Skip to content
Ransomware group

BrainCipher

Brain Cipher is a ransomware and extortion threat actor active by at least 2024 and observed targeting organizations across multiple sectors and countries, including healthcare, manufacturing, technology, telecommunications, business services, energy, and public-sector services.

Profile source: Mallory opens in a new tab

BrainCipher

Family profile

Brain Cipher is a ransomware and extortion threat actor active by at least 2024 and observed targeting organizations across multiple sectors and countries, including healthcare, manufacturing, technology, telecommunications, business services, energy, and public-sector services. The group is best known for operating a dedicated leak site and associated support infrastructure used to pressure victims, manage negotiations, and publish stolen data when extortion demands are not met. Known aliases include braincipher and brain_cipher.

Brain Cipher has been publicly linked to intrusions involving data theft and ransomware deployment, and its operations are consistent with double-extortion tradecraft. Reported victimology spans the United States, Canada, the United Kingdom, Brazil, and other regions. The group has been associated with attacks on healthcare entities and with the compromise of Rhode Island’s RIBridges benefits administration environment, where investigators reported prolonged unauthorized access, credential harvesting, privilege escalation, lateral movement, and large-scale data exfiltration before public disclosure on the group’s leak platform.

Observed tactics and techniques include use of stolen or compromised credentials for remote access, exploitation of weak passwords, reconnaissance of internal environments, lateral movement to high-value systems such as domain controllers and file servers, privilege escalation, credential harvesting, persistence through legitimate remote administration tooling, data staging, and exfiltration prior to extortion. Brain Cipher has also been associated with structured post-compromise operations, including victim-specific leak pages, FAQ and rules pages, support portals, segmented communication channels, and distributed onion-based storage used to host exfiltrated archives and improve resilience of its disclosure infrastructure.

Multiple reports indicate ties between Brain Cipher and the LockBit ecosystem. Brain Cipher has been described as a LockBit 3.0 variant, and related investigations have noted overlap with tooling or components previously seen in LockBit-linked incidents, including the WipeBlack wiper component. These links suggest code, tooling, or operational lineage overlap, but do not by themselves establish full organizational identity with LockBit.

Overall, Brain Cipher is best characterized as an organized cybercriminal ransomware actor that combines intrusion, data theft, negotiation, and controlled public disclosure through a maintained extortion infrastructure. Its activity reflects a mature extortion workflow rather than opportunistic smash-and-grab operations.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

12 total
  • 523c501118ef5d7957ce54aee86d9b1d
  • 9c5698924d4d1881efaf88651a304cb3
  • 448f1796fe8de02194b21c0715e0a5f6
  • b32a8951fc4c2e4c2d63d17200ca0032
  • 714b31629c37dee57038ca4e52ef65ac
  • 71c109f3bf4da2fc0173b9bcff07e979
  • 41050b2b9f619cdd9916e3bdd5b9f2f9
  • 0da1f4ede654e83241eaad7719a708a0
  • f94d17b5f232e9cfd2255ca9823cb18a
  • 8b3a45ebb7f2331e90ac57a2a20536fd

Email

3 total
  • ibrain.support@cyberfear.com
  • brain.dataleak@cyberfear.com
  • brain.decrypt@cyberfear.com

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

BrainCipher in ATT&CK

5 distinct techniques

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.