Lanka Government Cloud ransomware attack
A ransomware attack on Sri Lanka's Lanka Government Cloud encrypted around 5,000 gov.lk email accounts — including the Cabinet Office — and, because backups were also encrypted, permanently destroyed roughly three months of government email.
- Victim: Lanka Government Cloud (ICTA Sri Lanka)
- Users: 5.0K
On 11 September 2023, Sri Lanka's Information and Communication Technology Agency (ICTA) confirmed that the Lanka Government Cloud (LGC) — the central platform hosting the state's official gov.lk email — had been hit by ransomware. Because the attack also encrypted the system's online backups, roughly three months of government email was permanently destroyed, including correspondence of the Cabinet Office.
What happened
Investigators traced the likely intrusion to around 26 August 2023, when a gov.lk user reported receiving suspicious links — consistent with a phishing-led compromise. The attackers encrypted the LGC mail servers, and the corruption then replicated to the online backup systems, defeating the agency's recovery plan.
The platform ran on Microsoft Exchange Server 2013, software that had reached end-of-support in April 2023 and was, in officials' words, obsolete and vulnerable. ICTA had planned to modernise the LGC as far back as 2021, but the upgrade was repeatedly delayed because of "budget constraints" and prior board decisions.
Impact
- Around 5,000 government email accounts on the gov.lk domain were affected, including the Cabinet Office, presidential officials, and the Ministries of Education and Health.
- All email from 17 May to 26 August 2023 was unrecoverable for affected accounts — destroyed because no offline backup existed for that window, attributed to unresolved "administrative problems."
- The core system itself was restored within roughly 12 hours, but the lost data could not be brought back.
Response
Sri Lanka's government stated it had no intention of negotiating or paying any ransom. ICTA head Mahesh Perera publicly described the data loss and the failed backups. Going forward, the agency committed to daily offline backups and an urgent upgrade to a supported email platform. The country's computer emergency response team, CERT|CC, opened an investigation into the incident.
Why it matters
The LGC attack is a textbook case of how a backup strategy that only exists online offers no protection against ransomware — the very replication meant to ensure resilience carried the encryption into the backups. Combined with an end-of-life Exchange server left unpatched for budgetary reasons, it exposed the fragility of a nation's core digital infrastructure. The incident accelerated Sri Lanka's move toward a dedicated cyber-security authority and a hardened, properly air-gapped backup regime for government systems.
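The failure mode described above (a replica that mirrors the live store copies the encryption too, while a retained write-once snapshot does not) as a small Python model. This is an added example, not code from the page or from ICTA; the mass-change-plus-entropy replication guard, the mailbox contents and the dates are constructed for the demonstration.

```python
import math
import random
from collections import Counter
from datetime import date, timedelta

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits near 8.0, mail text far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(store: dict, prev: dict, changed_frac=0.5, min_entropy=7.0) -> bool:
    """Replication guard (constructed heuristic): trip when most objects changed at once
    AND the new content looks like ciphertext, which is what ransomware produces."""
    changed = [k for k in store if k not in prev or store[k] != prev[k]]
    if not prev or not store or len(changed) / len(store) < changed_frac:
        return False
    return sum(entropy(store[k]) for k in changed) / len(changed) >= min_entropy

class SnapshotVault:
    """Write-once daily snapshots kept for `retention_days`; the live store can
    never overwrite an old snapshot, so yesterday's copy survives today's attack."""
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.snapshots: dict[date, dict] = {}

    def take(self, day: date, store: dict) -> bool:
        prev = self.snapshots[max(self.snapshots)] if self.snapshots else {}
        if looks_encrypted(store, prev):
            return False  # quarantined: the guard tripped and nothing was written
        self.snapshots[day] = dict(store)
        for old in [d for d in self.snapshots if day - d > self.retention]:
            del self.snapshots[old]
        return True

    def latest(self) -> dict:
        return self.snapshots[max(self.snapshots)]

def simulate():
    """Six clean days, then a constructed ransomware event on day seven."""
    rng = random.Random(2023)
    store = {f"user{i}@gov.example": f"mail body {i}".encode() for i in range(20)}
    vault, mirror, day = SnapshotVault(retention_days=7), {}, date(2023, 8, 20)
    for _ in range(6):
        vault.take(day, store)
        mirror = dict(store)  # online-only replica: blindly copies the live store
        day += timedelta(days=1)
    encrypted = {k: bytes(rng.getrandbits(8) for _ in range(1024)) for k in store}
    mirror = dict(encrypted)  # the mirror now holds only ciphertext: unrecoverable
    accepted = vault.take(day, encrypted)  # the vault refuses the sync
    return accepted, vault.latest() == store, all(entropy(v) >= 7.0 for v in mirror.values())

if __name__ == "__main__":
    print(simulate())  # (False, True, True)
```

The mirror ends up holding nothing but ciphertext, which is the LGC outcome; the vault rejects the suspicious sync and still holds the previous day's clean mail.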
Timeline
A gov.lk user reports suspicious links; investigators later treat this as the likely start of the intrusion.
Sri Lanka's ICT Agency (ICTA) confirms a ransomware attack on the Lanka Government Cloud.
Officials restore the LGC system within roughly 12 hours, but find online backups were also encrypted.
Data spanning 17 May to 26 August 2023 is declared permanently lost for affected accounts; the government decides not to pay any ransom.
ICTA pledges daily offline backups and an upgrade from the obsolete Microsoft Exchange 2013 platform; Sri Lanka CERT|CC opens an investigation.
Sources
- therecord.media: https://therecord.media/sri-lanka-loses-months-of-government-data-in-ransomware-attack
- theregister.com: https://www.theregister.com/2023/09/13/ransomware_attack_hits_sri_lanka/
- infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/ransomware-sri-lanka-government/
- sundaytimes.lk: https://www.sundaytimes.lk/230910/news/massive-ransomware-attack-on-state-email-domain-532126.html
- bankinfosecurity.asia: https://www.bankinfosecurity.asia/ransomware-attack-wipes-out-sri-lankan-government-emails-a-23075