Key Takeaways
- A Thai government ministry was hit by Tengu ransomware in 2024, with attackers demanding $300,000
- Thailand ranks among ASEAN's most targeted nations for government-sector cyberattacks
- Thai government agencies collectively handle citizen data for 70 million people — a high-value target
- 67% of all ASEAN cyberattacks in the 2023-2024 period occurred in 2024 — with government institutions among the three most targeted sectors
- Thailand's PDPA (Personal Data Protection Act) has been in force since 2022, but government agency compliance implementation is inconsistent
The Facts
A ransomware group operating under the name Tengu compromised a Thai government ministry in 2024, encrypting internal systems and demanding $300,000 for decryption keys and data non-disclosure. The attack targeted ministry administrative systems including document management, financial records, and staff databases.
Tengu is a relatively new entrant to the ransomware landscape, less documented than Qilin, LockBit, or RansomHub, but the attack pattern follows the established double-extortion model: encrypt systems to cause operational disruption while exfiltrating data to leverage as a secondary threat.
Thailand's ranking among ASEAN's six most cyberattacked nations reflects the country's combination of high digitalisation in the Bangkok metropolitan area and government service infrastructure, alongside security controls that lag the attack sophistication of current threat actors. Positive Technologies' analysis placed government institutions alongside manufacturing and finance as the three most targeted sectors across ASEAN in 2023-2024.
The Thai government's PDPA has been in legal effect since June 2022, creating obligations for government agencies handling citizen data — but implementation of technical security controls consistent with the law's requirements has been uneven across different ministries and agencies.
Technical Deep-Dive
Government ministry networks typically present a distinctive attack surface: large numbers of employees with varying IT literacy, legacy systems deployed years before modern security controls were standard, and VPN or remote access infrastructure that expanded rapidly during the COVID-19 remote work period without proportional security hardening.
Thai government agencies have increasingly adopted cloud-based services — which introduces cloud misconfiguration risks alongside the legacy on-premises vulnerabilities. Publicly exposed administrative interfaces, weak authentication on remote access systems, and unpatched web applications are the common initial access vectors for ransomware groups targeting government organisations.
Detection of the Tengu intrusion — before the encryption payload was deployed — would have required network monitoring capable of flagging lateral movement, anomalous data access volumes, and connections to external command-and-control infrastructure. Most Thai government ministries do not operate 24/7 security operations centres capable of detecting these patterns in real time.
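The three signals named above can be expressed as simple rules over network flow records. The following is an added example, not code from the original article or from any agency's tooling; the flow-record layout, the 10.0.0.0/8 internal range, the thresholds and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed ministry address space
ADMIN_PORTS = {445, 3389, 5985}                # SMB, RDP, WinRM

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = (
    # one workstation touching six internal hosts over SMB
    [(100 + i, "10.1.1.20", f"10.1.2.{i}", 445, 4_000) for i in range(1, 7)]
    # the same workstation pushing 600 MB to a single external address
    + [(500, "10.1.1.20", "203.0.113.50", 443, 600_000_000)]
    # a second host calling out every 300 s with tiny payloads
    + [(i * 300, "10.1.1.30", "198.51.100.7", 443, 200) for i in range(8)]
    # ordinary traffic: irregular browsing and one file-server connection
    + [(t, "10.1.1.40", "192.0.2.10", 443, 1_000_000) for t in (0, 50, 900)]
    + [(10, "10.1.1.40", "10.1.2.1", 445, 9_000)]
)

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def detect(flows, fanout=5, exfil_bytes=500_000_000, min_beacons=6, max_jitter=0.1):
    """Return alerts for admin-port fan-out, outbound volume and periodic callbacks."""
    peers, out_bytes, times = defaultdict(set), defaultdict(int), defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if is_internal(dst):
            if port in ADMIN_PORTS:
                peers[src].add(dst)
        else:
            out_bytes[src] += nbytes
            times[(src, dst)].append(ts)
    alerts = [("lateral_movement", s, len(d)) for s, d in peers.items() if len(d) >= fanout]
    alerts += [("exfil_volume", s, b) for s, b in out_bytes.items() if b >= exfil_bytes]
    for (src, dst), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Regular intervals (low coefficient of variation) suggest automated check-ins
        if len(ts) >= min_beacons and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(("beaconing", src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Fixed thresholds like these generate noise on real networks; in practice each would be tuned against a per-host baseline and reviewed by an analyst.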
The ASEAN Perspective
Thailand's government cybersecurity investment has been increasing — the National Cybersecurity Agency (NCSA) established under the Cybersecurity Act BE 2562 provides a national coordination structure. However, implementation of practical security controls across the full breadth of Thailand's government infrastructure — spanning hundreds of agencies at national and provincial levels — is a multi-year programme that is still in progress.
The Tengu attack, alongside documented attacks on Thai hospitals and private sector organisations, sits within the broader ASEAN pattern where government institutions are being targeted with increasing frequency. The 344% year-on-year increase in government sector targeting documented by Qilin researchers alone illustrates the scale of escalation.
RECATOOLS Verdict
The $300,000 demand against a government ministry is notable not for its size — other groups demand far more — but for what it represents: the routine targeting of ASEAN government agencies by ransomware operators who have determined that these organisations are accessible, valuable, and operationally pressured enough to consider payment.
The response must be systematic investment in government security operations rather than event-by-event incident response.
Sources
- Positive Technologies ASEAN Cyberthreats 2023-2024
- CSIS Significant Cyber Incidents Timeline
- Thailand NCSA Cybersecurity Reports 2024
FAQ
What is Tengu ransomware? A ransomware group that targeted a Thai government ministry in 2024, demanding $300,000. A newer entrant operating the double-extortion model common among modern ransomware groups.
Did Thailand pay the ransom? The Thai government's ransom payment decision was not publicly disclosed.
What is Thailand's PDPA? Thailand's Personal Data Protection Act, in legal effect since June 2022, creating GDPR-style obligations for organisations handling Thai citizen personal data — including government agencies.
What is Thailand's NCSA? The National Cybersecurity Agency, established under the Cybersecurity Act BE 2562, responsible for national cybersecurity policy, standards, and incident coordination.
Why are government ministries targeted by ransomware? Operational criticality creates payment pressure, citizen data has high dark web value, and government IT security investment has historically lagged attack sophistication.