Threat landscape
What is ransomware and how do you recover from it?
In short
What ransomware is, how it gets into a network, whether to pay, and how Indonesian organisations detect, contain, and recover from an attack.
Staff arrive on a Monday morning, log in, and every screen shows the same thing: files renamed to gibberish, folders that will not open, and a plain text note explaining that the data has been encrypted and a payment is due. Nobody can reach the shared drive. The accounting system will not start. Somewhere over the weekend, while the office was empty, an attacker moved through the network and set off the encryption at the quietest possible moment. This is how most ransomware incidents announce themselves: not with a warning, but with work grinding to a halt.
What ransomware is
Ransomware is malware that takes your data hostage. In the classic form, it encrypts files across every machine and shared drive it can reach, then leaves a note demanding payment, usually in cryptocurrency, for the key that would unlock them. Until you have that key, or a clean backup, the data is unusable.
The threat has changed in recent years, and the change matters for how you defend against it. Most serious groups now run what is called double extortion. Before they encrypt anything, they quietly copy sensitive data out of the network. Then they make two threats at once: pay, or you do not get your files back, and pay, or we publish what we stole. This matters because a good backup solves the first problem but not the second. You can restore your systems and still face the prospect of customer records or contracts being leaked, which is why treating ransomware purely as a backup problem leaves half the risk unaddressed.
How ransomware gets into a network
Ransomware rarely breaks in through anything exotic. The entry points are the same ordinary weaknesses that let most intrusions happen, and the attacker only needs one of them to work.
| Common entry point | Why it works |
|---|---|
| Phishing email | Someone opens an attachment or clicks a link that runs the attacker's first payload |
| Exposed RDP or VPN | Remote access left reachable from the internet gives attackers a door to try passwords against |
| Unpatched internet-facing systems | A known flaw in a public-facing server or edge device is exploited before it is fixed |
| Stolen or reused credentials | Passwords bought from an earlier breach or reused across accounts let an attacker log in as a real user |
Getting in is only the start. Once inside, an attacker typically spends time moving from the first machine to more valuable ones, hunting for backups to destroy and for the accounts that control the whole network. The encryption you eventually see is the last step, not the first. That gap between the initial foothold and the final payload is exactly where an attack can be caught, if someone is watching.
- 01
Initial access
A phishing email, an exposed service, or a stolen password gives the attacker their first foothold on a single machine.
- 02
Spread and escalation
The attacker moves to other systems and takes over privileged accounts, mapping the network and looking for the crown jewels.
- 03
Backups and data targeted
Before encrypting, they find and delete backups and copy sensitive data out, setting up both leverage and the threat to leak.
- 04
Encryption and demand
Files are encrypted across the network, often at night or on a weekend, and a ransom note appears demanding payment.
Why it matters in Indonesia
Ransomware is not a distant problem for Indonesian organisations. In June 2024 a ransomware attack on a national data centre disrupted government services for days and became the clearest public example of how far the damage spreads when an attack is not detected early. Our explainer on what a SOC is covers that incident and what it revealed about detection gaps.
Most attacks here never reach the headlines, and that is part of the risk. The organisations that get hit are rarely singled out. They are reached through the ordinary entry points above, and the incident turns serious because nobody was watching the network closely enough to notice the attacker moving through it before the encryption ran. Many organisations operate with small security teams and no monitoring outside office hours, which is precisely why attackers strike at night and on weekends. The deciding factor is almost never whether ransomware could reach you. It is how quickly you would notice, and how ready you are to recover.
Detecting, containing, and recovering
Because ransomware moves through a network before it strikes, the most useful defence is noticing that movement early. Behaviour-based detection watches for the actions an attack takes, unusual logins, accounts being created, backups being deleted, files being encrypted at speed, rather than waiting for a known signature. Catching any of those steps buys time to act before the whole estate is locked.
When an attack is under way, the first priority is containment: isolate affected machines and cut the attacker's access so the encryption cannot spread further. Recovery then depends on preparation done long before the incident. Backups have to exist, be tested so you know they actually restore, and be kept offline or otherwise out of the attacker's reach, because deleting backups is one of the first things a capable group does. Rebuilding also means finding how the attacker got in and closing that route first, so a restored network does not simply get encrypted again a week later. Our guide to ransomware response in Indonesia walks through containment and recovery in more detail.
The ransom question sits inside all of this, and it deserves a clear head rather than a rule of thumb. Paying does not guarantee working decryption keys or the return of every file, it can mark an organisation as willing to pay and therefore worth targeting again, and depending on which group is behind the attack it can carry legal or sanctions risk. None of that is advice to pay or to refuse. It is the set of considerations that any organisation should weigh with law enforcement and legal counsel, not decide alone under the pressure of a countdown timer on a ransom note.
Where Alpha Code fits
Ransomware is decided in the time between the first foothold and the moment someone stops it. Alpha Code's incident response team helps organisations contain an active attack and recover in a controlled order, while SOC-as-a-Service provides the round-the-clock, behaviour-based monitoring that gives you a chance to catch an attack while it is still spreading rather than after everything is encrypted. The realistic goal is not a promise that ransomware will never reach you. It is being ready to see it early and recover without paying.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
Ransomware is malware that locks you out of your own data, usually by encrypting files across a network, and then demands payment for the key. Modern attacks often go further and steal a copy of the data first, so the attacker can threaten to leak it as well. The goal is the same either way: force the victim to pay.
Related
Solutions
From the blog
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.