RANSOMWARE OPERATION | 💰 FINANCIAL

brain cipher

Campaigns: 1
Aliases: 1

Intelligence Profile

In mid-June 2024, a new ransomware operation named Brain Cipher emerged, notably targeting Indonesia's National Data Center. This attack disrupted immigration operations at airports and various other government services.

The payload employed by this group is based on the leaked LockBit 3.0 builder. Comparative analyses have confirmed significant similarities between Brain Cipher and LockBit 3.0 samples. Notably, the attackers modified the ransomware to not only append a new extension to encrypted files but also to encrypt the filenames themselves.

The group also appears to be in its early stages, as evidenced by its use of the leaked LockBit 3.0 builder and its recent operations. After encrypting the data, the ransomware generates ransom notes named “added_extension.README.txt”. These notes contain a description of what occurred and a link to the attackers' website hosted on the Tor network.

Threat Analysis

Brain Cipher is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like Brain Cipher prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Known Campaigns

Brain Cipher — Active Campaign April 2026

Brain Cipher is conducting an active ransomware campaign targeting organizations across 0 countries. 3 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 6 Apr 2026).

ACTIVE | LOW | 2026

Quick Facts

Type: Ransomware Operation
Motivation: 💰 financial
Aliases: 1

Also Known As

brain cipher

DLS Infrastructure


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.