- The Bashe Ransomware Group
- Bashe's Operational Tactics and Global Reach
- Targeted Sectors and Impact
- What sectors does Bashe ransomware primarily target?
- How does Bashe ransomware operate?
- What is the nature of Bashe's Data Leak Site (DLS)?
- Which countries have been affected by Bashe ransomware attacks?
- What is Bashe's connection to other malicious groups?
- What is BRI’s response to the reported ransomware attack?
- BRI's Response and Security Measures
Reports of a recent ransomware attack on Bank Rakyat Indonesia (BRI), one of Indonesia's largest banks, have surfaced. This attack, attributed to the Bashe ransomware group, follows a warning issued by cybersecurity firm Falcon Feeds on X. The incident highlights the growing trend of ransomware attacks on major organizations globally, in which attackers demand a ransom in exchange for not destroying data or disrupting access.
The Bashe Ransomware Group
Bashe, previously identified as APT73 or Eraleig, emerged in April 2024. Their tactics closely resemble those of LockBit, another prominent ransomware group, focusing on critical industries and employing data extortion via a Tor-based Data Leak Site (DLS). The group's DLS shares striking similarities with LockBit's, featuring sections such as "Contact Us," "How to Buy Bitcoin," "Web Security Bug Bounty," and "Mirror," suggesting a potential connection. This echoes LockBit's previous attack on a national data center in Surabaya.
Bashe's Operational Tactics and Global Reach
Cybersecurity firm Vectra classifies Bashe as an "Advanced Persistent Threat" (APT), a designation possibly aimed at enhancing credibility. Vectra's analysis reveals that Bashe operates through the Tor network, using infrastructure hosted in the Czech Republic and relying on AS9009, a network previously exploited by other malicious actors, including DarkAngels, Vice Society, TrickBot, Meduza Stealer, and Rimasuta. This infrastructure choice helps the group evade detection. Their attacks have impacted organizations across North America, the UK, France, Germany, India, and Australia, demonstrating a broad global reach targeting high-value data.
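For defenders, the AS9009 detail above can be turned into an egress hunt. The following is an added example, not part of the original article or Vectra's analysis: it matches destination addresses in firewall logs against a prefix-to-ASN table and lists which internal hosts contacted the watched ASN. The prefixes (RFC 5737 documentation ranges), the log format, and all function names are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
WATCHED_ASN = 9009  # the ASN the article ties to Bashe infrastructure

# Constructed prefix-to-ASN table using RFC 5737 documentation ranges.
# These are NOT real AS9009 announcements; load real ones from a BGP/ASN feed.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 9009,
    "198.51.100.0/25": 9009,
    "203.0.113.0/24": 64500,  # documentation ASN (RFC 5398), shows a non-match
}

# Constructed egress log: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-01-01T02:11:09Z 10.1.4.22 192.0.2.45 443
2024-01-01T02:11:40Z 10.1.4.22 203.0.113.9 443
2024-01-01T02:13:02Z 10.1.7.80 198.51.100.17 9001
2024-01-01T02:13:05Z 10.1.7.80 198.51.100.200 443
2024-01-01T02:14:00Z 10.1.7.80 not-an-ip 443
2024-01-01T02:15:31Z 10.1.4.22 192.0.2.45 443
"""

def build_table(prefix_to_asn):
    """Parse prefixes once, most specific first, so longest match wins."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)

def asn_for(ip, table):
    """Return the ASN of the most specific covering prefix, or None."""
    for net, asn in table:
        if ip.version == net.version and ip in net:
            return asn
    return None

def hunt(log_text, table, watched_asn=WATCHED_ASN):
    """Per internal source, count connections to watched-ASN destinations."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        try:
            _, src, dst, port = line.split()
            dst_ip, dport = ipaddress.ip_address(dst), int(port)
        except ValueError:
            continue  # wrong field count or malformed value: skip the line
        if asn_for(dst_ip, table) == watched_asn:
            hits[src][(dst, dport)] += 1
    return {src: dict(counts) for src, counts in hits.items()}

if __name__ == "__main__":
    for src, dsts in hunt(SAMPLE_LOG, build_table(PREFIX_TO_ASN)).items():
        print(src, dsts)
```

Because the article notes that several unrelated actors have used the same network, a match is a lead for further triage, not an attribution to Bashe.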
Targeted Sectors and Impact
Bashe prioritizes high-value sectors, including technology, business services, manufacturing, consumer services, finance, transportation, logistics, healthcare, and construction. At least 35 organizations have reportedly fallen victim to their attacks. This targeted approach maximizes the potential impact and leverage for ransom demands.
What sectors does Bashe ransomware primarily target?
Bashe ransomware prioritizes high-value sectors, including technology, business services, manufacturing, consumer services, finance, transportation, logistics, healthcare, and construction. Targeting these sectors maximizes the impact and leverage for ransom demands.
How does Bashe ransomware operate?
Bashe ransomware operates via the Tor network, using infrastructure hosted in the Czech Republic and relying on AS9009. Their tactics mirror those of LockBit, focusing on vital industries and leveraging data extortion through a Tor-based Data Leak Site (DLS).
What is the nature of Bashe's Data Leak Site (DLS)?
Bashe's DLS mirrors LockBit's, featuring sections like "Contact Us," "How to Buy Bitcoin," "Web Security Bug Bounty," and "Mirror," suggesting a possible connection to LockBit.
Which countries have been affected by Bashe ransomware attacks?
Bashe's attacks have impacted organizations in North America, the UK, France, Germany, India, and Australia, highlighting a global reach.
What is Bashe's connection to other malicious groups?
Bashe uses the AS9009 network, previously used by other malicious groups including DarkAngels, Vice Society, TrickBot, Meduza Stealer, and Rimasuta.
What is BRI’s response to the reported ransomware attack?
BRI issued a statement assuring customers that their data and funds remain safe and that all banking systems are operating normally. They emphasized the security of all banking transactions and their commitment to protecting customer information.
BRI's Response and Security Measures
Following the reports, BRI released a statement on X assuring customers that their data and funds remain secure and that all banking systems are functioning normally. They emphasized the continued secure operation of all banking transactions, including digital ones. BRI affirmed that its security systems undergo regular updates to mitigate potential threats and meet international standards, reiterating its commitment to safeguarding customer information through proactive measures.