How hackers penetrated Punjab’s Forensic Agency



LAHORE: The Punjab Forensic Science Agency (PFSA) — a key provincial entity that assists law enforcers in investigating heinous crimes — has recently come under a major cyberattack by international hackers, raising serious questions about the security of one of Pakistan’s most sensitive data repositories.

The breach was detected on November 7, 2025, when a notorious hacker group known as ‘Beast’ added PFSA to its “leak site” on the dark web. Such leak sites are hidden web platforms where ransomware groups publicly list victims and showcase samples of stolen data to pressure organisations into paying ransoms.

According to Beast Group, they infiltrated PFSA’s servers and extracted nearly 900GB of sensitive data, including forensic reports, criminal investigation files, DNA testing records, firearm analysis documents and internal communications.

Two days later, on November 9, the group published a detailed announcement on its leak site along with PFSA’s logo and samples of the stolen files. The hackers claimed they had gained full control of PFSA systems and threatened to release all data unless a ransom was paid.

PFSA initially claimed the attack had been “thwarted” and that international hackers had been “blocked.” However, Beast Group’s posting suggests a significant data breach did take place. The agency has not yet issued an official statement regarding any ransom demand or the status of recovery efforts, but internal teams are carrying out a large-scale investigation.

A senior PFSA official, speaking to Urdu News on condition of anonymity, said the attack triggered immediate firewall alarms. “Our IT teams acted instantly. The system was shut down the moment the breach was detected,” he said.

He dismissed the hackers’ claim of stealing 900GB of data, saying, “This is not even one per cent of our total data. We store data in terabytes. We have manual records and multiple servers. PFSA is one of the best labs in the world with strong security. Our systems are back online, recovery is under way, and every bit of data is being checked. We have not suffered any loss.”

What is the Beast ransomware attack?

The attack on PFSA is attributed to a ransomware group known as ‘Beast Ransomware’, active since 2024 and believed to be linked to Russia or Eastern Europe. The group specifically targets government and legal institutions.

Ransomware is a type of malicious software that locks files on a computer or server, preventing users from accessing their data. Hackers then demand payment — often in cryptocurrencies — to restore access. In PFSA’s case, the Beast group claims to have encrypted 900GB of data and posted proof of the breach on the dark web.

Ransomware attacks have existed for decades. One of the earliest known examples, the AIDS Trojan of 1989, spread via floppy disks and targeted hospitals. The rise of cryptocurrency in the 2010s led to a spike in such attacks, which now cause billions of dollars in financial damage globally every year.

How do these attacks happen?

According to cybersecurity expert Usman Latif, most ransomware breaches begin with phishing emails.

“The easiest method is when hackers send a fake email containing a malicious link or file. Once an employee opens it, the virus enters the system,” he explained.

Hackers also gain access through weak passwords, outdated software, or unprotected remote access services like Remote Desktop Protocol (RDP). Once inside, the malware encrypts files and displays a ransom note. If the ransom is not paid, attackers often sell or publish the data on the dark web — a method known as double extortion, frequently used by the Beast group.

Can such attacks be prevented?

Usman Latif says the risk can be reduced significantly by taking simple precautions, including maintaining weekly offline backups on cloud or external drives; using updated antivirus and firewall software that blocks ransomware; training employees to recognise suspicious emails and avoid clicking unknown links; and keeping all systems updated and using multi-factor authentication to prevent intrusions.

Has Pakistan faced such attacks before?

“Yes, Pakistan is an easy target,” Usman says, adding that several major organisations have been hit in recent years.

In 2020, K-Electric was attacked by Netwalker ransomware, crippling its billing system and causing massive losses.

In August 2025, Pakistan Petroleum Limited was hit by BlueLocker ransomware, disrupting the oil and gas sector.

However, he notes that the PFSA breach appears to be the first attack in Pakistan by the Beast Group.

The biggest ransomware attack globally was WannaCry in May 2017, which infected over 200,000 computers in 99 countries — including the UK’s NHS system — causing an estimated $40 billion in damages. In terms of ransom paid, a Fortune 50 company set a record in 2024 by paying $75 million to the Dark Angels Group.

PFSA officials maintained that due to extensive backups and multiple servers, the agency remains unaffected by the Beast Group’s claims. They said that no response has been given to the hackers and none will be.
