
ICYMI, the Story:

On the 20th June, one of the two national datacenters in use by the Indonesian government was attacked, and ransomware deployed.

Normally that is a headline in itself, but the story gets worse when you dive into it. This datacenter, housing more than 200 government agencies, had very little in the way of backups. According to an official from Indonesia’s cyber security agency, approximately 98% of the government data stored in the datacenter had not been backed up. (Source: TomsHardware).

 

Regardless, the government took the stance that they would not pay for the decryption key and would instead proceed to manually work on decrypting & recovering the data, which I don’t doubt would be challenging, if at all possible, and the risk to the integrity of the encrypted data is a reality here.

In this scenario, the story supposedly has a happy ending, as the ransomware group behind this attack have allegedly apologised and offered a decryption key. Until the Indonesian government confirm all is restored, however, this situation might not be over anytime soon. (Source: TomsHardware)

Why the attack and reversal?

Now heavily into the world of speculation, there are many rumours and theories as to why the ransomware group has released the key, and even with statements from the group being released, speculation remains (ultimately, a criminal group should never be trusted!).

 

One of the common themes is that the attack was too high-profile, and the attention it will bring to the group might have made someone decide that releasing the key could be a good de-escalation strategy. Another theory is that by releasing the key and proving that the keys work, the ransomware group improve their credibility as a group that can be trusted to return your data after you pay an extortion.

An interesting spin is that the ransomware group decided to release a donation link alongside their apology, again proving that the attacks by this group are mainly financially motivated, and the more that organisations continue to pay the ransom, the more likely these attacks are to continue.

 

Lessons Learned:

There are some lessons to be learned here.

Firstly, although, according to the original source of this story, the datacenter was a ‘temporary’ datacenter, this doesn’t negate the need for a solid data protection strategy, especially when the story alleges that there were sufficient data protection capabilities and capacity within the datacenter that were simply not utilised.

Secondly, a lack of backups means a lack of recovery testing, so it’s entirely possible that there isn’t a recent DR test for these applications and services. As part of the recovery efforts, it would pay huge dividends to the Indonesian government to document the recovery efforts and issues they encounter along the way, and plan to mitigate these for the next incident.

Finally, the victim in this scenario could in some ways be quite ‘lucky’. To elaborate, it sounds like the attackers took a copy of the data, and are offering to provide copies if the originals can’t be decrypted (don’t treat these as heroes yet, remember they still stole the data!). But what about a different scenario, such as fire/flood/other natural disaster? In these scenarios the data would be lost, permanently. Plans need to be drawn up to ensure that not only is there a backup, but also contingency plans to survive the loss of a location; off-site immutable backups, whether on WORM tape or immutable object storage, come to mind.

So, did the group actually steal/copy the data or just encrypt the source? If copied, then eek still! 😬

The gov’t was fortunate to have been able to decrypt their data without the assistance of the malicious group. I don’t think I’ve heard that happening before.

Thanks for sharing Michael!


According to the linked source, yes they did copy the data as well! Quoting the attacker & article:

“We will wait until the second party [the Indonesian government] has officially confirmed that the key works and the data has been restored.” It will then delete its copy of the data, after verifying that Indonesia’s data centers are accessible again.

I’m refusing to name the group as I don’t want to give them the publicity!


Oh gosh… Well, hopefully they’ve now backed it up!

I don’t blame you. Again, thanks for the share.


Thanks for sharing. Interesting story

 

