
This article is written by Shrishti Bhardwaj, a 6th-semester B.A.LL.B student at Bharati Vidyapeeth New Law College, Pune, and an intern under Legal Vidhiya.

ABSTRACT

The escalating prevalence of cyber extortion and ransomware in the digital era has emerged as a critical concern, significantly impacting individuals, businesses, and critical information infrastructures. Cyber extortion refers to the exploitation of digital vulnerabilities to coerce victims into complying with financial or other demands under threats of data theft, system disruption, or reputational damage. A key subset of cyber extortion, ransomware, employs malicious software to encrypt victims’ data, rendering it inaccessible until a ransom is paid—often with no assurance of complete data recovery.

The legal framework in India addressing cyber extortion and ransomware is primarily derived from the Information Technology Act, 2000, and the Indian Penal Code, which serve as foundational statutes for prosecuting cybercrimes. These laws contain specific provisions that impose penalties for unauthorized access, identity theft, cyber terrorism, and the destruction or compromise of computer systems. Despite the existence of these legal measures, challenges related to enforcement, jurisdictional complexities, and the transnational character of cybercrimes create significant obstacles in establishing effective deterrence and providing redress to victims.

A detailed examination of ransomware attack phases reveals that perpetrators often initiate their schemes through social engineering techniques, subsequently introducing malware into targeted systems and demanding ransom payments for decryption keys. The impact of such attacks is evident in notable cases within India, including the Uttar Haryana Bijli Vitran Nigam (UHBVN) ransomware incident, which compromised sensitive customer data, and the cyberattack on the All India Institute of Medical Sciences (AIIMS), which severely disrupted healthcare services. Additionally, the rise of cybercrimes directed at minors, particularly within online gaming platforms, highlights the expanding scope of these threats and the need for protective measures.

On an international scale, prominent cases such as the WannaCry ransomware attack underscore the widespread ramifications of cyber threats. The WannaCry attack, which disrupted critical systems across various industries worldwide, highlighted the necessity for timely cybersecurity updates, stringent security protocols, and enhanced global collaboration. Moreover, judicial developments in different jurisdictions have examined privacy rights and cross-border data access, illustrating the complexities associated with regulating cybercrimes in an increasingly interconnected digital world.

India’s evolving legal framework seeks to address these challenges through various initiatives, including the National Cyber Security Policy, 2023, and the activities of the Indian Computer Emergency Response Team (CERT-In), which functions as a central authority for managing cybersecurity incidents. Additionally, the proposed Digital India Act aims to modernize and strengthen existing cyber laws, ensuring comprehensive protection against emerging technologies such as artificial intelligence and blockchain. Regulatory measures such as the Aadhaar (Authentication and Offline Verification) Regulations, 2021, further emphasize data encryption, access control, and audit mechanisms designed to safeguard sensitive information and prevent unauthorized breaches.

Given the evolving nature of cyber threats, the urgent need for a dynamic and adaptive legal framework becomes increasingly apparent. Robust cybersecurity measures, combined with a collaborative approach involving governmental authorities, private sector entities, and international organizations, are essential to combat cyber extortion and ransomware effectively. Enhancing public awareness, continuously updating policy frameworks, and fostering proactive international cooperation will play a pivotal role in strengthening resilience within the digital ecosystem and mitigating future cyber threats.

Keywords

Cyber Extortion, Ransomware, Information Technology Act, National Cyber Security Policy, Digital India Act, Cross-border Cybercrime.

INTRODUCTION

The rapid evolution of the digital world has transformed every aspect of human life, fostering unprecedented connectivity, efficiency, and innovation. From personal communications to global commerce, technology has reshaped how people interact, transact, and conduct business. However, alongside these advancements, the digital realm has also become a fertile ground for cyber threats, with cyber extortion and ransomware emerging as particularly alarming phenomena. These cybercrimes not only jeopardize individuals’ privacy but also threaten the stability of businesses, critical infrastructure, and national security.

Cyber extortion is a malicious act where perpetrators exploit vulnerabilities in digital systems to coerce victims into complying with demands, often under threats of data theft, reputational damage, or service disruptions. A prominent subset of this threat is ransomware, where attackers deploy malicious software to encrypt a victim’s data, effectively holding it hostage until a ransom is paid. While some victims comply in the hope of recovering their data, payment does not guarantee restoration, leaving many without recourse and often exposing them to further exploitation. The ramifications of these attacks extend beyond monetary losses, as they can erode public trust, compromise sensitive data, and disrupt essential services.

In India, the legal framework for addressing cyber extortion and ransomware is primarily built upon the Information Technology Act, 2000, and the Indian Penal Code, 1860. These statutes provide critical legal provisions to counter cybercrimes, such as penalties for unauthorized access, identity theft, cyber terrorism, and damage to computer systems. Despite these legal safeguards, enforcement remains a persistent challenge due to the sophisticated and transnational nature of cybercrimes. Jurisdictional limitations, lack of technical expertise, and difficulties in tracing anonymous perpetrators often hinder effective prosecution and victim redress.

