The Brain Cipher ransomware group caught international attention by attacking Indonesia’s temporary National Data Center on June 20th. This attack encrypted government servers, disrupting important services like immigration and passport control.
Over 200 government agencies were affected. The Indonesian government confirmed Brain Cipher was responsible. The attackers demanded $8 million in Monero cryptocurrency, threatening to leak stolen data if the ransom wasn’t paid.
Brain Cipher is a recently launched ransomware operation that targets organizations worldwide. Initially, the group did not have a data leak site, but their latest ransom notes now link to one, indicating their strategy of using double-extortion tactics. BleepingComputer has identified multiple samples of the Brain Cipher ransomware, which have been uploaded to various malware-sharing sites in recent weeks.
These samples were created using the leaked LockBit 3.0 builder, a tool that other cybercriminals have also used to launch their own ransomware operations. Brain Cipher has made slight modifications to the encryptor, such as encrypting file names and appending an extension to encrypted files.
The ransomware operation also drops ransom notes named [extension].README.txt, which contain a brief description of the attack, threats, and links to the Tor negotiation and data leak sites. Each victim receives a unique encryption ID for communicating with the attackers via a Tor-based chat system, which lets victims negotiate with the ransomware gang directly.
One variation of the ransom note observed by BleepingComputer used the file name ‘How To Restore Your Files.txt.’
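A defender-side triage check built from the artifacts described above, as an added example that is not part of the original article: it walks a directory tree, flags ransom notes that follow the [extension].README.txt convention (or the alternate file name), and counts sibling files carrying the same appended extension. The sample tree, the extension ‘Ab3x9Kq’ and all file names in it are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Note-name convention from the article: "[extension].README.txt".
NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)\.README\.txt$")
# Alternate note file name observed by BleepingComputer.
ALT_NOTE = "How To Restore Your Files.txt"


def scan_tree(root):
    """Heuristic scan: find ransom notes and count files renamed with the
    extension each note announces. Returns a dict of findings; an empty
    'notes' list means no note-shaped file was seen under root."""
    findings = {"notes": [], "alt_notes": [], "renamed_by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        exts = set()
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                exts.add(m.group("ext"))
                findings["notes"].append(os.path.join(dirpath, name))
            elif name == ALT_NOTE:
                findings["alt_notes"].append(os.path.join(dirpath, name))
        # Count siblings whose name ends in ".<ext>" for each note seen here;
        # the note itself ends in ".txt", so it is never counted.
        for name in files:
            for ext in exts:
                if name.endswith("." + ext):
                    findings["renamed_by_ext"][ext] += 1
    return findings


def build_sample_tree(root):
    """Constructed sample tree (not data from a real incident)."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "finance" / "Ab3x9Kq.README.txt").write_text("note")
    for i in range(3):
        (root / "finance" / f"report{i}.docx.Ab3x9Kq").write_text("x")
    (root / "finance" / "budget.xlsx").write_text("untouched")
    (root / "hr").mkdir()
    (root / "hr" / ALT_NOTE).write_text("note")
    (root / "hr" / "readme.txt").write_text("benign")
    return str(root)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))
```

Run `demo()` to see the findings for the constructed tree; on a real host, point `scan_tree` at a mounted copy of the suspect volume rather than the live system.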
In line with other ransomware operations, Brain Cipher’s attack methodology involves breaching corporate networks, moving laterally to other devices, and deploying ransomware after obtaining Windows domain admin credentials.
Prior to encrypting files, the attackers steal corporate data to add leverage to their extortion demands, warning victims that the data will be published if the ransom is not paid. Brain Cipher’s recently launched data leak site currently lists no victims, but it is a central part of their extortion strategy.
Negotiations monitored by BleepingComputer reveal that Brain Cipher’s ransom demands range from $20,000 to $8 million.
Since the Brain Cipher encryptor is based on the LockBit 3.0 encryptor, it has been extensively analyzed, and unless Brain Cipher has altered the encryption algorithm, there are currently no known methods to recover the encrypted files without paying the ransom. The development of this ransomware operation highlights the ongoing evolution and adaptation of cybercriminal tactics in targeting organizations worldwide.