Chartered Accountancy (CA) and consulting firms across India are facing a surge in ransomware attacks, with cybercriminals increasingly focusing on Network Attached Storage (NAS) devices, according to a recent advisory from the Indian Cyber Crime Coordination Centre (I4C). Threat actors are exploiting vulnerabilities in these storage systems to encrypt sensitive data, steal confidential information, and demand ransom payments under threat of public disclosure.

NAS Devices as Prime Targets

NAS devices serve as centralized storage systems for businesses, allowing multiple users to access critical files, including financial records, audit reports, tax filings, and client data. Cybersecurity analysts warn that compromising NAS systems can simultaneously lock both primary data and backups, leaving organizations with few recovery options and increasing pressure to pay ransom. Devices exposed to the internet, running outdated firmware, or secured with weak credentials are especially vulnerable.

How Attacks Unfold: Double Extortion Strategy

The advisory from I4C outlines a structured attack chain:

1. Reconnaissance: Automated scans identify internet-facing NAS management ports.
2. Exploitation: Hackers exploit unpatched software vulnerabilities, brute-force weak passwords, or bypass systems without multi-factor authentication.
3. Data Exfiltration: Sensitive client and financial data is stolen before encryption.
4. Ransomware Deployment: All storage volumes, including backups, are encrypted.
5. Double Extortion: Attackers demand ransom both to decrypt data and prevent public disclosure of stolen information.

This method has increasingly become a preferred tactic because it maximizes leverage over targeted organizations.

Consequences for Firms

Ransomware attacks can cause severe operational and financial disruptions:

• Loss of critical business records and client documentation
• Missed regulatory deadlines and disrupted services
• Reputation damage among clients and partners
• Exposure of personal and financial data leading to identity theft or fraud
• Costs for forensic investigations, legal consultations, and cybersecurity upgrades
• Mandatory breach reporting and regulatory scrutiny

Recommended Security Measures

I4C urges organizations to strengthen NAS security immediately:

• Limit internet exposure and restrict access to trusted IPs or secure internal networks
• Enable multi-factor authentication (MFA) for all accounts
• Update firmware and security patches promptly
• Change all default passwords and disable unused services or legacy protocols (FTP, Telnet, SMBv1)
• Maintain offline or air-gapped backups and consider immutable backup solutions
• Conduct regular restoration testing to ensure backup reliability
• Enable comprehensive logging and alerts for unusual activity and large-scale data transfers
• In case of an attack, isolate affected systems without powering them off to preserve forensic evidence

Incidents can be reported via the official portal at https://cybercrime.gov.in or through the national helpline 1930. Organizations are also advised to follow vendor advisories from manufacturers like QNAP and Synology for timely security updates.

The rise in ransomware targeting NAS systems highlights the urgent need for proactive cybersecurity measures, particularly for firms handling sensitive financial and client data.

Mumbai, March 3, 2026 – The Broadband India Forum (BIF), a leading telecom industry association, has urged the Department of Telecommunications (DoT) to revisit the recently implemented cybersecurity amendment rules and SIM-binding directive. Industry experts warn that the regulations, which are set to take effect from March 1, may introduce legal ambiguities and operational challenges that could extend beyond the scope of the Telecommunications Act, 2023, and impose additional obligations on digital platforms.

Understanding the SIM-Binding Directive

The SIM-binding rule requires messaging applications, including popular platforms like WhatsApp and Signal, to operate only when the registered SIM card is physically active in the device. While the government positions this measure as a step to enhance cybersecurity, BIF and other stakeholders argue that it could disrupt the operational model of digital communication services and affect user convenience.

Expanding Regulatory Scope

A legal assessment obtained by BIF highlights that the directive introduces a new classification called Telecommunication Identifier User Entities (TIUEs). This category may cover businesses that use mobile numbers, IP addresses, or device identifiers for user authentication or service delivery, potentially extending to sectors such as banking, fintech, and online communications.

Legal and Compliance Concerns

Industry representatives caution that applying telecom-like regulations to digital platform providers may be legally contentious. Licensed telecom operators have specific rights and obligations under the Telecommunications Act, whereas application service providers traditionally operate outside this framework. BIF stresses that merely using a phone number within an app does not equate to providing telecom services.

The forum also highlighted that inconsistent rules across sectors could increase administrative costs and complicate compliance for digital businesses. Experts warn that unclear regulations may stifle innovation and create legal uncertainty for technology companies operating in India’s expanding digital ecosystem.

Operational Implications for Digital Platforms

Under the new rules, TIUEs must block fraudulent identifiers as directed by authorities, adhere to data protection standards, participate in Mobile Number Verification systems, and cooperate with law enforcement. Industry experts note that implementing these obligations will require detailed technical guidance and operational clarity to avoid disruption.

Analysts emphasize that India’s rapidly growing internet user base makes it a critical market for global technology services. They advocate for comprehensive stakeholder consultation to assess the practical impact of the policy before it is enforced.

Balancing Cybersecurity and Innovation

In its memorandum to the DoT, BIF emphasized the need for transparent rule-making that maintains legal stability while fostering innovation. The association called for collaboration between the government, technology experts, and industry stakeholders to develop an effective anti-fraud framework that safeguards users without undermining business confidence.

Awaiting Government Response

As of now, the DoT has not issued an official response to BIF’s appeal. The industry is closely monitoring whether the government will initiate a review or amendment of the new cybersecurity framework. Observers note that this policy could represent a significant regulatory shift as India’s digital economy continues to grow.

New Delhi: The Unique Identification Authority of India (UIDAI) has unveiled a new Aadhaar App designed to reduce reliance on photocopies, OTPs, and outdated mobile numbers, while giving users greater control over how their personal information is shared. The move comes amid growing concerns about identity fraud, data misuse, and the vulnerabilities associated with sharing Aadhaar details across services like hotel check-ins, SIM card issuance, and office verification.

Offline Verification: A Key Feature

The standout feature of the new Aadhaar App is offline verification, which enables identity authentication without exposing Aadhaar numbers, biometric data, or requiring an internet connection.

The app offers two offline verification options:

1. Share ID: Users generate a password-protected Aadhaar file and choose which details to disclose—such as name or age—depending on the requirement.
2. QR Code Verification: Institutions display a QR code that can be scanned via the app for instant verification without sharing physical documents.

Officials say these features will reduce the risk of data leaks and make verification more accessible in areas with poor network connectivity.

Mobile Number and Address Updates Made Easy

The app allows users to update mobile numbers and addresses from home, resolving a common problem where OTP-based authentication fails due to outdated contact details. After Aadhaar-based login, users can enter the new information in the “Update Aadhaar Details” section, complete the verification process, pay a nominal fee, and see the updated records reflected in Aadhaar.

This feature is particularly helpful for users whose Aadhaar is linked to inactive mobile numbers, often causing disruption in banking, government services, and welfare schemes.

One Device, Multiple Profiles

The app now supports multi-profile management, allowing a single device to host up to five Aadhaar profiles. This feature enables families to manage Aadhaar details for children, elderly members, or dependents efficiently.

Additionally, the Aadhaar Contact Card lets users securely share pre-defined limited information, further reducing unnecessary exposure of sensitive data.

Greater Control Over Digital Identity

By discouraging photocopy sharing, promoting offline verification, and enabling controlled data disclosure, UIDAI aims to make Aadhaar usage safer, simpler, and more user-centric.

The authority has indicated that additional features will be added to enhance convenience, streamline Aadhaar-related services, and strengthen trust in digital identity verification.

As Aadhaar becomes central to everyday transactions, the new app is expected to play a crucial role in balancing privacy, security, and usability.