A new ransomware operation known as Brain Cipher has emerged, targeting organizations worldwide. This operation recently gained media attention due to an attack on Indonesia's temporary National Data Center.
Indonesia is developing National Data Centers to securely store servers used by the government for online services and data hosting. On June 20th, one of these temporary centers was attacked, leading to the encryption of government servers. This disruption affected immigration services, passport control, event permit issuance, and other online services.
The Indonesian government confirmed that Brain Cipher, a new ransomware operation, was responsible for the attack, impacting over 200 government agencies. The attackers demanded $8 million in Monero cryptocurrency for a decryptor and to prevent the leak of allegedly stolen data.
BleepingComputer has learned from negotiation chats that the threat actors claimed they would issue a "press release" about the "quality of personal data protection" in the attack, implying that data was stolen.
Brain Cipher is a new ransomware operation that began earlier this month and has been conducting attacks on organizations worldwide. Initially, the ransomware gang did not have a data leak site, but their latest ransom notes now include links to one, indicating their use of double-extortion tactics. BleepingComputer has found numerous samples of Brain Cipher ransomware on various malware-sharing sites over the past two weeks.
These samples were created using the leaked LockBit 3.0 builder, which has been widely used by other threat actors to launch their own ransomware operations. However, Brain Cipher has made minor modifications to the encryptor.
One change is that it not only appends an extension to encrypted files but also encrypts the file names. The encryptor also creates ransom notes named in the format of [extension].README.txt, which briefly describe the attack, make threats, and provide links to the Tor negotiation and data leak sites. In one instance seen by BleepingComputer, the ransom note deviated from the template and was named 'How To Restore Your Files.txt'.
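The naming pattern described above can be used for triage of a file listing. The following is an added example, not code from BleepingComputer or any vendor; the function name, the `min_files` threshold and the sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note-name template from the article: [extension].README.txt
NOTE_RE = re.compile(r"^(?P<ext>[^.\s]+)\.README\.txt$", re.IGNORECASE)
# The one deviating note name the article mentions.
ALT_NOTE = "how to restore your files.txt"


def find_note_hits(paths, min_files=2):
    """Flag directories holding a note that matches the article's description."""
    by_dir = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir[str(p.parent)].append(p.name)

    hits = []
    for directory, names in sorted(by_dir.items()):
        for name in names:
            m = NOTE_RE.match(name)
            if m:
                # Correlate: a templated note only counts when other files in
                # the directory carry the extension it names. This filters out
                # benign files that happen to be called something.README.txt.
                suffix = "." + m.group("ext").lower()
                renamed = [n for n in names
                           if n != name and n.lower().endswith(suffix)]
                if len(renamed) >= min_files:
                    hits.append({"dir": directory, "note": name,
                                 "ext": m.group("ext"), "files": len(renamed)})
            elif name.lower() == ALT_NOTE:
                # No extension is encoded in this name, so nothing to correlate.
                hits.append({"dir": directory, "note": name,
                             "ext": None, "files": 0})
    return hits


# Constructed sample listing (hypothetical paths, not from a real incident).
SAMPLE = [
    r"C:\Shares\HR\aB3xQ9zLk.README.txt",
    r"C:\Shares\HR\Hq72LmPz.aB3xQ9zLk",
    r"C:\Shares\HR\x9TTr0Wc.aB3xQ9zLk",
    r"C:\Shares\HR\Zk1vNd8e.aB3xQ9zLk",
    r"C:\Dev\tool\docs.README.txt",
    r"C:\Dev\tool\main.py",
    r"C:\Users\Public\How To Restore Your Files.txt",
]
```

Calling `find_note_hits(SAMPLE)` reports the HR share and the deviating note, and skips the developer directory whose `docs.README.txt` has no matching renamed files.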
Each victim receives a unique encryption ID to enter into the threat actor's Tor negotiation site. Similar to other recent ransomware operations, the negotiation site is straightforward, featuring a chat system for communication with the ransomware gang.
Brain Cipher has also launched a new data leak site, although it currently does not list any victims. In negotiations observed by BleepingComputer, the ransomware gang has demanded ransoms ranging from $20,000 to $8 million.
The encryptor, based on the leaked LockBit 3 encryptor, has been thoroughly analyzed. Unless Brain Cipher has modified the encryption algorithm, there are no known methods to recover files for free.