Indonesia won't pay $8M ransom in data center attack that disrupted major public services

Targeting a national data center, the attack brought down major public services, including airport immigration. Data migration efforts are ongoing.
Written by Eileen Yu, Senior Contributing Editor

The Indonesian government says it will not give in to ransom demands following a security breach over the past week that disrupted major public services -- including immigration -- causing backlogs at its international airport in Jakarta.

The ransomware attack targeted a national data center, impacting more than 200 institutions across the country -- including local states and several key public services -- since June 20. Some of these were restored this week, such as visa and residence permit services, immigration checkpoint services, and passport services.

Indonesia's National Cyber and Crypto Agency (BSSN) has since revealed that the breach was the result of the ransomware Brain Cipher, the latest LockBit 3.0 variant, according to a report on Monday by government-owned news agency Antara. Investigation efforts into the attack are ongoing, said BSSN's head lieutenant-general Hinsa Siburian.

Meanwhile, Minister of Communication and Informatics Budi Arie Setiadi said the government would not be forking out a cent for the $8 million ransom demand. He noted that the attack had targeted a secondary data center site located in Surabaya, the capital city of the East Java province. 

The ministry's director-general of applications and informatics Semuel Abrijani Pangerapan said his team was able to isolate data stored in the affected systems. Data migration efforts are also ongoing to restore public services impacted by the breach. Pangerapan added that the government is looking into recovery and mitigation efforts to prevent a wider impact.

Telkom Indonesia, which is working with the government to investigate the security incident, is trying to break the data encryption, said the local telco group's director of network & IT solutions, Herlan Wijanarko. He did not provide further details on what this entailed, Antara reported.

Various cybersecurity vendors have chimed in on the security breach, stressing the need for constant monitoring and systems recovery.

"This incident highlights the critical importance of continuous monitoring and real-time threat detection to mitigate the impact of such sophisticated attacks," Nigel Ng, Asia-Pacific Japan SVP for Tenable, said in a statement. "LockBit's repeated involvement in high-profile attacks across the globe demonstrates the evolving threat landscape that we all must be prepared for."

Kelvin Lim, senior director of security engineering at Synopsys Software Integrity Group, added that threat actors leveraging LockBit often encrypt victims' data and demand payment in exchange for not leaking the compromised data.

Noting that ransom demands are two-fold, Lim said: "One [payment] for the decryption of their data and another to stop the leakage of their private data. LockBit threat actors occasionally also deploy a third extortion approach, distributed denial-of-service (DDoS), which target victims' computers and increase the pressure to pay the ransom."

Rather than comply, victims of ransomware attacks should instead focus their resources on recovery and improving their cybersecurity posture against future attacks, he said.
