The PT Kalimantan Prima Persada data breach has been confirmed after the Medusa ransomware group claimed responsibility for a major cyberattack on the Indonesian mining company. According to the group’s leak site, attackers infiltrated PT Kalimantan Prima Persada (KPP) and exfiltrated large volumes of internal company data, demanding a $100,000 ransom to prevent its release.
The breach was first observed on November 7, 2025, and remains one of the most significant cyberattacks in Indonesia’s mining sector this year. Medusa listed KPP on its dark web portal, providing company details, ransom countdown timers, and payment options. The attackers threatened to delete or publicly release the data if their ransom is not paid before the timer expires.
Background on PT Kalimantan Prima Persada (KPP)
PT Kalimantan Prima Persada (KPP) is a subsidiary of PT Pamapersada Nusantara (PAMA), one of Asia’s leading mining and heavy equipment companies. KPP was founded to expand PAMA’s mining development and service capabilities, operating across South and East Kalimantan. The company focuses on coal mining operations, project management, and technology-driven resource extraction.
As part of the PT United Tractors group under the Astra International conglomerate, KPP employs more than 1,800 people and serves as a key partner in Indonesia’s coal supply chain. The company’s operations include exploration, production, and logistics management across multiple mining sites.
According to public sources, KPP manages extensive databases containing geological data, engineering blueprints, employee records, and financial systems that make it a high-value target for ransomware actors seeking to exploit industrial enterprises.
Details of the Breach
The Medusa ransomware group’s leak page for KPP lists a $100,000 ransom with options for victims to extend the payment deadline, delete all stolen data, or purchase the data outright. These features are part of Medusa’s standard extortion interface, which allows victims to interact directly with the group’s payment portal on the dark web.
The listing includes:
- Company name and logo
- Sector: Mining and Quarrying
- Headquarters: Jakarta, Indonesia
- Ransom amount: $100,000
- Time until data release: 26 days from publication
At the time of reporting, no public data samples have been released. However, the group’s previous operations suggest that stolen materials typically include business contracts, HR files, payroll records, financial statements, and confidential project documentation.
About the Medusa Ransomware Group
The Medusa ransomware group emerged in early 2023 and quickly became known for targeting government agencies, educational institutions, and major corporations worldwide. Medusa operates a professional leak portal where it publicly lists compromised companies along with ransom amounts and deadlines.
Unlike many other ransomware groups, Medusa maintains a structured pricing model. Victims can choose from three options displayed on the leak site: pay to extend the ransom deadline by 24 hours, pay to delete all data, or pay to download all data themselves. This “menu” system increases psychological pressure on victims while creating multiple revenue streams for the attackers.
The group’s attacks typically involve network intrusion via stolen credentials, exploitation of unpatched vulnerabilities, or malware-laced phishing campaigns. Once inside a system, Medusa actors escalate privileges, disable backups, and exfiltrate sensitive data before encrypting networks.
Potential Data Exposed
While Medusa has not yet published samples from the PT Kalimantan Prima Persada data breach, the attack’s nature suggests that several categories of sensitive information may have been compromised:
- Employee Data: Names, contact details, national ID numbers, tax documents, and payroll information.
- Financial Records: Invoices, contracts, payment reports, and internal budgeting documents.
- Operational Data: Mining site reports, production logs, and geological surveys.
- Corporate Documents: Board meeting files, legal correspondence, and project proposals.
- Technical Files: Engineering diagrams and infrastructure designs for mining operations.
The leak of such data could have serious consequences for KPP’s business partners, including parent company PAMA and its affiliates in Indonesia’s coal mining sector. Any exposure of proprietary engineering data or project details could damage the company’s competitiveness and reputation.
Timeline of the Attack
Medusa’s listing for PT Kalimantan Prima Persada was first recorded on November 7, 2025. The attackers provided a countdown timer set to expire in 26 days, after which the stolen data may be published or sold. The ransom amount, $100,000, is consistent with the group’s typical pricing for medium to large-scale enterprise victims in developing economies.
Security researchers monitoring Medusa’s dark web activity noted that the KPP listing uses the group’s most recent leak site design, which includes a clean user interface and verified payment routing through cryptocurrency wallets. This suggests the group continues to operate actively despite international law enforcement pressure.
Regional Context and Sector Impact
Indonesia’s mining sector has become a frequent target for ransomware and cyber espionage operations due to its strategic importance in the global energy market. Companies involved in coal extraction, oil, and gas frequently handle critical infrastructure data that can be leveraged for financial or political gain.
In recent years, threat groups including Medusa, LockBit, and BlackCat have expanded operations into Southeast Asia, exploiting weak endpoint security and legacy network configurations. Many of these companies rely on centralized enterprise resource planning (ERP) systems that manage everything from procurement to payroll, creating large, interconnected attack surfaces.
If Medusa follows through on its threat, the PT Kalimantan Prima Persada data breach could become one of the most high-profile industrial ransomware incidents in Indonesia this year, potentially exposing supply chain and partner information tied to PAMA and Astra International.
Potential Consequences for KPP and Stakeholders
The immediate risks for PT Kalimantan Prima Persada include data exposure, business disruption, and reputational harm. However, the broader implications extend to:
- Regulatory Scrutiny: KPP may be subject to investigation by Indonesia’s Ministry of Communication and Information Technology (Kominfo) under the nation’s data protection regulations.
- Legal Liability: If employee or client data is confirmed to be leaked, the company could face lawsuits or compliance penalties.
- Operational Disruption: Ransomware infections can cripple internal systems, delaying payroll, procurement, and project schedules.
- Financial Loss: Beyond ransom payments, recovery costs, downtime, and reputation damage could result in millions of dollars in losses.
Additionally, the breach may erode stakeholder confidence in KPP’s cybersecurity maturity and resilience, prompting clients and partners to reassess data-sharing agreements.
How Medusa Targets Organizations
Medusa’s operations are known for methodical reconnaissance and persistence within compromised networks. The group often infiltrates systems months before detection, identifying valuable data and ensuring it can access backup systems. Typical indicators of compromise include:
- Unauthorized remote desktop connections
- New administrative accounts created outside normal business hours
- Large data transfers to external servers
- Disabling of antivirus and monitoring software
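A triage pass over the four indicators listed above, as an added example that is not part of the original report. It assumes logs already normalised into dicts and keys on Windows event IDs 4624 (logon type 10, RemoteInteractive), 4720 and 4732 (account created, member added to a local group) and Microsoft Defender 5001 (real-time protection disabled); the business hours, subnets, egress threshold, field names and sample events are all constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical; tune to your environment).
BUSINESS_HOURS = range(8, 18)                # 08:00-17:59 local time
RDP_ALLOWED = [ip_network("10.20.0.0/24")]   # approved jump-host subnet
INTERNAL = [ip_network("10.0.0.0/8")]        # anything else counts as external
EGRESS_LIMIT = 5 * 1024**3                   # bytes out per flow

# Constructed sample events, already normalised from host and flow logs.
EVENTS = [
    {"ts": "2025-01-14T09:12:00", "id": 4624, "logon_type": 10, "src": "10.20.0.15", "user": "ops1"},
    {"ts": "2025-01-15T02:41:00", "id": 4624, "logon_type": 10, "src": "203.0.113.50", "user": "svc_backup"},
    {"ts": "2025-01-15T02:47:00", "id": 4720, "target": "helpdesk2"},
    {"ts": "2025-01-15T02:48:00", "id": 4732, "target": "helpdesk2", "group": "Administrators"},
    {"ts": "2025-01-15T03:05:00", "id": 5001, "host": "FS01"},
    {"ts": "2025-01-15T03:30:00", "id": "flow", "src": "10.1.4.7", "dst": "198.51.100.9", "bytes_out": 42 * 1024**3},
    {"ts": "2025-01-15T10:00:00", "id": "flow", "src": "10.1.4.7", "dst": "10.1.9.2", "bytes_out": 60 * 1024**3},
]

def _within(addr, nets):
    return any(ip_address(addr) in net for net in nets)

def triage(events):
    """Return (timestamp, indicator, detail) for each event matching an indicator."""
    hits = []
    for e in events:
        off_hours = datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS
        if e["id"] == 4624 and e.get("logon_type") == 10:
            # Interactive RDP logon: only the jump-host subnet is expected.
            if not _within(e["src"], RDP_ALLOWED):
                hits.append((e["ts"], "rdp", f"logon by {e['user']} from {e['src']}"))
        elif e["id"] == 4720 and off_hours:
            hits.append((e["ts"], "admin_account", f"account {e['target']} created off-hours"))
        elif e["id"] == 4732 and e.get("group") == "Administrators" and off_hours:
            hits.append((e["ts"], "admin_account", f"{e['target']} added to Administrators off-hours"))
        elif e["id"] == 5001:
            hits.append((e["ts"], "av_disabled", f"Defender real-time protection off on {e['host']}"))
        elif e["id"] == "flow" and not _within(e["dst"], INTERNAL):
            # Only outbound volume to external destinations is of interest.
            if e["bytes_out"] > EGRESS_LIMIT:
                hits.append((e["ts"], "exfil", f"{e['bytes_out'] >> 30} GiB to {e['dst']}"))
    return hits

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(*hit, sep="  ")
```

Each indicator is weak on its own; the value is in seeing several of them cluster on one host or account within a short window, as the constructed 02:41 to 03:30 sequence does.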
Medusa’s use of targeted extortion tactics makes it one of the more pragmatic ransomware operations active today. The group often tailors ransom demands to match a victim’s perceived financial capacity, ensuring higher payment likelihood.
Company and Industry Response
As of this publication, PT Kalimantan Prima Persada has not issued an official public statement acknowledging the incident. No updates have been posted on the company’s website or official social media pages. Industry sources in Indonesia report that KPP’s systems remain operational, suggesting that encryption may not have been deployed, and that the attack focused primarily on data exfiltration.
Cybersecurity experts recommend that KPP immediately isolate affected systems, notify relevant authorities, and begin incident response procedures. Digital forensics should focus on identifying the initial intrusion vector, potential backdoors, and exfiltrated datasets.
Local cybersecurity analysts also warn other mining and energy companies in Indonesia to review their remote access policies, enforce multi-factor authentication, and monitor for potential lateral movement indicative of Medusa’s intrusion patterns.
Preventive Measures and Recommendations
To protect against ransomware threats similar to the PT Kalimantan Prima Persada data breach, organizations are advised to:
- Apply timely security updates to all network infrastructure and endpoint devices
- Enforce multi-factor authentication for VPN and remote desktop access
- Segment internal networks to restrict lateral movement of attackers
- Maintain offline backups of critical data and verify their integrity regularly
- Conduct continuous monitoring for suspicious traffic and privilege escalations
- Provide regular cybersecurity training for employees to detect phishing attempts
Individuals and partners potentially affected by this breach should remain alert for identity theft, targeted phishing, or fraudulent financial activity. Scanning systems using reputable software such as Malwarebytes can help detect and remove residual threats.
Ongoing Developments
The Medusa ransomware group continues to expand its targeting scope globally, moving beyond healthcare and education into industrial sectors. If the ransom is not paid by the expiration date, the group is expected to release KPP’s stolen data to the public, as it has done in prior cases involving manufacturing and construction firms.
Security researchers will continue monitoring Medusa’s dark web portal for updates or sample data related to the breach. Botcrawl will update this report as new evidence or statements from PT Kalimantan Prima Persada become available.

