Chapter 1: Brain Cipher Ransomware: Key Trends and Outlook
Brain Cipher ransomware is known as a variant of the infamous Lockbit 3.0 ransomware, whose operators had previously been arrested in Ukraine in May 2024. Because the Lockbit 3.0 builder source was leaked, it is speculated that the Brain Cipher threat actors reused the remnants of Lockbit 3.0 to create a new variant named "Brain Cipher".
However, it is still unclear whether the Brain Cipher actors originate from the Lockbit 3.0 threat actors, as further details have not been confirmed. The Brain Cipher ransomware first surfaced on the internet on May 18th, followed by the recent incident at Indonesia's National Data Center (PDN) of the Ministry of Communication and Information (Menkominfo).
Mirroring the Lockbit threat actors, Brain Cipher threat actors are also financially motivated and utilize the double extortion strategy to increase the chances of earning profit.
Currently there are two different ransom note samples of the Brain Cipher ransomware, possibly indicating that multiple variants are being used in the wild. However, further information on their existence, their differences, and which variant was used in the most recent campaign against Indonesia's National Data Center (PDN) of the Ministry of Communication and Information (Menkominfo) still remains unclear.
In Depth: Brain Cipher Ransomware Attack on Indonesia's Pusat Data Nasional
According to the government, signs of an impending attack on the National Data Center (PDN) had been detected since June 17 at 11:15 PM, indicated by attempts to disable the Windows Defender antivirus. However, there was no swift response to this activity, which led to a ransomware attack on the PDN on June 20 at 12:54 AM. Among the detected activities were the installation of malicious files, deletion of critical system files, deactivation of running services, and the disabling of storage-related services such as VSS, Hyper-V Volume, VirtualDisk, and Veeam vPower NFS. The ransomware was later identified as Brain Cipher on June 23. The attack disrupted services such as immigration and passport control and caused prolonged delays at airports. The group also demanded a ransom of $8 million in Monero cryptocurrency, threatening to leak stolen data if their demands were not met.
In a surprising turn of events, the Brain Cipher group apologized to Indonesia's citizens on July 1st, expressing regret for the disruption caused by their actions. Following that, on June 2nd, 2024, the group announced that on Wednesday, June 3rd, 2024, they would release a decryption key for free. The group emphasized that the decision was made independently, without pressure from law enforcement or other agencies, and requested public acknowledgment of their actions. The group also stated that the attack on Temporary National Data Centre (PDN)-2 was not politically motivated but was intended to remind the government how critical the need for cybersecurity funding and specialists is.
True to their word, on June 3rd, 2024, the Brain Cipher group made another post with a link allowing anyone to download the decryption key file. The key took the form of a 54 kb ESXi file consisting of a complex string of numbers, letters, and symbols, designed specifically to decrypt data from Temporary National Data Centre (PDN)-2; it did not extend to other encrypted files. The Ministry of Communications and Informatics (Kominfo) later confirmed that the decryption key worked and that six sets of data at Temporary National Data Centre (PDN)-2 had been successfully unlocked.
However, an in-depth analysis of the ransomware attack on Temporary National Data Centre (PDN)-2 revealed that it involved two distinct ransomware families from the same group, Brain Cipher. The first, Lockbit 3.0, targeted the Windows operating system. The second, Babuk, attacked the ESXi hypervisor environment. The decryption key previously provided by Brain Cipher is said to have succeeded only in decrypting data on the ESXi servers encrypted by the Babuk ransomware. However, the hacker group behind the Lockbit 3.0 attack claimed that the ESXi decryption key should be sufficient to recover all the encrypted data, suggesting that no separate decryption key for Lockbit 3.0 was necessary.
A researcher carried out a separate analysis of the Babuk ransomware following the release of the decryption key. The researcher noted that the builders for both LockBit and Babuk ransomware have been leaked on the internet for several years, so many malware derivatives already exist because they are so easy to compile. The Babuk variant employed in the PDNS incident was primarily distinguished by its .encrptd extension and its decryption key, unlike the original version of the ransomware, which uses the .babyk extension.
Notably, the Babuk encryption of ESXi can only take place if the attacker can log in to the ESXi host and then run the encryptor manually, so a preliminary step must have been taken before the attacker could proceed with the attack. There are usually only two ways to log in to the ESXi environment: exploiting an ESXi bug (if it has not been patched) or using a password (if the password is known). Once logged in, the attacker can run the encryptor from the command line.
ESXi itself is a hypervisor, software used to run virtual machines. A virtual machine usually consists of several files, one of the most important being the VMDK file, the disk image of the virtual machine. This file can be tens to hundreds of GB in size; in the case of PDNS the sizes would be very large, so encrypting everything would take a long time. Lockbit takes the approach of encrypting a certain number of gigabytes initially and then every N gigabytes. Babuk's approach is simpler: it encrypts only the first 520MB of each file, with a different key for each file; that key is then encrypted with a master key and appended to the end of the file (the last 32 bytes of the file are the key, in encrypted form).
The researcher explained that the Babuk ransomware that attacked the ESXi environment usually encrypts only the first 520MB of virtual machine data, leaving the crucial system data untouched and typically allowing a 50-100% recovery rate for affected files. This recovery rate is observed because, on most operating systems, the first 520MB of the disk contains only operating system information.
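The partial-encryption layout described above lends itself to a small triage helper. The following Python is an added example, not Babuk, Brain Cipher or the researcher's code; it assumes the layout exactly as the page describes it (first 520MB encrypted, the remainder untouched, a 32-byte encrypted per-file key appended at the end) and uses a constructed in-memory file with XOR standing in for the real cipher. It performs no decryption: it only locates the three regions of an encrypted file and reports how much of the original data was never touched, which is what decides the recovery rate the researcher mentions.

```python
# Added example (not Babuk/Brain Cipher code): triage of a file encrypted in the
# partial layout the page describes. Assumed layout:
#   [encrypted prefix, first 520MB] [untouched remainder] [32-byte appended key blob]

PREFIX_SIZE = 520 * 1024 * 1024  # only the first 520MB of each file is encrypted
KEY_TRAILER = 32                 # last 32 bytes: the per-file key, itself encrypted


def layout(encrypted_size, prefix_size=PREFIX_SIZE, trailer=KEY_TRAILER):
    """Byte ranges of the three regions for an encrypted file of this size."""
    if encrypted_size < trailer:
        raise ValueError("file too small to carry an appended key blob")
    original_size = encrypted_size - trailer        # size before the key was appended
    enc_end = min(prefix_size, original_size)        # small files are encrypted entirely
    untouched = original_size - enc_end
    return {
        "original_size": original_size,
        "encrypted": (0, enc_end),
        "untouched": (enc_end, original_size),
        "key_blob": (original_size, encrypted_size),
        "untouched_fraction": untouched / original_size if original_size else 0.0,
    }


def carve(data, prefix_size=PREFIX_SIZE, trailer=KEY_TRAILER):
    """Split an in-memory encrypted file into its regions (no decryption performed)."""
    regions = layout(len(data), prefix_size, trailer)
    return {
        "encrypted": data[slice(*regions["encrypted"])],
        "untouched": data[slice(*regions["untouched"])],
        "key_blob": data[slice(*regions["key_blob"])],
        "untouched_fraction": regions["untouched_fraction"],
    }


def simulate_encryption(plaintext, prefix_size=PREFIX_SIZE, trailer=KEY_TRAILER):
    """Build a constructed sample in the assumed layout; XOR stands in for the real cipher."""
    key = bytes(range(trailer))  # constructed key for the demo, not a real one
    prefix = bytes(b ^ key[i % trailer] for i, b in enumerate(plaintext[:prefix_size]))
    return prefix + plaintext[prefix_size:] + key


if __name__ == "__main__":
    # A 100 GB VMDK: only 520MB of it is touched, so ~99.5% of the bytes survive.
    print(layout(100 * 1024**3 + KEY_TRAILER)["untouched_fraction"])
    # Constructed 1 KiB sample with a 100-byte "prefix" so the demo runs instantly.
    sample = simulate_encryption(bytes(range(256)) * 4, prefix_size=100)
    print(carve(sample, prefix_size=100)["untouched_fraction"])
```

The `untouched_fraction` for a large disk image is what makes the researcher's recovery figures plausible: the encrypted prefix is a fixed size, so the larger the VMDK, the smaller the share of data that is actually lost, and the key blob at the tail is simply carved off rather than interpreted.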
The official forensic report on this incident has not yet been released by the National Cyber and Crypto Agency (BSSN), so the threat actors' initial access point remains unknown. However, some experts criticize the use of Windows Defender as the main and only antivirus for the PDN, arguing that a defense system with better features should have been employed.
The National Data Center (PDN) in Indonesia is managed by TelkomSigma, part of the Telkom group, and Lintasarta. PDN holds highly sensitive public information, notably immigration data, and the attack heavily disrupted immigration processes. Immigration verification resorted to manual checks for the time being, hindering operations; the government reported adding multiple counters at Soekarno-Hatta Airport just to sustain operations.
According to the Director General of Informatics Applications at Kemenkominfo (Dirjen Aplikasi Informatika), Semuel Abrijani Pengerapan, at least 210 government institutions, both local and central, are known to use PDN as their data storage. The most recent available figures for PDN users, cited from aptika.kominfo (2020 – 2021), are as follows:
| Institutions | 2020 | 2021 |
|---|---|---|
| Ministry / Instances | 12 | 43 |
| Province | 4 | 9 |
| Regency | 19 | 86 |
| City | 7 | 24 |
Due to the high profiles of the PDN’s service users, the Brain Cipher ransomware attack on the PDN is classified as a national threat.
Chapter 2: Technical Analysis
Known MITRE ATT&CK TTPs
Initial Access (Suspected)
T1566 Phishing
T068 Exploitation
Execution
T1059.003: Windows Command Shell
T1204.002: User Execution Malicious File
Privilege Escalation
T1548.002: Bypass User Account Control
Defense Evasion
T1548.002: Bypass User Account Control
Credential Access
T1539: Steal Web Session Cookies
T1555.003: Credentials from Web Browsers
T1552.001: Credentials in Files
Discovery
T1005: Data from Local System
T1012: Query Registry
T1082: System Information Discovery
T1518: Software Discovery
T1552.001 – Credentials in Files
Exfiltration
T1041: Exfiltration Over C2 Channel
Impact
T1486: Data Encryption for Impact
Initial Access (Suspected)
While officials have not released details of the initial access vector, several suspected methods of breaching PDN have been raised, notably:
- VMSA-2024-0012 (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
CVE-2024-37079 (CVSS Score: 9.8 Critical)
This vulnerability stems from a buffer overflow in the DCERPC protocol implementation in vCenter Server, allowing threat actors to send a specially crafted payload that results in remote code execution.
CVE-2024-37080 (CVSS Score: 9.8 Critical)
It has the same impact and attack concept as the previous vulnerability, stemming from a buffer overflow in the DCERPC protocol implementation in vCenter Server. This allows threat actors to send a specially crafted payload that results in remote code execution.
CVE-2024-37081 (CVSS Score: 7.8 High)
This vulnerability originates from a misconfiguration of sudo in vCenter Server, allowing authenticated local users to elevate their privileges to root on the vCenter Server Appliance.
Affected Products:
● VMware vCenter Server 8.0 (all versions before 8.0u2d)
● VMware vCenter Server 7.0 (all versions before 7.0u3r)
● VMware vCenter Server 6.0 (all versions) ~ end of life
● VMware Cloud Foundation 5.x (all versions before KB88287)
● VMware Cloud Foundation 4.x (all versions before KB88287)
Associated Port: 135 (TCP/UDP)
- CVE-2024-4577 (CVSS Score: 9.8 Critical)
PHP is a popular open-source programming language commonly used as a web development platform on Windows and Linux servers.
CVE-2024-4577 originates from the mishandling of character encoding conversion, specifically the 'Best-Fit' feature of Windows, when PHP is used in CGI mode. This oversight could allow unauthenticated threat actors to bypass the protection previously implemented for CVE-2012-1823 (CVSS Score: 7.5 High), a CGI command injection vulnerability enabling remote code execution (RCE).
Even if PHP is not configured to use CGI mode, CVE-2024-4577 can still be exploited if the PHP executables (php.exe or php-cgi.exe) are located in a directory accessible from the web server. However, since CGI configuration is not enabled by default through XAMPP for Traditional Chinese, Simplified Chinese, or Japanese locales, it is believed that most XAMPP installations on Windows using these languages will be affected by this vulnerability.
Determining whether a system is vulnerable to CVE-2024-4577 is challenging because two factors can each lead to successful exploitation: whether CGI mode is enabled, and whether the PHP binaries are exposed. Security researchers recommend updating to the latest version of PHP as the best preventive measure.
The speculation that CVE-2024-4577 was the initial entry point grew from the sharp rise in ransomware attacks on servers over the past week, with the vulnerability reported to have been exploited in more than 1,000 attacks.
Products affected by CVE-2024-4577:
● PHP 5.x (all versions)
● PHP 7.x (all versions)
● PHP 8.0 (all versions)
● PHP 8.1 (all versions before 8.1.29)
● PHP 8.2 (all versions before 8.2.20)
● PHP 8.3 (all versions before 8.3.8)
Associated Ports:
● Port 80 (HTTP)
● Port 443 (HTTPS)
- Phishing Campaign
Some sources also hinted at a phishing campaign as a possible entry point into the National Data Center (PDN). However, further details of the phishing campaign remain unexplored.
Discovery
The ransomware's discovery activity involves querying the registry, gathering system information, and enumerating installed software. These steps enable the ransomware to map the infected environment and identify high-value targets for encryption.
Credential Access
Credential access is a crucial part of Brain Cipher’s strategy. It involves stealing web session cookies, credentials from web browsers, and credentials stored in files, giving attackers the information needed to further penetrate the network or exfiltrate data.
Exfiltration
In the sample analyzed, a network connection was identified from the victim's device to the IP address 2.17.107.144 over HTTP (port 80). A lookup shows the IP is owned by AS20940 – Akamai International B.V. Akamai is a CDN, so this behavior indicates that the actual C2 server sits elsewhere behind the CDN.
Chapter 3: IOCs of Brain Cipher Ransomware
MD5:
294f964fc4b1624d0829ff0592858b
e5c2f4c75aaf024ed1b07327f15cd7
9cb96848386327410ca588b6cd5f6401
SHA1:
968c4ae64dcb71c9eeffd812ef38a69d5548b3bb
978148c2f73da29a87b18d6aee8a0db9102f47c9
E2cadedb23396d1be66089217ce4f11b691bc110
SHA256:
0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086
eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12
SHA512:
9376295b1dec89b18929b182a15a76163429f238a222b58d112c33006f19f33411314554fa5dbe12280d1278a17d5be04bc78aa52636965e7597d28153270940
SSDEEP:
3072:XVNK3GFlSbCrEEcoDhYXARN1fKxf4vV9pN:XPKCyodNYxwvpN
URL:
hxxp://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad[.]onion/
hxxp://dexspot2cx.club/statweb577/
hxxps://transfer.sh/get/671Cix/123[.]exe
hxxp://servicem977xm.xyz/statweb577/
hxxps://learndash.825testsites.com/b/abc[.]exe
hxxp://rexstat35x.xyz/statweb955/
hxxp://whxzqkbbtzvdyxdeseoiyujzs.co/index[.]php
hxxp://kkudndkwatnfevcaqeefytqnh.top/index[.]php
hxxp://starxpush7xm.xyz/statweb577/
hxxp://uohhunkmnfhbimtagizqgwpmv.to/index[.]php
hxxp://rexspot7x.xyz/statweb955/
hxxp://193.233.132.177/lbb[.]exe
hxxp://servicem977x.xyz/statweb955/
hxxp://starxpush7x.xyz/statweb955/
hxxps://transfer.sh/get/KgHDsr/s3g53o[.]dotm
hxxp://atxspot20x.xyz/statweb955/
hxxp://91.92.128.152/files/super[.]exe
hxxps://viviendas8.com/bb/abc[.]exe
hxxp://atxspot20cx.best/statweb577/
hxxp://tinneatonenessnabobical.com/v6/down/v6_stealer_tinneatonenessnabobical[.]com_sprite[.]exe
hxxp://rexspot7xm.xyz/statweb577/
hxxp://dexspot2x.xyz/statweb955/
hxxps://t.me/zaskullz
hxxp://135.181.87.234/
hxxps://transfer.sh/get/JQJU3c/fdrsetrgh[.]exe
hxxps://steamcommunity.com/profiles/76561199486572327
hxxp://195.201.101.146/12341rgergg435g4tr[.]exe
hxxp://nnzqahmamqucusarjveovbuyt.cyou/index[.]php
hxxps://learndash.825testsites.com/b/fgi5k8[.]dotm
hxxp://ppaauuaa11232.cc/aaa[.]exe
hxxp://91.107.210.207/tinytask[.]exe
hxxp://advertxman7cx.xyz/statweb577/
hxxp://45.129.96.86/file/host_so[.]exe
hxxp://fdmail85.club/statweb955/
hxxp://datasectex.com/statweb577/
hxxp://163.5.169.23/index[.]php
hxxp://91.107.210.207/b66ssc[.]dotm
hxxp://195.201.101.146/o19wzg[.]dotm
hxxp://rexstat35xm.xyz/statweb577/
hxxps://viviendas8.com/bb/qhrx1h[.]dotm
hxxp://advertxman7x.xyz/statweb955/
IP Address:
2.17.107[.]144
2.17.107[.]216
104.71.214[.]69
217.20.58[.]99
135.181.87[.]234
163.5.169[.]23
194.150.118[.]7
49.212.179[.]180
5.149.249[.]242
69.64.62[.]4
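The IP indicators above can be turned directly into a detection. The following Python is an added example, not part of the report or of Protergo's OTX pulse; it takes the defanged IP list exactly as written on this page, refangs it, and matches it against constructed firewall log lines (the `src=… dst=… dport=…` field layout is an assumption). Following the exfiltration analysis in Chapter 2, a hit on the Akamai-hosted address is reported at lower confidence, since CDN addresses are shared with legitimate traffic and the real C2 sits behind the CDN.

```python
# Added example (not from the report or Protergo): match outbound connections in
# firewall log lines against the IP indicators listed in Chapter 3.
import re

# IP indicators copied from Chapter 3, in the defanged form used on the page.
IOC_IPS_DEFANGED = [
    "2.17.107[.]144", "2.17.107[.]216", "104.71.214[.]69", "217.20.58[.]99",
    "135.181.87[.]234", "163.5.169[.]23", "194.150.118[.]7", "49.212.179[.]180",
    "5.149.249[.]242", "69.64.62[.]4",
]

# The page attributes 2.17.107.144 to AS20940 (Akamai), a CDN: a hit on it is a
# lead to verify (host header / SNI, volume, timing), not proof of C2 traffic,
# because legitimate services share CDN addresses.
CDN_HOSTED = {"2.17.107.144"}

# Assumed log format (constructed): key=value pairs with src, dst and dport.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def refang(indicator):
    """Turn the page's defanged notation back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def parse_line(line):
    """Extract src/dst/dport from one log line; None if the line is not a flow record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "raw": line}


def match_iocs(lines):
    """Return the flow records whose destination is one of the listed indicators."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["dst"] not in IOC_IPS:
            continue
        if event["dst"] in CDN_HOSTED:
            event["confidence"] = "medium (CDN address; verify host header/SNI before escalating)"
        else:
            event["confidence"] = "high"
        hits.append(event)
    return hits


# Constructed sample lines, not real telemetry. 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2024-06-20T00:54:12Z fw01 action=allow src=10.20.5.17 dst=2.17.107.144 dport=80 proto=tcp bytes=1048576",
    "2024-06-20T00:55:03Z fw01 action=allow src=10.20.5.17 dst=203.0.113.10 dport=443 proto=tcp bytes=2048",
    "2024-06-20T00:57:41Z fw01 action=allow src=10.20.5.42 dst=135.181.87.234 dport=80 proto=tcp bytes=65536",
    "2024-06-20T00:58:00Z fw01 heartbeat ok",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dport"]}  confidence={hit["confidence"]}')
```

The same refang step lets the URL list above feed a proxy-log match as well; keeping the indicators in their defanged form in the source file avoids accidentally turning the detection rule itself into a clickable link.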
Note (25/06/2024): Protergo has contributed by uploading IOC Brain Cipher Ransomware to OTX AlienVault (now Level Blue), enabling the detection of Brain Cipher Ransomware variant activities in SOC monitoring.
(To assess, visit: https://otx.alienvault.com/pulse/667a4a587fcaf3c56325ecaa).
Chapter 4: Recommendations and Mitigation Strategies
Robust Authentication
Implementing strong, unique passwords in accordance with the NIST Special Publication 800-63B (For more information, visit: https://pages.nist.gov/800-63-3/sp800-63b.html) and requiring multi-factor authentication (MFA) can act as the best first line of defense.
Secure Remote Access Software
Given how many ransomware threat actors use Remote Access Software to gain initial access in their campaigns, it makes sense to secure every Remote Access Software. For more information on how to secure remote access software, please visit: https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software
Network Segmentation
Segment networks to limit the spread of ransomware in case of a successful attack.
Regular Security Audits
Periodically review user accounts, deactivate unused ones, and ensure stringent access controls. Ensure unused remote access ports such as TCP/3389 (RDP) and ports of other remote access applications (e.g., TeamViewer, AnyDesk, and VPN) are disabled from public Internet access or restricted only to selected users and/or IP addresses.
Software Vigilance
Keeping all software updated can shield against vulnerabilities that ransomware often exploits.
Implement Regular Data Backups
Conduct regular backups, especially offline ones, to safeguard data, ensuring its availability even after an attack, and potentially combating double extortion methods when paired with encryption of sensitive files.
Encrypt Sensitive Files
To further ensure the security of your organization’s sensitive files, utilize encryption to add another layer of defense to your sensitive files. This initiative can also combat the double extortion method that is now trending in ransomware campaigns, as even if the encrypted files are retrieved and locked, the threat actors wouldn’t be able to open them easily.
Enhance Continuous Cyber Awareness
Keep employees informed about the latest ransomware threats and safe online practices to prevent inadvertent breaches.
Combatting Suspicion #1 Initial Access by VMSA-2024-0012
Immediately update the affected products to the latest version:
● VMware vCenter Server 8.0 (version 8.0u2d) (to update, visit: VMware vCenter Server 8.0u2d Release Notes)
● VMware vCenter Server 7.0 (version 7.0u3r) (to update, visit: VMware vCenter Server 7.0u3r Release Notes)
● Cloud Foundation 5.x (version KB88287) (to update, visit: Broadcom KB88287)
● Cloud Foundation 4.x (version KB88287) (to update, visit: Broadcom KB88287)
If you are using an unsupported version of VMware vCenter Server (e.g., VMware vCenter Server 6.x), immediately update to the latest version.
Combatting Suspicion #2 Initial Access by CVE-2024-4577
Immediately update PHP to the latest version to avoid potential exploitation campaigns:
● PHP 8.1 (version 8.1.29)
● PHP 8.2 (version 8.2.20)
● PHP 8.3 (version 8.3.8)
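Checking a fleet of PHP installations against these fixed releases is a version-comparison problem with a few edge cases: 5.x, 7.x and 8.0 receive no fix at all, the fix is branch-specific, and the issue only applies to PHP on Windows. The following Python is an added example, not from the report or the PHP project; it classifies a version (a bare `8.1.28` or the first line of `php -v` output) against the fixed versions listed above. Branches the advisory does not name are reported as unknown rather than guessed.

```python
# Added example (not from the report): classify PHP versions against the fixed
# releases named above for CVE-2024-4577 (8.1.29, 8.2.20, 8.3.8).
import re

FIXED_IN = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}
UNFIXED_MAJORS = {5, 7}  # every 5.x and 7.x release is affected; so is every 8.0.x

PHP_V_RE = re.compile(r"PHP\s+(\d+)\.(\d+)\.(\d+)")   # first line of `php -v`
BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")          # e.g. "8.1.28"


def parse_version(text):
    """Return (major, minor, patch) from 'php -v' output or a bare version string."""
    m = PHP_V_RE.search(text) or BARE_RE.search(text)
    if not m:
        raise ValueError(f"no PHP version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, platform="windows"):
    """Return (status, reason) for one installation. CVE-2024-4577 is Windows-only."""
    if platform.lower() != "windows":
        return "not affected", "CVE-2024-4577 only affects PHP on Windows"
    major, minor, _patch = version
    if major in UNFIXED_MAJORS or (major, minor) == (8, 0):
        return "vulnerable", "branch receives no fix; upgrade to a fixed 8.1/8.2/8.3 release"
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unknown", "branch not listed in the advisory; check vendor guidance"
    fixed_str = ".".join(map(str, fixed))
    if version < fixed:  # tuple comparison: (8, 1, 28) < (8, 1, 29)
        return "vulnerable", f"update to {fixed_str} or later"
    return "patched", f"{fixed_str} or later is installed"


def assess_output(php_v_output, platform="windows"):
    """Convenience wrapper: feed the raw `php -v` line straight in."""
    return assess(parse_version(php_v_output), platform)


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    inventory = [
        ("web01", "PHP 8.1.28 (cli) (built: Apr 10 2024 14:03:52) (ZTS Visual C++ 2019 x64)", "windows"),
        ("web02", "PHP 8.3.8 (cli)", "windows"),
        ("web03", "7.4.33", "windows"),
        ("web04", "PHP 8.1.28 (cli)", "linux"),
    ]
    for host, line, platform in inventory:
        status, reason = assess_output(line, platform)
        print(f"{host}: {status} ({reason})")
```

Version checking is only half of the picture the page describes: a patched binary is fixed regardless of deployment, but on an unpatched host the exposure also depends on whether CGI mode is enabled or `php-cgi.exe` is reachable from the web server, which an inventory script like this cannot see.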
Combatting Suspicion #3 Initial Access by Phishing Campaign
● Implement Technical Controls in Your Web Browser Experience
Implement technical controls such as email filtering, web filtering, and endpoint protection. Using a multi-layered security model will make systems more resilient to phishing attempts via email.
● Utilize Email Security Protocols such as DMARC, SPF, TLS, or Other
Ensure the integrity of received emails by using appropriate email security protocols.
Detecting Brain Cipher Ransomware Utilizing YARA Rules
import "hash"

rule BrainCipher_Ransomware {
    meta:
        author = "Vinzel"
        description = "Detects Brain Cipher Ransomware, a new variant of Lockbit"
        date = "2024-06-23"
        sha256_photorec_win = "6d8b94a72a61b13560ad60f0b455597524e16bf3f53b7a2977ca798ee9109cc4"
        md5_photorec_win = "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12"
        sha1_photorec_win = "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12"
        reference = "CSIRT report"
    strings:
        $file_name = "photorec_win.exe"
        // Ransom note name: <victim id>.README.txt, as used by Lockbit 3.0 builds
        $ransom_note = /[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\.README\.txt/
        $behavior1 = "ACM.Untrst-RLsass!g1"
        $behavior2 = "SONAR.Ransom!gen82"
        $behavior3 = "SONAR.Ransomware!g38"
        $file_based = "Rescate.Lockbit!g6"
        $ml_based = "Hora.AdvML.B!200"
    condition:
        filesize < 1MB and (
            // hash.* functions take (offset, size) of the scanned file, not a
            // filename. The md5/sha1 values in meta are 64 hex characters
            // (SHA-256 length), so they can never equal an MD5/SHA-1 digest and
            // are kept as metadata only.
            hash.sha256(0, filesize) == "6d8b94a72a61b13560ad60f0b455597524e16bf3f53b7a2977ca798ee9109cc4" or
            $file_name or
            $ransom_note or
            any of ($behavior*) or
            $file_based or
            $ml_based
        )
}
Chapter 5: Effective Solutions for Brain Cipher Ransomware Protection
Strengthen with Regular Security Audits
To ensure your systems are resilient against ransomware threats like Brain Cipher, our cybersecurity company offers comprehensive security audits. These audits are essential for identifying vulnerabilities and reinforcing your security posture:
● Systems Network Architecture (SNA)
We conduct a thorough assessment of your network’s architecture to identify any weaknesses. This ensures your systems are robust and up-to-date with the latest security standards.
● Firewall Review
Our experts thoroughly examine your firewall configurations to ensure they are optimally set up to block potential threats. We help you set up and maintain firewalls that effectively block unauthorized access and potential threats.
● Forensic Readiness
We prepare your systems to handle and investigate any security incidents, ensuring swift and effective responses. This includes setting up systems and processes that enable quick and effective incident response and investigation, minimizing the impact of any security breach.
Continuous Cyber Awareness
Building a security-conscious culture is crucial in defending against ransomware attacks. Our services include:
● Phishing Campaigns
We conduct realistic simulated phishing attacks to test and train your employees. By exposing them to potential phishing scenarios, we help them recognize and respond appropriately to phishing attempts, reducing the risk of successful attacks.
● Security Awareness Training
As part of our red teaming efforts, we offer extensive security awareness training programs. These programs educate your staff on the latest security threats and best practices, empowering them to act as the first line of defense against cyber-attacks.
Apply Security Operations Center (SOC)
Our SOC provides round-the-clock monitoring and analysis to detect and block cyber-attacks in real-time. With 24/7 vigilance, we ensure your systems remain protected against ongoing and emerging threats.
Use Next-Gen Antivirus
Use our Next-Gen Antivirus to protect all devices from cyber attacks. This advanced software blocks known and unknown threats, including new and complex ransomware, like Brain Cipher.
References:
- Tim DF-IR BSSN. (2024, June 24). Indicator of Compromise Brain Cipher Ransomware. Pusat Data Nasional.
- Ensign. (2024, June 24). Security Advisory: Brain Cipher Ransomware Group
- https://www.cnbcindonesia.com/tech/20240624131040-37-548794/bssn-pusat-data-nasional-diserang-pelaku-minta-rp-131-miliar
- https://www.bloombergtechnoz.com/detail-news/41653/kominfo-sebut-210-instansi-terdampak-dari-hacker-ransomware-pdn/2
- https://www.broadcom.com/support/security-center/protection-bulletin/brain-cipher-ransomware
- https://kumparan.com/kumparantech/apa-itu-brain-cipher-ransomware-yang-bikin-lumpuh-server-pdn-kominfo-2302QtPRjyx/full
- https://us-test-sandbox.recordedfuture.com/240618-k2pt6a1bjq
- https://rri.co.id/nasional/777401/mengenal-brain-cipher-ransomware-ganas-yang-serang-pdn
- https://arstechnica.com/security/2024/06/thousands-of-servers-infected-with-ransomware-via-critical-php-vulnerability/
- https://www.bloombergtechnoz.com/detail-news/41766/daftar-data-ri-yang-diduga-dibocorkan-grup-peretasan
- https://www.peris.ai/post/peris-ai-analysis-brain-cipher-ransomware-attack-on-indonesias-national-data-center
- https://aptika.kominfo.go.id/2022/07/pusat-data-nasional-pdn/
- https://thehackernews.com/2024/06/new-php-vulnerability-exposes-windows.html
- https://www.bleepingcomputer.com/news/security/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows/
- https://duo.com/decipher/critical-php-flaw-cve-2024-4577-patched
- https://www.scmagazine.com/news/php-updates-urged-over-critical-vulnerability-that-could-lead-to-rce
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
- https://www.scmagazine.com/news/vmware-fixes-2-critical-bugs-check-if-your-vcenter-server-is-affected
- https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/
- https://thehackernews.com/2024/06/vmware-issues-patches-for-cloud.html
- https://katadata.co.id/lifestyle/edukasi/667aa4a828e6a/apa-itu-brain-cipher-ransomware-ini-penjelasannya