Hackers have encrypted systems at Indonesia’s national data center with ransomware, disrupting immigration checks at airports and a variety of other public services, according to the country’s communications ministry.

In a statement on Monday, the ministry said the systems of the Temporary National Data Center (PDNS) were infected with Brain Cipher, a new variant of the notorious LockBit 3.0 ransomware.

Minister of Communication Budi Arie Setiadi told the state news agency Antara that hackers have demanded $8 million in ransom in exchange for decrypting the data and emphasized that the government would not pay or comply with the demands. 

The attack affected the national data center branch located in Surabaya, Arie Setiadi said —  not the other location in the capital, Jakarta. 

The breach has the potential to expose data belonging to state institutions and local governments.

The cyberattack began last Thursday and has affected services like visa and residence permit processing passport services and immigration document management systems, according to the head of the country’s national cyber agency, Hinsa Siburian.

People had to wait in long lines at immigration desks at airports, according to Antara. As of Monday, most of the affected immigration services have been restored and important data has reportedly been migrated to the cloud.

The attack also affected the platform used for online enrollment to schools and universities, forcing the regional government to extend the registration period, local media reported. In total, the ransomware reportedly disrupted at least 210 local services.

According to Siburian, the hackers likely deactivated the center’s Windows Defender security feature, allowing them to get into the system unnoticed. Then, they “infected the targeted systems with malware, deleted important files, and deactivated running services.”

While the investigation into the attack is still ongoing, the country’s authorities said they have “isolated” the infected areas. The artifacts they can use to analyze the attack are limited because systems were encrypted, Siburian said.

The communications ministry did not respond to a request for comment.

LockBit’s return

Although the hackers used LockBit ransomware, it is possible that a different group could be behind the hack. A number of threat actors use the leaked LockBit 3.0 builder and claim it as their own, said Will Thomas, an instructor at the SANS Institute. For example, he said, the operators of SEXi ransomware have used the builder and recently targeted a data center in Chile.

LockBit was one of the most prolific ransomware operations before the police shut down its extortion site in February. Just three months later, the cybercriminals appeared to have resurrected it. 

The group has not listed the Indonesian government on its leak site, according to cybersecurity analyst Dominic Alvieri. “There’s usually a delay in listing due to negotiations. Entities in India and Indonesia are notorious for not paying, so I doubt they did,” Alvieri told Recorded Future News.

This is not the first time Indonesia’s data center has popped up as a target of hackers. In 2023, the group ThreatSec claimed to breach the center’s systems, purportedly stealing sensitive data, including criminal records.

Another major data breach in Indonesia affecting the country’s largest Islamic bank, BSI, was attributed to LockBit. Last May, the hackers reportedly stole the personal information of more than 15 million BSI customers and employees.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.