India tops APAC ransomware target list as cyberattacks surge 165% in Q1 2026: Cyble

Manufacturing, IT, BFSI and critical infrastructure firms emerge as prime targets as ransomware groups intensify attacks across Asia-Pacific

India has emerged as the most targeted country for ransomware attacks in the Asia-Pacific region in the first quarter of 2026, underscoring the growing cyber risk confronting the country’s rapidly digitising economy.

According to Cyble’s Asia and Pacific Threat Landscape Report for Q1 2026, India recorded 45 ransomware incidents during the January-March quarter, marking a sharp 165 per cent jump over the same period last year and a 55 per cent increase sequentially. The report tracked a total of 277 major cyber incidents across APAC during the quarter, including ransomware attacks, data breaches, compromised access sales, vulnerability exploitation and hacktivist activity.

The findings point to a significant escalation in organised cybercrime targeting businesses, government-linked entities and critical infrastructure operators across the region, with attackers increasingly exploiting digital transformation gaps and enterprise vulnerabilities.

Manufacturing, IT and BFSI under sustained attack

Cyble said manufacturing and IT & IT-enabled services emerged as the most heavily targeted sectors across APAC, while Indian entities in healthcare, banking and financial services (BFSI), automotive and professional services also witnessed sustained attack activity.

The report highlighted the rise of “spray-and-pray” ransomware campaigns in India, where cybercriminal groups simultaneously target multiple industries to maximise operational disruption and financial gains. Threat actors linked to ransomware groups such as The Gentleman, Sinobi, Vect, Tengu and CL0P were found actively targeting Indian organisations during the quarter.

Across APAC, Cyble Research and Intelligence Labs (CRIL) observed 238 ransomware incidents in Q1 2026, with The Gentleman group alone accounting for nearly 24 per cent of all attacks. Qilin and INC Ransom also remained among the most active ransomware operators in the region.

“India’s sharp rise in ransomware activity reflects how threat actors are aggressively targeting digitally expanding economies and critical business sectors where operational disruption can generate maximum financial and strategic impact,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble.

Underground access markets fuel cyber risks

Beyond ransomware, the report flagged growing activity in underground access marketplaces and data leak forums. CRIL observed 20 incidents involving the sale of unauthorised enterprise access during the quarter, with retail and professional services accounting for half of such cases.

Indian companies were repeatedly referenced in underground forums offering compromised credentials and leaked datasets. In one instance, threat actors allegedly advertised administrator-level database access linked to a billion-dollar Indian construction company, claiming possession of over 44 GB of sensitive data.

The report also pointed to an acceleration in the exploitation of critical software vulnerabilities affecting enterprise management systems, cloud-connected infrastructure and network appliances, including flaws linked to Ivanti, Cisco, Fortinet, Microsoft, Citrix and SolarWinds technologies.