This guide is written for practical orientation. The correct legal response depends on the documents, transaction trail, police station, complaint stage, devices involved and the specific allegations.
Immediate priorities
- Isolate affected systems without wiping evidence
- Preserve ransom notes, wallet addresses and communication channels
- Capture logs, admin actions and network indicators
- Assess whether personal data, bank data or confidential information is impacted
- Coordinate legal, forensic, insurance and communication teams
Legal issues
- Cyber crime complaint and law-enforcement strategy
- CERT-In or sectoral reporting assessment
- DPDP and contractual notification assessment
- Vendor and cloud-provider evidence requests
- Customer and board communication without overstatement
Evidence to preserve
- Ransom note and demand messages
- Malware samples and indicators of compromise
- Network, firewall, VPN and endpoint logs
- Backup status and restoration records
- External leak-site screenshots and wallet addresses
Frequently asked questions
Should a company pay ransom?
Payment decisions involve legal, operational, sanctions, insurance and practical considerations. No general answer applies; a matter-specific assessment is required.
Can ransomware be reported to cyber police?
Yes, ransomware is a cyber extortion and unauthorised access matter that may require law-enforcement reporting depending on facts.
What if attackers threaten to leak data?
Preserve the threat evidence, assess impacted data, consider legal notices/reporting and prepare communication strategy.
Does restoring from backup end the legal issue?
No. Evidence, reporting, root-cause, customer impact, contract obligations and possible data exposure may still need legal review.