Globally, the response to cyber extortion and ransomware is equally complex. The absence of a unified international legal framework complicates efforts to combat these crimes, as they frequently transcend national borders. Differing legal standards, inadequate cooperation among countries, and the rapid evolution of technology have created significant gaps in cybersecurity enforcement. This fragmented approach leaves victims—whether individuals, corporations, or governments—vulnerable to an increasingly organized and resourceful cybercriminal ecosystem.

The rise of cyber extortion and ransomware attacks also raises critical questions about privacy, data protection, and the adequacy of current laws to address evolving threats. Modern cybercrimes leverage advanced tactics, such as social engineering, phishing, and exploitation of zero-day vulnerabilities, making traditional approaches to cybersecurity insufficient. Attackers frequently target high-value sectors, including healthcare, finance, energy, and education, amplifying the consequences of these attacks. For instance, ransomware incidents disrupting hospital operations or compromising financial institutions highlight the urgency of addressing these threats at both the national and international levels.

The challenges posed by cyber extortion and ransomware necessitate a multifaceted response. Strengthening legal frameworks, enhancing cybersecurity infrastructure, and fostering international collaboration are critical steps in combating these threats. Initiatives such as India’s National Cyber Security Policy and the forthcoming Digital India Act represent significant progress in modernizing the country’s approach to cybersecurity. However, these measures must be complemented by robust public-private partnerships, increased investment in cybersecurity research and development, and widespread public awareness campaigns to educate individuals and organizations about preventive measures.

This article aims to provide a comprehensive analysis of cyber extortion and ransomware, focusing on their impact, legal implications, and strategies for mitigation. By examining key case studies and legislative developments, it seeks to shed light on the urgent need for a cohesive and dynamic approach to addressing these challenges. In a digital age where threats evolve rapidly, the importance of resilience, collaboration, and proactive policy adaptation cannot be overstated. Only through coordinated efforts can we safeguard the digital ecosystem and ensure its continued growth and security.

THE PHASES OF A RANSOMWARE ATTACK

Initiation and Setup: The attacker begins by identifying a target and gathering information through publicly available sources or social engineering tactics. This may include creating fake websites or sending phishing emails.

Infection: At this stage, the attacker introduces malware into the victim’s system using pre-determined methods, such as malicious email attachments, compromised software, or network vulnerabilities.

Encryption: Once the malware is active, it encrypts the victim’s data stored on servers or devices, rendering it inaccessible. Any existing backups are often deleted to increase the pressure on the victim.

Extortion: The victim receives a ransom demand, usually accompanied by instructions for payment in exchange for a decryption key or tool. Payments are often requested via cryptocurrencies to maintain the attacker’s anonymity.

Decryption: If the victim agrees to the attacker’s demands and pays the ransom, they are typically provided with a decryption tool to recover their data. However, there is no assurance that the attacker will deliver the promised solution or that the data will be fully restored.

INSTANCES OF CYBER EXTORTION AND RANSOMWARE IN INDIA

  • ‘Your husband could also be involved’: Cyber extortionists threaten Pune doctor with Rs.82-cr money-laundering claim.[1]

A Pune-based doctor became a victim of cyber extortion, with fraudsters attempting to prevent her from seeking her husband’s support by falsely insinuating his involvement. The scammers, masquerading as government officials, threatened her with arrest on fabricated money laundering charges, claiming ₹82 crore had been deposited in her account. The doctor, in her 60s, filed a complaint at Warje Malwadi police station, leading to an FIR on Saturday. She reportedly lost ₹6.1 lakh to the cybercriminals in June. The ordeal began with a call from someone posing as an official from the Telecom Regulatory Authority of India (TRAI) in Delhi, who falsely warned her that her phone number would be disconnected due to a criminal case involving the Uttar Pradesh police. She was subsequently directed to a video call with an individual pretending to be an officer from the Alambagh police station in Lucknow. This imposter dramatized the situation by calling a fake “control room” via a wireless set, falsely claiming there was an arrest warrant against her linked to the alleged ₹82 crore money laundering case.

  • In another case, in Jamnagar[2], a 14-year-old boy named Mayank became visibly distressed after his gaming account was taken over by an online acquaintance, who then demanded a ransom for its return. Concerned, Mayank’s parents sought help from a counsellor and eventually involved the Cybercrime police. The authorities traced the 17-year-old perpetrator through his IP address, contacted his parents, and successfully restored Mayank’s account.

