One hundred and thirty-three compromised user credentials and 39 exposed items on the external attack surface: those are the figures ransomware tracking platform Ransomware.live attributed to the Nova group's claim against Badan Pangan Nasional (BPN), Indonesia's National Food Agency, logged on 29 May 2026. The agency manages commodity pricing, food supply coordination, safety standards, and nutrition policy for a country of 280 million people.
What Nova Claims It Has
Nova's leak post follows the group's standard double-extortion playbook. The group states it will supply a file-tree and data samples to the agency if BPN contacts its support channel — a pressure tactic designed to demonstrate the depth of access before negotiations begin. No ransom figure has been disclosed publicly, and the full scope of exfiltrated data has not been independently verified. The claim should be treated as an unverified threat-actor assertion until BPN or Indonesia's Badan Siber dan Sandi Negara (BSSN) issues an official response.
Monitoring data cited by Ransomware.live indicates infostealer activity — consistent with Nova's documented modus operandi of harvesting valid credentials prior to encryption. BPN's infrastructure included multiple mail servers but no major cloud or SaaS platforms, which limits some exposure pathways but also suggests on-premise systems that may carry older patch profiles.
Who Is Nova
Nova is a ransomware-as-a-service (RaaS) operation with roots in an earlier group called RALord, which began operating in March 2025. Towards the end of April 2025, the group renamed its leak site "Nova" — a rebrand that preserved the affiliate model while scaling recruitment. According to threat intelligence reporting by Xcitium Threat Labs, affiliates retain approximately 85 per cent of ransom payments, an arrangement that accelerates recruitment and explains the group's rapid expansion. Ransomware.live's tracker records 129 confirmed Nova victims across five continents as of late May 2026 — a figure drawn from the live tracker and not independently corroborated; Xcitium's January 2026 analysis cited over 86 victims at that time, indicating continued growth through the first half of this year.
Government entities are not incidental targets for Nova. The group's confirmed victim list includes Brazilian secretariat bodies, Argentina's Ministry of Health, and — separately — another Indonesian local government body, Pemerintah Kabupaten Bojonegoro. BPN is the second Indonesian public institution Nova has claimed.
Indonesia's Ransomware Pattern
The BPN claim arrives less than two years after the most damaging ransomware incident in Indonesian government history. In June 2024, the Brain Cipher group — operating a LockBit 3.0 variant — struck the Pusat Data Nasional Sementara (PDNS), the national temporary data centre. The attack disrupted over 200 government agencies, shutting down immigration processing at airports and prompting a US$8 million ransom demand that Jakarta refused to pay.
The structural problem has not abated. BSSN recorded 3.64 billion cyber anomalies against Indonesian entities in the first seven months of 2025 alone — a figure BSSN's deputy for cyber operations noted "nearly matches the total anomalies over the past five years." Malware-based attacks accounted for 83.68 per cent of that volume.
Why a Food Agency Is a High-Stakes Target
The concern here extends beyond data privacy. BPN is the operational nerve centre for Indonesia's food security apparatus: it monitors commodity prices, coordinates distribution, and feeds into government subsidy decisions. A disruption to its systems — even temporary — could delay pricing data that markets and regulators depend on. For a country where rice and cooking oil prices are politically sensitive, that is not a trivial risk.
Indonesia enacted BSSN Regulation No 1/2024 on cybersecurity incident management, but regulatory frameworks have consistently lagged behind operational cyber hygiene in government agencies. The PDNS breach exposed the absence of offsite backups; the BPN claim, if substantiated, points to credential management as the proximate failure point.
Defensive Posture
This article reports threat-actor claims for situational awareness only. No exploit methodology is reproduced here. Organisations in the Indonesian public sector should treat this incident as a prompt to audit externally exposed services, rotate credentials flagged by infostealer monitoring services, and validate that backup integrity does not depend on the same network segment as production systems. BSSN's incident-reporting channel remains the appropriate first contact for agencies that identify anomalous activity.
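The credential-rotation step above can be triaged by comparing each flagged account's latest capture date with its last password change. The sketch below is an added example, not part of the original article and not tooling from BSSN or Ransomware.live. The export schema, field names and the agency.example accounts are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data: schema, field names and accounts are assumptions.
FLAGGED = [  # rows from an infostealer-monitoring export
    {"username": "A.User@agency.example", "captured": "2026-04-01"},
    {"username": "a.user@agency.example", "captured": "2026-05-20"},
    {"username": "b.user@agency.example", "captured": "2026-05-02"},
    {"username": "c.user@agency.example", "captured": "2026-05-05"},
    {"username": "old.contractor@agency.example", "captured": "2026-03-15"},
    {"username": "ghost@agency.example", "captured": "2026-05-01"},
]
DIRECTORY = {  # account inventory: last password change and enabled state
    "a.user@agency.example": {"pwd_changed": "2026-05-10", "enabled": True},
    "b.user@agency.example": {"pwd_changed": "2026-05-02", "enabled": True},
    "c.user@agency.example": {"pwd_changed": "2026-05-12", "enabled": True},
    "old.contractor@agency.example": {"pwd_changed": "2025-11-30", "enabled": False},
}

def triage(flagged, directory):
    """Map each flagged account to the action its latest capture calls for."""
    latest = {}
    for row in flagged:
        user = row["username"].strip().lower()  # exports vary in letter case
        seen = date.fromisoformat(row["captured"])
        latest[user] = max(seen, latest.get(user, seen))
    actions = {}
    for user, seen in latest.items():
        acct = directory.get(user)
        if acct is None:
            actions[user] = "investigate"        # not in inventory: unmanaged or deleted
        elif not acct["enabled"]:
            actions[user] = "confirm-disabled"   # verify it stays disabled
        elif date.fromisoformat(acct["pwd_changed"]) <= seen:
            actions[user] = "rotate"             # same-day change counts as exposed
        else:
            actions[user] = "rotated-after-capture"
    return actions

if __name__ == "__main__":
    for user, action in sorted(triage(FLAGGED, DIRECTORY).items()):
        print(f"{action:22} {user}")
```

An account that changed its password after an earlier capture but was captured again later still lands in "rotate", which is why the comparison uses the latest capture per account.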