Security
Compromised identities have become the leading entry point for ransomware attacks in India, with 81% of incidents now originating from stolen or compromised credentials, according to Sophos' State of Ransomware 2026 report.
The cybersecurity vendor's India-specific findings indicate a significant shift in attacker tactics, with malicious email (28%) and phishing (26%) replacing software vulnerabilities as the primary causes of ransomware incidents. Exploited vulnerabilities accounted for just 11% of attacks in India, compared with 24% globally.
The report, based on responses from 500 IT and cybersecurity decision-makers in India, found that four out of five ransomware attacks were also the most significant identity-related security incident experienced by affected organizations during the past year.
"India's ransomware numbers this year confirm what we're seeing on the ground: attackers are no longer breaking down the door, they're using stolen keys," said Sunil Sharma, managing director and vice president, India and SAARC, Sophos.
"The majority of ransomware in India now begins with a compromised identity, not a technical exploit. As AI lowers the cost of large-scale phishing and credential theft, Indian organizations need to treat identity as their primary line of defense by enforcing phishing-resistant multi-factor authentication, auditing both human and non-human accounts, and closing the visibility gaps attackers are exploiting," Sharma said.
The study found that 60% of Indian organizations hit by ransomware had their data encrypted, higher than the global average of 56%. In 16% of incidents, attackers both encrypted and stole data.
Despite wider adoption of backup and recovery technologies, more than half (56%) of affected Indian organizations paid the ransom to recover their data, compared with the global average of 48%. About 67% recovered data using backups, while 18% relied on other recovery methods.
Sophos also found that multi-factor authentication (MFA) had already been deployed in 98% of Indian incidents involving compromised credentials, suggesting that MFA alone is insufficient if attackers exploit gaps in identity protection or authentication coverage.
Recovery capabilities, however, have improved. More than half (58%) of Indian organizations restored operations within a week of a ransomware attack, while 14% recovered within a day. The average cost of recovering from a ransomware incident in India stood at $1.11 million, lower than the global average of $1.7 million.
Ross McKerchar, chief information security officer at Sophos, said organizations have become more resilient against ransomware but warned that AI is making identity-based attacks easier to execute.
"As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organizations far more cheaply and quickly than before," McKerchar said. "Organizations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection and response work together as part of a unified cybersecurity strategy."
The report recommends that organizations strengthen identity threat detection and response, deploy phishing-resistant MFA, improve backup and recovery strategies, maintain exposure management programs, integrate firewall telemetry with XDR and MDR platforms, and align cybersecurity investments with evolving regulatory requirements, including India's Digital Personal Data Protection (DPDP) Act.
The cybersecurity vendor's India-specific findings indicate a significant shift in attacker tactics, with malicious email (28%) and phishing (26%) replacing software vulnerabilities as the primary causes of ransomware incidents. Exploited vulnerabilities accounted for just 11% of attacks in India, compared with 24% globally.
The report, based on responses from 500 IT and cybersecurity decision-makers in India, found that four out of five ransomware attacks were also the most significant identity-related security incident experienced by affected organizations during the past year.
"India's ransomware numbers this year confirm what we're seeing on the ground: attackers are no longer breaking down the door, they're using stolen keys," said Sunil Sharma, managing director and vice president, India and SAARC, Sophos.
"The majority of ransomware in India now begins with a compromised identity, not a technical exploit. As AI lowers the cost of large-scale phishing and credential theft, Indian organizations need to treat identity as their primary line of defense by enforcing phishing-resistant multi-factor authentication, auditing both human and non-human accounts, and closing the visibility gaps attackers are exploiting," Sharma said.
The study found that 60% of Indian organizations hit by ransomware had their data encrypted, higher than the global average of 56%. In 16% of incidents, attackers both encrypted and stole data.
Despite wider adoption of backup and recovery technologies, more than half (56%) of affected Indian organizations paid the ransom to recover their data, compared with the global average of 48%. About 67% recovered data using backups, while 18% relied on other recovery methods.
Sophos also found that multi-factor authentication (MFA) had already been deployed in 98% of Indian incidents involving compromised credentials, suggesting that MFA alone is insufficient if attackers exploit gaps in identity protection or authentication coverage.
Recovery capabilities, however, have improved. More than half (58%) of Indian organizations restored operations within a week of a ransomware attack, while 14% recovered within a day. The average cost of recovering from a ransomware incident in India stood at $1.11 million, lower than the global average of $1.7 million.
Ross McKerchar, chief information security officer at Sophos, said organizations have become more resilient against ransomware but warned that AI is making identity-based attacks easier to execute.
"As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organizations far more cheaply and quickly than before," McKerchar said. "Organizations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection and response work together as part of a unified cybersecurity strategy."
The report recommends that organizations strengthen identity threat detection and response, deploy phishing-resistant MFA, improve backup and recovery strategies, maintain exposure management programs, integrate firewall telemetry with XDR and MDR platforms, and align cybersecurity investments with evolving regulatory requirements, including India's Digital Personal Data Protection (DPDP) Act.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.




