Ransomware Hits India Hardest in APAC, Incidents Jump 165%: Report

India emerged as the most targeted country in the APAC region for ransomware attacks, recording 45 incidents during Q1 2026 — representing a 165% increase compared to Q1 2025 and a 55% rise over the previous quarter. The sharp rise reflects an intensifying cyber threat environment, with attackers focusing on multiple sectors and critical infrastructure.

The findings were detailed in Cyble’s Asia and Pacific Threat Landscape Q1 2026 Report, released by Cyble Research and Intelligence Labs (CRIL), which recorded 277 major cyber incidents across the region during the quarter. These included ransomware attacks, data breaches, compromised access sales, vulnerability exploitation, and hacktivist activity affecting organisations across industries.

In India, key sectors targeted included IT, manufacturing, healthcare, banking, financial services and insurance (BFSI), automotive, and professional services. The report identified ransomware groups such as The Gentleman, Sinobi, Vect, Tengu, and CL0P as among the most active in carrying out attacks against Indian organisations.

A notable trend observed was the use of “spray-and-pray” ransomware campaigns, where attackers attempt to breach multiple organisations simultaneously. This approach is aimed at maximising operational disruption and increasing the chances of financial gain, particularly by targeting sectors with high dependency on digital infrastructure.

Across the Asia-Pacific region, ransomware continued to dominate the threat landscape, with 238 incidents recorded in Q1 2026. The Gentleman group accounted for nearly 24% of these attacks, while Qilin and INC Ransom also remained highly active. Manufacturing and IT and IT-enabled services (ITES) sectors were among the most frequently targeted industries across the region.

The report also highlighted a pattern of repeated targeting, where organisations faced multiple attacks after initial breaches became publicly known. This indicates that once vulnerabilities are exposed, threat actors continue to exploit them over time, increasing the risk for affected companies.

Beyond ransomware, incidents involving compromised enterprise access and data breaches remained a concern. CRIL observed 20 cases of unauthorised access sales during the quarter, with retail and professional services sectors accounting for nearly half of these incidents. Government and law enforcement agencies reported the highest number of data breach cases.

Indian organisations were also frequently referenced in underground forums where access credentials and sensitive data were traded. In one case, threat actors claimed to be selling administrator-level database access to a large Indian construction company, along with more than 44 GB of data.

The report further pointed to increased exploitation of critical vulnerabilities across enterprise technologies. Systems from companies such as Ivanti, Cisco, SolarWinds, Dell, Fortinet, Microsoft, and Citrix were targeted, with attackers leveraging high-severity flaws to gain unauthorised access. A zero-day vulnerability in Ivanti Endpoint Manager Mobile (CVE-2026-1340) was among the key risks identified.

Hacktivist activity also saw a rise during the quarter, particularly in Southeast Asia. CRIL recorded nearly 498 posts linked to data leaks impacting around 3,600 domains. Several threat groups focused on the Indian subcontinent, carrying out website defacements, distributed denial-of-service (DDoS) attacks, and information operations targeting government, telecom, media, and commercial organisations.