Indonesia National Data Center Attacked and Taken Down | Brain Cipher Ransomware

The National Cyber and Crypto Agency (BSSN) explained its efforts to repair the disruption at the Temporary National Data Center. One of them is coordinating directly with the Ministry of Communication and Information and with Telkom Sigma.

“As soon as the BSSN incident happened, we coordinated on June 20, the BSSN team in Ragunan, we went to Surabaya, to help friends from Kominfo and Telkom Sigma who manage the Temporary National Data Center,” explained the Head of BSSN, Hinsa Siburian, Monday (24/6/2024).

According to the findings, the incident that occurred on June 20, 2024 was a Brain Cipher ransomware attack. Based on the samples taken, this is the latest variant of the LockBit 3.0 ransomware.

He said the existing data was still encrypted. All parties are working to solve this problem.

“Currently BSSN and Kominfo and Cybercrime Polri and Telkom Sigma are still in the process of carrying out a thorough investigation into the forensic evidence obtained with all limited evidence or evidence. Because the condition of the evidence is encrypted. Because the attack encrypts data, among other things,” Hinsa said. “So this is also our job to solve.”

On that occasion, Hinsa said the disruption occurred at the Temporary Data Center. The temporary data center is in use because the National Data Center (PDN) is still under construction.

The PDNS site hit by the attack was in Surabaya; the other PDNS location is in Jakarta. Data-related services at PDNS are now gradually starting to recover.

“This Monday morning, this is the final report from immigration. The affected immigration services are operating normally. These include visa and residence permit services, immigration checkpoint services, passport services, visa on arrival services, visa on boarding, immigration document management services. This is already underway, although of course further evaluations will continue to be carried out later,” said Hinsa.

https://www.cnbcindonesia.com/tech/20240624141641-37-548835/pusat-data-nasional-diserang-sampai-down-ini-kondisi-sekarang


Brain Cipher Ransomware

Ransomware actors continue to sprout up left and right, and in this protection bulletin we’ll briefly discuss one that has recently emerged in the threat landscape and uses a LockBit variant. Dubbing themselves ‘Brain Cipher Ransomware’ per their ransom note ([randomID].README.txt), this group appears to perform double extortion – exfiltrating sensitive data and encrypting it. Victims are provided with an encryption ID to use on the group’s Onion website to get in touch.

At this time, their tactics, techniques, and procedures remain unclear, although they likely leverage known playbooks for initial access, including initial access brokers (IABs), phishing, exploiting vulnerabilities in public-facing applications, or compromising Remote Desktop Protocol (RDP) setups.

Symantec protects you from this threat, identified by the following:

Adaptive-based

  • ACM.Untrst-RLsass!g1

Behavior-based

  • SONAR.Ransom!gen82
  • SONAR.Ransomware!g38

File-based

  • Ransom.Lockbit!g6

Machine Learning-based

  • Heur.AdvML.B!200

Carbon Black-based

  • Associated malicious indicators are blocked and detected by existing policies within VMware Carbon Black products. The recommended policy at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from the VMware Carbon Black Cloud reputation service.

https://www.broadcom.com/support/security-center/protection-bulletin/brain-cipher-ransomware