Thai officials restore Ministry of Labor website after hack, defacement
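The website of Thailand's Ministry of Labor was hacked and data was stolen. The hacking group Devman claims to have stolen 300 GB of data and is demanding a $15 million ransom. The website has been restored, and officials have taken measures to prevent a recurrence and reported the case to the cyber police. The group has recently been active in many countries worldwide. 2025-7-17 16:46:16 Author: therecord.media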

The website for Thailand’s Ministry of Labor has been restored after hackers defaced the site and allegedly stole government data.

Boonsong Tapchaiyut, permanent secretary of the Ministry of Labor, confirmed the incident on Thursday and ordered officials to conduct an investigation. Tapchaiyut claimed the hackers only defaced the website and did not penetrate servers that stored any data. 

Tapchaiyut said the ministry briefly shut down the site, deleted the words written by the hackers and returned it to its original state. Ministry officials have changed passwords and taken other measures to limit potential sources of access for the hackers. 

“To prevent such incidents from happening again, I have ordered the agency to prepare a report to the Cyber Police to take action against the ‘hacker’ because he has damaged my reputation and is also in violation of the Computer Act by entering false information,” Tapchaiyut said.

The ministry replaced the affected files with backups, allowing them to restore all functions. 

On Thursday morning, the Devman hacking group said it was responsible for the attack, writing on their dark web site that they stole 300 GB of data and are demanding a $15 million ransom. 

When the group defaced the Ministry of Labor website, they claimed to have been active in the organization’s directory and Linux servers for more than 43 days. They also claimed to have encrypted 2,000 laptops and dozens of servers.

The stolen data allegedly includes citizen data, information on foreign visitors and supposed classified documents. 

The Labor Ministry did not respond to requests for comment. 

In recent weeks, cybersecurity researchers have warned of the emergence of Devman, a relatively new group that began attacking organizations globally in April. Earlier this month cybersecurity firm Symantec said the group’s ransomware is a variant of the DragonForce malware family — a powerful tool used in dozens of attacks on governments and companies in the Asia-Pacific region. 

Symantec said the ransom note dropped during attacks “is a direct copy coming from the DragonForce ransomware variant.”

Researchers from cybersecurity firm Cyble published a report in June saying Devman claimed 13 victims in May, making it one of the leading ransomware gangs that month. It took credit for an attack on Philippines news outlet GMA and has attacked multiple companies across Thailand since emerging. 

Cyble noted that the group recently attacked a media company in Thailand and that some of the group’s threat actors have previously worked with Qilin, RansomHub and other ransomware gangs.



Source: https://therecord.media/thai-officials-restore-labor-website-after-hack