Cyber attack in Indonesia: the new Brain Cipher ransomware brings services to their knees

A new ransomware group called Brain Cipher has recently appeared on the international scene, spreading panic among cybersecurity specialists. This group launched a devastating attack on a data center in Indonesia, putting the growing danger of cyber threats under the spotlight. Indonesia is currently developing new national data centers to optimize the management of online services for citizens and to store data securely. However, on June 20, a cyber attack hit one of these centers, encrypting government servers and disrupting various critical online services such as immigration, passport control and public event authorizations. This attack had notable consequences, disrupting the operations of over 200 government agencies and leading to a ransom demand of $8 million in Monero, with a promise not to disclose the stolen data if the ransom was paid.

Impact and ransom demands

The Indonesian government has confirmed that the ransomware attack is the work of the Brain Cipher group, which has been active since early June and is known for targeting various organizations globally. Popular security firm Broadcom released a bulletin regarding Brain Cipher on June 16, highlighting the threats posed by this new group. At first, Brain Cipher operated without a website for posting stolen data, but recent ransom demands indicate that it now has a dedicated portal. The structure of Brain Cipher ransomware is based on LockBit 3.0, but has some differences: In addition to encrypting files, the ransomware adds a specific extension and also encrypts file names. Ransom demands are documented in text files containing explanations of the event, payment instructions, and threats related to publishing the data on a Tor site.

Technical features of Brain Cipher

Based on the LockBit 3.0 builder, Brain Cipher is notable for some technical changes that further complicate the lives of IT administrators affected by ransomware. The main feature of Brain Cipher is the additional extension to encrypted files and the encryption of the file name itself, making decryption even more complex. Currently, there is no decryptor that can recover files encrypted by Brain Cipher, other than through paying the requested ransom. This poses a serious threat to affected organizations, as data recovery is closely linked to satisfying the demands of cybercriminals. Brain Cipher's approach is methodical: initial compromise of the corporate network, lateral movement within the infrastructure until administrator credentials are acquired, and finally, global data encryption.

Attack and defense strategy

The strategy used by Brain Cipher follows attack models already known in the ransomware landscape. After the initial compromise of the corporate network, the ransomware spreads laterally affecting other connected devices. The ultimate goal is to gain administrative access to the network to deploy the ransomware on a large scale. A worrying aspect of Brain Cipher is the use of double extortion: before encrypting the data, the attackers steal it, so that they can threaten the victim with the disclosure of sensitive data if the ransom is not paid. This method significantly increases the pressure on victims, forcing them to make quick and often painful decisions to safeguard the confidentiality of their data. To protect yourself from these advanced threats, it is critical to implement robust security measures, including regular backups, continuous monitoring, and staff training on cybersecurity practices.