Brain Cipher
Intelligence Profile
In mid-June 2024, a new ransomware operation named Brain Cipher emerged, notably targeting Indonesia's National Data Center. This attack disrupted immigration operations at airports and various other government services.
The payload employed by this group is based on the leaked LockBit 3.0 builder. Comparative analyses have confirmed significant similarities between Brain Cipher and LockBit 3.0 samples. Notably, the attackers modified the ransomware to not only append a new extension to encrypted files but also to encrypt the filenames themselves.
The group appears to be in its early stages, as evidenced by its use of the leaked LockBit 3.0 builder and its recent operations. After encrypting the data, the ransomware generates ransom notes named “added_extension.README.txt”, where added_extension is the extension appended to the encrypted files. These notes contain a description of what occurred and a link to the attackers' website hosted on the Tor network.
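The note naming described above gives defenders a simple triage heuristic for a file listing: a note called `<ext>.README.txt` sitting next to several files that end in `.<ext>`. The following is an added example, not code from this profile or from any vendor tool; the sample listing, the extension value and the `min_files` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Note name pattern from the profile: "<added_extension>.README.txt".
NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)\.README\.txt$")

# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    "/srv/share/finance/Qx7LmPz.a1B2c3D4e",
    "/srv/share/finance/Zk29TbWq.a1B2c3D4e",
    "/srv/share/finance/mN4rVy81.a1B2c3D4e",
    "/srv/share/finance/a1B2c3D4e.README.txt",
    "/srv/share/dev/main.project",
    "/srv/share/dev/project.README.txt",   # benign look-alike, one matching file
    "/srv/share/docs/README.txt",
    "/srv/share/docs/report.docx",
]

def find_note_clusters(paths, min_files=3):
    """Flag directories holding a '<ext>.README.txt' note together with
    at least `min_files` files whose extension is that same '<ext>'."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        by_dir[str(pp.parent)].append(pp.name)

    findings = []
    for directory, names in by_dir.items():
        for name in names:
            m = NOTE_RE.match(name)
            if not m:
                continue
            ext = m.group("ext")
            # Files carrying the appended extension; the note itself never matches.
            hits = sorted(n for n in names if n.endswith("." + ext))
            if len(hits) >= min_files:
                findings.append({
                    "directory": directory,
                    "extension": ext,
                    "note": name,
                    "files": hits,
                })
    return findings

if __name__ == "__main__":
    for f in find_note_clusters(SAMPLE_LISTING):
        print(f"{f['directory']}: note {f['note']} with {len(f['files'])} '.{f['extension']}' files")
```

Because the filenames themselves are encrypted, the heuristic keys on the shared extension and the note name rather than on any original filename.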
Threat Analysis
Brain Cipher is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.
Financially motivated threat actors like Brain Cipher prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
Known Campaigns
Brain Cipher is conducting an active ransomware campaign targeting organizations across 0 countries. In the last 45 days, 3 confirmed victims were recorded. Campaign status: ACTIVE (last activity 6 Apr 2026).