Exclusive: Indian brokerages hit by ransomware amid rising cybersecurity threats


The latest episode comes on the heels of a ransomware attack on Comtel’s data centre that impacted over 16 brokerages

The attacks on Indian brokerages are part of a growing global phenomenon.

In a grim reminder of the vulnerabilities facing the financial services sector, market sources have revealed to Fortune India that ransomware attacks have hit at least six leading equity brokerage firms over the past six to seven months, with the latest episode reported in December.


This revelation comes on the heels of a ransomware attack in the first week of December that targeted Comtel’s data centre, which left over 16 brokerages disconnected from critical trading operations.

While Fortune India has learned the identities of the affected brokerages, their official denial of the incidents has compelled this publication to withhold the names. Off the record, however, exchange officials confirmed the breaches, but publicly, they too have denied any such occurrences.

The gravity of the situation cannot be overstated. A confidential source from one of the impacted brokerages shared with Fortune India a photograph of a ransomware-infected terminal. The image revealed a ransom note displayed in a Notepad window, demanding ₹60 crore to resolve the compromise. The message included contact details — a Telegram handle and an email ID — for further communication with the attackers.

“It was a nightmarish episode,” the source admitted. The brokerage was forced into a crisis mode, activating emergency communication lines with exchanges, the Securities and Exchange Board of India, and even the finance ministry. The stakes were high, with fears of a payout crisis looming large.


The attacks on Indian brokerages are part of a growing global phenomenon. According to research conducted by the Research Wing of CyberPeace, ransomware groups orchestrated 5,233 claims across 153 countries in 2024 alone, using underground networks and encrypted communication platforms. India witnessed a sharp 55% surge in ransomware incidents, with 98 recorded attacks in 2024, primarily targeting the industrial sector (75%), healthcare (12%), and finance (10%). Notable peaks in activity were observed in May and October.

In fact, the arrest of Telegram’s founder and CEO sparked global debates, as the messaging platform has increasingly been linked to cybercrime activities such as ransomware negotiations, malware distribution, and the sale of stolen credentials. Experts argue that platforms like Telegram must be held accountable for their role in enabling such illicit activities.


Incidentally, this ransomware attack coincides with the Cybersecurity and Cyber Resilience Framework (CSCRF), which officially came into effect from January 1 for six categories of Sebi-regulated entities (REs) that were already subject to previous cybersecurity guidelines: stock brokers, depository participants, mutual funds and asset management companies, KYC registration agencies, qualified registrars to an issue and share transfer agents, and portfolio managers. For other regulated entities, the framework will take effect on April 1, 2025, covering entities such as alternative investment funds, bankers to an issue and self-certified syndicate banks, clearing corporations, collective investment schemes, credit rating agencies, and custodians.

The CSCRF adopts a comprehensive five-pillar approach, focusing on anticipating cyber threats, ensuring operational continuity even during attacks, containing the spread and impact of breaches, swiftly recovering affected systems, and continuously evolving defences to stay ahead of emerging risks. Besides, all the entities are mandated to establish or onboard Security Operations Centres (SOCs) for real-time threat monitoring and response, with smaller entities permitted to utilise SOCs established by major exchanges such as the NSE and BSE. The regulated entities have to report all cyber incidents through Sebi's online portal, while also implementing standardised incident response plans and cyber crisis management plans to handle such events effectively.
