Sophos, a global cybersecurity leader, today released India-specific findings from its seventh annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries identifying the impact of ransomware on businesses and how prepared organizations are to defend against them. The India data shows identity is the dominant initial access vector (IAV) for ransomware in the country, with more than four in five (81%) attacks starting with compromised identities – ahead of the 79% global average.
As in the rest of the world, exploited vulnerabilities are no longer the leading root cause of ransomware attacks in India. Malicious email (28%) and phishing (26%) now account for more than half of all attacks, while exploited vulnerabilities have fallen to just 11% – a sharper drop than the global figure of 24%, and consistent with the broader shift toward identity-based intrusion.
“India’s ransomware numbers this year confirm what we’re seeing on the ground: attackers are no longer breaking down the door, they’re using stolen keys. The majority of ransomware in India now begins with a compromised identity, not a technical exploit. As AI lowers the cost of large-scale phishing and credential theft, Indian organizations need to treat identity as their primary line of defense – enforcing phishing-resistant multi-factor authentication, auditing both human and non-human accounts, and closing the visibility gaps attackers are exploiting,” said Sunil Sharma, managing director and vice president, India and SAARC, Sophos
The report also found that, out of Indian organizations hit by ransomware, 60% had their data encrypted by attackers – higher than the 56% global rate, and including 16% where data was both encrypted and stolen, matching the global figure exactly.
Additional India findings:
- 79% confirmed their ransomware incident was also their most significant identity attack of the year – well above the two-thirds (67%) reported globally, reinforcing identity compromise as the primary ransomware delivery mechanism in the country.
- When data was encrypted, 56% of Indian organizations paid the ransom and recovered their data – compared to 48% globally – while 67% used backups and 18% recovered through other means.
- Multi-factor authentication was already deployed in 98% of India incidents where compromised credentials were the root cause of the attack, almost identical to the 97% recorded globally – underscoring that MFA alone is not sufficient without full coverage gaps create exposure.
- The UK saw the highest median ransom demand recorded for any country at $2.5 million.
While organizations face prevention challenges as threat actors evolve their techniques, significant progress has been made to improve their ability to recover. Increased investment in backup infrastructure has likely contributed to organizations recovering faster following a ransomware attack; over half (58%) of Indian organizations manage to do so within one week, and 14% in less than a day.
- While improved strategies have impacted the adversary’s ability to extract financial gain through ransom demands, the average cost to rectify a ransomware attack in India was $1.11 million, below the $1.7 million global average
Ross McKerchar, chief information security officer, Sophos, said “Organizations have strengthened their ransomware resilience in the past year, and those investments are largely paying off. However, ransomware continues to cost organizations millions. As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organizations far more cheaply and quickly than before. Organizations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy.”
Sophos recommends the following best practices to help Indian organizations build integrated, AI-driven defenses that bring together technology, people and process:
- Treat identity as a foundational security layer – Prioritize identity threat detection and response (ITDR), enforce phishing-resistant multi-factor authentication across all access points, and regularly audit both human and non-human identities.
- Invest in backup and recovery infrastructure – Test backups regularly, store them offline or in immutable formats, and integrate them into a documented incident response plan that can be executed under pressure.
- Maintain exposure management programs – Keep rigorous patching schedules, prioritize internet-facing assets, and evaluate how AI-assisted tools can accelerate vulnerability identification and remediation.
- Reduce exposure via the firewall and use firewall telemetry to detect attacks early – Ensure firewalls receive rapid, ideally automated, updates and minimize internet-facing services like admin access and user portals. Connect firewalls to XDR and MDR solutions so telemetry can help detect ransomware before payloads are deployed.
- Align security investment to local regulatory pressure – With DPDP Act compliance now a stated priority for nearly a third of Indian organizations, security and compliance teams should treat identity and data-protection controls as shared infrastructure rather than separate workstreams.
This regional analysis is based on the 500 IT and cybersecurity decision-makers in India who took part in the broader Sophos State of Ransomware 2026 study, conducted by Vanson Bourne on behalf of Sophos in Q1 2026. Of those 500, 240 organizations had been hit by ransomware in the previous 12 months. Globally, 5,000 IT and cybersecurity decision-makers were surveyed across 17 countries: USA, Brazil, Chile, Colombia, Mexico, UK, France, Germany, Italy, Spain, Switzerland, Australia, India, Japan, Singapore, South Africa, and UAE. Respondents came from organizations with 100 to 5,000 employees across 15 industry sectors.
Download the full State of Ransomware 2026 report on Sophos.com.
