Here are the tips and strategies that governments around the world can take away from the cyberattack and the recovery lags
On 26 June 2024, more than 230 Indonesian government agencies experienced the worst ransomware attacks of recent years, and immigration and airport services operations were disrupted for days.
The government relies on two major data centers — one in the capital city of Jakarta, and the other in Surabaya — to store data. The latter center was the one that suffered the cyberattack.
The questions lingering in the public’s mind are: why did the data center’s defenses not ward off the attack, and why did the agencies involved take so many days to resume operations? If they did not intend to pay the ransom, one would assume they had robust and resilient disaster recovery processes in place; since the resumption of services took more than a day, what were the overarching reasons?
Then, on 4 July 2024, the group claiming responsibility, Brain Cipher, issued a public statement on its website, promising to provide the decryption keys “for free”. The statement contained an apology: “We hope that our attack made it clear to you how important it is to finance the industry and recruit qualified specialists… Citizens of Indonesia, we apologize for the fact that it affected everyone.”
How resilient are government backups?
According to Nathan Hall, Vice President & GM (Asia Pacific & Japan), Pure Storage, Indonesia must prioritize making its cyber security infrastructure more resilient, and “implement robust data protection and recovery measures to rebuild public trust and ensure the security and economic stability of the nation.”
This, according to Hall, includes incorporating advanced data backup and recovery systems into its data centers that will enable them to restore business operations rapidly. Other baseline characteristics of a mission-critical disaster recovery system are:
- Having immutable data snapshots and rapid restore solutions to reduce recovery time from weeks to hours.
- Secure up-to-date offline backups to enable public agencies to restore systems independently, eliminate reliance on cybercriminals’ decryption keys and undermine the ransomware attacker’s business model.
- A paradigm shift (in the case of Indonesia) to focus on maintaining uninterrupted operations and protecting critical services as legacy data storage solutions are no longer adequate. Traditional tape or disk-based backups are generally optimized for backup purposes but are often not efficient for recovery, often resulting in lengthy restoration times and high failure rates.
- Advanced flash-based storage that offers recovery speeds of hundreds of terabytes per hour, restoring ransomware-immune backups typically within minutes or hours, at any scale.
- A focus around developing a comprehensive data protection strategy that both protects critical systems and restores them as quickly as possible.
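To make the first two points above concrete, here is an added illustration (not code from the article, from Pure Storage, or from any Indonesian agency) of what "immutable snapshots" and "restore without the attacker's keys" mean in practice. The Python below models a retention-locked snapshot store: a snapshot is a detached copy with a content digest, deletion is refused until the retention period has elapsed even for a fully privileged caller, and a restore is refused if the stored bytes no longer match their digest. The class and function names, the day-number clock, and the sample files are all constructed for the example; a plain overwrite stands in for encryption of the live data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One point-in-time copy. Frozen: the store never rewrites a snapshot in place."""
    snapshot_id: int
    taken_on_day: int      # constructed logical clock (day number), not wall-clock time
    files: dict            # path -> bytes, copied at capture time
    digest: str            # SHA-256 over sorted (path, content) pairs


def content_digest(files: dict) -> str:
    """Order-independent SHA-256 of a file set; used to detect storage-level tampering."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0" + files[path] + b"\0")
    return h.hexdigest()


class ImmutableSnapshotStore:
    """Retention-locked snapshot store: take/verify/restore, delete only after retention."""

    def __init__(self, retention_days: int):
        self.retention_days = retention_days
        self._snapshots: dict = {}
        self._next_id = 1

    def take(self, live_files: dict, today: int) -> int:
        frozen = {p: bytes(c) for p, c in live_files.items()}   # detach from live data
        snap = Snapshot(self._next_id, today, frozen, content_digest(frozen))
        self._snapshots[snap.snapshot_id] = snap
        self._next_id += 1
        return snap.snapshot_id

    def delete(self, snapshot_id: int, today: int) -> None:
        snap = self._snapshots[snapshot_id]
        if today < snap.taken_on_day + self.retention_days:
            # Even a caller with full admin rights is refused until the lock expires.
            raise PermissionError(f"snapshot {snapshot_id} is retention-locked")
        del self._snapshots[snapshot_id]

    def verify(self, snapshot_id: int) -> bool:
        snap = self._snapshots[snapshot_id]
        return content_digest(snap.files) == snap.digest

    def restore(self, snapshot_id: int) -> dict:
        if not self.verify(snapshot_id):
            raise ValueError(f"snapshot {snapshot_id} failed integrity check; refusing to restore")
        return {p: bytes(c) for p, c in self._snapshots[snapshot_id].files.items()}


def run_scenario() -> dict:
    """Constructed incident timeline; returns the outcomes so they can be checked."""
    store = ImmutableSnapshotStore(retention_days=30)
    live = {                      # constructed sample data, not real records
        "immigration/passports.db": b"record-1\nrecord-2\n",
        "immigration/config.yml": b"site: data-center-2\n",
    }
    original = dict(live)
    good_snapshot = store.take(live, today=0)

    # Day 10: live data becomes unreadable. A plain overwrite stands in for encryption;
    # the snapshot holds its own copy, so it is unaffected.
    for path in live:
        live[path] = b"<unreadable>"

    try:
        store.delete(good_snapshot, today=10)
        deleted_during_retention = True
    except PermissionError:
        deleted_during_retention = False

    restored = store.restore(good_snapshot)

    # Separately: a snapshot whose stored bytes were altered underneath the API
    # (e.g. storage-layer corruption) must fail verification and must not be restored.
    tampered_snapshot = store.take(original, today=11)
    store._snapshots[tampered_snapshot].files["immigration/config.yml"] = b"site: changed\n"
    tamper_detected = not store.verify(tampered_snapshot)
    try:
        store.restore(tampered_snapshot)
        tampered_restore_refused = False
    except ValueError:
        tampered_restore_refused = True

    # Day 31: retention has expired, so lifecycle deletion is now permitted by policy.
    store.delete(good_snapshot, today=31)

    return {
        "deleted_during_retention": deleted_during_retention,
        "restore_matches_original": restored == original,
        "tamper_detected": tamper_detected,
        "tampered_restore_refused": tampered_restore_refused,
        "snapshots_remaining": len(store._snapshots),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two properties that matter for the Indonesian case are visible in `run_scenario()`: the retention lock means an intruder who reaches the backup system cannot remove the recovery point, and the digest check means a restore is only attempted from a copy that is known to be intact. Real products implement these with WORM storage, separate credentials for the backup tier, and signed catalogs rather than an in-memory dict, but the contract a disaster recovery plan should test for is the same.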
“Formulating disaster recovery plans that encompass real-time data backups and, more importantly, the rapid recovery and restoration of data in public agencies can help Indonesia safeguard against future cyber threats and mitigate the disruptive impact of ransomware attacks on critical government services,” Hall said.
Despite the unanswered questions, the government of Indonesia is lauded for its decision to reject payment of the ransom despite having a non-resilient disaster recovery system. This leads to the question: should any corporate victim of ransomware have any reason to pay the cybercriminals? The answer, and the mantra to live by, is: Do Not Pay, because:
- Each ransomware payment has been known to fund up to 10 or more future cyberattacks, as one meta-analysis suggests.
- Prevention is better than payment since the latter in no way guarantees that the attackers will keep their word after receiving payment, or will not treat the victim organization as a weak target ripe for repeated attacks in future.
- Payment is illegal in some countries, and more governments will ban it in future, so taking the easy way out today is not a sustainable strategy for tomorrow.
- Paying ransoms renders defense teams vulnerable to complacency, which invites repeat (and likely more sophisticated) attacks. Reinfections are also a higher risk since the teams will not be motivated to reinvent their security processes to the level expected of them.
- Resisting payment also stress-tests a firm’s holistic defenses, which is a good thing for the longer term.
- Surveys suggest that paying ransoms doubles the overall cost of recovering from a ransomware attack, shifting the responsibility to investors/shareholders/insurance coverage, and raising doubts about a firm’s priorities and brand of ethics and accountability.
- Cyber insurance policies now reward the cyber diligent, and will consider firms with a history of paying ransoms unfavorably.