Sophos has released the India-specific findings of its seventh annual State of Ransomware report, and the numbers point to a clear shift in how attackers are getting in.
More than four in five ransomware attacks in the country, or 81%, now begin with compromised identities, a figure that sits ahead of the 79% global average. The report is based on responses from 500 IT and cybersecurity decision-makers in India, part of a broader vendor-agnostic survey covering 5,000 respondents across 17 countries, conducted by Vanson Bourne on behalf of Sophos in the first quarter of 2026.
The data shows that exploited vulnerabilities, once the leading cause of ransomware incidents, have fallen sharply. Malicious email and phishing now account for 28% and 26% of attacks respectively, together making up more than half of all cases, while exploited vulnerabilities have dropped to just 11%, a steeper decline than the global figure of 24%.
Sunil Sharma, Managing Director and Vice President, India and SAARC, Sophos, said, “India’s ransomware numbers this year confirm what we’re seeing on the ground: attackers are no longer breaking down the door, they’re using stolen keys. The majority of ransomware in India now begins with a compromised identity, not a technical exploit. As AI lowers the cost of large-scale phishing and credential theft, Indian organizations need to treat identity as their primary line of defense – enforcing phishing-resistant multi-factor authentication, auditing both human and non-human accounts, and closing the visibility gaps attackers are exploiting.”
Among Indian organizations hit by ransomware, 60% had their data encrypted by attackers, higher than the global rate of 56%, and 16% of cases involved data being both encrypted and stolen, a figure that matches the global average exactly. Separately, 79% of respondents confirmed that their ransomware incident was also their most significant identity attack of the year, well above the two-thirds reported globally, reinforcing how central identity compromise has become to ransomware in the country.
When it came to paying up, 56% of Indian organizations that had their data encrypted chose to pay the ransom and recovered their data, compared to 48% globally, while 67% relied on backups and 18% recovered through other means. Multi-factor authentication was already in place in 98% of India incidents where compromised credentials were the root cause, almost identical to the global figure of 97%, a detail that points to a gap between having MFA deployed and having it applied consistently across every access point. The UK, for context, recorded the highest median ransom demand of any country surveyed at $2.5 million.
Recovery times have improved even as prevention remains a challenge. Over half of Indian organizations, 58%, managed to recover within a week of an attack, and 14% did so in under a day, a trend the report links to greater investment in backup infrastructure. The average cost to rectify a ransomware attack in India stood at $1.11 million, below the global average of $1.7 million.
Ross McKerchar, Chief Information Security Officer, Sophos, said, “Organizations have strengthened their ransomware resilience in the past year, and those investments are largely paying off. However, ransomware continues to cost organizations millions. As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organizations far more cheaply and quickly than before. Organizations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy.”
Sophos has recommended a set of measures for Indian organizations looking to build integrated, AI-driven defenses that combine technology, people and process. These include treating identity as a foundational security layer by prioritizing identity threat detection and response, enforcing phishing-resistant multi-factor authentication across all access points, and regularly auditing both human and non-human identities.
The firm also recommends investing in backup and recovery infrastructure, testing backups regularly, storing them offline or in immutable formats, and building them into a documented incident response plan.
Maintaining exposure management programs through rigorous patching schedules, prioritizing internet-facing assets, and evaluating AI-assisted tools for faster vulnerability remediation was also flagged as important, alongside reducing exposure through firewalls and using firewall telemetry to detect attacks early, including connecting firewalls to XDR and MDR solutions.
Sophos further advised aligning security investment with local regulatory pressure, noting that with DPDP Act compliance now a stated priority for nearly a third of Indian organizations, security and compliance teams should treat identity and data-protection controls as shared infrastructure rather than separate workstreams.
Send news announcements/press releases to:
editor@thefoundermedia.com
