AIIMS-Style Ransomware Attack on Public Servers — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: CRITICAL


AIIMS-Style Ransomware Attack on Public Servers in India 2026: WhatsApp & Phishing Scam Warning

A critical new ransomware scam targeting public servers in India, dubbed the AIIMS-style attack, uses WhatsApp phishing to trap victims and demand ransom payments.

What Is the AIIMS-Style Ransomware Attack on Public Servers?

The AIIMS-style ransomware attack is a cybercrime pattern recently reported in India, where fraudsters impersonate officials from reputed public institutions, falsely claiming to offer IT support or urgent notices. This scam primarily targets government or educational institution servers but also impacts individuals connected to these servers through WhatsApp messages. The attack aims to infect public servers and connected devices with ransomware—malware that locks files until a ransom is paid, often demanding payment via UPI or other digital wallets.

According to public complaints and cybersecurity reports, the scope of this ransomware pattern is growing steadily in India, affecting both central and state government units. CERT-In (Indian Computer Emergency Response Team) has issued warnings about such phishing-driven ransomware attacks and urges institutions and citizens to strengthen cyber hygiene. This scam has gained particular attention because it resembles earlier phishing attempts but now includes direct server infiltration, leading to widespread service disruptions.

How This Scam Works — Step by Step

  1. Initial WhatsApp Message: Victims receive a WhatsApp message or call from a number claiming to be from AIIMS IT support or a government cybersecurity team. The message warns of an urgent security breach or server error.

  2. Phishing Link or Attachment: The message contains a link to a supposed diagnostic tool or a document for “fixing” the issue. Clicking this link downloads ransomware onto the server or device.

  3. Ransomware Activation: Once the ransomware has encrypted the data, locking important files and databases, the victim sees a ransom demand, usually for a cryptocurrency payment or a UPI transfer to a specified ID.

  4. False Threats: The fraudster threatens permanent data loss or public exposure if the ransom isn't paid promptly, often leveraging fear by citing fake police cases or cybercrime investigations.

  5. Pressure to Pay Quickly: Victims receive repeated WhatsApp calls or messages pressing for immediate payment, sometimes along with “proof” that their server or device is compromised.

  6. Loss of Control and Money: If payment is made, there is no guarantee of file recovery. The attackers may continue demands or leak sensitive data if the victim refuses.
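The indicators in the steps above can be turned into a simple triage check for an inbound message. This is an added example, not BharatSecure's or CERT-In's code; the keyword lists, weights and thresholds are assumptions, and the sample messages are constructed.

```python
import re

# Indicator groups follow the steps described above. Keyword lists, weights and
# thresholds are illustrative assumptions, not a CERT-In or BharatSecure rule set.
INDICATORS = {
    "impersonation": (2, r"\b(?:aiims|it support|cyber ?security team|cert-in)\b"),
    "urgency": (1, r"\b(?:urgent|immediately|security breach|server error"
                   r"|within \d+ (?:hours?|minutes?))\b"),
    "link_or_tool": (2, r"https?://\S+|\b(?:diagnostic tool|download|attachment)\b"),
    # UPI IDs look like name@handle with no dot after the handle (unlike e-mail).
    "payment": (3, r"\b[\w.-]{2,}@[a-z]{2,}\b(?!\.)"
                   r"|\b(?:upi|bitcoin|crypto(?:currency)?|ransom)\b"),
    "legal_threat": (2, r"\b(?:police case|fir|cyber ?crime investigation)\b"),
}
COMPILED = {k: (w, re.compile(p, re.I)) for k, (w, p) in INDICATORS.items()}


def triage(message: str) -> dict:
    """Score one message; each indicator group counts at most once."""
    matched = [name for name, (_, rx) in COMPILED.items() if rx.search(message)]
    score = sum(COMPILED[name][0] for name in matched)
    if score >= 5:
        verdict = "report"   # 1930 / cybercrime.gov.in, as the page advises
    elif score >= 2:
        verdict = "verify"   # confirm through an independent channel first
    else:
        verdict = "none"
    return {"score": score, "matched": matched, "verdict": verdict}


# Constructed sample messages (not real incident data).
SAMPLES = [
    "URGENT: AIIMS IT support here. Security breach detected on your server. "
    "Run the diagnostic tool now: http://example.invalid/fix",
    "Your files are locked. Pay ransom to helpdesk@okbank within 2 hours "
    "or a police case will be filed.",
    "Team meeting moved to 3 pm tomorrow in room 204.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text)["verdict"], "|", text[:60])
```

A keyword score like this only prioritises messages for human review; a message that matches nothing can still be malicious.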

Real Warning Signs to Watch For

What Happens to Victims

Victims often face a heavy financial and emotional toll. Servers infected with ransomware halt essential services, leading to operational delays in public services or educational programs. Financially, victims lose money by paying ransom via UPI or other instant payment methods, which are irreversible and difficult to trace. Aadhaar data misuse is common when scammers extract personal IDs to increase pressure or attempt SIM swaps, amplifying risks for victims. Many report severe stress and helplessness due to data loss threats, impacting trust in digital infrastructure.

What RBI and CERT-In Say

CERT-In has highlighted phishing and ransomware as severe threats to India’s digital ecosystem, advising prompt patching and verification of all incoming messages related to IT security. According to CERT-In guidance, individuals and institutions should avoid clicking suspicious links and should report all such incidents to cybercrime authorities.

RBI and the Indian Cyber Crime Coordination Centre (I4C) stress the importance of verifying UPI payment requests independently before authorizing any transaction. RBI helpline services and CERT-In recommend using the national cybercrime helpline number 1930 for reporting frauds. The government encourages citizens to register complaints on cybercrime.gov.in for timely assistance and investigation.

How to Protect Yourself

  1. Verify sender identity: Always confirm WhatsApp messages or calls from official sources through independent channels before taking any suggested action.

  2. Avoid clicking links in unsolicited messages, especially those claiming urgent IT fixes.

  3. Never share Aadhaar details or OTPs via WhatsApp or phone calls.

  4. Use strong passwords and multi-factor authentication for all public server logins.

  5. Regularly update and back up data stored on servers and connected devices to reduce the impact of ransomware.

  6. Monitor UPI transactions closely and verify requests before approving payments.

  7. Report suspicious messages or calls immediately to 1930 and cybercrime.gov.in.

What to Do If You've Been Targeted

Frequently Asked Questions

Q: Can ransomware demands be paid safely via UPI or WhatsApp?
No. Payments made via UPI or instant messaging platforms are typically irreversible. Government and law enforcement agencies discourage paying ransoms, as it encourages further criminal activity without guaranteeing data recovery.

Q: How do scammers get access to public servers for ransomware attacks?
Scammers often use phishing messages to trick IT staff or users into downloading ransomware disguised as official tools. Weak server security and unverified communications increase the risk of infection.

Q: What should I do if I receive a WhatsApp message about AIIMS or government server issues?
Do not click any links or share personal data. Verify the message by contacting official government or institutional IT support via publicly listed phone numbers or email IDs. Report suspicious messages to 1930.

Protect yourself by staying informed and cautious. When in doubt, verify all messages at BharatSecure.app and report fraud immediately at the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.