This incident is part of a growing trend where minors are targeted in cyber extortion schemes related to online gaming. According to the state’s cybercrime helpline, approximately 15 to 20 such cases are reported each month. In these scenarios, children’s gaming accounts are compromised, and they are coerced into paying ransoms, sometimes using their parents’ debit card information. Notably, international cybercriminals exploit the lack of two-factor authentication in certain countries to withdraw funds with just debit card details, leaving parents unaware until they review their bank statements. Authorities advise parents to monitor their children’s gaming activities and be aware of their online interactions to prevent such incidents.

  • UHBVN Ransomware Attack: The Uttar Haryana Bijli Vitran Nigam faced a cyberattack where hackers accessed sensitive customer billing data and demanded ₹1 crore ransom, threatening to withhold the information.
  • AIIMS Cyberattack (2023): Hackers targeted AIIMS Delhi, disrupting healthcare services and exposing sensitive patient data. The incident highlighted the critical need for strengthened cybersecurity in the healthcare sector.

LEGAL FRAMEWORK IN INDIA

Information Technology Act, 2000 (IT Act)[3]

Section 66: Penalizes hacking or unauthorized access with imprisonment up to 3 years and a fine up to ₹5 lakh.

Section 66B: Punishes receiving stolen digital assets dishonestly.

Section 66C: Focuses on identity theft with penalties up to 3 years imprisonment and ₹1 lakh fine.

Section 66D: Addresses cheating by impersonation, carrying similar penalties as Section 66C.

Section 66E: Criminalizes unauthorized use of private images.

Section 66F: Covers cyber terrorism, targeting attacks threatening national security or critical infrastructure.

Section 43: Penalizes damages to computer systems or data, with compensation for affected parties.

Section 70B: Mandates reporting cyber incidents to CERT-In; non-compliance may result in fines or sanctions.

Compensation and Appeals:

Section 46: Victims can claim financial compensation for losses.

Section 48: Decisions by adjudicating authorities can be appealed before the Cyber Appellate Tribunal.

CERT-IN[4]

As outlined by the CERT rules and Section 70B of the IT Act, the Computer Emergency Response Team (CERT-In) serves as a trusted authority for addressing cybersecurity incidents. Individuals and organizations can report ransomware attacks to CERT-In, which assesses the severity and nature of the incident. Based on its resources and expertise, CERT-In aims to respond promptly to limit further damage or data loss, ensuring swift action in critical situations. To support this, CERT-In operates a 24/7 Incident Response Help Desk, accessible via its official website. Additionally, it is important to note that certain types of cybersecurity breaches, including ransomware attacks, must be reported to CERT-In by entities such as corporate bodies and intermediaries to ensure timely and effective mitigation measures.

NATIONAL CYBER SECURITY POLICY, 2023[5]

The primary goal of this policy is to protect both digital information and the infrastructure that supports cyberspace. It aims to develop the necessary capabilities to prevent and effectively respond to cyber threats, reduce vulnerabilities, and minimize the impact of cyber incidents.

This objective will be achieved through a combination of institutional frameworks, skilled professionals, well-defined processes, cutting-edge technology, and collaborative efforts. The policy is designed to build trust and confidence in IT systems while strengthening the regulatory framework to enhance security and ensure the resilience of the country’s critical information infrastructure (CII).

To accomplish this, a 24/7 National Critical Information Infrastructure Protection Centre (NCIIPC) will be established. Additionally, stringent security practices will be implemented across all stages, including the design, procurement, development, use, and operation of information systems and resources.

INFORMATION TECHNOLOGY (GUIDELINES FOR INTERMEDIARIES AND DIGITAL MEDIA ETHICS CODE) RULES, 2021[6]

Intermediary Rules (2021): Establish regulations for social media, OTT platforms, and digital news, with provisions for data protection and user grievance mechanisms.

Digital Personal Data Protection Act (DPDPA): Balances privacy rights with lawful data processing, mandates breach reporting, and enforces penalties for non-compliance.

Digital India Act: A forthcoming replacement for the IT Act, aiming to enhance online safety, accountability, and trust while addressing challenges from technologies like AI and blockchain.

Bharatiya Nyaya Sanhita (BNS): Includes cybercrime provisions complementing the IT Act.

National Cyber Crime Reporting Portal: Enables citizens to report cybercrimes, emphasizing offenses against women and children.

CYBER CELL

If an individual or organization falls victim to a ransomware attack, they can file a First Information Report (FIR) at their local police station under the applicable sections of the Information Technology Act (and/or the Indian Penal Code). The case will then be investigated by the cybercrime cell. Offenses under the IT Act are subject to trial in Indian courts, which will follow the procedures outlined in the Code of Criminal Procedure, 1973.

Aadhaar (Authentication and Offline Verification) Regulations, 2021[7]

Data Encryption: Ensure that authentication data is securely encrypted both while being transmitted and when stored, as required under Regulation 12(2).

