Com TW NOw News 2024

Ransomware group behind major Indonesian attack wears many masks
The threat actor behind a major attack on Indonesian government services is just one manifestation of an operation that goes by at least three other names.

On June 20, a ransomware operation dubbed “Brain Cipher” bit off more than it could chew when it locked down Indonesia’s national data center. Hours-long lines formed in the world’s fourth-largest country as ferry passengers waited for booking systems to come back online and international arrivals were frozen at passport verification kiosks. The effects were felt by more than 200 national and local government agencies in total. Under pressure and with no promise of payment, the group dropped its $8 million ransom demand and released its decryptor for free.

Researchers at Group-IB have since studied Brain Cipher and discovered that it is related to at least three other groups, or perhaps is a single group operating under four different names. Together, these differently named entities have carried out attacks all over the world, but often without much consequence.

Brain Cipher TTPs

Evidence for Brain Cipher’s existence dates back only to the attack on the Indonesian government. Despite its young age, it has already spread to Israel, South Africa, the Philippines, Portugal, and Thailand. However, this is not necessarily evidence of any degree of sophistication.

The malware it uses is based on the leaked LockBit 3.0 builder. It has also used a variant of Babuk against at least one Indonesian victim. “Using different encryptors allows threat actors to target multiple operating systems and environments,” explained Tara Gould, threat research lead at Cado Security. “Different encryptors can be optimized for different operating systems, broadening the scope of potential targets and ultimately maximizing impact.”

What the ransom notes lack in personality, they make up for in clarity, with short, step-by-step instructions on how to pay for data recovery. That process includes all the usual ransomware trappings: a victim portal, customer service, and a leak site.

Interestingly, the group did not leak data for most of the victims tracked by Group-IB. This led researchers to conclude that Brain Cipher does not actually exfiltrate data as it claims.

The Many Identities of Brain Cipher

Brain Cipher also struggles with opsec. Its ransom notes, contact information, and Tor website all overlap with those of other supposedly independent groups, including Reborn Ransomware, EstateRansomware, SenSayQ, and another entity with no nom de guerre, whose artifacts date back to April.
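The overlap described above is the kind of thing an analyst finds by extracting contact indicators from each persona's ransom note and linking any personas that share one. The following Python is an added example, not code from the article or from Group-IB: the ransom-note texts are constructed, every `.onion` address and e-mail handle in them is a made-up placeholder, and the persona names are taken from the article only to label the sample data. The script pulls onion addresses and e-mail addresses out of each note, records which personas use each indicator, and merges personas into clusters with a small union-find; a sixth, unrelated note is included as a control that should stay in its own cluster.

```python
import re
from collections import defaultdict

# Constructed sample ransom-note excerpts. All contact details are placeholders
# invented for this example; none is a real indicator of compromise.
NOTES = {
    "Brain Cipher": (
        "Your files are encrypted. Open placeholderonionaaaaaaaa.onion in Tor "
        "or write to support-example-x@example.invalid to recover your data."
    ),
    "Reborn Ransomware": (
        "Reborn has your data. Portal: placeholderonionaaaaaaaa.onion "
        "Mail: support-example-y@example.invalid"
    ),
    "EstateRansomware": (
        "Contact support-example-y@example.invalid or visit "
        "placeholderonionbbbbbbbb.onion for instructions."
    ),
    "SenSayQ": "Recovery portal: placeholderonionbbbbbbbb.onion",
    "Unnamed (April)": "Write to support-example-x@example.invalid within 72 hours.",
    # Control persona that shares nothing with the others.
    "Unrelated": (
        "Pay at placeholderonioncccccccc.onion or mail "
        "support-example-z@example.invalid"
    ),
}

# Tor v3 addresses are 56 base32 chars; the lower bound is relaxed so the
# constructed placeholders above also match.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def extract_indicators(text: str) -> set[str]:
    """Return the set of onion addresses and e-mail handles found in a note."""
    lowered = text.lower()
    found = set(ONION_RE.findall(lowered))
    found.update(EMAIL_RE.findall(lowered))
    return found


def cluster_personas(notes: dict[str, str]):
    """Group personas that transitively share any contact indicator.

    Returns (clusters, shared) where clusters is a list of frozensets of
    persona names, largest first, and shared maps each indicator seen in more
    than one note to the sorted list of personas that use it.
    """
    parent = {name: name for name in notes}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index: indicator -> personas whose notes contain it.
    owners: dict[str, list[str]] = defaultdict(list)
    for name, text in notes.items():
        for indicator in extract_indicators(text):
            owners[indicator].append(name)

    # Any indicator used by two or more personas links them.
    for names in owners.values():
        for other in names[1:]:
            union(names[0], other)

    groups: dict[str, set[str]] = defaultdict(set)
    for name in notes:
        groups[find(name)].add(name)

    clusters = sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)
    shared = {ind: sorted(names) for ind, names in owners.items() if len(names) > 1}
    return clusters, shared


if __name__ == "__main__":
    clusters, shared = cluster_personas(NOTES)
    for i, cluster in enumerate(clusters, 1):
        print(f"cluster {i}: {', '.join(sorted(cluster))}")
    for indicator, names in sorted(shared.items()):
        print(f"  {indicator} shared by {', '.join(names)}")
```

On the constructed data, five personas collapse into one cluster through chained overlaps (the unnamed note shares only an e-mail with Brain Cipher, which shares only an onion address with Reborn, and so on), while the control stays alone. In real triage the same indexing step runs over every note, leak-site page and negotiation transcript collected, and a shared onion address or mailbox is a much stronger link than a similar note template, which the leaked LockBit builder makes easy to copy.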

Together, these supposedly independent operations have sent overlapping ransomware attacks around the world. Reborn has counted victims in China, France, Indonesia, and Kuwait, and the other groups have France, Hong Kong, Italy, Lebanon, Malaysia, and the US on their list.

“Operating under multiple names and using different encryptors offers several advantages to threat actors,” explains Sarah Jones, cyber threat intelligence research analyst at Critical Start. “By continually evolving their tactics, these actors hinder the ability of security researchers and law enforcement to track their activities. Using multiple identities blurs attribution, prolongs investigations, and allows different industries or geographies to be targeted without reputational consequences.”

“The flexibility to quickly adopt new personas protects against operational disruptions in the event of compromised identities,” Jones said.

Gould of Cado Security adds that these personas can also smooth the way for a future exit scam.