Three months into 2026, and I have already handled more incident response calls than all of 2024 combined. Something has changed. The attacks are faster, smarter, and harder to detect. And the common thread? Artificial intelligence.
I am not talking about some theoretical future threat. I am talking about what is happening right now to Indian companies — mid-size manufacturers, hospitals, fintech startups, and banks. The attackers have upgraded their playbook, and most Indian businesses are still defending with yesterday's tools.
Let me walk you through what I am seeing on the ground.
The Numbers Are Alarming
India recorded over 265 million malware detections in the first quarter of 2026 alone. Ransomware groups are rebranding faster than ever, deploying cross-platform encryption that hits both Windows and Linux servers simultaneously. The manufacturing sector, healthcare, education, and energy are getting hit hardest.
But the raw numbers only tell part of the story. What has changed is the quality of attacks. Phishing emails that used to have obvious spelling mistakes and generic subject lines now read like they were written by your CFO. Because in a way, they were — by an AI trained on publicly available communication patterns.
AI-Generated Phishing: The Game Has Changed
I audited a Pune-based manufacturing company last month after they lost 47 lakh rupees to a business email compromise. The attacker had sent an email to the accounts team requesting an urgent vendor payment. The email matched the CEO's writing style perfectly — same greeting, same sign-off, same tone. It even referenced a real project the company was working on.
The accounts team followed their process. They verified the email address (it was spoofed convincingly), checked the project reference (it was accurate — scraped from LinkedIn posts), and processed the payment.
This is what AI-powered social engineering looks like. The attacker did not need to breach your network. They just needed to sound like someone you trust.
How to Defend Against This
- Implement a mandatory callback verification for any payment above 5 lakh rupees — voice call to a known number, not the number in the email
- Train your finance team specifically on AI-generated phishing. Show them examples. Old-school awareness training about "check for spelling mistakes" is useless now
- Deploy email authentication — SPF, DKIM, and DMARC with a reject policy. This will not stop all spoofing, but it stops the lazy attempts
- Limit what employees share on LinkedIn about ongoing projects and vendor relationships. Attackers mine this data
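The SPF and DMARC advice above can be turned into a concrete check against a domain's own DNS TXT records. The script below is an added example written for this post, not code from the original article: it grades raw SPF and DMARC record strings and reports anything short of an enforcing configuration (SPF ending in `-all`, DMARC `p=reject` applied to 100% of mail and to subdomains, with aggregate reports enabled). The two domains and their records are constructed samples; fetching live records with a DNS resolver such as dnspython is assumed and left out so the example runs offline. DKIM is not graded here because its records live under a selector name that is not discoverable from DNS alone.

```python
"""Grade SPF and DMARC TXT records for spoofing resistance.

Added example, not from the original post. The sample records below are
constructed; in practice they would be fetched with a DNS resolver
(for example dnspython's dns.resolver.resolve(name, "TXT")), which is
an assumption and omitted here so the script runs offline.
"""
import re

# Constructed sample records: one monitoring-only domain, one enforcing domain.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def parse_tags(record: str) -> dict:
    """Split a DMARC-style 'k=v; k=v' record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record; empty means enforcing."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    findings = []
    terms = record.split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF '+all': any server may send as this domain")
    elif last == "?all":
        findings.append("SPF '?all' (neutral): spoofed mail is not penalised")
    elif last == "~all":
        findings.append("SPF '~all' (softfail): spoofed mail is marked, not rejected")
    elif last != "-all":
        findings.append("SPF has no terminating 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): receivers return permerror")
    return findings


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record; empty means enforcing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append("DMARC has no valid 'p' policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit 'p' when 'sp' is absent
    if sub_policy != "reject":
        findings.append(f"DMARC subdomain policy is '{sub_policy}': subdomains can be spoofed")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to spot abuse")
    return findings


def assess_domain(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'enforcing' is True only when neither has findings."""
    spf_findings = assess_spf(spf)
    dmarc_findings = assess_dmarc(dmarc)
    return {"spf": spf_findings, "dmarc": dmarc_findings,
            "enforcing": not spf_findings and not dmarc_findings}


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = assess_domain(recs["spf"], recs["dmarc"])
        print(domain, "ENFORCING" if result["enforcing"] else "WEAK")
        for area in ("spf", "dmarc"):
            for finding in result[area]:
                print("   ", finding)
```

Run against the samples, `weak.example` is reported as monitoring-only on both counts while `hardened.example` passes. Moving a domain from `p=none` to `p=reject` should be done after reviewing the `rua` aggregate reports, so that legitimate third-party senders are added to SPF before enforcement starts rejecting their mail.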
Supply Chain Attacks: Your Vendor Is the Backdoor
The attack on a third-party vendor portal linked to ICICI Bank was a wake-up call for the entire banking sector. The Bashe ransomware group did not attack the bank directly — they targeted a vendor with weaker security and used that access to harvest credentials.
I see this pattern everywhere. Companies spend crores on their own security perimeter and then give admin-level VPN access to a vendor running Windows Server 2012 with no endpoint detection.
When I do vendor risk assessments, I ask three simple questions:
- Does the vendor have an incident response plan? (Most do not.)
- When was their last penetration test? (If the answer is "never" or "I will check," you have a problem.)
- What personal data of yours do they hold, and where? (They usually cannot answer this clearly.)
Under the DPDP Rules, you — as the Data Fiduciary — are responsible for your vendor's data handling. Section 8 of the Act makes this explicit. If your processor causes a breach, the Board comes knocking on your door first.
What You Need to Do
- Maintain a live vendor risk register — not a spreadsheet from 2023, a current assessment of every vendor with access to your data or network
- Require SOC 2 Type II or ISO 27001 certification from critical vendors. No certification? Conduct your own assessment
- Implement network segmentation — vendor access should never touch your production environment
- Add breach notification clauses in every vendor contract. They must notify you within 24 hours of detecting an incident. The DPDP timeline leaves no room for delays
Ransomware in 2026: Double Extortion Is the Baseline
The ransomware playbook has evolved. Groups like Bashe, RansomHub, and their constantly rebranding successors now treat double extortion as standard operating procedure. They encrypt your data AND exfiltrate it. Pay the ransom to decrypt, or they leak sensitive data publicly.
For Indian companies, this creates a nightmare scenario under the DPDP Act. If ransomware operators exfiltrate personal data and leak it, you now have a data breach that requires mandatory notification to the Data Protection Board and affected individuals. The regulatory penalty comes on top of the operational damage.
I worked with a healthcare provider in Delhi after a ransomware attack last year. Patient records, financial data, and administrative files were all compromised. The IT team had backups — but the backups were on a network-attached drive that the ransomware had encrypted too. No air-gapped backup. No tested recovery plan. Recovery took 11 days.
Practical Ransomware Defences
- Air-gapped or immutable backups. Test your restore process quarterly — an untested backup is not a backup
- Endpoint Detection and Response (EDR) on every machine, including servers. Traditional antivirus cannot detect modern ransomware behaviour
- Disable Remote Desktop Protocol (RDP) exposure to the internet. If you need remote access, use a VPN with multi-factor authentication
- Segment your network so that a compromise in one department cannot spread laterally to your entire infrastructure
- Patch management — seriously. Most ransomware exploits vulnerabilities that have patches available for months. CERT-In advisories exist for a reason
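The EDR point above rests on behaviour, not signatures: a process that renames hundreds of documents to one new extension in seconds and drops a note alongside them looks the same whatever the ransomware family is called this month. The script below is an added example written for this post, not code from the original article or any EDR product: it runs two such heuristics over constructed file-audit events. The log format, the process names, the five-file threshold and the one-minute window are all assumptions chosen for illustration; a real deployment would feed it events from the endpoint agent or Windows file auditing and tune the thresholds on its own baseline.

```python
"""Flag ransomware-like file activity in constructed file-audit events.

Added example, not from the original post. The event format is an
assumption: "<ISO timestamp> <pid> <process> <action> <path> [-> <newpath>]",
with paths containing no spaces. Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 5                 # assumed: distinct files re-extensioned per window
WINDOW = timedelta(seconds=60)      # assumed: sliding window for the burst rule
ALERT_SCORE = 3                     # mass-rename alone is enough; a note only corroborates
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover")

# Constructed sample: benign Office and build activity, a developer writing a
# README, then one process re-extensioning six finance files and dropping a note.
SAMPLE_LOG = r"""
2026-03-14T09:12:01 4120 winword.exe write C:\Users\priya\Documents\budget.docx
2026-03-14T09:12:30 4120 winword.exe write C:\Users\priya\Documents\notes.docx
2026-03-14T09:12:45 2210 code.exe write C:\Dev\app\README.txt
2026-03-14T09:12:50 3001 build.exe rename C:\Dev\app\main.tmp -> C:\Dev\app\main.o
2026-03-14T09:12:51 3001 build.exe rename C:\Dev\app\util.tmp -> C:\Dev\app\util.o
2026-03-14T09:13:02 7731 update_helper.exe rename C:\Finance\q1.xlsx -> C:\Finance\q1.xlsx.lck9
2026-03-14T09:13:02 7731 update_helper.exe rename C:\Finance\q2.xlsx -> C:\Finance\q2.xlsx.lck9
2026-03-14T09:13:03 7731 update_helper.exe rename C:\Finance\vendors.csv -> C:\Finance\vendors.csv.lck9
2026-03-14T09:13:03 7731 update_helper.exe rename C:\Finance\payroll.xlsx -> C:\Finance\payroll.xlsx.lck9
2026-03-14T09:13:04 7731 update_helper.exe rename C:\Finance\invoices.pdf -> C:\Finance\invoices.pdf.lck9
2026-03-14T09:13:04 7731 update_helper.exe rename C:\Finance\board.pptx -> C:\Finance\board.pptx.lck9
2026-03-14T09:13:05 7731 update_helper.exe write C:\Finance\README_RESTORE_FILES.txt
"""


def _basename(path: str) -> str:
    """Last path component, accepting both '\\' and '/' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _ext(path: str) -> str:
    """Lowercased extension of the last path component, or '' if none."""
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event(line: str) -> dict:
    """Parse one audit line in the assumed format into a dict."""
    ts, pid, proc, action, rest = line.split(" ", 4)
    if action == "rename":
        src, dst = (p.strip() for p in rest.split("->", 1))
    else:
        src, dst = rest.strip(), None
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "action": action, "src": src, "dst": dst}


def extension_changed(ev: dict) -> bool:
    """True for a rename that gives the file a different extension."""
    return ev["action"] == "rename" and _ext(ev["src"]) != _ext(ev["dst"])


def detect(lines) -> dict:
    """Score each (pid, process) and return those at or above ALERT_SCORE."""
    events = [parse_event(l) for l in lines if l.strip()]
    score, reasons = defaultdict(int), defaultdict(list)

    # Rule 1: within WINDOW, one process renames >= BURST_THRESHOLD distinct
    # files and every new name carries the same new extension.
    per_proc = defaultdict(list)
    for ev in events:
        if extension_changed(ev):
            per_proc[(ev["pid"], ev["proc"])].append(ev)
    for key, evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            files = {e["src"] for e in window}
            new_exts = {_ext(e["dst"]) for e in window}
            if len(files) >= BURST_THRESHOLD and len(new_exts) == 1:
                score[key] += 3
                reasons[key].append(f"{len(files)} files renamed to .{new_exts.pop()} within {WINDOW.seconds}s")
                break

    # Rule 2: a ransom-note-looking text/HTML file is written. Noisy on its own
    # (developers write README.txt too), so it only corroborates rule 1.
    for ev in events:
        name = _basename(ev["src"]).lower()
        if ev["action"] in ("write", "create") and name.endswith((".txt", ".html", ".hta")) \
                and any(m in name for m in NOTE_MARKERS):
            key = (ev["pid"], ev["proc"])
            score[key] += 1
            reasons[key].append(f"note-like file written: {_basename(ev['src'])}")

    return {key: {"score": s, "reasons": reasons[key]}
            for key, s in score.items() if s >= ALERT_SCORE}


if __name__ == "__main__":
    for (pid, proc), info in detect(SAMPLE_LOG.strip().splitlines()).items():
        print(f"ALERT pid={pid} {proc} score={info['score']}")
        for r in info["reasons"]:
            print("   -", r)
```

On the sample, only `update_helper.exe` is reported: the build tool changes extensions too but on two files, and the developer's `README.txt` scores one point without the rename burst behind it. That separation is the point of the scoring: a single noisy indicator never pages anyone, while the combination that matters fires inside the first few seconds of encryption, which is the window in which isolating the host still limits the blast radius.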
Healthcare and Education: Soft Targets Getting Softer
Two Delhi hospitals — Sant Parmanand and NKS Super Speciality — had their servers hacked in mid-2025. Patient records, financial data, and administrative systems were all compromised. And these are just the incidents that made the news. I know of at least four other healthcare facilities that dealt with incidents quietly.
Hospitals run on legacy systems. Medical devices often cannot be patched. IT budgets are thin. Staff are not trained on security awareness. And the data they hold — health records, Aadhaar numbers, insurance details — is the most sensitive category under the DPDP Act.
Education is the same story. Ed-tech platforms handling children's data face strict obligations under Section 9 of the DPDP Act — verifiable parental consent, no behavioural tracking, no targeted advertising. A breach involving children's data carries penalties up to 200 crore rupees.
What CISOs and Business Owners Should Do This Quarter
If you are reading this and wondering where to start, here is my priority list for Q2 2026:
1. Run a tabletop exercise. Simulate a ransomware attack and a data breach. Walk through your response plan. Time it. See where it breaks. Most companies discover their plan does not work during the simulation — better than discovering it during a real incident.
2. Audit your vendor access. List every vendor with network access or data access. Check their security posture. Remove access that is no longer needed. This single step would have prevented several high-profile supply chain attacks.
3. Update your phishing training. Your team needs to see examples of AI-generated phishing. The old "hover over the link" advice is insufficient. Focus on process-based defences — verification callbacks, dual approval for payments, and healthy suspicion of urgency.
4. Check your breach response timeline. The DPDP Rules prescribe notification timelines. Can you detect a breach, assess it, and notify the Board and affected individuals within that window? If your SIEM takes 48 hours to flag anomalies, you have a problem.
5. Get a baseline security assessment. You cannot protect what you cannot see. A proper assessment covers your network architecture, access controls, endpoint security, backup strategy, and incident response readiness. We offer a free compliance assessment that covers the security safeguards required under the DPDP Act — it takes 10 minutes and gives you a clear starting point.
The threat landscape is not going back to what it was. AI has permanently raised the bar for attackers. The only question is whether Indian businesses will raise their defences to match.