Ransomware response in Indonesia: what to do in the first 72 hours
In short
Step-by-step ransomware response for Indonesian companies: isolate, assess, recover, and meet UU PDP and BSSN reporting obligations within the legal deadline.
When ransomware encrypts your systems, every minute has a cost. Companies without a written response plan take on average two to three times longer to recover than those that have one. In Indonesia, the pressure is layered: alongside halted operations, UU PDP reporting obligations start running from the moment the incident becomes known.
This page explains what to do in the first 72 hours, when and to whom you are required to report, and how to decide whether an incident response retainer fits your organisation.
The first 72 hours that decide recovery
Ransomware response is not about heroics; it is about executing the right sequence of actions. The most common mistakes are acting too quickly, before the scope of the encryption is understood, or hesitating to investigate while encryption is still running.
1. 0-2 hours: Isolate. Disconnect infected systems from other network segments, disable Wi-Fi and VPN on affected devices, do not power off servers before the forensics team secures volatile memory, and disconnect backup systems from the production network.
2. 2-6 hours: Assess. Identify the ransomware variant from encrypted file extensions or the ransom note, verify that backups are isolated and untouched by encryption, and determine the initial entry point from available logs.
3. 6-24 hours: Strategic decision. With a clearer picture of scope, decide on a recovery path: restore from clean backup, negotiate with legal counsel, or a combination. Activate your business continuity plan for critical operations.
4. 24-72 hours: Structured recovery. Rebuild from clean, verified images rather than simply decrypting files. Patch the exploited entry vector before systems come back online. Monitor for lateral movement for the following 30 days.
Reporting obligations in Indonesia
Ransomware almost always involves data exfiltration before encryption, which means a personal data breach under UU PDP.
| Deadline | Obligation |
|---|---|
| Immediately on discovery | Internal incident documentation and response team activation |
| Within 14 days | Notification to BSSN regarding cyber incidents affecting personal data (UU PDP Article 46) |
| Concurrent with BSSN notification | Notification to affected data subjects if their specific data was exposed |
| On request | Full report to OJK for financial services entities, including operational impact and mitigation steps (POJK 11/2022) |
Failing to report within the deadline is not just a fine risk. Regulators assess preparedness based on the speed and quality of your response, not only on the incident itself.
The real cost of ransomware in Indonesia
The ransom figure often gets the attention, but it is usually not the largest cost.
Operational downtime
Average 21 days of full operational disruption. For a company with IDR 100 billion annual revenue, that is approximately IDR 5.8 billion in deferred or lost revenue.
System recovery
Forensics, rebuild, new software licensing, and security validation. Typically 20-40% of the ransom value, regardless of whether the ransom is paid.
Regulatory fines
UU PDP allows administrative sanctions up to 2% of annual revenue for violations involving personal data. For a mid-market company, this can exceed the ransom itself.
Reputational damage
Loss of client trust is hard to quantify, but industry surveys show 30-40% of business clients reconsider contracts after a public incident at a vendor.
Why to prepare before the incident
An incident response retainer is not insurance you hope never to use. It is a capability you pay to have ready when you need it.
| | Without a retainer | With an active retainer |
|---|---|---|
| Initial response time | 2-8 hours for external team onboarding | Under 1 hour, team already knows your environment |
| Cost certainty | Unpredictable, often surges when capacity is scarce | Locked in contract before the incident |
| Availability during a crisis | Not guaranteed, major incidents hit multiple companies simultaneously | Capacity already allocated to you |
| Knowledge of your environment | Team starts from scratch during the crisis | Tabletop exercises and documentation completed in advance |
| Regulatory readiness | Reporting templates created under pressure | UU PDP and OJK playbooks already prepared |
What Alpha Code incident response includes
Our Incident Response service covers 24/7 active response from our Jakarta Security Operations Center, digital forensics, regulatory communications with BSSN and OJK, and structured recovery with verification.
For companies that have not yet responded to a major incident, we also run tabletop exercises, simulated incidents that test your response plan before a real crisis, so your team knows exactly what to do and who to notify.
Frequently asked questions
The global average is around 21 days for full recovery, but companies without a tested response plan typically take two to three times longer. With an active incident response retainer and tested backups, many companies restore core operations within 3 to 5 days.