Ransomware attackers wielding a LockBit variant dubbed Brain Cipher have disrupted a temporary national data center facility which supports the operations of 200+ Indonesian government agencies and public services.
The attackers are asking for a $8 million ransom, which the Indonesian government is determined not to pay, according to The Jakarta Post.
“As of today, Monday 24 June 2024, since 07:00 Western Standard Time, the affected Immigration Services have been operating normally. These include Visa and Stay Permit Services, Immigration Checkpoint Services (TPI), Passport Services, Visa on Arrival (VOA) on boarding Services, and Immigration Document Management Services,” the Indonesian Ministry of Communication and Information (KomInfo) has announced on Monday.
The Jakarta Post says that the Ministry of Investment, the Coordinating Ministry for Maritime and Investment Affairs and the city of Kediri in East Java “have had their access to the databases restored and have resumed public services.”
About the attack
Indonesia is working on creating four national data centers to support digital government efforts.
In the meantime, two temporary national data centers – one in Jakarta and the other one in Surabaya – have been stood up. According to CNBC Indonesia, the attack occurred at the latter one.
The official announcement says that the attack started on June 17, 2024, with an attempt to deactivate Windows Defender protection.
But the bulk of the attack happened on June 20, when Windows Defender was successfuly deactivated, malicious files were installed, important file systems were deleted, and running services – including those related to data storage – were disabled.
The National Cyber and Crypto Agency (BSSN), the Communications Ministry, the cyber crime department of the Indonesian National Police (Cyber Crime Polri) and Telkom Indonesia with the help of two IT companies (Telkom Sigma and Lintasarta) are investigating the breach.
LockBit gang comeback?
Infamous ransomware-as-a-service group LockBit has previously hit Bank Syariah Indonesia, which didn’t pay the ransom and has had its stolen data leaked online.
It is unclear whether this latest attack can be linked to the LockBit RaaS or one of its affiliates, since the LockBit 3 builder has been leaked in September 2022 and can therefore be used by any threat actor to create customized versions on the ransomware.
The LockBit gang has its infrastructure disrupted in February 2024 and has feigned a return a few days after by publishing announcements of old incidents. Last month, its leader has been unmasked by the US Justice Deparment.
More recently, the gang has claimed to have breached a number of enterprises and the US Federal Reserve, and has threatened to leak 33 terabytes of sensitive banking information on Tuesday (i.e., today) if ransom negotiations are unsuccessful. The US Fed has not officially commented the claims.
The group did not provide any evidence of a successful breach, and has previously claimed other breaches and threatened data leaks that did not eventuate.