Ransomware Group Behind Major Indonesian Attack Wears Many Masks

The threat actor behind a major attack on Indonesian government services is just one manifestation of an operation going by at least three other names.

On June 20, a ransomware operation known as "Brain Cipher" bit off more than it could chew when it locked up Indonesia's national data center. Hours-long lines began to form across the world's fourth-largest country as ferry passengers waited for booking systems to come back online, and international arrivals stood frozen at passport verification kiosks. Effects were felt throughout more than 200 national and local government agencies in all. Under pressure and with no promise of payment, the group abandoned its $8 million ransom demand, publishing its decryptor for free.

Researchers from Group-IB have since studied Brain Cipher and found that it's related to at least three other groups, or perhaps just operating under four different names. Together, these variously named entities have carried out attacks across the globe, but often without much consequence.

Brain Cipher's TTPs

Evidence of Brain Cipher's existence dates back only to its attack against the Indonesian government. Despite being so young, it already has spread to Israel, South Africa, the Philippines, Portugal, and Thailand. This, however, isn't necessarily proof of any degree of sophistication.

The malware it uses is based on the leaked Lockbit 3.0 builder. It has also used a variant of Babuk in the case of at least one Indonesian victim. "The use of varying encryptors allows threat actors to target multiple operating systems and environments," explains Tara Gould, threat research lead at Cado Security. "Different encryptors may be optimized for different operating systems which widens the scope of potential targets, ultimately maximizing the impact."

What its ransom notes lack in personality they make up for in clarity, with brief, step-by-step instructions on how to pay them for data recovery. That process involves all the usual ransomware trappings: a victim portal, customer support services, and a leak site.

Notably, though, the group did not leak data belonging to most of its victims tracked by Group-IB. This led the researchers to conclude that Brain Cipher does not actually exfiltrate data as it promises.

Brain Cipher's Many Identities

Brain Cipher also struggles with opsec. Its ransom notes, contact information, and Tor website all overlap with other supposedly independent groups, including Reborn Ransomware, EstateRansomware, SenSayQ, and another entity without a nom de guerre, artifacts from which date back to April.

Together, these purportedly independent operations have sent overlapping ransomware attacks across the globe. Reborn has tallied up victims in China, France, Indonesia, and Kuwait, and the other groups have France, Hong Kong, Italy, Lebanon, Malaysia, and the US on their lists.

"Operating under multiple names and using different encryptors offers several advantages to threat actors," explains Sarah Jones, cyber threat intelligence research analyst at Critical Start. "By continually evolving their tactics, these actors hinder the ability of security researchers and law enforcement to track their activities. The use of multiple identities obfuscates attribution, prolonging investigations and enabling targeting of various sectors or regions without reputational consequences."

"The flexibility to rapidly adopt new personas safeguards against operational disruption in the event of compromised identities," Jones says.

Cado Security's Gould adds that these personas may also lubricate future exit scams.