Brain Cipher: Group-IB removes the mask from hackers who attacked Indonesian government services

The group's methods are suspiciously similar to other known threats.

Indonesian government services have been subjected to a large-scale cyberattack by the Brain Cipher group. On June 20, 2024, hackers dealt a severe blow to the country's critical infrastructure, paralyzing about 210 national and local government services. Customs and immigration have been particularly hard hit, resulting in significant delays for travelers at airports.

Initially, the attackers demanded a ransom of $8 million. However, they later unexpectedly published a decryptor for free. This case attracted the attention of specialists from Group-IB, who decided to conduct a thorough investigation of the group's activities.

The hackers left characteristic ransom notes on the infected systems. They contained instructions for communicating with the group to decrypt data. Contact information ranged from email addresses to links to hidden services on the Tor network.

Researchers have found that Brain Cipher has been active since at least April 2024. Analysis of various variants of the ransom notes has linked this group to other hacking associations, such as EstateRansomware and SenSayQ.

One of the key discoveries was the connection between the Brain Cipher notes and the Lockbit malware samples. Experts also found similarities in the style and content of the notifications with those used by the SenSayQ group. Moreover, the online infrastructure of both groups, including sites on the Tor network, used similar technologies and scripts.

Interestingly, the contact email addresses of SenSayQ, EstateRansomware, and another unnamed group were the same. The first traces of EstateRansomware's activity were detected in April 2024. Based on this data, researchers have speculated that the same individuals may be behind Brain Cipher and EstateRansomware.

Brain Cipher did not limit themselves to attacking Indonesia. Victims of their attacks were also found in the Philippines, Portugal, Israel, South Africa and Thailand. The group has its own data breach site (DLS), which at the time of writing has published data from seven companies.

Most of the ransom-demanding notifications left by Brain Cipher were related to malware samples identified as Lockbit. In addition, the group published a Linux decryptor for an Indonesian victim, which turned out to be a variant of the Babuk ransomware sample.

Analysis showed that in July 2024, attacks with similar notes were carried out under the name of the RebornRansomware group. Victims of this group were found in France, China, Kuwait and Indonesia.

The features of the Brain Cipher data leak site are also interesting. It contained information about hacked companies, with a countdown timer set for each leak. Such tactics created additional pressure on victims and forced them to make a decision on payment faster.

Group-IB analysts have compiled a timeline of events showing changes in the ransom notes of the supposedly related ransomware groups. Some Brain Cipher victims were discovered as early as August 2024, and some of the SenSayQ victims were added to their leak site later in June 2024.

The similarities in the notes, the correlation of the email addresses, and the chronological sequence of the name changes suggest that the same individuals are behind EstateRansomware, SenSayQ, Brain Cipher, and RebornRansomware. However, researchers refrain from speculating about the reasons for the group's constant rebranding in an era of active hunting for large ransomware groups.

Group-IB notes that their team will continue to monitor Brain Cipher's activities, regardless of what new name this group may choose in the future. Experts emphasize the importance of constant monitoring and analysis of the activities of such groups in order to develop effective methods of protection against their attacks.

In conclusion, Group-IB gave a number of recommendations to protect against such attacks. These include: regular monitoring and auditing of accounts, implementation of update management policies, segmentation of critical systems, implementation of application control on hosts and endpoint detection and response (EDR) solutions. It is also recommended to subscribe to the Managed Threat Hunting (MTH) service.
