LOCKBIT HEIR THREATENS TO PARALYZE COUNTRY

The new Brain Cipher ransomware has begun actively attacking organizations around the world. A recent incident in Indonesia drew public attention after the country's national data center was hit by a large-scale cyber attack.

On June 20, government servers were encrypted in the attack, disrupting immigration services, passport control, event permit issuance, and other online services. Over 200 state institutions were affected, and the attackers demanded an $8 million ransom in Monero cryptocurrency for a decryptor and for a promise not to publish the allegedly stolen data. The Indonesian government opted not to meet the cybercriminals' demands, and experts are working to recover the encrypted data without paying.

In response to the attack, Indonesian President Joko Widodo ordered a review of state data centers after it emerged that much of the stored data had no backup copies.

Bleeping Computer found that during negotiations the extortionists threatened to release a "press release about the quality of the protection of personal data," hinting at data theft. The government confirmed that the attack was carried out by the new Brain Cipher ransomware operation, which launched in early June and has already targeted multiple organizations globally. Although the group initially had no data leak site, recent ransom notes now include a link to one, indicating a move to double extortion tactics.

Over the past two weeks, Bleeping Computer has identified several samples of the Brain Cipher ransomware on sites that distribute malicious software. These samples were created with the LockBit 3.0 builder, whose code was leaked in 2022. The leaked LockBit code is now being used by other cybercriminals for their own extortion campaigns, such as the recent attack by the Sexi operators on a data center in Chile.

Brain Cipher, however, makes only slight modifications to the LockBit 3.0 encryptor. Among the changes: besides appending an extension to each encrypted file, it also encrypts the file names themselves.

Furthermore, the encryptor drops ransom notes whose names end in .Readme.txt alongside the encrypted files. These notes briefly describe the situation, contain threats, and provide links to the negotiation site and the data leak site on the Tor network.

In a deviation from the template, the attackers used the name "How to Restore Your Files.txt" for one of the notes.
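A defender triaging a file share after an incident like this would want to hunt for exactly the two traces described above: LockBit 3.0-style ransom notes (names ending in .Readme.txt, plus the one-off "How to Restore Your Files.txt") and clusters of files whose names were replaced with random strings and given a shared, unfamiliar extension. The following Python script is an example added here; it is not code from the original article or from any Brain Cipher analysis. The sample listing, the extension .kX9vB2pL, the entropy threshold and the minimum cluster size are constructed assumptions; Brain Cipher's real extension is not given in the article.

```python
import math
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Ransom-note name patterns taken from the article: LockBit-style
# "<extension>.README.txt" (case-insensitive) and the one-off note name.
NOTE_PATTERNS = [
    re.compile(r"^[A-Za-z0-9]{4,12}\.readme\.txt$", re.IGNORECASE),
    re.compile(r"^How to Restore Your Files\.txt$", re.IGNORECASE),
]

# Assumed allow-list of extensions that should never count as "unfamiliar".
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".exe", ".dll",
              ".log", ".jpg", ".png", ".zip", ".csv"}
ENTROPY_THRESHOLD = 3.0   # bits per character; assumed heuristic value
MIN_CLUSTER = 2           # files sharing an unknown extension before we alert


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_ransom_note(name: str) -> bool:
    return any(p.match(name) for p in NOTE_PATTERNS)


def looks_random_stem(stem: str) -> bool:
    """Heuristic for an encrypted/renamed file name: long, alphanumeric,
    mixing letters and digits, with high character entropy."""
    if len(stem) < 8 or not re.fullmatch(r"[A-Za-z0-9_-]+", stem):
        return False
    has_letters = any(ch.isalpha() for ch in stem)
    has_digits = any(ch.isdigit() for ch in stem)
    return has_letters and has_digits and shannon_entropy(stem) >= ENTROPY_THRESHOLD


def scan_listing(paths):
    """Hunt a list of file paths for ransom notes and clusters of renamed files.

    Returns {"notes": [...], "clusters": {ext: [...]}, "affected_dirs": [...]}.
    PureWindowsPath is used so Windows-style paths parse on any host OS.
    """
    notes = []
    candidates = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        if is_ransom_note(wp.name):
            notes.append(p)
            continue
        ext = wp.suffix.lower()
        # Only an unfamiliar extension on a random-looking stem is of interest;
        # legitimate names such as "setup_x64.exe" are filtered by extension.
        if not ext or ext in KNOWN_EXTS:
            continue
        if looks_random_stem(wp.stem):
            candidates[ext].append(p)
    clusters = {ext: files for ext, files in candidates.items()
                if len(files) >= MIN_CLUSTER}
    hits = notes + [f for files in clusters.values() for f in files]
    affected_dirs = sorted({str(PureWindowsPath(f).parent) for f in hits})
    return {"notes": notes, "clusters": clusters, "affected_dirs": affected_dirs}


# Constructed sample listing (not real incident data).
SAMPLE_LISTING = [
    r"C:\Data\Finance\budget_2024.xlsx",
    r"C:\Data\Finance\Q3report.docx",
    r"C:\Data\HR\aK3xT9zQpLm2.kX9vB2pL",
    r"C:\Data\HR\9dFq2Lz0hW.kX9vB2pL",
    r"C:\Data\HR\kX9vB2pL.README.txt",
    r"C:\Data\Legal\ZmQ7pR1tC4yN.kX9vB2pL",
    r"C:\Data\Legal\How to Restore Your Files.txt",
    r"C:\Data\Legal\contract_v2.pdf",
    r"C:\Users\Public\setup_x64.exe",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print("Ransom notes:", *result["notes"], sep="\n  ")
    for ext, files in result["clusters"].items():
        print(f"Suspicious extension {ext}: {len(files)} renamed files")
    print("Affected directories:", result["affected_dirs"])
```

The stem heuristic on its own is noisy (a name like budget_2024 scores high), so the real signal is the combination: several random-looking names sharing one extension that no application on the estate uses. In practice the listing would come from a file-share crawl or from SIEM file-creation events, and the affected directory list gives the first scope for isolation and restore-from-backup work.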
