On June 20, 2024, government services were knocked offline as a cyberattack rocked the Indonesian National Data Center. Investigators would attribute the outage to a new hacker group infecting targets with a novel ransomware variant: Brain Cipher.
A variant of the LockBit ransomware family, Brain Cipher was built with the leaked LockBit 3.0 builder. It has been deployed against targets worldwide in double-extortion schemes, in which files are stolen from the victim's network before they are encrypted.
For actionable insights, we’ll break down Brain Cipher through static and dynamic analysis, then demonstrate detections to block it using Cynet’s All-in-One Cybersecurity Solution.
- Static analysis inspects the Brain Cipher binary without running it, to learn what we can about the malware's functionality and capabilities.
- Dynamic analysis executes Brain Cipher in a controlled environment to demonstrate its attack flow.
For more step-by-step demonstrations to stop real-world threats, make sure to watch “How to Achieve Total Protection with an All-in-One Platform.”
Static Analysis
By examining the Brain Cipher binary without executing it, we can get a first view of the ransomware's functionality.
- The file's high entropy suggests that it is packed (the payload is compressed or encrypted and only unpacked at run time):
- The strings visible in the file give no indication of the operations it performs, which is what we expect from a packed binary.
Because the file is packed, the sample must be executed (or unpacked) to observe its full capabilities.
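The two static checks above, entropy and strings, as an added example in Python (this is not Cynet's code or tooling from the write-up). It assumes 7.0 bits per byte as the "likely packed" threshold and a small keyword list as the set of interesting API and artifact names; the two byte strings are constructed stand-ins for a packed and an unpacked sample, not Brain Cipher bytes.

```python
import math
import random
import re
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which we suspect packing or encryption

# Keywords a triage analyst would look for in strings output (assumed list, not from the write-up)
INTERESTING = re.compile(r"(?i)(CreateFile|WriteFile|RegSetValue|Crypt|README|mailslot|dllhost|\.onion)")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list[float]:
    """Per-chunk entropy; a packed section stands out even when headers drag the whole-file value down."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, equivalent to `strings -n 6`."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Combine the whole-file entropy, the per-chunk maximum and a keyword scan of the strings."""
    entropy = shannon_entropy(data)
    strings = extract_strings(data)
    return {
        "entropy": round(entropy, 3),
        "max_chunk_entropy": round(max(chunk_entropies(data), default=0.0), 3),
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
        "string_count": len(strings),
        "interesting_strings": [s for s in strings if INTERESTING.search(s)],
    }


# Constructed samples (not real malware bytes). A seeded PRNG stands in for a packed/encrypted
# payload; the second blob imitates an unpacked PE with a readable import table and artifact names.
PACKED_SAMPLE = random.Random(1).randbytes(64 * 1024)
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00CreateFileW\x00WriteFile\x00advapi32.dll\x00RegSetValueExW\x00CryptEncrypt\x00"
    + b".README.txt\x00" * 4
    + b"\x00" * 1024
)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(name, triage(blob))
```

On the packed stand-in the entropy sits just under 8.0 and the keyword scan finds nothing useful; on the unpacked one the entropy is low and the import names and ransom-note suffix are immediately visible. Real packed PEs usually show the split more clearly in the per-chunk view, since the unpacking stub and headers are low-entropy while the payload section is not.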
Dynamic Analysis
Next, we'll execute Brain Cipher in a controlled environment to observe its attack flow step by step.
- Upon execution, Brain Cipher launches DllHost.exe with parameters that make it host the COM class with CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This CLSID corresponds to cmstplua.dll, an auto-elevating COM interface that attackers commonly abuse to bypass User Account Control (UAC).
- DllHost.exe then spawns a second instance of the Brain Cipher executable, and the original process terminates:
- The new Brain Cipher process creates the ransom note file "C:\sYMY1N6ah.README.txt":
- The process continues by scanning the file system and encrypting files. Each encrypted file is renamed to a random string of characters with a randomly generated extension, here ".sYMY1N6ah", the same token that prefixes the ransom note's filename:
- The Brain Cipher ransom note is then dropped into every affected folder.
- It forbids the victim from contacting law enforcement or attempting to recover the files themselves, warning that if either happens the threat actors will cut off all communication.
- Victims are instead instructed to contact the threat actors via their onion page hosted on the Tor network:
- The process then attempts to create the file "\\*\MAILSLOT\NET\NETLOGON".
- This path belongs to the Remote Mailslot Protocol, a one-way datagram mechanism for communication between client and server applications over the NetBIOS datagram transport.
- In this instance the mailslot is the one the Netlogon Remote Protocol uses to locate domain controllers, so the sample is checking for a domain environment before it proceeds.
- The process continues by modifying the registry keys of every Windows event log channel (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels).
- For each channel key the process attempts to change the "ChannelAccess" and "Enabled" values, disabling future logging to the channel and revoking access to view the logs already written:
- Any attempt to view the Windows event log files prompts the following error message:
- Executing the Windows Event Viewer application itself shows that it holds no data:
- The process creates and executes the file "C:\ProgramData\9EA9.tmp" before terminating itself. The newly created process renames the Brain Cipher executable to "C:\Users\*\Desktop\AAAAAAAAAAAAAAA":
- The file is then renamed again to "C:\Users\*\Desktop\BBBBBBBBBBBBBBB":
- This continues through the alphabet until "C:\Users\user\Desktop\ZZZZZZZZZZZZZZZ", after which the file is deleted. Walking the name through the alphabet before deletion is a self-deletion routine intended to hamper forensic recovery of the original binary:
- "9EA9.tmp" then executes "cmd.exe" with a command line that deletes 9EA9.tmp itself from the host, ending the malware's execution:
Here is a view of the full process tree:
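The attack flow above expressed as detection logic, added here as an example; it is not Cynet's detection engine and not code from the write-up. The event stream is constructed Sysmon-like telemetry modelled on the steps described (the "/Processid:" command-line form, the PIDs, paths, the rename-burst threshold and the SDDL string are assumptions), and each rule carries the ATT&CK technique ID of the stage it covers.

```python
import re
from collections import defaultdict

# --- Constructed telemetry (Sysmon-like shape, not a real capture) -------------------------
DOCS = r"C:\Users\user\Documents"
DESKTOP = r"C:\Users\user\Desktop"
CHANNELS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"

EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 3990,
     "image": f"{DESKTOP}\\brain_cipher.exe", "cmdline": "brain_cipher.exe"},
    # DllHost.exe hosting the CMSTPLUA COM class: the UAC bypass step (command-line form assumed)
    {"type": "process_create", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"type": "process_create", "pid": 4140, "ppid": 4120,
     "image": f"{DESKTOP}\\brain_cipher.exe", "cmdline": "brain_cipher.exe"},
    {"type": "file_create", "pid": 4140, "path": r"C:\sYMY1N6ah.README.txt"},
    # a single benign rename by an unrelated process, to show the burst rule ignores it
    {"type": "file_rename", "pid": 900, "src": f"{DOCS}\\notes.txt", "dst": f"{DOCS}\\notes.bak"},
]
# mass rename: random-looking names plus the generated extension
EVENTS += [{"type": "file_rename", "pid": 4140, "src": f"{DOCS}\\report{i}.docx",
            "dst": f"{DOCS}\\enc{i}.sYMY1N6ah"} for i in range(6)]
# event-log channel tampering: Enabled=0 plus a restrictive ChannelAccess (SDDL value is constructed)
EVENTS += [{"type": "registry_set", "pid": 4140, "key": f"{CHANNELS_KEY}\\{ch}", "value": v, "data": d}
           for ch in ("Application", "Security", "System", "Microsoft-Windows-Sysmon/Operational")
           for v, d in (("Enabled", "0"), ("ChannelAccess", "D:(D;;0x1;;;WD)"))]
# self-deletion: the dropped .tmp renames the binary through repeated letters, then deletes it
NAMES = ["brain_cipher.exe"] + [c * 15 for c in "ABC"]   # the write-up shows this running A..Z
EVENTS += [{"type": "file_rename", "pid": 4200, "src": f"{DESKTOP}\\{a}", "dst": f"{DESKTOP}\\{b}"}
           for a, b in zip(NAMES, NAMES[1:])]
EVENTS.append({"type": "file_delete", "pid": 4200, "path": f"{DESKTOP}\\{NAMES[-1]}"})

# --- Detection rules ---------------------------------------------------------------------
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
WINEVT_CHANNELS = "\\winevt\\channels\\"
RANSOM_NOTE = re.compile(r"\.README\.txt$", re.IGNORECASE)
REPEATED_LETTER_NAME = re.compile(r"^([A-Za-z])\1{14}$")    # AAAAAAAAAAAAAAA ... ZZZZZZZZZZZZZZZ
MIN_RENAMES_PER_EXT = 5   # assumption: burst size before a new extension counts as mass encryption


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events: list[dict]) -> list[dict]:
    """Run the rules over an event stream and return one alert per finding."""
    alerts = []
    renames_by_ext = defaultdict(list)
    tampered_channels = set()
    self_delete_pids = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            if basename(ev["image"]).lower() == "dllhost.exe" and CMSTPLUA_CLSID in ev["cmdline"].lower():
                alerts.append({"rule": "uac_bypass_cmstplua", "technique": "T1548.002", "pid": ev["pid"]})
        elif kind == "registry_set":
            if WINEVT_CHANNELS in ev["key"].lower() and ev["value"].lower() in ("enabled", "channelaccess"):
                tampered_channels.add(basename(ev["key"]))
        elif kind == "file_create":
            if RANSOM_NOTE.search(basename(ev["path"])):
                alerts.append({"rule": "ransom_note_dropped", "technique": "T1486", "path": ev["path"]})
        elif kind in ("file_rename", "file_delete"):
            target = basename(ev["dst"] if kind == "file_rename" else ev["path"])
            if REPEATED_LETTER_NAME.match(target):
                if ev["pid"] not in self_delete_pids:          # one alert per process, not per letter
                    self_delete_pids.add(ev["pid"])
                    alerts.append({"rule": "self_delete_rename", "technique": "T1070.004", "pid": ev["pid"]})
            elif kind == "file_rename" and "." in target:
                renames_by_ext[target.rsplit(".", 1)[-1]].append(ev["src"])
    if tampered_channels:
        alerts.append({"rule": "eventlog_channel_tamper", "technique": "T1562.002",
                       "channels": sorted(tampered_channels)})
    for ext, sources in renames_by_ext.items():
        if len(sources) >= MIN_RENAMES_PER_EXT:
            alerts.append({"rule": "mass_rename_new_extension", "technique": "T1486",
                           "extension": ext, "count": len(sources)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running the block prints one alert per stage: the CMSTPLUA-hosted DllHost.exe, the ransom note, the burst of renames to a single new extension, the event log channel tampering (aggregated into one alert listing the channels) and the repeated-letter rename chain. The registry rule is the one worth deploying first in practice: the channel keys are the last thing the host will log before logging stops, so an alert on a write to Enabled or ChannelAccess under WINEVT\Channels has to fire on the event itself rather than on anything that follows.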
MITRE ATT&CK Tactics & Techniques
| Execution | Privilege Escalation | Defense Evasion | Discovery | Impact |
|---|---|---|---|---|
| Command and Scripting Interpreter (T1059) | Abuse Elevation Control Mechanism (T1548) | Abuse Elevation Control Mechanism (T1548) | File and Directory Discovery (T1083) | Data Encrypted for Impact (T1486) |
| Inter-Process Communication (T1559) | | File and Directory Permissions Modification (T1222) | | Service Stop (T1489) |
| | | Indicator Removal (T1070) | | |
| | | Modify Registry (T1112) | | |
Cynet vs Brain Cipher
Here we will demonstrate how to detect Brain Cipher ransomware using Cynet’s All-in-One Cybersecurity Platform.
- Note that during the execution simulation, Cynet is configured in Detection Mode (without prevention) to allow Brain Cipher’s full flow to execute. This facilitates the triggering and logging of each step in the attack.
Fortunately for Cynet partners and customers, the All-in-One Cybersecurity Platform easily detects and prevents this ransomware using four layered mechanisms.
- File Dumped on the Disk
Cynet’s AV/AI engine detects that a malicious file was dumped on the disk or is attempting to run:
- Malicious Binary
By comparing the file's SSDEEP fuzzy hash against known malicious samples, Cynet determines that the file is malicious:
- Process Monitoring
Cynet detects the attempts to bypass UAC (User Account Control) to achieve privilege escalation, as well as the suspicious execution of an unsigned process:
- Unauthorized File Operation Attempt
Cynet detects and reports Brain Cipher’s attempts to modify Cynet’s ransomware decoy files, in addition to the presence of a ransom note file:
Take action
Brain Cipher’s behavior is typical of financially motivated threat actors. Therefore, organizations — especially MSPs and small-to-medium enterprises with limited cybersecurity resources — must implement cost-effective protections to reduce their risk.
Cynet was purpose-built to unify a full security suite on a single, simple solution. To see these advantages in action, sign up to watch as experts simulate real-world threats or, for an even deeper dive, book a one-on-one demo with Cynet experts today.