Disclosed officially only one month after the fact, with disclaimers of non-disruption: one expert sees this as complacency.

One month after the central bank of the Republic of Indonesia, Bank Indonesia (BI) was attacked by ransomware, the incident was finally disclosed on 20 Jan 2022, with the bank issuing disclaimers that the risk(s) from the attack had been mitigated and did not affect its public services.

The bank’s head of communications department, Erwin Haryono, had told local media of its comprehensive evaluation of the matter: “BI is aware of a ransomware hack last month. We are aware that we have been hit by a cyberattack. This is a crime, it is real, and we are exposed to it.”

The attackers had stolen what BI called “non-critical data” belonging to Indonesia employees, and then deployed their ransomware payloads on over a dozen systems on the bank’s network. Since then, the ransomware-as-a-service group Conti has claimed credit for the double-extortion attack.

Although the bank insisted that there were no disruptions of service, the fact they were hit, and data was exfiltrated, would likely have a negative impact on its customers’ confidence in the security of the institution, according to CK Chim, Field Chief Security Officer (APAC), Cybereason.  

“This recent attack is a learning lesson for other banks and institutions that it’s time to do more than the minimum. It’s time to tighten up and get the security practices right. Least privilege. Resilience. Planning for the worst. A detection mindset. Don’t just do more of the same: Presume infection will happen; get good at preventing it, finding it, recovering from it; and limiting the blast radius when it happens,” Chim said.

Chim also urged the public and private sectors to work together to protect the connected world, reverse the ransomware scourge and put ransomware attackers on notice that “their next cyberattack will likely be their last.”