Brain Cipher

Also known as: brain cipher

Introduction

In mid-June 2024, a new ransomware operation named Brain Cipher emerged, notably targeting Indonesia’s National Data Center. The attack disrupted immigration operations at airports and various other government services. The group’s payload is based on the leaked LockBit 3.0 builder, and comparative analyses have confirmed significant similarities between Brain Cipher and LockBit 3.0 samples. The attackers modified the ransomware so that it not only appends a new extension to encrypted files but also encrypts the filenames themselves. The group appears to be in its early stages, as evidenced by its use of the leaked LockBit 3.0 builder and its recent operations. After encrypting the data, the ransomware generates ransom notes named “added_extension.README.txt”. These notes describe what occurred and contain a link to the attackers’ website hosted on the Tor network.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • RIPTIDE:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.