Brain Cipher Ransomware Analysis with Cynet’s All-in-One Platform


On June 20, 2024, government services were knocked offline as a cyberattack rocked the Indonesian National Data Center. Investigators would attribute the outage to a new hacker group infecting targets with a novel ransomware variant: Brain Cipher.

A variant of the LockBit ransomware family, Brain Cipher was created using the leaked LockBit 3.0 Builder. It has been deployed against targets worldwide to carry out double-extortion schemes, in which files are stolen from the victim’s network prior to encryption.


For actionable insights, we’ll break down Brain Cipher through static and dynamic analysis, then demonstrate detections to block it using Cynet’s All-in-One Cybersecurity Solution.

  • Static analysis will inspect Brain Cipher’s source code to better understand the malware’s functionality and capabilities.
  • Dynamic analysis executes Brain Cipher in a controlled environment to demonstrate its attack flow.

For more step-by-step demonstrations to stop real-world threats, make sure to watch “How to Achieve Total Protection with an All-in-One Platform.”

Static Analysis

By parsing Brain Cipher’s source code, we can better understand the ransomware’s functionality.

  • The file’s high entropy suggests that it is packed.
  • Brain Cipher’s file strings do not indicate which operations it is designed to perform.

Because the file is packed, execution is necessary to unleash its full capabilities. 
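The entropy check behind the first static-analysis observation, written out as an added example (this is not code from the original post or from Cynet). It computes Shannon entropy over a whole buffer and over fixed-size windows, so a packed body stands out even when the file begins with a small plain stub. The samples, the 7.0 bits/byte threshold and the 512-byte window size are assumptions chosen for illustration, not values taken from the Brain Cipher binary.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512) -> list:
    """Entropy of each fixed-size window; a packed payload stands out even behind a plain-text stub."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


# Rule of thumb (assumption): compiled code and text usually sit well below 7 bits/byte,
# while compressed or encrypted (packed) data sits close to 8.
PACKED_THRESHOLD = 7.0


def looks_packed(data: bytes, window: int = 512, min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the windows reach PACKED_THRESHOLD."""
    profile = entropy_profile(data, window)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= PACKED_THRESHOLD)
    return high / len(profile) >= min_fraction


def file_looks_packed(path: str) -> bool:
    """Convenience wrapper for a file on disk (hypothetical usage, not run here)."""
    with open(path, "rb") as fh:
        return looks_packed(fh.read())


# Constructed samples (not from the Brain Cipher binary): a text-like stub and a
# deterministic pseudo-random blob standing in for packed content.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 40
RANDOM_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
MIXED_SAMPLE = PLAIN_SAMPLE[:1024] + RANDOM_SAMPLE  # small plain stub followed by a "packed" body

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("random", RANDOM_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(f"{name:6s} entropy={shannon_entropy(sample):.2f} packed={looks_packed(sample)}")
```

Whole-file entropy alone can be misleading for a large executable with a small packed overlay; the per-window profile is what an analyst would eyeball in a hex editor or an entropy graph, and `looks_packed` just turns that eyeballing into a reproducible rule.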

Dynamic Analysis

Next, we’ll execute Brain Cipher in a controlled environment to observe its attack flow step by step.

  • Upon execution, Brain Cipher launches DllHost.exe with parameters to run the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This CLSID corresponds to cmstplua.dll and is commonly abused by attackers to bypass User Account Control (UAC).
    • DllHost.exe then spawns another instance of the Brain Cipher executable, and the original process terminates.
  • The new Brain Cipher process creates the ransom note file “C:\sYMY1N6ah.README.txt”.
  • The process continues by scanning the file system and initiating encryption of files. Encrypted file names are changed to a random string of characters and are appended with a randomly generated extension “.sYMY1N6ah”.
  • The Brain Cipher ransom note is then dropped into every affected folder.
    • It forbids the victim from contacting law enforcement or trying to recover the files themselves. If these actions are taken, the note warns, the threat actors will cut off all communication with victims.
    • Victims are instead instructed to contact the threat actors via their Onion page hosted on the TOR network.
  • The process then attempts to create the file “\\*\MAILSLOT\NET\NETLOGON”.
  • This relates to the Remote Mailslot Protocol, which can be used for communication between client and server applications over the NetBIOS datagram transport protocol.
  • In this instance, the Remote Mailslot Protocol is used by the Netlogon Remote Protocol to locate domain controllers.
  • The process continues by modifying the registry keys of all Windows event log channels.
  • The process attempts to change the “ChannelAccess” and “Enabled” registry values of each channel’s registry key to disable future logging and remove the user’s access to view the existing log files.
  • Any attempt to view the Windows event log files prompts an error message.
  • Executing the Windows Event Viewer application itself shows that it holds no data.
  • The process creates and executes the file “C:\ProgramData\9EA9.tmp” before terminating itself. The newly created process renames the Brain Cipher executable to “C:\Users\*\Desktop\AAAAAAAAAAAAAAA”.
  • The file is then renamed again to “C:\Users\*\Desktop\BBBBBBBBBBBBBBB”.
  • This continues through all the alphabetical characters until “C:\Users\user\Desktop\ZZZZZZZZZZZZZZZ”, after which the file is deleted.
  • “9EA9.tmp” then executes “cmd.exe” with commands to delete itself from the host, ending the malware’s execution.

Here is a view of the full process tree:

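To make the dynamic-analysis observations above actionable for a detection engineer, here is an added example (not code from the original post or from Cynet) that runs a handful of behavioural rules over process, registry and file telemetry. The event schema, the “/Processid:” command-line form, the user paths and the sample records are all constructed assumptions loosely modelled on Sysmon-style logs; only the CLSID, the WINEVT channel values, the ransom-note naming and the A…Z rename pattern come from the analysis above.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical schema, not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",  # benign-looking control
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security",
     "value": "Enabled", "data": 0},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security",
     "value": "ChannelAccess", "data": "<constructed SDDL string>"},
    {"type": "file", "op": "create", "path": r"C:\sYMY1N6ah.README.txt"},
    {"type": "file", "op": "rename", "path": r"C:\Users\user\Documents\budget.xlsx",
     "new_path": r"C:\Users\user\Documents\k2Jd8sLq1.sYMY1N6ah"},
    {"type": "file", "op": "rename", "path": r"C:\Users\user\Documents\notes.txt",
     "new_path": r"C:\Users\user\Documents\Zp9aQw3eR.sYMY1N6ah"},
    {"type": "file", "op": "rename", "path": r"C:\Users\user\Pictures\cat.jpg",
     "new_path": r"C:\Users\user\Pictures\xT5vB7nM2.sYMY1N6ah"},
    {"type": "file", "op": "rename", "path": r"C:\Users\user\Desktop\sample.exe",
     "new_path": r"C:\Users\user\Desktop\AAAAAAAAAAAAAAA"},
    {"type": "file", "op": "rename", "path": r"C:\Users\user\Desktop\AAAAAAAAAAAAAAA",
     "new_path": r"C:\Users\user\Desktop\BBBBBBBBBBBBBBB"},
]

# Indicators taken from the analysis above.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
WINEVT_CHANNELS = re.compile(r"\\WINEVT\\Channels\\", re.IGNORECASE)
TAMPERED_VALUES = {"Enabled", "ChannelAccess"}
RANSOM_NOTE = re.compile(r"\.README\.txt$", re.IGNORECASE)
REPEATED_LETTER_NAME = re.compile(r"^([A-Z])\1{7,}$")  # AAAAAAAA..., BBBBBBBB..., ... ZZZZZZZZ...
MASS_RENAME_THRESHOLD = 3  # assumption; tune to the environment


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule_name, detail) findings for the behaviours seen in the Brain Cipher flow."""
    findings = []
    renames_by_ext = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            # dllhost.exe hosting the cmstplua CLSID is the UAC-bypass step.
            if (_basename(ev["image"]).lower() == "dllhost.exe"
                    and CMSTPLUA_CLSID.lower() in ev["cmdline"].lower()):
                findings.append(("uac_bypass_cmstplua", ev["cmdline"]))
        elif ev["type"] == "registry":
            # Writes to Enabled/ChannelAccess under WINEVT\Channels disable or hide event logs.
            if WINEVT_CHANNELS.search(ev["key"]) and ev["value"] in TAMPERED_VALUES:
                findings.append(("eventlog_channel_tamper", ev["key"] + "\\" + ev["value"]))
        elif ev["type"] == "file":
            if ev["op"] == "create" and RANSOM_NOTE.search(ev["path"]):
                findings.append(("ransom_note_dropped", ev["path"]))
            elif ev["op"] == "rename":
                name = _basename(ev["new_path"])
                if REPEATED_LETTER_NAME.match(name):
                    # The A..Z rename chain precedes deletion of the malware's own binary.
                    findings.append(("self_wipe_rename", ev["new_path"]))
                elif "." in name:
                    renames_by_ext[name.rsplit(".", 1)[1]].append(ev["path"])
    # Many files renamed to one previously unseen extension is the encryption sweep.
    for ext, originals in renames_by_ext.items():
        if len(originals) >= MASS_RENAME_THRESHOLD:
            findings.append(("mass_rename_new_extension", "." + ext + " x" + str(len(originals))))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

The rules deliberately key on behaviour rather than on the sample’s hash: the CLSID and the WINEVT registry values are stable across LockBit 3.0 builds, whereas the extension and note name are regenerated per build, which is why the mass-rename rule counts renames to any single new extension instead of matching “.sYMY1N6ah” literally.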

MITRE ATT&CK Tactics & Techniques

Execution
  • Command and Scripting Interpreter
  • Inter-Process Communication
Privilege escalation
  • Abuse Elevation Control Mechanism
Defense evasion
  • Abuse Elevation Control Mechanism
  • File and Directory Permissions Modification
  • Indicator Removal
  • Modify Registry
Discovery
  • File and Directory Discovery
Impact
  • Data Encrypted for Impact
  • Service Stop

Cynet vs Brain Cipher

Here we will demonstrate how to detect Brain Cipher ransomware using Cynet’s All-in-One Cybersecurity Platform.

  • Note that during the execution simulation, Cynet is configured in Detection Mode (without prevention) to allow Brain Cipher’s full flow to execute. This facilitates the triggering and logging of each step in the attack.

Fortunately for Cynet partners and customers, the All-in-One Cybersecurity Platform easily detects and prevents this ransomware using four layered mechanisms.

  1. File Dumped on the Disk
    Cynet’s AV/AI engine detects that a malicious file was dumped on the disk or is attempting to run.

  2. Malicious Binary
    By inspecting the file’s SSDEEP hash value, Cynet determines that the file is malicious.

  3. Process Monitoring
    Cynet detects the attempts to bypass UAC (User Account Control) to achieve privilege escalation, as well as the suspicious execution of an unsigned process.

  4. Unauthorized File Operation Attempt
    Cynet detects and reports Brain Cipher’s attempts to modify Cynet’s ransomware decoy files, in addition to the presence of a ransom note file.

Take action

Brain Cipher’s behavior is typical of financially motivated threat actors. Therefore, organizations — especially MSPs and small-to-medium enterprises with limited cybersecurity resources — must implement cost-effective protections to reduce their risk.

Cynet was purpose-built to unify a full security suite on a single, simple solution. To see these advantages in action, sign up to watch as experts simulate real-world threats or, for an even deeper dive, book a one-on-one demo with Cynet experts today.
