Threat Actor Profile
Description
Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher uses the leaked build of LockBit Black for its operations. The group is suspected to have exploited CVE-2023-28252 (Microsoft Windows CLFS Driver Privilege Escalation Vulnerability). The ransom demand ranges from $150,000 to $1,00,0000, to be paid in Monero (XMR) cryptocurrency. In 2025, the group shifted its negotiation portal to a new server with a vanity Tor domain starting with 'brain'.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (5)
Indicators of Compromise
STIX Data
{'added_date': '2024-07-01',
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Brain Cipher emerged in July 2024. Both Windows and Linux '
'variants are available. Brain Cipher using the leaked build '
'of LockBit Black for their operations. The group suspected to '
'have exploited CVE-2023-28252 (Microsoft Windows CLFS Driver '
'Privilege Escalation Vulnerability). The Ransom demand ranges '
'from $150,000 to $1,00,0000. Demand to be paid with Monero '
'(XMR) cryptocurrency. In 2025, they have shifted their new '
'Negotiation portal to new server with vanity TOR Domain '
"starting with 'brain'. ",
'firstseen': '2024-07-01T19:10:39+00:00',
'group': 'BrainCipher',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2025-10-29T21:37:33.219114+00:00',
'locations': [{'available': False,
'fqdn': 'cuuhrxbg52c5agytmtjpwfu7mrs4xtaitc4mukkiy2kqdxeqbcmuhaid.onion',
'slug': 'http://cuuhrxbg52c5agytmtjpwfu7mrs4xtaitc4mukkiy2kqdxeqbcmuhaid.onion/',
'title': 'BrainCipher Storage',
'type': 'Files'},
{'available': False,
'fqdn': 'zktnif5vckhmz5tyrukp5bamatbfhkxjnb23rspsanyzywcrx3bvtqad.onion',
'slug': 'http://zktnif5vckhmz5tyrukp5bamatbfhkxjnb23rspsanyzywcrx3bvtqad.onion/',
'title': 'BrainCipher Storage',
'type': 'Files'},
{'available': False,
'fqdn': 'mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion',
'slug': 'http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion',
'title': 'Brain Cipher Client Area',
'type': 'Chat'},
{'available': False,
'fqdn': 'brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion',
'slug': 'http://brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion/',
'title': 'BrainCipher Client Area',
'type': 'Chat'},
{'available': True,
'fqdn': 'vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion',
'slug': 'http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion',
'title': 'Brain Cipher Dataleak',
'type': 'DLS'},
{'available': False,
'fqdn': '4ldgw2wuidqu5ef3rzx4byonf3y7rdnh43jiw2z4sbtjiwic6gkov7yd.onion',
'slug': 'http://4ldgw2wuidqu5ef3rzx4byonf3y7rdnh43jiw2z4sbtjiwic6gkov7yd.onion/',
'title': 'Not Found',
'type': 'Files'},
{'available': False,
'fqdn': '77nrxelcwh47yikvpaz2rvtsten4sen2elybo5r5st6wlxsbitv255qd.onion',
'slug': 'http://77nrxelcwh47yikvpaz2rvtsten4sen2elybo5r5st6wlxsbitv255qd.onion/',
'title': 'BrainCipher Client Area',
'type': 'Chat'},
{'available': False,
'fqdn': 'p6wmotxzvg34tdmpwm4beqgrcyp5iys43snkccsahnw74la3k3xx6pad.onion',
'slug': 'http://p6wmotxzvg34tdmpwm4beqgrcyp5iys43snkccsahnw74la3k3xx6pad.onion/',
'title': 'BrainCipher Client Area',
'type': 'Chat'}],
'negotiation_count': 0,
'ransomnotes_count': 3,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'negotiation_count': 0,
'ransomnotes_count': 3,
'ransomware_live_group': 'braincipher',
'tools': {},
'url': 'https://www.ransomware.live/group/braincipher',
'victims': 44,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Executes a malicious file on '
"the victim's system.",
'technique_id': 'T1204.002',
'technique_name': 'User Execution'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Disables Windows Defender (if '
'it is running).',
'technique_id': 'T1562.001',
'technique_name': 'Impair Defenses: Disable or '
'Modify Tools'},
{'technique_details': 'The ransomware self-deletes '
'after execution.',
'technique_id': 'T1070.004',
'technique_name': 'Indicator Removal: File '
'Deletion'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Enumerates directories to '
'encrypt files.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Uses data encryption as a '
'means of extorting the '
'victim.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/braincipher',
'victims': 44,
'vulnerabilities': []}