
Cyber Extortion Response Playbook for Indian Businesses

A legal response playbook for cyber extortion threats, covering evidence preservation, negotiation risk, reporting, board governance and recovery planning.

Published 29 March 2026 · 8 min read · By GT Legal Associates · Last updated 29 March 2026

Cyber extortion — the use of a threat to publish data, sustain a DDoS attack, or maintain ransomware encryption unless a payment is made — is among the fastest-growing categories of cybercrime affecting Indian businesses. The threat actor’s leverage is real: encrypted systems cannot be recovered without decryption keys; stolen data, once published, cannot be unpublished. The legal and tactical response to a cyber extortion incident is fundamentally different from the response to conventional cyber fraud, because the organisation is being asked to make a decision — to pay or not — that carries significant legal, commercial, and reputational consequences either way.

Do Not Pay Without Legal Advice

The instinctive response to a ransomware or data extortion demand is often to pay quickly and quietly. This approach carries substantial legal risk. Payment to a threat actor — particularly an entity that may be sanctioned or operating from a designated jurisdiction — can expose the paying organisation to liability under the Prevention of Money Laundering Act, 2002 (PMLA) and applicable sanctions regimes. Payment does not guarantee data deletion, decryption key delivery, or the absence of a subsequent demand. Organisations should treat payment as a last resort and only after thorough legal and technical assessment.

Immediate Steps: Evidence Preservation and Containment

The first actions upon receiving an extortion demand should be to preserve the demand in its original form (email, dark-web communication, screen recording), to isolate affected systems to prevent further lateral movement, and to retain all logs, timestamps, and network traffic data that establish the scope of the intrusion. This evidence is essential both for the criminal complaint and for any insurance claim. Counsel should be engaged before any communication is made to the threat actor, and before any public or customer-facing statement is released.
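As an added example (not part of the original article or the firm's own tooling), the following Python script records preserved artifacts such as the demand itself in a hashed chain-of-custody manifest and computes the reporting clocks the playbook describes, so that later tampering or loss is detectable and the six-hour CERT-In deadline is fixed at detection rather than at the payment decision. The detection time, artifact name, custodian and demand text are constructed sample values.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Regulatory clocks named in the playbook; both run from detection, not from any payment decision.
CERT_IN_WINDOW = timedelta(hours=6)                          # CERT-In report within six hours
INSURER_WINDOW = (timedelta(hours=24), timedelta(hours=72))  # typical policy notification window

def hash_artifact(data: bytes) -> str:
    """SHA-256 of the artifact exactly as captured (the demand e-mail, a screen recording, logs)."""
    return hashlib.sha256(data).hexdigest()

def record_artifact(name: str, data: bytes, custodian: str, captured_at: datetime) -> dict:
    """One chain-of-custody entry: who captured what, when, and the hash it must still match later."""
    return {"name": name, "sha256": hash_artifact(data), "size": len(data),
            "custodian": custodian, "captured_at": captured_at.isoformat()}

def reporting_deadlines(detected_at: datetime) -> dict:
    """Deadlines that start at detection, whatever the organisation later decides about payment."""
    return {"detected_at": detected_at.isoformat(),
            "cert_in_report_by": (detected_at + CERT_IN_WINDOW).isoformat(),
            "insurer_notify_between": [(detected_at + w).isoformat() for w in INSURER_WINDOW]}

def build_manifest(artifacts, detected_at: datetime) -> dict:
    """artifacts: iterable of (name, raw bytes, custodian). Entries are stamped with the detection time."""
    return {"deadlines": reporting_deadlines(detected_at),
            "artifacts": [record_artifact(n, d, c, detected_at) for n, d, c in artifacts]}

def verify_manifest(manifest: dict, current: dict) -> list:
    """Names of artifacts that are missing from `current` or no longer match their recorded hash.
    An empty list means the preserved evidence is intact; anything else must be explained
    before the material is relied on in a complaint or insurance claim."""
    bad = []
    for entry in manifest["artifacts"]:
        data = current.get(entry["name"])
        if data is None or hash_artifact(data) != entry["sha256"]:
            bad.append(entry["name"])
    return bad

if __name__ == "__main__":
    detected = datetime(2026, 3, 29, 9, 0, tzinfo=timezone.utc)   # constructed detection time
    demand = b"Subject: your files\n\nPay within 72h or the data is published.\n"  # constructed sample
    manifest = build_manifest([("demand.eml", demand, "IR lead")], detected)
    print(manifest["deadlines"]["cert_in_report_by"])                 # 2026-03-29T15:00:00+00:00
    print(verify_manifest(manifest, {"demand.eml": demand + b"\n"}))  # ['demand.eml']
```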

Legal Reporting Obligations

Organisations covered by CERT-In’s April 2022 Directions must report a ransomware or data extortion incident to CERT-In within six hours of detection. This obligation arises independently of any decision on payment, and non-reporting carries regulatory consequences. Where the extortion involves a threat to publish personal data, the Data Protection Board must also be notified under Section 8(6) of the Digital Personal Data Protection Act, 2023 once the breach is confirmed. A complaint should be filed with the cybercrime portal (cybercrime.gov.in) and the jurisdictional cybercrime police station, citing Sections 66 and 66B of the IT Act and Sections 308 (extortion) and 351 (criminal intimidation) of the Bharatiya Nyaya Sanhita, 2023.

Board Governance and Insurance

Boards of directors have fiduciary duties under the Companies Act, 2013 that are engaged when a cyber extortion incident materially affects the business. Directors must be informed promptly and documented resolutions should reflect the governance decisions made. Where the company holds cyber insurance, the policy must be notified within the prescribed window — typically 24–72 hours — and the insurer’s panel counsel engaged immediately; failure to notify in time can void coverage. Recovery requires forensic root cause analysis and closure of the attack vector before system restoration — reconnection before the attack vector is closed invites reinfection.

DPDP Act and Regulatory Reporting Obligations

Where the extortion incident involves a personal data breach — as it commonly does in data theft cases — the Digital Personal Data Protection Act, 2023 imposes independent obligations on the affected Data Fiduciary. While the implementing rules are being notified progressively, the framework requires notification to the Data Protection Board of India and to affected Data Principals upon a qualifying personal data breach. Organisations should assess at the outset of any incident whether personal data has been exfiltrated, since the DPDP Act notification obligations run independently of the commercial decision whether to pay the demand.

CERT-In's April 2022 Directions require covered entities to report cyber incidents — including ransomware attacks and data exfiltration incidents — to CERT-In within six hours of detection. This obligation applies regardless of whether the organisation intends to pay the demand and regardless of whether the incident has been fully characterised at that stage. The report can be updated as further information becomes available. Failure to report within the six-hour window is an independent regulatory breach. Regulated entities — banks, NBFCs, insurance companies, market intermediaries — face parallel reporting obligations to their respective sectoral regulators that must be managed alongside the CERT-In timeline.

Communication and Reputation Management

Managing external communications during a cyber extortion incident is as important as the technical and legal response. Premature or inaccurate public statements can prejudice regulatory proceedings, crystallise contractual liability, and provide the threat actor with information about the organisation's response posture. Legal privilege should be maintained over all incident-related communications prepared in contemplation of litigation or regulatory proceedings. Customer, partner, and supplier notifications — where contractually or legally required — should be reviewed by legal counsel before despatch to ensure they are accurate, appropriately qualified, and do not constitute admissions of liability. Where the incident attracts media attention, a consistent holding statement approved by legal counsel should be prepared and issued through a single designated spokesperson.

Key Takeaways

  • Payment to a cyber extortionist carries PMLA and sanctions exposure — legal advice on the risk of payment must be obtained before any transfer is made.
  • CERT-In reporting within six hours of detection is mandatory for covered entities regardless of whether payment is being considered — non-reporting is an independent regulatory offence.
  • Board notification and documented governance decisions are required during any material cyber extortion incident — directors’ fiduciary duties under the Companies Act, 2013 are directly engaged.
  • Cyber insurance must be notified within the policy window — typically 24–72 hours — to avoid coverage denial; engage the insurer’s panel counsel on day one.
  • Recovery requires forensic root cause analysis and hardening before system restoration — reconnection before the attack vector is closed invites reinfection and a further extortion cycle.


How GT Legal Can Assist

Facing a cyber extortion demand and unsure how to respond?

A cyber extortion incident requires careful legal judgement at every step — from assessing the demand and managing communications, to meeting CERT-In and DPDP Act reporting timelines and making evidence-based decisions about response options. Our team can advise on the legal dimensions of your situation in confidence, coordinate with technical investigators where required, and assist with law enforcement engagement, regulatory liaison, and post-incident recovery planning.


References

  • Information Technology Act, 2000, Sections 66, 66B — Ministry of Electronics & IT, India Code.
  • Bharatiya Nyaya Sanhita, 2023, Sections 308 (extortion), 351 (criminal intimidation) — Ministry of Law & Justice, India Code.
  • CERT-In Directions on Cyber Security Incident Reporting, 28 April 2022 — Ministry of Electronics & IT.
  • Prevention of Money Laundering Act, 2002 — Ministry of Finance, India Code.
  • Digital Personal Data Protection Act, 2023, Section 8(6) — Data Protection Board notification obligation.
  • Companies Act, 2013 — Director fiduciary duties, Ministry of Corporate Affairs.

Disclaimer

This article is for general information only and does not constitute legal advice, solicitation or an advocate-client relationship. Readers should obtain advice based on their specific facts before acting on any legal, regulatory or forensic advisory issue.
