Cyber Crime Group Provides Ransomware Decryptor to Indonesian National Data Center for Free, Asks for Donations

The cyber crime group that locked up an Indonesian national data center last month, impacting hundreds of government services, has opted to provide the ransomware decryptor for free. This was accompanied by an apology, but also a donation link exhorting the Indonesian government and public to show gratitude for their supposed generosity.

“Brain Cipher” is a relatively new group that uses its own version of the LockBit 3.0 ransomware build, derived from a builder that was leaked by a former LockBit developer in 2023. The group had been trying to extort a payment of $8 million from the country before its sudden outburst of charity.

National data center coming back online slowly

Indonesia has four national data centers that operate at the country’s highest security level and are meant to be the backbone of national government operations. The hackers attacked a temporary data center that is in use while a new facility with the highest security level is still under construction, deploying ransomware and causing a broad range of damage. The most immediate impact was felt by travelers and applicants for immigrant status, as airport systems went offline. But the attack has had more far-reaching effects, which were expected to take weeks or months to resolve, across everything from education to business permitting.

On July 4, the Ministry of Communications and Informatics (Kominfo) confirmed that it had received a ransomware decryptor from Brain Cipher and had used it to successfully recover six sets of data from the impacted national data center. However, officials cautioned that they had not yet confirmed that the decryptor was able to unlock the full range of impacted systems and data. It is still possible that it could take weeks for the 230 government agencies that were impacted to see their functions fully restored, even if the ransomware decryptor works as advertised.

Brain Cipher handed over the ransomware decryptor on July 3, but with a dark web post outlining some apparent terms and conditions. The group cautioned that Kominfo could only use the decryptor to recover its data, and that if the agency sought outside help it would respond by publicly dumping the stolen data. It also said this is the “first and last” time it will provide a free ransomware decryptor to victims and went on to boast of its generosity, encouraging donations of crypto as a show of appreciation.

There is no clear reason as to why the gang forked over the ransomware decryptor, as Kominfo has not mentioned any prior communication between the two groups. It is possible that after a firm refusal of payment, the hackers saw this as a way to boost their profile while also avoiding the sort of international law enforcement backlash that has felled bigger groups in recent years.

Indonesia’s Political, Legal and Security Coordinating Minister Marshal (Purn) Hadi Tjahjanto issued a statement on July 1 indicating that the national data center was breached due to an employee sharing their password, and that this person could expect to be targeted for legal action. The incident led to immediate tightening of national security protocols, including the monitoring of all government employees using the impacted temporary national data center (PDN) system. Backup systems for government data were also expanded. Kominfo’s Director-General of Informatics Applications, Semuel Abrijani Pangerapan, also resigned from his post as a result of the national data center attack.

Ransomware decryptor process could take some time as government cybersecurity culture upgrades

The incident has shaken up the national approach to cybersecurity, which has endured criticism for being overly lax for some time. The country has seen cyber attacks rise at a pace of about 30 million per year in recent years, most of these phishing or attempts to obtain login credentials. Some in government have criticized the placement of political appointees with no IT experience into key roles as a factor, along with a generally outdated conception of how damaging data theft can be. The country has also struggled with making adequate backups of data, as government agencies are not required to do so and must implement plans independently.

Brain Cipher has only been in operation since June, and the national data center attack was its first big score. The group is likely looking to make a name for itself with the ransomware decryptor giveaway as some of the bigger players in the ransomware-as-a-service game, LockBit themselves included, have been targeted by major law enforcement raids and have seen clients start to drift away. Not much is known about the group as of yet, but it does otherwise seem to be taking a hardline policy with victims in refusing to allow them to bring in police or third-party negotiators.