Access Controls: Enforce robust access control measures to limit access to authentication data only to authorized individuals, as mandated by Regulation 10.

Audit Logs: Maintain detailed audit logs to record all authentication requests and responses, in compliance with Regulation 18.

CONCLUSION

The increasing prevalence of cyber extortion and ransomware attacks in the digital landscape presents significant and evolving challenges for individuals, organizations, and governments. These cybercrimes exploit vulnerabilities within digital infrastructures, causing widespread disruptions to operations, compromising sensitive data, and inflicting severe economic and social consequences. The rapid advancement of these cyber threats has outpaced traditional legal and technological defenses, necessitating a multi-faceted and adaptive approach to effectively counteract them.

India’s legal framework, primarily established under the Information Technology Act, 2000, and the Indian Penal Code, provides essential statutory provisions to address cyber extortion and ransomware. However, enforcement efforts are often hindered by jurisdictional complexities, a lack of specialized technical resources, and the sophisticated nature of these crimes. Recent instances of ransomware attacks targeting critical sectors, such as healthcare institutions, power utilities, and financial systems, underscore the urgent need for strengthened cybersecurity measures and more robust deterrence mechanisms.

The introduction of the National Cyber Security Policy, 2023, and the establishment of CERT-In as a central authority for managing cybersecurity incidents mark significant strides towards a coordinated and proactive response to cyber threats. These initiatives aim to fortify the protection of critical information infrastructure, enhance resilience against cyberattacks, and bolster public confidence in the digital ecosystem. The anticipated enactment of the Digital India Act is expected to further modernize the legal landscape by addressing the complex challenges posed by emerging technologies, including artificial intelligence and blockchain. Additionally, fostering international collaboration through mechanisms such as mutual legal assistance treaties (MLATs) and cross-border data-sharing agreements is imperative to bridge existing legal and enforcement gaps and ensure a unified global response to cyber threats.

The role of private sector stakeholders is equally crucial in the fight against cyber extortion and ransomware. Businesses must adopt and enforce stringent cybersecurity protocols, including the deployment of advanced threat detection systems, conducting regular vulnerability assessments, and cultivating a culture of cyber awareness among employees. Public-private partnerships can further enhance the overall capacity to prevent, detect, and respond effectively to cyber incidents, ensuring a more resilient cybersecurity infrastructure.

Public awareness and education also play a vital role in mitigating cyber risks. Citizens must be informed about the potential dangers of cybercrimes and the preventive measures they can take to safeguard themselves. Awareness campaigns and specialized training programs can empower individuals to recognize and avoid cyber threats, thereby reducing the likelihood of victimization. Special attention should be given to vulnerable populations, such as children and the elderly, who are particularly susceptible to cyber fraud and exploitation.

The battle against cyber extortion and ransomware is an ongoing and dynamic challenge that necessitates continuous evolution in legal, technological, and policy-driven strategies. Lawmakers, law enforcement agencies, private sector entities, and international organizations must collaborate effectively to create a secure, resilient, and inclusive digital environment. By fostering global cooperation, leveraging cutting-edge technological advancements, and reinforcing legal frameworks, it is possible to mitigate the risks associated with cyber threats and safeguard the digital ecosystem for future generations. This collective effort will ensure that cyberspace remains a safe and trustworthy domain for individuals, businesses, and governments alike.

REFERENCES

[1] The Indian Express, Your husband could also be involved, THE INDIAN EXPRESS (July 8, 2024, 08:27 IST), https://indianexpress.com/article/cities/pune/cyber-extortionists-threaten-pune-doctor-money-laundering-claim-9438689/.

[2] Ashish Chauhan & Paul John, Cyber extortion is now child’s play, THE TIMES OF INDIA (June 15, 2023, 07:42 IST), https://timesofindia.indiatimes.com/city/ahmedabad/cyber-extortion-is-now-childs-play/articleshow/101005395.cms.

[3] Information Technology Act, 2000, §§ 66B, 66C, 66D, 66E, 66F, 43, 70B, 46, 48, No. 21, Acts of Parliament, 2000 (India).

[4] Indian Computer Emergency Response Team, https://www.cert-in.org.in/ (last visited Feb. 3, 2025).

[5] National Cyber Security Policy, https://egovernance.vikaspedia.in/viewcontent/e-governance/national-e-governance-plan/national-cyber-security-policy?lgn=en (last visited Feb. 3, 2025).

[6] The Information Technology Rules, 2021, at 19, https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20%28updated%2006.04.2023%29-.pdf (last visited Feb. 3, 2025).

[7] SCC Times, https://www.scconline.com/blog/post/2024/02/01/unique-identification-authority-of-india-notified-aadhaar-authentication-and-offline-verification-amendment-regulations-2024/ (last visited Jan. 7, 2025).
