Introduction
Cybercrime has transformed rapidly over the past decade, becoming more aggressive, complex, and transnational. Among the most damaging forms is ransomware, where attackers encrypt a victim’s data and demand a ransom—often in cryptocurrency—for its release. Other evolving techniques include phishing-as-a-service, deepfake fraud, botnets, cryptojacking, and AI-powered cyberattacks. These techniques are outpacing the ability of traditional legal frameworks to respond, making enforcement, prosecution, and victim protection increasingly difficult.
India and many other countries are now struggling to modernize outdated laws, harmonize international cooperation, and balance privacy rights with national security amid a rising tide of digital crime. As cybercriminals become more sophisticated and operate in the shadows of global infrastructure, legal systems are forced to rethink their definitions, procedures, and enforcement strategies.
1. Ransomware and Anonymous Payments Undermine Legal Enforcement
Ransomware has evolved into a billion-dollar criminal industry, often operating through Ransomware-as-a-Service (RaaS) models. Attackers use tools sold on the dark web, demand ransom in cryptocurrencies like Bitcoin or Monero, and vanish without a trace.
Legal challenges:
- Indian laws like the Information Technology Act, 2000, and Indian Penal Code (IPC) do not have specific provisions targeting ransomware
- Tracing cryptocurrency payments remains difficult due to lack of regulation or real-time monitoring tools
- Cross-border nature of ransomware gangs complicates jurisdictional enforcement
Example: In 2023, multiple hospitals and municipal bodies in India were targeted by ransomware attacks. Although FIRs were filed, tracing the perpetrators or recovering the ransom remains unresolved due to technical and legal gaps.
2. Legal Frameworks Are Often Reactive, Not Proactive
Most laws were designed to tackle conventional crimes like fraud, theft, or extortion. Emerging techniques such as polymorphic malware, AI-generated phishing, or fileless attacks are not clearly defined in Indian statutes.
Result:
- Investigating agencies often struggle to fit new cybercrimes into old legal categories
- Courts lack technical expertise to assess the complexity of such attacks
- Companies hesitate to report attacks due to fear of reputation loss and lack of effective legal remedy
3. Difficulty in Attribution Undermines Prosecution
New cybercrime methods are designed to obfuscate identity—ransomware uses decentralized C2 servers, phishing emails are routed through hijacked systems, and attacks are launched from botnets globally.
Legal implication:
- Without attribution, law enforcement cannot prosecute anyone
- Indian law requires a clear chain of evidence and digital trail, which attackers often erase
Example: Phishing scams operated from Southeast Asia targeting Indian banking customers often go unpunished due to jurisdictional hurdles and lack of extradition treaties.
4. Jurisdictional Complexities in Transnational Cybercrimes
Cybercriminals often operate from countries with weak laws or poor law enforcement cooperation. When the server is in one country, the criminal in another, and the victim in India, the current Indian legal system cannot handle such complexity without relying on Mutual Legal Assistance Treaties (MLATs).
Challenges:
- MLATs are slow and bureaucratic (taking months or years)
- Not all countries have treaties with India
- There is no single global cybercrime treaty (India is not a member of the Budapest Convention)
5. Data Protection and Privacy Laws Create Conflicts
The Digital Personal Data Protection Act (DPDPA), 2023 and global laws like the GDPR prioritize individual data rights. However, this creates tension when law enforcement needs access to encrypted or protected data during an investigation.
Conflicting interests:
- Companies are unsure whether to disclose user data to police without violating privacy laws
- End-to-end encrypted platforms like WhatsApp resist law enforcement data requests
- Cloud services hosting data abroad pose access problems due to foreign laws
6. Lack of Comprehensive Laws on New Cybercrime Models
India’s IT Act, 2000, was drafted at a time when ransomware, deepfakes, and phishing-as-a-service did not exist. It lacks specific provisions for:
- Deepfake crimes or impersonation using AI
- Cyber-extortion involving stolen intimate content
- Cryptojacking (hijacking computing power for cryptocurrency mining)
- Dark web marketplaces and virtual anonymity networks
Result:
- Police often rely on outdated IPC sections such as 420 (cheating) or 465 (forgery), which do not reflect the digital nature of the crime
- Judges face difficulty applying analog laws to digital offenses
7. Encryption and End-to-End Security Block Evidence Gathering
Modern cybercriminals use encryption, secure messaging apps, and anonymous hosting to evade detection. While these technologies improve personal privacy, they make it harder for investigators to gather evidence.
Example: A ransomware attacker may encrypt files and communicate with the victim through anonymous email and the Tor network. Law enforcement may be unable to intercept or decrypt the conversation without breaching legal limits on surveillance.
8. Legal Ambiguity in Paying Ransom
Most victims of ransomware quietly pay the ransom to regain their data. There is no clear legal guideline in India on whether:
- Paying ransom is lawful or punishable
- Companies must disclose ransomware attacks to authorities
- Insurance payouts on ransomware are valid
This legal ambiguity allows criminals to flourish, and victims to suffer quietly without seeking justice.
9. Lack of Training and Infrastructure in Law Enforcement
Law enforcement agencies often lack:
- Cyber forensic expertise
- Tools for cryptocurrency tracing
- Real-time access to digital service provider data
- Awareness of evolving threats like spear-phishing and AI-based scams
The judiciary also lacks technical familiarity with new-age cybercrimes, delaying case resolution.
10. Weak Cybersecurity Mandates for Businesses
Unlike Europe’s GDPR or the US’s HIPAA, India’s compliance laws on cybersecurity for private sector companies are weakly enforced. Many businesses lack strong data protection practices, making them easy targets.
The DPDPA 2023 does introduce accountability, but enforcement is still under development.
11. Delayed Legal Reforms and Absence of Cybercrime Codes
While discussions around updating the IT Act and introducing cybercrime-specific legislation have begun, the pace is slow. India still does not have a comprehensive Cybercrime Code that clearly defines modern offenses and penalties.
Need for Reform:
- Specific classification of emerging cybercrimes (e.g., AI-based fraud, ransomware, doxing)
- Faster reporting obligations and penalties for breach non-disclosure
- Legal empowerment for CERT-In to investigate and take pre-emptive action
- Data retention policies for tech platforms to aid investigations
Conclusion
Evolving cybercrime techniques like ransomware, phishing-as-a-service, deepfakes, and AI-driven attacks are challenging the relevance and effectiveness of current legal frameworks. Indian laws, though foundational, are insufficient to handle the complexity, anonymity, and scale of these threats. The criminal justice system must modernize its tools, laws, and procedures, and promote international collaboration, stronger business compliance, and investigator training.
The solution lies in:
- Enacting cybercrime-specific legislation
- Upgrading enforcement infrastructure and digital forensics
- Balancing privacy rights with national security through robust legal mechanisms
- Creating real-time international cooperation networks for faster attribution and response
Without proactive legal adaptation, the cybercriminal ecosystem will continue to grow faster than the rule of law can contain it.