Ransomware has hit some of Indonesia's most important institutions, from a state-owned bank to the national data centre. The lessons are valuable, but only if we are honest about the facts. In several of these cases the attackers made dramatic claims that the victims never confirmed, and in two the victims denied a breach entirely. Separating what is confirmed from what is alleged is the first discipline of good incident analysis, so that is how this article is written.
The five cases that defined the threat
Each case below sets out what is confirmed versus what is only claimed, the likely root cause, and the control that would have changed the outcome.
The first three are well documented. Bank Syariah Indonesia suffered a multi-day outage of mobile, ATM, and branch services in May 2023, which the bank initially described as maintenance. LockBit claimed responsibility and said it had taken 1.5 terabytes covering around 15 million people, a figure the bank never confirmed. The most damaging detail is not the claim but the days of downtime for a major bank.
The national data centre incident in June 2024 is the clearest case. Brain Cipher ransomware, built on a leaked LockBit toolkit, disrupted around 210 government services including immigration and airport checks. The national cyber agency confirmed that only about 2 percent of the data had been backed up, which turned a containable incident into a national outage.
Bank Indonesia disclosed a Conti infection in January 2022. The central bank said about 16 computers at one branch were affected with no core data lost, while researchers reported a much wider spread. The gap between the two accounts is itself a lesson in how breach scope gets contested.
The last two are cautionary. The railway operator KAI was listed by the Stormous group in January 2024, which claimed credentials and demanded a ransom; KAI said it found no evidence of a leak from its systems. Bank Rakyat Indonesia was named by another group in December 2024, but the bank, the cyber agency, and the ministry all denied any breach. A listing on a leak site is not proof of a compromise.
The common entry points
Across these cases and ransomware generally, the same handful of doors keep getting used.
Phishing remains the classic delivery method, as reported in the Bank Indonesia case. Stolen credentials used against an exposed VPN or remote desktop are now just as common, which is the entry point the attacker claimed for KAI. Unpatched internet-facing systems and weak or disabled endpoint protection complete the picture. At the national data centre, attackers reportedly disabled Windows Defender before deploying the ransomware, which points straight to an endpoint protection and monitoring gap.
Breaking the attack chain
Ransomware does not happen in a single moment. It moves through stages, and defenders can break the chain at any one of them. You do not need a perfect defence. You need to stop the attacker before encryption.
Two stages deserve special attention for Indonesian organisations. Lateral movement is what turned single-host intrusions into estate-wide disasters, as when an infection spread from one bank branch to many cities. Network segmentation and least privilege contain that spread. And the final stage, encryption, only forces a ransom decision if you cannot restore. Immutable, offline, regularly tested backups are the single most important control, as the national data centre learned the hard way.
What they could have done
The controls that would have prevented or contained these incidents are not exotic. Phishing-resistant multi-factor authentication on email, VPN, and administrator accounts would have closed the most common entry points. Endpoint detection and response with tamper protection, watched by a round-the-clock monitoring team, would have caught the disabling of security tools. Timely patching reduces the exposed surface. Network segmentation stops the spread. And immutable offline backups remove the attacker's leverage entirely.
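The "security tools disabled before deployment" signal from the national data centre case above and the EDR-plus-monitoring control in this section can be turned into a concrete detection rule. The following is an added example written for this article, not code from Alpha Code or from any of the victims; the log format, hostnames, user names and malware name are constructed, while the event IDs are the ones Microsoft Defender Antivirus writes to its Operational log (5001, 5010, 5012 protection disabled, 5013 tamper protection blocked a change, 1116 malware detected).

```python
import re
from datetime import datetime, timedelta

# Microsoft Defender Antivirus Operational-log event IDs (documented by Microsoft):
# 5001 real-time protection disabled, 5010 antispyware scanning disabled,
# 5012 antivirus scanning disabled, 5013 tamper protection blocked a change,
# 1116 malware detected. Any of the first three on a server is worth a SOC alert on its own.
PROTECTION_DISABLED = {5001, 5010, 5012}
TAMPER_BLOCKED = 5013
MALWARE_DETECTED = 1116

# Constructed sample log (not from any real incident). One event per line:
# <ISO time> <host> <user> EventID=<id> <message>
SAMPLE_LOG = """\
2024-06-20T01:02:10 DC-APP-07 svc_deploy EventID=5007 Configuration changed
2024-06-20T01:03:41 DC-APP-07 svc_deploy EventID=5001 Real-time protection is disabled
2024-06-20T01:03:42 DC-APP-07 svc_deploy EventID=5010 Antispyware scanning is disabled
2024-06-20T01:03:42 DC-APP-07 svc_deploy EventID=5012 Antivirus scanning is disabled
2024-06-20T01:09:55 DC-APP-07 svc_deploy EventID=1116 Malware detected Ransom:Win32/ConstructedSample
2024-06-20T02:15:00 DC-APP-12 it.ops EventID=5013 Tamper protection blocked a change
2024-06-20T09:30:00 WS-FIN-03 alice EventID=1116 Malware detected Trojan:Win32/ConstructedSample
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) EventID=(\d+) (.*)$")

def parse(log):
    """Yield (timestamp, host, user, event_id, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4]), m[5]

def detect(log, window=timedelta(minutes=30)):
    """Return (severity, host, detail) alerts. HIGH when protection is disabled,
    MEDIUM when tamper protection blocks a change, CRITICAL when malware is seen
    on a host within `window` of its protection being disabled (the ransomware
    deployment pattern). A lone detection on a still-protected host is not alerted."""
    disabled_at = {}
    alerts = []
    for ts, host, user, eid, msg in parse(log):
        if eid in PROTECTION_DISABLED and host not in disabled_at:
            disabled_at[host] = ts  # first disable event per host; later ones are not re-alerted
            alerts.append(("HIGH", host, f"protection disabled by {user} (event {eid})"))
        elif eid == TAMPER_BLOCKED:
            alerts.append(("MEDIUM", host, f"tamper attempt blocked (user {user})"))
        elif eid == MALWARE_DETECTED and host in disabled_at and ts - disabled_at[host] <= window:
            alerts.append(("CRITICAL", host, f"malware after protection disabled: {msg}"))
    return alerts

if __name__ == "__main__":
    for severity, host, detail in detect(SAMPLE_LOG):
        print(f"{severity:8} {host:10} {detail}")
```

In a real deployment the parser would read the Defender Operational channel via the SIEM rather than a text file, and the HIGH alert should page a human even when no malware follows, since that is the moment tamper protection and response still have leverage.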
The pattern across every case is that the expensive part was never the ransom itself. It was the downtime, the lost trust, and the scramble to recover without backups. Prevention is far cheaper than any of those.
At Alpha Code, we help Indonesian organisations build the layered defences that turn a potential headline into a contained incident. That means a 24/7 SOC that catches attacker behaviour before encryption, and a tested incident response plan for when prevention is not enough. If you are not sure your backups would survive a ransomware attack, that is the conversation to start.
References
- Bank Syariah Indonesia outage and LockBit claim: BankInfoSecurity, The Jakarta Post (May 2023)
- PDNS Brain Cipher incident and BSSN confirmation: The Record, Tirto.id (June 2024)
- Bank Indonesia Conti disclosure: Kompas.com, CNBC Indonesia, VOI.id (January 2022)
- KAI listing by Stormous and KAI denial: Jakarta Globe, VOI.id (January 2024)
- BRI denial of Bashe claim: Jakarta Globe, Tempo.co, Komdigi statement (December 2024)