Indonesia PDNS Brain Cipher (LockBit 3.0) ransomware (2024)
Brain Cipher, a LockBit 3.0-derived ransomware, encrypted Indonesia's Temporary National Data Center (PDNS), paralysing 282 government digital services from immigration to passport issuance for weeks. Attackers demanded $8M; the government refused. Brain Cipher subsequently released a decryptor free of charge, with an apology.
- Victim: Pusat Data Nasional Sementara (PDNS), Indonesia
On 20 June 2024, Brain Cipher — a ransomware variant derived from LockBit 3.0 — activated inside Indonesia's Temporary National Data Center (PDNS) in Surabaya. The encryption paralysed 282 government digital services, from immigration and passport issuance to local-government workflows. Brain Cipher demanded $8 million; the Indonesian government refused. Two weeks in, Brain Cipher posted a decryption key on its leak site free of charge, accompanied by a public apology.
What happened
PDNS is the Indonesian government's centralised compute and data infrastructure for digital services. When Brain Cipher's encryption fired, 282 services across multiple agencies went offline. Immigration desks reverted to manual processing; flight delays cascaded; routine government workflows ground to a halt. Within days, BSSN — Indonesia's national cyber agency — identified the malware as a LockBit 3.0 variant branded Brain Cipher.
Brain Cipher's behaviour is consistent with the LockBit lineage: it disables Windows Defender, deletes Volume Shadow Copies (the system-restore snapshots), and then encrypts. The ransom demand was $8 million (~Rp 131 billion); the Indonesian government refused and the President ordered an audit of national data-centre architecture.
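The pre-encryption sequence described above (Defender disabled, then Volume Shadow Copies deleted) can be detected by correlating process-creation events per host. The following is an added example, not taken from the source reports: host names, timestamps and events are constructed, and the command-line patterns are commonly documented tampering commands assumed for illustration, since the page does not list the exact commands Brain Cipher ran.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, ISO timestamp, command line).
SAMPLE_EVENTS = [
    ("app01", "2025-01-01T01:02:10", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("app01", "2025-01-01T01:04:55", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("db02",  "2025-01-01T03:00:00", "vssadmin.exe list shadows"),
    ("db02",  "2025-01-01T09:30:00", "wmic.exe shadowcopy delete"),
    ("web03", "2025-01-01T02:00:00", "sc.exe stop WinDefend"),
    ("web03", "2025-01-01T08:00:00", "vssadmin.exe delete shadows /for=C: /oldest"),
    ("hr05",  "2025-01-01T04:00:00", "vssadmin.exe list shadows"),
]

# Assumed patterns for the two behaviours named in the text.
RULES = {
    "defender_tamper": re.compile(
        r"set-mppreference\b.*-disable\w+\s+(\$true|1)\b"
        r"|\bsc(\.exe)?\s+(stop|config)\s+windefend", re.I),
    "shadow_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}

def classify(cmdline):
    """Return the names of all rules the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def correlate(events, window=timedelta(minutes=15)):
    """Return {host: severity}. 'critical' when Defender tampering is followed
    by shadow-copy deletion on the same host within `window`; 'high' for a
    host that shows either behaviour on its own."""
    last_tamper, verdict = {}, {}
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        for hit in classify(cmd):
            verdict.setdefault(host, "high")
            if hit == "defender_tamper":
                last_tamper[host] = when
            elif host in last_tamper and when - last_tamper[host] <= window:
                verdict[host] = "critical"
    return verdict

if __name__ == "__main__":
    for host, severity in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, severity)
```

Read-only use such as `vssadmin list shadows` is deliberately not flagged, and the 15-minute window is a tunable assumption rather than a value from the incident.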
The unusual ending came on 2 July 2024: Brain Cipher published a statement on its leak site providing a decryption key at no cost to the Indonesian government, along with an apology citing public-interest considerations. The motive was widely debated — public pressure, an internal LockBit-affiliate dispute, or a tactical retreat — but the result was practical: PDNS used the key as part of staged recovery.
Officials later acknowledged that strategic data from intelligence and military services had also been within the affected systems, marking the case as not just an operational disruption but a national-security incident.
Impact
- 282 government digital services offline.
- Immigration, passport issuance, and local-government workflows degraded.
- $8 million ransom demand refused.
- Brain Cipher subsequently released a decryptor free of charge.
- Strategic data from Indonesian intelligence and military bodies acknowledged as affected.
Why it matters
PDNS is the largest publicly documented national-data-centre ransomware incident to date. The case raised hard questions in Indonesia about concentration risk (so many services running on a single compute footprint), backups (PDNS had limited working backups), and supply-chain accountability for the contractors operating shared government infrastructure. The unusual decryptor-with-apology denouement also previewed a tension within LockBit-derived affiliates between profit motives and the diplomatic cost of attacking a national government.
Timeline
- Brain Cipher ransomware activates inside Indonesia's Temporary National Data Center (PDNS) in Surabaya. 282 government digital services — including immigration and passport issuance — go offline.
- BSSN (Indonesia's National Cyber and Crypto Agency) publicly identifies the ransomware as a variant of LockBit 3.0 branded 'Brain Cipher'. Ransom demand: $8M (~Rp 131B).
- Indonesian government publicly refuses to pay the ransom; the President orders an audit of national data architecture.
- Brain Cipher publishes a statement on its leak site providing a decryption key 'free of charge' along with an apology, citing public-interest considerations.
- PDNS services begin staged restoration. Officials acknowledge that strategic data from intelligence and military services was affected; full recovery extends across the following weeks.