“The biggest difference is that the bad actors are no longer just encrypting your data. They are stealing it,” said Wayne Hankins, senior director analyst at Gartner. Hankins, who was speaking on the sidelines of the ongoing Gartner Security & Risk Management Summit, 2025 in Mumbai, said that organisations need to have a good backup plan.

Ransomware attacks accounted for 23 per cent of all cybersecurity breaches last year, as per a Data Breach Investigations report. Ransomware has become one of the most formidable threats for organisations over the last few years. Hankins sat down with indianexpress.com to share his insights on the ransomware landscape and how bad actors are using sophisticated methods to entrap organisations for financial gain.

“Organisations also need to be prepared to manage their data on leak sites. And then there's another level of negotiations that they may have to do with the bad actor to make sure that they're actually deleting that data,” Hankins explained.

The Gartner executive explained that ransomware was traditionally dealt with by using backups to recover the systems that had been encrypted. With extortion attacks, organisations face a different challenge. “They are not just locked out of their data but risk losing it entirely,” he said.

According to Hankins, the cost of recovery in extortion cases is higher than in traditional ransomware cases. In such cyber attacks, apart from financial losses, businesses also have to manage customer expectations and potential trust issues. The seasoned analyst feels that the key focus should be to ensure recovery even when data cannot be retrieved.

Cyber attackers and AI

In the last two years, there has been an exponential increase in cyber attacks where threat actors used AI for sophisticated phishing and deepfake attacks. When asked how companies can defend themselves from such complex attacks, Hankins outlined two ways.
“Firstly, we have to continue to work with end users to ensure that they can identify phishing campaigns and certain trends. Secondly, we expect just the velocity and volume to significantly increase, so areas that need to really improve are their processes and procedures of how they manage a phishing campaign that hits their organisation,” he said.

Several studies have shown that ransomware gangs are targeting smaller businesses, which are later used as gateways to bigger and more profitable victims. Among the companies impacted, smaller organisations with under 1,000 employees are the most affected, at 40.2 per cent. According to Hankins, smaller companies should start by putting a cybersecurity strategy in place and defining ownership, essentially who owns cybersecurity for the organisation.

“So the first thing would be identifying that cybersecurity is a business problem. We have to assign some responsibilities and roles to that area. And then the second thing is to look for external resources to help you manage your cybersecurity services,” said Hankins, explaining how smaller organisations can safeguard themselves.

Hankins acknowledged that smaller organisations may not have the team required to manage a ransomware attack. However, he advised that these companies should start looking toward digital forensics and incident response organisations to augment their team.

Quantum resilient encryption

Encryption is changing; encryption methods are now becoming quantum resilient, meaning they are designed to be more secure against attacks from traditional and quantum computers. For the uninitiated, ransomware attacks use encryption to make files inaccessible, after which the attackers demand a ransom.

When asked if quantum-resilient encryption would impact existing cybersecurity measures adopted by businesses, Hankins said that it should not.
Hankins explained that when bad actors use these more advanced encryption technologies, it becomes even more important for organisations to have a strong disaster recovery and backup system.

Based on numerous reports, the data encryption times for ransomware are shockingly fast, sometimes even under 10 minutes. We asked Hankins how organisations can detect and stop attacks before encryption occurs; he replied that the first thing needed is the ability to block the bad actors from gaining access to the network.

“Once they're in, within an hour, they're able to go ahead and execute. So we have to really nail down our identity access management and really put in a strong credential platform so that if bad actors get access to credentials, they can't access resources.”

According to Hankins, deploying multi-factor authentication (MFA) and restricting access to critical tools can help prevent attackers from exploiting stolen credentials.

Ransomware attacks and India

Based on the 2023 Unit 42 Ransomware and Extortion Report, India is among the top 10 countries when it comes to ransomware volume. Hankins said that countries with large manufacturing sectors and critical infrastructure are particularly vulnerable. Attackers attempt to create severe disruption to force victims to pay ransom.

“If they can shut down a manufacturing facility or critical infrastructure, they create immense pressure on businesses to comply.”

According to Hankins, for small businesses, the challenge is slightly different; however, it is equally concerning. He explained that many small businesses provide services to larger organisations, making them integral to the supply chain. Attackers exploit this by targeting smaller firms to disrupt operations on a larger scale.
These businesses face two major risks: they may be forced out of business if they cannot recover, or the attack can damage their relationships with larger clients, further pressuring them to pay the ransom.

When asked what message he would like to give to Indian organisations and leaders, Hankins said that he would encourage them to work closely with their cybersecurity and IT teams to build a strong defence against ransomware.

“Organisations should have well-defined playbooks in place to ensure they can continue operating at a minimal level, even if a critical system is compromised. Ultimately, ransomware isn’t just an IT or security issue—it requires a holistic, company-wide approach.”