Author: Ashima Sarin, Student at Maharaja Surajmal Institute, GGSIPU
Abstract
Ransomware can paralyze the operations of hospitals, hamper businesses and endanger huge amounts of confidential information within minutes. With the rapid expansion of the digital economy and the development of digital infrastructure in India, ransomware is considered one of the most significant forms of cyber threats faced by both public and private sector entities. In addition to financial damage, there are various legal issues involved in relation to cyber-crime, data security and regulation.
In this paper, the author attempts to analyze whether the cyber laws prevailing in India are sufficient to counter the challenge posed by ransomware. The analysis includes a study of the Information Technology Act, 2000, the Bharatiya Nyaya Sanhita, 2023, the CERT-In Directions and the Digital Personal Data Protection Act, 2023. The author further analyses recent incidents of ransomware and related judicial precedents to assess the effectiveness of the law prevailing in this regard.
Introduction
The disruption of the digital systems of a hospital. Files belonging to a firm made inaccessible within a single night. Criminals requesting payment through cryptocurrencies to restore access. Such occurrences have ceased to be an anomaly and have become increasingly common in the current era. Ransomware has become one of the most dangerous cyber crimes faced by governments, hospitals, financial firms and corporate houses across the world.
India’s accelerated process of digitalization has brought about a marked improvement in the realm of governance, business transactions and public services delivery. The country’s increasing reliance on digital technology, however, leaves it more vulnerable to cyber attacks. What differentiates ransomware from ordinary hacking is that it is intended not just for accessing but also for extortion.
The legal issues raised by the above-mentioned types of attacks go beyond mere cybersecurity. Usually, ransomware attacks on individuals entail unauthorized access to computer networks, theft of sensitive data, extortion and abuse of identity, among others. Thus, combating ransomware demands the implementation of an integrated legal regime that would allow for its prevention, investigation, prosecution and regulation.
The present paper critically analyses the ability of Indian cyber laws to deal with digital extortion carried out by means of ransomware.
Introduction To Ransomware: The New Look Of Digital Extortion
Ransomware is a type of malware that locks down victims’ documents or blocks access to computers until a ransom is paid using cryptocurrencies. Contemporary ransomware attacks regularly employ a double extortion strategy, in which criminals take confidential data from victims and threaten to disclose or sell it unless the ransom is paid.
Legally speaking, ransomware does not constitute any single crime but rather comprises various illegal actions committed by criminals. Depending on the particular case, the attack may include unauthorized access to computer equipment, damage to computer systems, identity theft, fraud, criminal intimidation, extortion and processing of private data illegally. Thus, ransomware is one of the most complicated cybercrimes in terms of contemporary legislation.
The consequences go far beyond financial losses. Organizations experience business disruptions, damaged reputation, regulatory pressures and expenses related to recovery processes. Critical infrastructure organizations such as hospitals or government agencies may be affected even more severely, since attacks on them involve public safety and the digital resilience of the country.
The Proof: Ransomware in India
The rising incidence of ransomware attacks has made it clear that India can no longer afford to remain impervious to such advanced cyber extortion attacks. Perhaps one of the biggest instances of ransomware was the attack on the All India Institute of Medical Sciences (AIIMS), New Delhi in November 2022. This attack affected the hospital's digital systems and records, making it necessary for the institution to revert to manual processes while multiple agencies, including the Indian Computer Emergency Response Team (CERT-In), worked on the investigation.
This instance has made it clear that a ransomware attack is not only a technical problem but also a crucial public infrastructure problem.
Considering the threat posed by ransomware attacks, CERT-In has classified ransomware as a reportable cyber incident and improved India’s incident response system by adding mandatory reporting requirements and coordination mechanisms for such incidents.
Consequently, the increase in cases of ransomware gives rise to the legal question of whether the laws and regulations against cybercrime that India has at its disposal are enough to fight the growing sophistication of ransomware attacks. The following sections examine this question.
Legal Framework on Ransomware in India
At the moment, there is no specific Indian law that punishes ransomware as such. Rather, this is accomplished using a combination of cyber laws, criminal laws and regulation. Together, these can form a legal structure capable of dealing with the various stages of a ransomware attack, including unauthorised access, digital extortion and data breach.
5.1 Information Technology Act, 2000
The Information Technology Act, 2000 is the principal law regulating cybercrimes in India. Even though the law was promulgated prior to ransomware becoming a global problem, many of the provisions contained within the Act can adequately cover conduct that is usually associated with ransomware attacks.
According to Section 43, unauthorized access to a computer system, downloading or copying information, introducing computer contaminants or viruses, denial of service and any damage to computer resources are subject to civil liability. As ransomware usually encrypts documents and causes disruption to computer resources, all these acts would be covered by this provision.
If the above-mentioned acts are committed dishonestly or fraudulently, Section 66 provides for the punishment of these crimes. Hence, people who use ransomware to blackmail others will be punished under this section.
There are other provisions which could be applied based on the nature of the particular incident. Identity theft under Section 66C entails any unauthorized use of passwords or digital signatures, while Section 66D covers cheating by personation via computer resources, as where phishing e-mails are used.
In relation to this, the response to cyber attacks is made more effective through the use of Section 70B of the Act, which mandates the formation of the Indian Computer Emergency Response Team (CERT-In) as an authority that will gather information regarding cyber attacks, give directions, coordinate response mechanisms and improve security.
Moreover, Section 75 provides for the extraterritorial application of the Act when a computer resource located in India is attacked from outside India, which is significant here since ransomware attacks normally come from other countries.
