[INCRANSOM] – Ransomware Victim: Sarulla Operation


NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the INCRANSOM Onion Dark Web Tor Blog page.

Ransomware group: INCRANSOM
Victim name: SARULLA OPERATION

AI Generated Summary of the Ransomware Leak Page

On November 11, 2025, a leak page attributed to the Incransom group surfaced regarding Sarulla Operation, an energy sector company based in Indonesia. The post frames the event as a data leak rather than solely an encryption incident and lists the data categories allegedly accessed or exfiltrated, including administrative records, financial operations, budgets and account balances, user information, confidential information, and more than 1,000 passport records. It also cites payment instructions and other accounting documents, as well as discussions around contracts and final contracts, among other sensitive materials. The page indicates a claim URL is available for readers to verify additional evidence, though the actual URL is defanged and not shown here. No ransom amount is disclosed within the provided metadata, and no explicit compromise date is stated in the post; the date given is the post date.

According to the accompanying data, the leak page contains no images or screenshots (images_count = 0) and there are no downloadable files listed. The post identifies the victim as Sarulla Operation and attributes the leak to the group Incransom, with a defanged claim URL provided on the page for those seeking more information. The only date available is the post date, 11 November 2025, since no compromise date is stated separately. This incident underscores the ongoing risk to energy sector operators in Indonesia when highly sensitive data, such as personnel documents and contractual information, can be exposed in ransomware-related data leaks.
