Dual Extortion Ransomware on Critical Sectors

INDIA — By BharatSecure Threat Intelligence Team

Verdict: Suspicious | Risk Score: 10/10 | Severity: critical

Category: Phishing

How Dual Extortion Ransomware on Critical Sectors Works

Overview: Indian healthcare, government, and educational institutions are increasingly targeted by dual extortion ransomware scams. Attackers not only lock vital computer systems but also steal sensitive data (patient records, government documents, and more), threatening to release it publicly unless a hefty ransom is paid. The risk to public safety and privacy makes this one of the most dangerous digital threats for organizations and citizens alike.

How It Works: Criminal syndicates gain access to internal networks, often through compromised employee accounts, phishing, or exploitation of unpatched software. Once inside, attackers move silently, stealing large quantities of confidential data before triggering ransomware that encrypts entire IT systems. Victims find their websites, databases, and communication tools disabled. A ransom note appears demanding cryptocurrency payment for restoration and non-disclosure. If payment is refused or delayed, the attackers threaten to leak the data on dark web forums, sometimes providing samples as proof.

India Angle: These scams have struck across major Indian cities (Delhi, Mumbai, Bengaluru) and especially target public-sector hospitals, state government offices, and universities. The attacks exploit the digital rush and at-times outdated defences in India’s critical sectors. Known groups such as LockBit and BianLian have executed high-profile strikes (e.g., the AIIMS Delhi breach), demanding crores in ransom.

Real Examples:
  • Delhi hospital staff arrive to find all patient records locked; a message threatens "records leaked online unless payment of 10 BTC in 48 hours."
  • State government email servers disabled with ransom notes offering to "return files and not publish VIP details for 200 crore rupees to wallet xyz."

Red Flags:
  • Sudden multi-day system outages across networks
  • Messages indicating a 'data leak' or threats to publish sensitive files
  • Instructions to reply only through compromised devices
  • Crypto wallet ransom notes specifying escalating payment threats

Protective Measures: All institutions must update system software regularly, mandate strong authentication, and train staff to detect phishing. Regular offline data backups and secure, segmented network configurations are essential. Monitor systems for unusual activity and restrict administrator account usage.

If Victimised: Isolate affected servers and notify IT security teams immediately. Do not engage directly with attackers. Inform CERT-In, report at cybercrime.gov.in and contact law enforcement. Patients or citizens impacted should be informed transparently.

Related Scams: Similar attacks include database breach ransom demands (e.g., client info theft), targeted phishing of officials, and website defacement with ransom notices.

How This Scam Works — Detailed Explanation

Dual extortion ransomware targeting critical sectors in India has increasingly become a tool for cybercriminals. These syndicates often begin by identifying vulnerabilities in institutions such as hospitals, educational bodies, and government agencies. They may exploit weak firewalls or outdated software to gain access. Methods include phishing emails that appear legitimate, often impersonating trusted entities. For example, a phishing email might claim to be from the National Payments Corporation of India (NPCI) requesting urgent updates. Once they gain access, the attackers install ransomware that locks critical data while simultaneously siphoning sensitive documents such as patient records or government files.

Once infiltrated, these criminals employ psychological tactics to manipulate their victims. The immediate shock of being locked out of their systems leads many organizations to act hastily. The ransomware typically provides a countdown timer, enhancing the sense of urgency. Victims receive ransom notes emphasizing the severity of their situation, often mentioning the leaked data's potential consequences, such as public embarrassment or legal ramifications. This creates a moral dilemma for the organizations: pay the ransom to protect their reputation and data, or refuse and risk their sensitive information becoming public.

Victims often find themselves caught in a nightmarish spiral. For instance, in one case a major hospital in Haryana had its systems disabled for several days, significantly disrupting patient care. Patients could not access their records or use UPI payments and other hospital services, leading to queues of frustrated people waiting for treatment. The attackers demanded a ransom exceeding ₹5 crore, threatening to release the personal health data of thousands if the payment was not made. Cut off from their systems, many hospitals have had to revert to manual processes, which only worsens the chaos and increases operational costs.

The impact of dual extortion ransomware in India is stark. According to reports, losses incurred by organizations due to such attacks surged to ₹7,500 crore in 2022 alone. The Ministry of Home Affairs and the Reserve Bank of India have issued advisories cautioning against vulnerabilities in digital systems, especially those handling sensitive information such as Aadhaar. The Computer Emergency Response Team of India (CERT-In) regularly updates guidelines aimed at mitigating these threats, urging all organizations to prioritize cybersecurity.

Identifying legitimate communications can be difficult amidst such attacks. Ransom notes often replicate official email templates, making them deceptively believable. However, organizations should always verify through trusted channels. For instance, never respond to a ransom note directly via the compromised system. Instead, reach out to the organization's cybersecurity team or contact emergency response teams available through cybercrime helplines like 1930 or visit cybercrime.gov.in for assistance. Always stay alert for red flags such as multi-day access loss to systems and any correspondence mentioning sensitive data that could lead to public exposure.


Who Does Dual Extortion Ransomware on Critical Sectors Target?

General public across India

Red Flags — How to Identify Dual Extortion Ransomware on Critical Sectors

  • Multi-day loss of access to systems
  • Ransom notes referencing government or hospital data
  • Threats of revealing confidential files online
  • Communication via compromised devices

What To Do If You Encounter Dual Extortion Ransomware on Critical Sectors

  1. Report the incident immediately at 1930 or cybercrime.gov.in so that necessary action can be taken.
  2. Consult with your organization’s IT department or cybersecurity team to assess the situation.
  3. Do not pay the ransom without understanding the long-term implications and legal advice.
  4. Communicate with affected stakeholders to inform them of potential data breaches.
  5. Change all passwords associated with the compromised systems immediately.
  6. Set up rigorous monitoring for any further suspicious activity on your networks.

How to Report Dual Extortion Ransomware on Critical Sectors in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my Aadhaar details in a dual extortion scam?
Immediately report to the UIDAI helpline and block your Aadhaar number. Visit cybercrime.gov.in for further verification and advice.
How can I identify a dual extortion ransomware note?
Look for alarming language, threats of data leaks, and unexpected requests for payment in cryptocurrency or obscure financial services.
How do I report a dual extortion ransomware incident in India?
Report incidents at the cybercrime helpline 1930 or through cybercrime.gov.in. You can also contact your bank’s fraud department for affected transactions.
What steps can I take to recover funds or secure my accounts after an attack?
Contact your bank immediately to freeze your accounts. Change all related passwords and monitor transactions closely. Engage with cybersecurity professionals to help mitigate future risks.