However, even with the above provisions, the Act does not treat a ransomware attack as a separate criminal offence in India. Therefore, the investigator needs to refer to several provisions based on the nature of the attack.
5.2 Bharatiya Nyaya Sanhita, 2023
The Bharatiya Nyaya Sanhita, 2023 (BNS) supplements the Information Technology Act by covering the conventional criminal conduct that occurs in the course of ransomware attacks. The criminals can be punished for offences such as extortion, cheating, criminal intimidation, and even forgery of electronic records.
Consequently, ransomware cases usually combine both the provisions of the IT Act and the BNS in order to allow punishment of cybercriminals for both unauthorized access to computer systems and the crimes committed during the process.
5.3 CERT-In Directions
In response to the increasing complexity of cyber threats, the CERT-In Directions made under Section 70B of the Information Technology Act have been effective in upgrading India’s framework for cyber incidents.
These Directions define ransomware as a reportable cyber incident which must be reported by specified entities to CERT-In. Further, they stipulate that certain system logs must be preserved and that entities must cooperate in investigations and provide all required information to CERT-In.
Such duties help with prompt reporting, coordination of response and enhanced national cyber resilience as they allow for more rapid identification and investigation of cyber threats.
5.4 Digital Personal Data Protection Act, 2023
Ransomware attacks often entail the theft of personal data prior to the encryption of computer systems. Therefore, victims suffer not only from an operational problem but also from a breach of personal data.
In such cases, the Digital Personal Data Protection Act, 2023 comes into play along with the Information Technology Act. Organizations dealing with personal data are supposed to provide proper protection and fulfill their legal duties when personal data is leaked. Thus, ransomware attacks raise the issues of both cybersecurity law and data protection law.
Judicial Perspective
Although no major decision has been pronounced by Indian courts specifically on the issue of ransomware, judicial opinions on cybercrime and electronic evidence can offer great insight.
One such decision is Anvar P.V. v. P.K. Basheer, where the Supreme Court laid down the evidentiary rules that apply to electronic records, highlighting the issues of reliability and genuineness of the evidence. As ransomware cases rely mostly on electronic records, including system logs, emails, server data and forensic reports, these considerations acquire special relevance here.
The Supreme Court reiterated its views in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, where the mandatory requirements for admission of electronic evidence were reaffirmed. Thus, these decisions help build a proper evidentiary base for the investigation and prosecution of cybercrimes.
Despite the fact that these decisions are not specific to ransomware, they establish the procedure that can be applied in future ransomware cases.
Are Existing Laws Enough? A Critical Analysis
The legal regime in India clearly shows that there are ways to handle cases of ransomware via the existing legal instruments. There is a wide range of laws, which together provide an appropriate basis for investigation and punishment of cases related to ransomware attacks. These laws cover such aspects as unauthorized access to computers, cyberfraud, extortion, identity theft and compliance.
Nevertheless, the mere existence of such laws does not ensure their enforcement. One of the biggest problems in handling cases related to ransomware attacks lies in their cross-border character; many cybercriminal organizations do not conduct operations from India.
Another major problem is the increase in ransom payments via cryptocurrency. The anonymity provided by cryptocurrencies becomes a stumbling block for tracing the payments and finding the perpetrator. Moreover, a successful prosecution in a ransomware case requires cyber forensic skills, swift collection of evidence and cooperation between different law enforcement agencies. In addition, poor cybersecurity practices and delays in reporting cyber incidents make effective law enforcement even more difficult.
It seems that the main weakness of India’s legal system with respect to ransomware is not a lack of laws but their enforcement. Better cyber forensics, better coordination among different agencies, timely reporting and better cooperation with other countries would definitely increase the efficiency of the fight against ransomware. Hence, even though India has sufficient legal instruments, its enforcement still requires improvement.
Conclusion
In the contemporary period, ransomware stands out as one of the most significant forms of cybercrime, impacting the lives of governments, businesses, health facilities and people alike. As cybercriminals develop innovative ways of committing crimes, it is vital for lawmakers to keep up with technological advancements in crafting solutions to curb such problems.
India possesses an established legal framework to counter ransomware through several legislative acts such as the Information Technology Act, 2000, the Bharatiya Nyaya Sanhita, 2023, CERT-In Directions and the Digital Personal Data Protection Act, 2023. All these acts contribute to investigation, prosecution and regulation of any ransomware offenses.
However, curbing the menace of ransomware requires more than passing laws; it requires efficient implementation of the legal provisions alongside enhanced collaboration among nations.
FAQs
Q1. What is Ransomware?
It is malware that locks or encrypts the user’s computer system and/or data and then extorts payment from the user, generally in cryptocurrency, to unlock access.
Q2. What is the applicable law for ransomware crimes in India?
The Information Technology Act, 2000, along with the Bharatiya Nyaya Sanhita, 2023, CERT-In Directions and in cases involving personal data, the Digital Personal Data Protection Act, 2023.
Q3. Is there a need to report ransomware attacks?
Yes. As per CERT-In Directions made under Section 70B of the Information Technology Act, certain kinds of cyber incidents must be reported to CERT-In within the required reporting period.
Q4. Do the existing laws suffice for combating ransomware?
India has adequate laws to deal with ransomware attacks. Nonetheless, issues related to cross-border crimes, ransom demands made in cryptocurrency and insufficient cyber forensic capabilities suggest the necessity of more robust implementation and coordination of the legal framework.


