Brain Cipher

Brain Cipher Ransomware is a variant of the LockBit ransomware family that has recently emerged in the Indonesian cybersecurity landscape.

Is Your Organization Safe from Brain Cipher Ransomware Attacks?

The Origin of Brain Cipher

Brain Cipher ransomware group gained widespread attention following a high-profile attack on Indonesia's National Data Center (Pusat Data Nasional - PDN) on June 20, 2024, which led to the disruption of essential public services, including immigration.

In their statement published on July 2, 2024, the group emphasized that their attack was a demonstration of the importance of financing the cybersecurity industry and recruiting qualified specialists, asserting that their actions were not politically motivated but rather a form of post-payment penetration testing.

The group has kept its promise and made decryption keys available at no cost, enabling victims to restore their encrypted data without needing to pay a ransom.

Screenshot source: X

Targets

Brain Cipher's Targets

Countries targeted by Brain Cipher

The ransomware group has previously shown a preference for targeting organizations within Southeast Asia, particularly Indonesia. However, with their recent attacks on victims in the US and Israel, it is evident that their operations are expanding beyond this region.

Industries Targeted by Brain Cipher

Brain Cipher Ransomware has primarily targeted the public sector, with a specific focus on critical infrastructure. They have recently expanded their attacks to include the finance and manufacturing sectors. The attack on the PDN demonstrated the group's ability to disrupt vital services, causing widespread chaos and impacting public safety.

Brain Cipher's Victims

The most notable victim of Brain Cipher Ransomware to date is the Pusat Data Nasional (PDN) in Indonesia. This attack led to the disruption of immigration services and other public services, affecting 210 institutions. The full extent of the group's victimology remains under investigation.

Stats source: ransomware.live

Attack Method

Brain Cipher's Attack Method

Initial Access

Brain Cipher Ransomware gains initial access through phishing campaigns. Deceptive emails trick recipients into downloading and executing malicious files.

Privilege Escalation

The ransomware bypasses User Account Control (T1548.002) to gain elevated privileges within the targeted systems.

Defense Evasion

Similar to its privilege escalation techniques, it bypasses User Account Control (T1548.002) to avoid detection by security systems.

Credential Access

Brain Cipher steals web session cookies (T1539), credentials from web browsers (T1555.003), and credentials stored in files (T1552.001) to further infiltrate the network.

Discovery

Brain Cipher performs system information discovery (T1082), queries the registry (T1012), and discovers installed software (T1518) to map out the infected environment.

Lateral Movement

The ransomware moves laterally within the network to maximize its impact, though specific techniques for this stage are not detailed.

Collection

It collects sensitive information from the infected systems, preparing for potential data exfiltration.

Execution

Brain Cipher uses Windows Command Shell (T1059.003) and user execution of malicious files (T1204.002) to run its payloads.

Exfiltration

Engages in double extortion by exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.

Impact

The primary impact tactic is data encryption for impact (T1486), rendering the victim's data inaccessible until the ransom is paid.

MITRE ATT&CK Mapping

TTPs used by Brain Cipher

This list of TTPs is not exhaustive as we are still working to fully understand the behavior of Brain Cipher; it will be updated regularly as we gather more information.

Source: Peris.ai

TA0001: Initial Access
- No items found.

TA0002: Execution
- T1204 User Execution
- T1059 Command and Scripting Interpreter

TA0003: Persistence
- No items found.

TA0004: Privilege Escalation
- T1134 Access Token Manipulation
- T1548 Abuse Elevation Control Mechanism

TA0005: Defense Evasion
- T1134 Access Token Manipulation
- T1548 Abuse Elevation Control Mechanism
- T1562 Impair Defenses

TA0006: Credential Access
- T1539 Steal Web Session Cookie
- T1555 Credentials from Password Stores
- T1552 Unsecured Credentials

TA0007: Discovery
- T1012 Query Registry
- T1082 System Information Discovery

TA0008: Lateral Movement
- No items found.

TA0009: Collection
- No items found.

TA0011: Command and Control
- No items found.

TA0010: Exfiltration
- No items found.

TA0040: Impact
- T1490 Inhibit System Recovery
- T1486 Data Encrypted for Impact

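The mapping above lists techniques but not how a defender would recognize them in telemetry. The following is an added example (not part of this profile and not Vectra AI's detection logic) that runs a few rule-based checks over constructed endpoint events for three of the mapped techniques: a shell spawned by a mail client to run a downloaded executable (T1059.003 / T1204.002), shadow-copy and recovery tampering (T1490), and a burst of files gaining the same appended extension on one host (T1486). The hosts, users, paths and timestamps are constructed for the demo; the command patterns for T1490 are the well-known ones used in public detection rules.

```python
"""Rule-based triage of constructed endpoint events against ATT&CK techniques
listed for Brain Cipher. Added example, not Vectra AI's detection logic; every
host, user, path and timestamp below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in a Sysmon-like shape: process creations carry
# parent/image/cmdline, file creations carry the written path.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "process", "parent": "OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\Downloads\invoice_0624.exe"},
    {"ts": 101, "host": "ws01", "type": "process", "parent": "cmd.exe",
     "image": r"C:\Users\alice\Downloads\invoice_0624.exe",
     "cmdline": "invoice_0624.exe"},
    {"ts": 160, "host": "ws01", "type": "process", "parent": "invoice_0624.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign admin activity on another host: listing shadow copies is not T1490.
    {"ts": 170, "host": "srv02", "type": "process", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]
# Constructed burst: 60 documents on ws01 gain the same appended extension.
SAMPLE_EVENTS += [
    {"ts": 200 + i, "host": "ws01", "type": "file",
     "path": rf"C:\Users\alice\Documents\report{i}.docx.encrypted"} for i in range(60)
]
# Constructed normal activity: a handful of ordinary saves on ws03.
SAMPLE_EVENTS += [
    {"ts": 200 + i, "host": "ws03", "type": "file",
     "path": rf"C:\Users\bob\Documents\notes{i}.docx"} for i in range(5)
]

MAIL_AND_OFFICE_PARENTS = {"OUTLOOK.EXE", "WINWORD.EXE", "EXCEL.EXE"}
SHELLS = ("cmd.exe", "powershell.exe")
# T1490: recovery-tampering command lines as used in public detection rules.
T1490_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# T1486: at least this many files with the same appended extension per window.
T1486_MIN_FILES = 50
T1486_WINDOW_SECONDS = 120


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect_user_execution(ev: dict) -> Optional[Finding]:
    """T1059.003 / T1204.002: a shell launched by a mail or Office client that
    runs an executable from the user's Downloads folder."""
    if ev["type"] != "process" or ev["parent"].upper() not in MAIL_AND_OFFICE_PARENTS:
        return None
    if basename(ev["image"]).lower() in SHELLS and \
            re.search(r"\\Downloads\\\S+\.exe", ev["cmdline"], re.I):
        return Finding(ev["host"], "T1059.003/T1204.002", ev["cmdline"])
    return None


def detect_inhibit_recovery(ev: dict) -> Optional[Finding]:
    """T1490: command line matching shadow-copy or boot-recovery tampering."""
    if ev["type"] != "process":
        return None
    for pat in T1490_PATTERNS:
        if pat.search(ev["cmdline"]):
            return Finding(ev["host"], "T1490", ev["cmdline"])
    return None


def detect_mass_encryption(events: List[dict]) -> List[Finding]:
    """T1486: on one host, many files written with the same *appended* extension
    (name.docx.<ext>) inside a short sliding window."""
    buckets = defaultdict(list)  # (host, appended extension) -> timestamps
    for ev in events:
        if ev["type"] != "file":
            continue
        parts = basename(ev["path"]).split(".")
        if len(parts) < 3:  # needs an original extension plus an appended one
            continue
        buckets[(ev["host"], parts[-1].lower())].append(ev["ts"])
    findings = []
    for (host, ext), ts in buckets.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > T1486_WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 >= T1486_MIN_FILES:
                findings.append(Finding(host, "T1486",
                                        f"{hi - lo + 1} files gained .{ext} within {T1486_WINDOW_SECONDS}s"))
                break  # one finding per host/extension is enough for triage
    return findings


def triage(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in (detect_user_execution, detect_inhibit_recovery):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(detect_mass_encryption(events))
    return findings


def techniques_by_host(events: List[dict]) -> dict:
    """Summarize which mapped techniques fired on each host."""
    out = defaultdict(set)
    for f in triage(events):
        out[f.host].add(f.technique)
    return {h: sorted(t) for h, t in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.technique} -> {f.detail}")
```

Run as-is, the script reports three findings, all on ws01, and nothing on srv02 or ws03. The per-host summary from `techniques_by_host` is the useful output for an analyst: a single host accumulating user execution, recovery tampering and a file-extension burst in sequence is a much stronger ransomware signal than any one rule alone. The T1486 rule deliberately requires a double extension and a volume threshold so that ordinary saves of `.tar.gz`-style files do not trip it; tune `T1486_MIN_FILES` and the window to the environment.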
Platform Detections

How to Detect Brain Cipher with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is Brain Cipher Ransomware?

Brain Cipher is a ransomware group known for targeting large organizations and causing significant disruptions through data encryption and ransom demands.

How does Brain Cipher Ransomware gain initial access?

The group primarily uses phishing campaigns to trick victims into downloading and executing malicious files.

What sectors are most at risk from Brain Cipher attacks?

Public sector organizations and critical infrastructure are at high risk, as evidenced by the attack on Indonesia's National Data Center.

What defensive measures can organizations take against Brain Cipher?

Implementing phishing awareness training, using advanced endpoint protection, and maintaining up-to-date security patches can help mitigate the risk.

How does Brain Cipher Ransomware evade detection?

It bypasses User Account Control and uses legitimate system tools like Windows Command Shell to avoid detection.

What should an organization do if infected by Brain Cipher?

Isolate the affected systems, notify law enforcement, and consult with cybersecurity experts before considering ransom payment.

Does Brain Cipher engage in data exfiltration?

Yes, Brain Cipher employs double extortion by exfiltrating data and threatening to release it if the ransom is not paid.

How significant was the attack on Indonesia's National Data Center?

The attack disrupted immigration services and affected 210 institutions, highlighting the ransomware's capacity for large-scale impact.

What role do Extended Detection and Response (XDR) solutions play in combating Brain Cipher?

XDR solutions provide comprehensive threat detection and response capabilities, helping to identify and mitigate ransomware attacks like those conducted by Brain Cipher.

Does Brain Cipher Ransomware share similarities with other ransomware groups?

Brain Cipher Ransomware shares several similarities with LockBit 3.0, such as their advanced encryption techniques and double extortion strategies.