Indonesia’s National Data Center Hit by Cyber Attack

Indonesia’s national data center has fallen victim to a significant cyber attack, with hackers demanding an $8 million ransom to restore full system functionality.

The attack, which began last Thursday, has disrupted services for over 200 government agencies at both national and regional levels, according to Samuel Abrijani Pangerapan, the Director General of Informatics Applications with the Communications and Informatics Ministry.

While some government services, such as immigration at airports, have been restored, efforts continue to bring other services, including investment licensing, back online, Pangerapan stated on Monday.

The attackers have also held data hostage, demanding an $8 million ransom for access. However, the Indonesian government has refused to pay.

In a statement on Monday, Communication and Informatics Minister Budi Arie Setiadi confirmed the government’s stance against paying the ransom. “We have tried our best to carry out recovery while the National Cyber and Crypto Agency is currently carrying out forensics,” Setiadi said.

Pratama Persadha, Chairman of Indonesia’s Cybersecurity Research Institute, noted that this is the most severe ransomware attack on Indonesian government agencies and companies since 2017. “The disruption to the national data center and the days-long recovery process indicates an extraordinary ransomware attack,” Persadha said. “It highlights that our cyber infrastructure and server systems were not being properly managed.”

LockBit Detected in Indonesia Data Center Cyber Attack

Indonesia’s PT Telkom is collaborating with authorities domestically and internationally to investigate the breach and attempt to decrypt the data. The National Cyber and Crypto Agency has detected samples of the LockBit 3.0 ransomware, though this does not definitively implicate the LockBit gang.

Kelvin Lim, Senior Director at the Synopsys Software Integrity Group, explained that multiple threat actors use the leaked LockBit 3.0 builder, making it difficult to attribute the attack to a single group. “Threat actors using LockBit often employ a double-extortion strategy, encrypting data and demanding payment to prevent the release of stolen information,” Lim said.

LockBit was among the most prolific hacker groups until police shut down its extortion site in February. The group appeared to resurrect the site three months later, continuing to engage in PR and damage control efforts.

“If this was the LockBit ransomware group, the attack could be an attempt to demonstrate their strength and maintain the confidence of their affiliates,” noted Suzan Sakarya, Senior Manager of EMEIA Security Strategy at the cybersecurity firm Jamf. She praised Indonesia’s decision not to pay the ransom. “Ransom payments fund future criminal activities. If the attackers fail to secure a payment, their attack ultimately fails,” Sakarya added.

Critical Infrastructure Under Attack

This incident is not the first cyber attack on Indonesia’s national infrastructure. The national data center was previously attacked by ransomware in 2022, though public services were not affected. In 2021, the ministry’s COVID-19 app was hacked, exposing the personal data and health status of 1.3 million people.

“Ransomware attacks can be devastating, impacting critical government functions and causing widespread problems for citizens,” said Thomas Richards, Principal Consultant at the Synopsys Software Integrity Group. “LockBit is a well-known cybercriminal organization targeting large businesses and governments. The new variant of their malware may complicate incident response efforts if the ransom is not paid.”

Anne Cutler, Cybersecurity Expert at Keeper Security, emphasized the importance of protecting critical infrastructure from cyber attacks. “Protecting critical infrastructure from cyber attacks is as crucial as defending it from physical threats, as the consequences can be equally disastrous,” Cutler told EM360Tech. “This recent attack on Indonesia’s national data center underscores this reality. The attack not only potentially compromised sensitive government data but also threatened national security. The disruption of airport operations highlighted the immediate and significant impact cyber attacks on critical infrastructure can have on Indonesians,” Cutler added.