Brain Cipher
Brain Cipher Ransomware is a variant of the LockBit ransomware family that has recently emerged in the Indonesian cybersecurity landscape.
The Origin of Brain Cipher
Brain Cipher ransomware group gained widespread attention following a high-profile attack on Indonesia's National Data Center (Pusat Data Nasional - PDN) on June 20 2024, which led to the disruption of essential public services, including immigration.
In their statement published on July 2, 2024, the group emphasized that their attack was a demonstration of the importance of financing the cybersecurity industry and recruiting qualified specialists, asserting that their actions were not politically motivated but rather a form of post-payment penetration testing.
The group has kept its promise and made decryption keys available at no cost, enabling victims to restore their encrypted data without needing to pay a ransom.
Screenshot source: X
Targets
Brain Cipher's Targets
Countries targeted by Brain Cipher
The ransomware group has previously shown a preference for targeting organizations within Southeast Asia, particularly Indonesia. However, with their recent attacks on victims in the US and Israel, it is evident that their operations are expanding beyond this region.
Industries Targeted by Brain Cipher
Brain Cipher Ransomware has primarily targeted the public sector, with a specific focus on critical infrastructure. They have recently expanded their attacks to include the finance and manufacturing sectors. The attack on the PDN demonstrated the group's ability to disrupt vital services, causing widespread chaos and impacting public safety.
Industries Targeted by Brain Cipher
Brain Cipher Ransomware has primarily targeted the public sector, with a specific focus on critical infrastructure. They have recently expanded their attacks to include the finance and manufacturing sectors. The attack on the PDN demonstrated the group's ability to disrupt vital services, causing widespread chaos and impacting public safety.
Brain Cipher's Victims
The most notable victim of Brain Cipher Ransomware to date is the Pusat Data Nasional (PDN) in Indonesia. This attack led to the disruption of immigration services and other public services, affecting 210 institutions. The full extent of the group's victimology remains under investigation.
Stats source: ransomware.live
Attack Method
Brain Cipher's Attack Method
Brain Cipher Ransomware gains initial access through phishing campaigns. Deceptive emails trick recipients into downloading and executing malicious files.
The ransomware bypasses User Account Control (T1548.002) to gain elevated privileges within the targeted systems.
Similar to its privilege escalation techniques, it bypasses User Account Control (T1548.002) to avoid detection by security systems.
Brain Cipher steals web session cookies (T1539), credentials from web browsers (T1555.003), and credentials stored in files (T1552.001) to further infiltrate the network.
Brain Cipher performs system information discovery (T1082), queries the registry (T1012), and discovers installed software (T1518) to map out the infected environment.
The ransomware moves laterally within the network to maximize its impact, though specific techniques for this stage are not detailed.
It collects sensitive information from the infected systems, preparing for potential data exfiltration.
Brain Cipher uses Windows Command Shell (T1059.003) and user execution of malicious files (T1204.002) to run its payloads.
Engages in double extortion by exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.
The primary impact tactic is data encryption for impact (T1486), rendering the victim's data inaccessible until the ransom is paid.
Initial Access
Brain Cipher Ransomware gains initial access through phishing campaigns. Deceptive emails trick recipients into downloading and executing malicious files.
Privilege Escalation
The ransomware bypasses User Account Control (T1548.002) to gain elevated privileges within the targeted systems.
Defense Evasion
Similar to its privilege escalation techniques, it bypasses User Account Control (T1548.002) to avoid detection by security systems.
Credential Access
Brain Cipher steals web session cookies (T1539), credentials from web browsers (T1555.003), and credentials stored in files (T1552.001) to further infiltrate the network.
Discovery
Brain Cipher performs system information discovery (T1082), queries the registry (T1012), and discovers installed software (T1518) to map out the infected environment.
Lateral Movement
The ransomware moves laterally within the network to maximize its impact, though specific techniques for this stage are not detailed.
Collection
It collects sensitive information from the infected systems, preparing for potential data exfiltration.
Execution
Brain Cipher uses Windows Command Shell (T1059.003) and user execution of malicious files (T1204.002) to run its payloads.
Exfiltration
Engages in double extortion by exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.
Impact
The primary impact tactic is data encryption for impact (T1486), rendering the victim's data inaccessible until the ransom is paid.
MITRE ATT&CK Mapping
TTPs used by Brain Cipher
This list of TTPs is not exhaustive as we are still working to fully understand the behavior of Brain Cipher; it will be updated regularly as we gather more information.
Source: Peris.ai
TA0001: Initial Access
No items found.
TA0002: Execution
T1204
User Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
No items found.
TA0004: Privilege Escalation
T1134
Access Token Manipulation
T1548
Abuse Elevation Control Mechanism
TA0005: Defense Evasion
T1134
Access Token Manipulation
T1548
Abuse Elevation Control Mechanism
T1562
Impair Defenses
TA0006: Credential Access
T1539
Steal Web Session Cookie
T1555
Credentials from Password Stores
T1552
Unsecured Credentials
TA0007: Discovery
T1012
Query Registry
T1082
System Information Discovery
TA0008: Lateral Movement
No items found.
TA0009: Collection
No items found.
TA0011: Command and Control
No items found.
TA0010: Exfiltration
No items found.
TA0040: Impact
T1490
Inhibit System Recovery
T1486
Data Encrypted for Impact
Platform Detections
How to Detect Brain Cipher with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What is Brain Cipher Ransomware?
Brain Cipher is a ransomware group known for targeting large organizations and causing significant disruptions through data encryption and ransom demands.
How does Brain Cipher Ransomware gain initial access?
The group primarily uses phishing campaigns to trick victims into downloading and executing malicious files.
What sectors are most at risk from Brain Cipher attacks?
Public sector organizations and critical infrastructure are at high risk, as evidenced by the attack on Indonesia's National Data Center.
What defensive measures can organizations take against Brain Cipher?
Implementing phishing awareness training, using advanced endpoint protection, and maintaining up-to-date security patches can help mitigate the risk.
How does Brain Cipher Ransomware evade detection?
It bypasses User Account Control and uses legitimate system tools like Windows Command Shell to avoid detection.
What should an organization do if infected by Brain Cipher?
Isolate the affected systems, notify law enforcement, and consult with cybersecurity experts before considering ransom payment.
Does Brain Cipher engage in data exfiltration?
Yes, Brain Cipher employs double extortion by exfiltrating data and threatening to release it if the ransom is not paid.
How significant was the attack on Indonesia's National Data Center?
The attack disrupted immigration services and affected 210 institutions, highlighting the ransomware's capacity for large-scale impact.
What role do Extended Detection and Response (XDR) solutions play in combating Brain Cipher?
XDR solutions provide comprehensive threat detection and response capabilities, helping to identify and mitigate ransomware attacks like those conducted by Brain Cipher.
Does Brain Cipher Ransomware shares similarities with other ransomware groups?
Brain Cipher Ransomware share several similarities with LockBit 3.0, such as their advanced encryption techniques and double extortion strategies.