FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 325877

Introduction

Brain Cypher is a new ransomware variant built using the leaked LockBit 3.0 builder. This variant does not appear to be offered as a RaaS offering, as many new variants are, and is likely built by a dedicated group of operators. The Brain Cypher group have claimed victims across the globe and employ the standard double extortion technique: encryption via ransomware and data theft for extortion. The group have recently been in the news as they have been attributed with the high-profile attack on Indonesia’s National Data Center[1]. This large-scale attack affected more than 230 government agencies within Indonesia. Surprisingly, following the publicity of the attack, the Brain Cypher group issued an apology and offered to decrypt the encrypted data so that the Indonesian government systems can be restored[2].

 

Unfortunately, details of the attack chain associated with the Indonesian National Data Center attack have not been released, nor is there any significant reporting on the Brain Cypher group’s pre-ransomware TTPs. As a result, this article will focus only on FortiEDR’s ability to detect and mitigate behavior associated with the execution of a Brain Cypher sample rather than a whole Brain Cypher intrusion. In addition to detailing FortiEDR’s coverage of this behavior, this article will also provide known atomic IOCs, MITRE ATT&CK mappings and FortiEDR Threat Hunting queries that could be used to identify potential Brain Cypher executions.

 

Analysis

Initial Execution

To encrypt as many victim endpoints as possible, Brain Cypher operators will need to execute their ransomware binary at scale across victim networks. Whilst we cannot confirm the technique employed by the group, for the analysis in this article we have used a PowerShell process to execute the ransomware (bc_eb8.exe). On execution we can see that a security event was generated as the ‘Unconfirmed Executable’ rule in the ‘Execution Prevention Policy’ was triggered. This rule indicates that the Brain Cypher executable exhibits characteristics commonly associated with malware. This rule prevents the Brain Cypher sample from executing, thus protecting a potential victim’s data. A sample of the associated security event is shown below in Figure 1.

 


Figure 1. FortiEDR security event associated with an attempt to execute a Brain Cypher executable.

 

Pre-encryption Preparation

A core component of recent ransomware families’ behavior is the pre-encryption preparation activity. These activities predominantly aim to achieve three main outcomes: targeting security software to prevent it from impairing encryption (T1562.001 – Impair Defenses: Disable or Modify Tools), stopping services and processes that lock critical files to maximize encryption impact, and degrading local backups to increase the impact of successful encryption (T1490 – Inhibit System Recovery). In many previously analyzed ransomware families, encryption preparation tasks have been performed through the prolific use of child processes that leverage LOLBins[3][4]. In the case of LockBit (and by extension Brain Cypher), these functions are only performed where required and a more sophisticated technique is employed: the functions are implemented through direct API calls rather than child processes. This method is ‘quieter’, producing fewer detection data sources such as command line arguments associated with child processes and anomalous process chains.

By default, the Brain Cypher sample we analyzed disabled and marked for deletion a number of services related to security features and backup services on the victim endpoint as part of these pre-encryption preparations. Table 1 below shows the services that were disabled and their function.

 

Service Name | Friendly Name | Service Function
VSS | Volume Shadow Copy Service | Used to create and manage volume shadow copies on a system.
vmicvss | Virtual Machine Integration Components Volume Shadow Copy Service | Used to support integration with VSS on hosted Hyper-V VMs.
wscsvc | Windows Security Center Service | Used to manage and monitor security-related features on a Windows system.
sppsvc | Security Protection Platform Service | Used to manage and enforce licensing for a Windows system.
Sense | Windows Defender Advanced Threat Protection Service | Part of the Windows Defender suite of tools.
SecurityHealthService | Windows Security Health Service | Monitors and maintains the overall security health of a Windows system.

Table 1. Services disabled by Brain Cypher as part of pre-encryption activity.

 

We can observe through FortiEDR Threat Hunting telemetry how, at the time of this execution, the registry keys associated with the above services were modified to disable them. This can be seen in Figure 2 below, which shows the ‘wscsvc’ (Windows Security Center Service) being set to disabled (the ‘Start’ value changed from 2 to 4).

 


Figure 2. FortiEDR Threat Hunting data showing registry modification events indicative of attempts to disable the services highlighted in Table 1.

 

Once disabled, these services are also marked for deletion by setting the data of the ‘DeleteFlag’ value for each targeted service to ‘1’. This means that on reboot the service will be deleted. This activity is also detectable within FortiEDR Threat Hunting data, as shown below in Figure 3.

 


Figure 3. FortiEDR Threat Hunting data showing registry modification events indicative of attempts to delete the services highlighted in Table 1 once they have been disabled.

 

To maximize the effectiveness of these pre-encryption activities, ransomware from the LockBit family employs a privilege escalation technique through abuse of the TrustedInstaller service[5]. To employ this technique, the ransomware process first starts the TrustedInstaller service and then attempts to duplicate its token. The duplicated token is then assigned to a thread within the ransomware’s process. This allows the thread to operate in the context of the TrustedInstaller account, which functions as SYSTEM. FortiEDR detects and mitigates this privilege escalation technique as it triggers the ‘Access to Critical System Information’, ‘Invalid Checksum’ and ‘Suspicious Application’ rules within the ‘Exfiltration Prevention’ security policy. The security event related to this behavior is shown below in Figure 4.

 


Figure 4. FortiEDR security event triggered by privilege escalation activity performed by the Brain Cypher process.

 

Analysis of this ransomware was performed with FortiEDR set to ‘Log’ security events rather than ‘Block’. Had FortiEDR been set to ‘Block’, this behavior would have been mitigated, preventing the privilege escalation attempt, allowing user access controls to function correctly and preventing these services from being impacted.

 

Encryption

Once the preparations have completed, the ransomware process begins encrypting victim files. Like previous variants developed using the LockBit 3.0 builder, Brain Cypher employs the file overwrite method of encryption, in which each targeted file is overwritten in place with its encrypted contents. In the case of Brain Cypher, the file is then renamed with an encrypted copy of its original filename and a unique file extension is appended. Both the encryption key and the file extension are unique to each affected system. These repeated file operations are detected by FortiEDR’s ‘File Encryptor’ rule within the ‘Ransomware Prevention’ security policy. During our analysis we observed over 170k file write events associated with this encryption activity. The security event generated by FortiEDR during our analysis is shown below in Figure 5.

 


Figure 5. FortiEDR security event associated with Brain Cypher encryption activity.

 

Ransom note

Once encryption of victim files has completed, the Brain Cypher process creates a ransom note named ‘<unique 9 alpha-numeric characters matching the encryption file extension>.README.txt’ in every directory where a file was encrypted. These file create events can be observed in FortiEDR Threat Hunting data, as shown below in Figure 6. A screenshot of one of these ransom notes is shown in Figure 7.

 


Figure 6. FortiEDR Threat Hunting data showing file create events related to Brain Cypher creating multiple ransom notes following successful encryption.

 


Figure 7. Copy of a Brain Cypher ransom note dropped following file encryption.

 

Conclusion

The Brain Cypher group have highlighted the need for all organizations, regardless of industry, to focus on building detections for common ransomware behaviors. The group have been able to leverage the leaked LockBit 3.0 builder to access high-end ransomware and have demonstrated the ability to deploy it at scale. As outlined in this article, FortiEDR is able to mitigate the risk associated with the execution and subsequent behavior of Brain Cypher ransomware. The characteristics and behavior detected by FortiEDR are not specific to Brain Cypher and offer protection from a broad range of ransomware families. FortiEDR is likely to continue to be effective against future ransomware variants built using the LockBit 3.0 builder, as the core behavior of these executables will remain consistent between builds. Included below are FortiEDR Threat Hunting queries that can be used to identify potential indicators of Brain Cypher ransomware operation, as well as MITRE ATT&CK mappings and observables associated with Brain Cypher activity.

 

Threat Hunting

The following threat hunting query will return value set events where a registry value with the name ‘Start’ has its data set to ‘4’. This is indicative of a service being disabled[6] and occurs when Brain Cypher ransomware attempts to disable various Windows services as part of its encryption preparation. False positives may occur where services are legitimately being modified but are unlikely. Particular attention should be paid where the corresponding service (identifiable by the associated registry key) correlates with any of the services in Table 1 above.

 

Type:"Value Set" AND Registry.Name: ("Start") AND Registry.Data:"4"

 

The following threat hunting query will return value created events for a ‘DeleteFlag’ value with value data of ‘1’. This is indicative of a service being marked for deletion[7] and, in the case of Brain Cypher, is one of the indicators of encryption preparation activity, as this ransomware disables and deletes all the services outlined in Table 1. False positives may occur during software uninstallation and may need to be tuned out, but particular attention should be paid to the services listed in Table 1.

 

Type:"Value Created" AND Registry.Name: ("DeleteFlag") AND Registry.Data:"1"

 

The following threat hunting query will return file create events where the filename matches the characteristics of the Brain Cypher ransom note. The query looks for file creation events where the filename is 9 characters followed by the ‘.README.txt’ string. The 9 random characters are the unique code created per infection and will change between victims. False positives may occur for legitimate software; however, successful execution of Brain Cypher ransomware will result in a large volume of these events over a short time period. Detection at this stage of execution is useful for scoping affected hosts and may be used to identify associated ransomware executable names.

 

Type:"File Create" AND Target.File.Name:?????????.README.txt
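The same three checks can also be run over exported telemetry. The following Python detector is an added example, not part of the original article or of FortiEDR: it applies the logic of the three queries above (a ‘Start’ value set to 4, a ‘DeleteFlag’ value created with 1, and a nine-character ‘.README.txt’ filename) to constructed event records, raises confidence when the affected service is one listed in Table 1, and flags hosts whose ransom-note count suggests encryption completed. The event field names and the sample records are assumptions.

```python
import re
from collections import Counter

# Services Brain Cypher disabled and marked for deletion (Table 1 of the article).
TARGETED_SERVICES = {"vss", "vmicvss", "wscsvc", "sppsvc", "sense", "securityhealthservice"}
# Ransom note name: nine alphanumeric characters followed by ".README.txt".
RANSOM_NOTE_RE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$")
# The service name is the last path element under a ...\Services\ key.
SERVICES_KEY_RE = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)

def service_from_key(key):
    """Return the lower-cased service name from a ...\\Services\\<name> key path, or None."""
    m = SERVICES_KEY_RE.search(key)
    return m.group(1).lower() if m else None

def classify(ev):
    """Map one event record (assumed field names) to (host, tag, detail, confidence) or None."""
    if ev["type"] == "Value Set" and ev.get("name") == "Start" and ev.get("data") == "4":
        tag = "service_disabled"
    elif ev["type"] == "Value Created" and ev.get("name") == "DeleteFlag" and ev.get("data") == "1":
        tag = "service_marked_for_deletion"
    elif ev["type"] == "File Create" and RANSOM_NOTE_RE.match(ev.get("file", "")):
        return (ev["host"], "ransom_note", ev["file"], "high")
    else:
        return None
    svc = service_from_key(ev.get("key", ""))
    # A Table 1 service is high confidence; any other service may be benign administration.
    return (ev["host"], tag, svc, "high" if svc in TARGETED_SERVICES else "low")

def hunt(events, note_threshold=3):
    """Return all findings plus hosts whose ransom-note count reaches note_threshold."""
    findings = [f for f in (classify(e) for e in events) if f]
    notes = Counter(h for h, tag, _, _ in findings if tag == "ransom_note")
    return findings, sorted(h for h, n in notes.items() if n >= note_threshold)

# Constructed sample telemetry (not real FortiEDR output) exercising each rule.
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "Value Set", "key": SVC + r"\wscsvc", "name": "Start", "data": "4"},
    {"host": "WS01", "type": "Value Set", "key": SVC + r"\Spooler", "name": "Start", "data": "4"},
    {"host": "WS01", "type": "Value Created", "key": SVC + r"\VSS", "name": "DeleteFlag", "data": "1"},
    {"host": "WS01", "type": "Value Set", "key": SVC + r"\VSS", "name": "Start", "data": "2"},
    {"host": "WS01", "type": "File Create", "file": "a1B2c3D4e.README.txt"},
    {"host": "WS01", "type": "File Create", "file": "a1B2c3D4e.README.txt"},
    {"host": "WS01", "type": "File Create", "file": "a1B2c3D4e.README.txt"},
    {"host": "WS02", "type": "File Create", "file": "project.README.txt"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```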

MITRE ATT&CK Mappings

TA0004 – Privilege Escalation

Technique ID | Technique Description | Observed Activity
T1134 | Access Token Manipulation | Brain Cypher ransomware exploits TrustedInstaller to gain SYSTEM level privileges to perform its operations and bypass user level controls.

TA0005 – Defense Evasion

Technique ID | Technique Description | Observed Activity
T1562.001 | Impair Defenses: Disable or Modify Tools | Brain Cypher ransomware disables and then deletes the services in Table 1. This inhibits system recovery, improves encryption effectiveness and prevents defender tools from impacting encryption. Services are disabled through direct API calls, so the corresponding registry changes originate from the services.exe process.

TA0040 – Impact

Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | 1) Encrypts user files. Encryption is performed by the main ransomware process. Files are overwritten with encrypted content, then renamed to include a 9 character alphanumeric file extension. The file extension is different for each victim. 2) Writes a ransom note to multiple folders with the name ‘<unique 9 alpha-numeric characters matching the encryption file extension>.README.txt’.
T1490 | Inhibit System Recovery | Brain Cypher ransomware disables and then deletes the services in Table 1. This inhibits system recovery (through volume shadow copy restoration), improves encryption effectiveness and prevents defender tools from impacting encryption. Services are disabled through direct API calls, so the corresponding registry changes originate from the services.exe process.

 

IOCs

Indicator Description | Indicator | Indicator Type | Associated Kill Chain | Notes | First Observed
Malicious Executable | 935c0b39837319fda571aa800b67d997b79c3198 | SHA1 Hash | Actions on Objectives | Brain Cypher Ransomware | 2024-06-16
Malicious Executable | 448f1796fe8de02194b21c0715e0a5f6 | MD5 Hash | Actions on Objectives | Brain Cypher Ransomware | 2024-06-16

 

 

 

[1] https://news.republika.co.id/berita/sfkqas484/bbsn-sebut-gangguan-pdns-2-akibat-ransomware-brainciph...

[2] https://www.abc.net.au/news/2024-07-04/indonesian-national-data-centre-hacker-apologise/104052668

[3] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Psoglav-ran...

[4] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Megazord/ta...

[5] https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html

[6] https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ServicesAndDrivers.html

[7] https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ServicesAndDrivers.html
