Crypto24 Ransomware Claims Breach of Bayu Buana Travel in Indonesia

By Ash K

Overview

The Crypto24 ransomware group has claimed responsibility for a data breach impacting Bayu Buana Travel, one of Indonesia’s most prominent corporate and leisure travel agencies. The claim appeared on Crypto24’s dark web leak site on October 27, 2025, listing the company as a new victim and alleging theft of customer booking records and personally identifiable information (PII).

Incident Details

According to threat-intelligence trackers and ransomware monitoring platforms such as Ransomware.live, Bayu Buana Travel was added to Crypto24’s victim list under the tag “Indonesia.” The leak post reportedly includes sample files containing internal travel booking data, invoices, and customer information that the group claims to have exfiltrated prior to encryption.

At the time of reporting, Bayu Buana Travel has not released a public statement confirming or denying the breach. No official law-enforcement notifications have yet been observed, and the extent of the data exposure remains unverified.

About the Threat Actor: Crypto24

Crypto24 is a relatively new ransomware-as-a-service (RaaS) operation first observed in early 2024. The group typically targets medium-sized organizations across Europe and Asia, focusing on sectors such as finance, manufacturing, and travel. Their leak site follows the standard double-extortion model — encrypting local systems and threatening to publish stolen data if ransom demands are not met.

Crypto24 has been linked to previous incidents involving organizations in Malaysia and Thailand, using a combination of phishing emails, stolen RDP credentials, and exploitation of unpatched VPN appliances to gain initial access. The ransomware itself is built on a modified Golang payload with AES-256 encryption and custom exfiltration tooling.

Potential Data Exposure

If verified, the breach could expose:

  • Customer and corporate client booking records
  • Passport and travel identification data
  • Payment-related information (invoice and transaction metadata)
  • Internal employee correspondence and vendor contracts

Given Bayu Buana Travel’s extensive presence in Indonesia’s travel ecosystem — including enterprise clients and global airline partners — the data involved could be of high sensitivity and commercial value.

Industry Context

The travel and hospitality sector continues to face rising ransomware activity, driven by the high volume of stored PII and the industry’s dependence on legacy booking systems. Threat groups like LockBit, Akira, and Crypto24 have increasingly targeted travel management firms for both direct extortion and data-resale opportunities.

NeuraCyb Expert Insight

NeuraCyb analysts assess this incident as part of a broader regional trend in Southeast Asia, where financially motivated ransomware actors are expanding operations beyond traditional enterprise IT networks into cloud-linked booking and logistics systems. Organizations handling travel data should immediately review their access controls, network segmentation, and endpoint monitoring policies.

Mitigation Recommendations

  • Implement multi-factor authentication for all remote access and RDP sessions.
  • Audit VPN and web-facing application patch levels for recent vulnerabilities.
  • Review backup integrity and ensure offline, immutable storage copies exist.
  • Harden data retention policies to limit the exposure of sensitive travel and payment data.
  • Monitor dark-web sources for leaked records associated with Bayu Buana Travel domains or assets.

Status

As of October 28, 2025, the claim remains unverified. No decryption keys or ransom correspondence have been made public, and the leak page contains only partial samples. NeuraCyb Intelligence will continue to track the situation and update this report as more evidence emerges.


Sources: Ransomware.live, X (Dark Web Monitor feeds), MalwareHunterTeam, NeuraCyb Threat Analysis.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products, and security solutions architecture.