapest Convention | Cyber crime cooperation framework (India is not a party, so requests fall back on MLATs and bilateral arrangements) |
| Bilateral agreements | Country-specific cooperation |
12. Penalties for Non-Compliance
For Organizations
| Non-Compliance | Penalty |
|---|---|
| CERT-In reporting failure | Section 70B(7) IT Act: imprisonment up to 1 year, or fine up to Rs. 1 lakh, or both |
| DPDP breach notification failure | Up to Rs. 200 crore (Schedule to the DPDP Act) |
| DPDP reasonable security safeguards failure | Up to Rs. 250 crore |
| Reasonable security failure (SPDI Rules) | Compensation under Section 43A |
| Negligence | Civil liability to affected parties |
For Attackers
| Offense | Maximum Penalty |
|---|---|
| IT Act Section 66 | 3 years imprisonment, or fine up to Rs. 5 lakh, or both |
| IPC Section 384 | 3 years imprisonment, or fine, or both |
| IPC Section 420 | 7 years imprisonment and fine |
| Cyber terrorism (66F) | Imprisonment which may extend to life |
13. Sector-Specific Considerations
| Sector | Additional Requirements |
|---|---|
| Banking/Finance | RBI Cyber Security Framework in Banks (2016), which requires incident reporting to RBI within 2 to 6 hours; SEBI cyber security framework for market intermediaries |
| Power/Energy | CEA cyber security guidelines for the power sector, CERC regulations |
| Telecom | DoT licence security conditions |
| Healthcare | Patient data protection: health data was sensitive personal data under the SPDI Rules and remains personal data under the DPDP Act |
| Government / critical infrastructure | NCIIPC guidelines for notified critical information infrastructure (Section 70 IT Act) |
14. Compliance Checklist
Pre-Incident Preparation
During Incident
Post-Incident
15. Key Takeaways for Practitioners
Multiple Laws Apply: Ransomware implicates the IT Act, IPC (BNS from 1 July 2024), DPDP Act, and CERT-In directions.
6-Hour Reporting: CERT-In notification is mandatory within 6 hours of noticing the incident.
Data Breach Notification: If personal data is compromised, including by encryption alone, notify the DPB and affected individuals without delay in the form the DPDP Rules prescribe.
Law Enforcement Essential: File an FIR with the Cyber Crime Police immediately.
Payment Risks: Paying ransom has legal, regulatory, and practical risks; consult legal advice and inform law enforcement first.
Prevention Obligations: Reasonable security practices are mandatory under IT Act Section 43A, and reasonable security safeguards under DPDP Section 8(5) once in force.
Evidence Preservation: Hash at acquisition and maintain chain of custody for forensic evidence.
Cyber Insurance: Review policy coverage for ransomware, including ransom payment and notice requirements.
Conclusion
Ransomware attacks trigger multiple legal obligations under Indian law, including CERT-In reporting within 6 hours, personal data breach notification under the DPDP Act, and criminal complaints under the IT Act and IPC (or BNS). Organizations must prioritize prevention through reasonable security practices, maintain tested offline backups, and develop comprehensive incident response plans. The decision to pay ransom involves significant legal and regulatory considerations and should only be made after legal consultation, a sanctions check, and law enforcement notification. Effective response requires coordination between legal, technical, and law enforcement stakeholders.