A recent cyberattack on Indonesian government services has shed light on a larger operation that goes by at least four different names, according to researchers from Group-IB. The attack, carried out by a ransomware group known as “Brain Cipher,” wreaked havoc on Indonesia’s national data center, causing delays and disruptions across the country.
The ransomware group initially demanded $8 million in exchange for unlocking the encrypted data, but eventually released the decryptor for free after facing pressure, with no promise of payment. This incident exposed the existence of Brain Cipher, which researchers have linked to three other groups operating under different names. These groups have been responsible for various cyberattacks around the world, although many of these attacks have not resulted in significant consequences.
Despite its relatively recent emergence, Brain Cipher has already targeted countries such as Israel, South Africa, the Philippines, Portugal, and Thailand. The malware used by the group is based on the leaked Lockbit 3.0 builder and has also incorporated a variant of Babuk in at least one attack on an Indonesian victim. This diversity in malware allows threat actors to target a range of operating systems and environments, expanding the scope of potential victims.
One notable aspect of Brain Cipher’s ransom notes is that they are impersonal but give clear instructions on how victims can pay for data recovery. The group provides victim portals, customer support services, and leak sites as part of the ransomware process. Surprisingly, Brain Cipher did not leak data from most of the victims identified by Group-IB, leading researchers to believe that the group does not actually exfiltrate data as it claims.
Brain Cipher’s operational security (opsec) has also come under scrutiny, as its ransom notes, contact information, and Tor website overlap with other purportedly independent groups like Reborn Ransomware, EstateRansomware, SenSayQ, and another unnamed entity. These groups have carried out ransomware attacks in various countries, including China, France, Indonesia, Kuwait, Hong Kong, Italy, Lebanon, Malaysia, and the US.
Operating under multiple names and utilizing different encryptors provides several advantages to threat actors, as it hampers efforts by security researchers and law enforcement to track their activities. This tactic also obfuscates attribution, making it difficult to identify the responsible parties and prolonging investigations. Additionally, adopting multiple identities allows threat actors to target different sectors or regions without facing reputational consequences.
The ability to rapidly change personas also helps safeguard against operational disruptions in case any identities are compromised. Moreover, these personas could potentially facilitate future exit scams, as discussed by industry experts like Sarah Jones of Critical Start and Tara Gould of Cado Security.
In conclusion, the attack on Indonesia’s government services by Brain Cipher has revealed a complex and interconnected web of ransomware operations that span multiple countries and industries. As these threat actors continue to evolve and adapt their tactics, it becomes increasingly challenging for cybersecurity professionals and law enforcement agencies to combat the growing threat of cyberattacks.