
Ransomware on a laptop in India — what to do (and what not to)

LRW Engineer Team, 5 min read

Key takeaways

  • Do NOT pay the ransom — decryption keys are non-working in roughly 30% of cases.
  • Recovery rate without paying: 70–80% if you act fast and identify the strain correctly.
  • First step: isolate the laptop from Wi-Fi and other devices immediately.
  • Use ID Ransomware (free tool) to identify the exact strain before doing anything else.
  • Indian businesses handling personal data must report to the Data Protection Board under the DPDP Act 2023.

Your laptop is showing a ransom demand — what does that mean?

Short answer: Ransomware is malicious software that encrypts (scrambles) your files and demands payment in cryptocurrency to restore them. Recovery without paying is possible in 70–80% of cases if you act immediately: isolate the device, identify the exact ransomware strain, and check whether a free decryptor exists before spending anything. The most important step is also the easiest one — stop using the device and disconnect it from the internet right now.

How to respond to ransomware in India

Step 1: Isolate immediately — before anything else

The moment you see a ransom note or find files with unfamiliar extensions (.locked, .enc, .crypt, .WNCRY, and hundreds of others), disconnect the laptop from Wi-Fi and unplug any LAN cable. Switch off Bluetooth. If the laptop is on a shared network — home, office, or hostel — the same ransomware may be scanning for other devices to infect. Isolation stops the spread.

Do not shut the laptop down yet. Some ransomware strains leave a residual copy of the encryption key in RAM (random access memory, the laptop's short-term working memory) for a short window. A forensic tool can sometimes extract that key before shutdown. If you are close to a professional lab, leave the laptop running but offline and get there within an hour. If you cannot reach a lab quickly, shut it down: the risk of further encryption outweighs the key-in-RAM chance.

Step 2: Identify the ransomware strain

Upload a small encrypted file and the ransom note text to ID Ransomware (a free service by MalwareHunterTeam). It identifies the exact strain in seconds. This step matters because the recovery path is completely different depending on the variant. Older or poorly written strains — including several that have targeted Indian SMEs — have been cracked by security researchers. The No More Ransom project (backed by Europol and national cybercrime units) hosts free decryptors for over 150 strains. If your variant is on that list, you may recover everything for free without negotiation or payment.
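To gather what Step 2 asks for, the following Python script (an added example, not part of the original guide or of ID Ransomware) walks a folder without modifying anything, counts files carrying the extensions listed in Step 1, picks the smallest encrypted file as the upload sample, and flags likely ransom notes. The note heuristic (the same file name dropped in three or more folders), the `NOTE_EXTS` set and the function names are assumptions made for illustration; it is meant to be pointed at a copy or read-only mount of the affected folder.

```python
import math
import os
import sys
from collections import Counter, defaultdict

# Extensions named in the article; real strains use hundreds of others.
SUSPECT_EXTS = {".locked", ".enc", ".crypt", ".wncry"}
NOTE_EXTS = {".txt", ".html", ".hta"}   # assumption: common ransom-note formats


def entropy(path, limit=65536):
    """Shannon entropy (bits/byte) of the first `limit` bytes; near 8.0 suggests encryption."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def triage(root, min_note_dirs=3):
    """Read-only walk returning extension counts, an upload sample and note candidates."""
    by_ext = Counter()
    encrypted = []                      # (size, path) of files with a suspect extension
    note_dirs = defaultdict(set)        # lower-cased file name -> folders containing it
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(dirpath, name)
            if ext in SUSPECT_EXTS:
                try:
                    encrypted.append((os.path.getsize(full), full))
                    by_ext[ext] += 1
                except OSError:
                    continue            # unreadable entry: skip it, never modify
            elif ext in NOTE_EXTS:
                note_dirs[name.lower()].add(dirpath)
    # Heuristic (assumption): a note is the same file name repeated across many folders.
    notes = sorted(n for n, d in note_dirs.items() if len(d) >= min_note_dirs)
    sample = min((e for e in encrypted if e[0]), default=(0, None))[1]
    return {
        "by_ext": dict(by_ext),
        "sample": sample,               # smallest non-empty encrypted file
        "sample_entropy": round(entropy(sample), 2) if sample else None,
        "note_candidates": notes,
    }


if __name__ == "__main__" and len(sys.argv) > 1:
    print(triage(sys.argv[1]))
```

A sample entropy close to 8 bits per byte is consistent with real encryption; a much lower value suggests the file was only renamed or partially overwritten.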

Step 3: The India threat landscape — what strains are common

India is among the top five most-targeted countries globally for ransomware, with SMEs and manufacturing firms bearing the highest attack volume. Strains that have hit Indian businesses and individual users include LockBit (which accounted for a significant share of Indian enterprise incidents), STOP/Djvu (the most common strain on individual laptops in India, spread via cracked software downloads), and Dharma/Phobos (targeting small offices and accounting firms). STOP/Djvu is notable because free decryptors exist for many of its older variants — making early identification especially valuable.

The spread vector in India follows a clear pattern: pirated software, cracked activation tools (KMSAuto, KMSpico), and fake utility downloads from third-party sites. Modern Windows 11 installations on Intel 12th/13th-gen laptops and M-series MacBooks running macOS are significantly more resistant to these attack vectors — Secure Boot, TPM 2.0 (Trusted Platform Module — a hardware security chip), and Gatekeeper on macOS block many entry paths that older systems leave open.

Step 4: India-specific legal requirements — DPDP Act and cybercrime.gov.in

If the ransomware attacked a laptop used for business that held any customer personal data — names, phone numbers, email addresses, financial records — India's Digital Personal Data Protection (DPDP) Act 2023 requires you to notify the Data Protection Board of India of the breach. Failure to report carries financial penalties. Even for individuals, reporting to the National Cyber Crime Reporting Portal at cybercrime.gov.in or calling 1930 (the national cybercrime helpline) creates a formal incident record that may be necessary for insurance claims or police follow-up. Many Indian SME owners skip this step and then face complications when attempting to claim on a cyber insurance policy.

If you need professional data recovery assistance alongside the ransomware response, the intake process is the same — bring or courier the device, and we assess before any fee is committed.

When to call a professional (and what it costs in India)

When DIY ends

Stop trying to handle it yourself and call a professional if: the strain is not on the No More Ransom decryptor list; the ransom note mentions a time limit for key deletion (some attackers genuinely do delete keys after 72 hours); the laptop holds critical business data with no backup; or you are considering paying. Professional incident response firms have negotiation experience and know which attacker groups actually deliver keys versus which simply disappear after payment.

Typical cost in India

  • Ransomware removal (cleaning the malware, OS reinstall): ₹2,500–₹6,000.
  • Ransomware removal plus logical data recovery from non-encrypted backup copy: ₹5,000–₹15,000.
  • Full incident response with forensic analysis for a business: ₹25,000–₹80,000+ depending on scope.

The backup guide covers what to back up and how, so you are not in this position again.

A note from the LRW Engineer Team

The single best defence against ransomware is an offline backup — a drive physically disconnected from the laptop when not in use. A ransomware strain can only encrypt what it can reach. An offline backup on a USB drive sitting in a drawer cannot be encrypted. After every important project or at least weekly, plug it in, copy your work, unplug it. That habit costs nothing and eliminates the entire recovery problem.

Common questions

Ransomware data recovery — FAQ

The questions we get most often after a ransomware attack.

  • Should I pay the ransom to recover my files in India?
    No. Paying the ransom does not guarantee file recovery — attackers send a non-working decryption key in roughly 30% of cases. Payment also funds further attacks and may create legal risk under India’s DPDP Act if personal data was involved. First check the No More Ransom project (nomoreransom.org) — it has free decryptors for over 150 ransomware strains.
  • How do I identify which ransomware hit my laptop?
    Upload a small encrypted file and the ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) — it identifies the strain in seconds for free. Knowing the exact variant tells you whether a free decryptor exists and what the attacker’s typical negotiation pattern is.
  • Do I need to report ransomware to the police in India?
    Yes. Report to the National Cyber Crime Reporting Portal at cybercrime.gov.in or call 1930. For businesses that held customer personal data, India’s DPDP Act 2023 requires notifying the Data Protection Board of India if personal data was breached. Failure to report carries penalties.
  • Can ransomware-encrypted files be recovered without the decryption key?
    Sometimes. Older or poorly implemented ransomware strains have weaknesses that researchers have cracked — check nomoreransom.org first. For recent variants using strong AES-256 or RSA-2048 encryption, cryptographic recovery is not feasible. Focus then shifts to restoring from backups or working with a professional incident response firm.