The Brain Cipher ransomware attack targeted Indonesia’s National Data Center (PDN), encrypting government servers and disrupting immigration and other services across more than 200 agencies. The operation appears tied to a broader ecosystem using LockBit’s leaked builder, with the group later apologizing and offering a decryption tool, while the deeper mechanics and indicators are documented by researchers. Hashtags: #BrainCipher #LockBit
Keypoints
- Brain Cipher executed a high-profile ransomware attack against Indonesia’s National Data Center (PDN), impacting immigration services and other government online functions.
- The group leverages LockBit’s leaked builder (LockBit 3.0) to create ransomware components, adjusting the config to tailor the encryptor and C2 server settings.
- Initial ransom demand reached $8,000,000, but Brain Cipher apologized to Indonesia on July 2, 2024, and promised a free decryption tool with optional donation via a Monero wallet.
- Brain Cipher’s attacks exhibit classic ransomware behavior: file encryption with a distinctive extension, encryption of numerous files, and attempted data impact alongside extortion.
- Defensive researchers note strong evasion and anti-analysis tactics, including self-deletion, process and browser data modification, and code obfuscation (e.g., the push FFFFFF9Ch; retf instruction sequence).
- Key indicators include specific Brain Cipher sample hashes, onion-based data-leak site links, and public contact/communication channels; some infrastructure details (C2) are configurable via the builder’s config.json.
MITRE Techniques
- [T1486] Data Encrypted for Impact – “Brain Cipher is a variant of the LockBit ransomware family. It is designed to encrypt files on compromised systems, append a distinctive file extension, and demand a ransom payment for decryption.”
- [T1070.004] File Deletion – “Upon execution, Brain Cipher immediately deletes itself to hinder forensic analysis and detection.”
- [T1027] Obfuscated/Encrypted Files or Information – “The obfuscation technique used… involves the instruction sequence push FFFFFF9Ch; retf.”
- [T1564.001] Hide Artifacts: Hide Thread/Debugger Evasion – “hides threads from debuggers and executes in a suspended mode to avoid detection.”
- [T1071] Command and Control – “it can specify the command and control server” within its builder configuration (config.json).
- [T1190] Exploit Public-Facing Application – “initial access vectors, such as vulnerability exploitation” mentioned as a possible vector.
- [T1566.002] Spearphishing Link – “initial access vectors… a spear-phishing operation.”
Indicators of Compromise
- [Hash] MD5, SHA1, SHA256 – 448f1796fe8de02194b21c0715e0a5f6, 935c0b398373f8c5e8ef03c92d606c72c44f49b8, eb82946fa0de273dbaaaef320e8925d9a8cc5b7e839e97e2982a1d18ba43c1a4 – Brain Cipher sample 9gGB296kd4.exe (associated with the LockBit family)
- [File] 9gGB296kd4.exe – Brain Cipher sample filename associated with the LockBit lineage
- [Hash] SHA256 – Additional Brain Cipher hashes referenced: 0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086, 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
- [URL] Onion-based Data Leak Site: http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd[.]onion/ and Communication for victims: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad[.]onion/
- [Wallet] Bitcoin: bc1qqjzd8jrcvz5tl895uvgy6ph83g7sh06uzu6vn8 – mentioned as a payment channel; Monero wallet noted for donations but address not disclosed
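The indicator list above is only useful once it is turned into a matching routine. The following Python is an added example written for this summary; it is not code from SOCRadar or from the page, and it carries no indicators other than the hashes and onion URLs listed above. It keeps the onion URLs defanged at rest and refangs them only in memory, hashes file bytes with the three algorithms the list uses, and checks proxy or DNS log lines for the two data-leak and victim-contact hosts. The two unlabeled hashes are 64 hex characters, so the example treats them as SHA-256. The sample bytes and log lines in the block are constructed for the demonstration and do not correspond to any real file or event.

```python
import hashlib
import re

# Hashes copied from the page's indicator list (Brain Cipher samples, LockBit lineage).
KNOWN_HASHES = {
    "md5": {"448f1796fe8de02194b21c0715e0a5f6"},
    "sha1": {"935c0b398373f8c5e8ef03c92d606c72c44f49b8"},
    "sha256": {
        "eb82946fa0de273dbaaaef320e8925d9a8cc5b7e839e97e2982a1d18ba43c1a4",
        # The page does not label these two; they are 64 hex chars, so treated as SHA-256.
        "0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086",
        "6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417",
    },
}

# Defanged onion URLs from the page; they are refanged only in memory for matching.
DEFANGED_URLS = [
    "http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd[.]onion/",
    "http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad[.]onion/",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def onion_hosts() -> set[str]:
    """Extract the bare .onion hostnames from the defanged URL list."""
    hosts = set()
    for url in DEFANGED_URLS:
        m = re.match(r"https?://([^/]+)", refang(url))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def file_digests(data: bytes) -> dict[str, str]:
    """Compute the three digests the indicator list uses for one file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_digests(digests: dict[str, str]) -> list[tuple[str, str]]:
    """Return (algorithm, hash) pairs that match a known Brain Cipher indicator."""
    return [
        (algo, value.lower())
        for algo, value in digests.items()
        if value.lower() in KNOWN_HASHES.get(algo, set())
    ]


def scan_file_bytes(data: bytes) -> list[tuple[str, str]]:
    """Hash raw file bytes and report any indicator matches."""
    return match_digests(file_digests(data))


def scan_log_line(line: str) -> set[str]:
    """Return the known onion hosts referenced in one proxy/DNS log line."""
    lowered = line.lower()
    return {host for host in onion_hosts() if host in lowered}


if __name__ == "__main__":
    # Constructed sample bytes: not a real sample, so no hash match is expected.
    print("file matches:", scan_file_bytes(b"constructed sample, not malware"))
    # Constructed log lines: the first references a listed onion host, the second does not.
    constructed_log = [
        "2024-07-01T10:15:02Z dns query host=vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion",
        "2024-07-01T10:15:03Z dns query host=updates.example.internal",
    ]
    for entry in constructed_log:
        print("log hits:", scan_log_line(entry))
```

In practice the hash set would be loaded from a feed rather than hard-coded, and the log scan would run over a proxy or Tor-exit detection pipeline; the structure here (defanged storage, case-normalized lookup, per-algorithm sets) is what keeps such a matcher from producing false negatives on mixed-case hashes or refanged URLs.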
Read more: https://socradar.io/dark-web-profile-brain-cipher/