Emerging Threat Actors: BrainCipher, Mad Liberator, RansomCortex, SenSayQ, Cicada3301

Published on August 7, 2024

In June and July 2024, the ransomware landscape saw the emergence of several significant actors targeting diverse industries. Notable groups such as BrainCipher, Mad Liberator, RansomCortex, SenSayQ, and Cicada3301 employed distinct tactics, techniques, and procedures (TTPs) to attack high-profile organizations.

BrainCipher and Mad Liberator are ransomware operators known for deploying ransomware payloads and engaging in data exfiltration. BrainCipher's attack on Indonesia's National Data Center disrupted crucial services, while Mad Liberator's breach of the Italian Ministry of Culture highlighted their dual focus on encryption and data theft. These groups' reliance on encryption and phishing underscores the need for strong cybersecurity controls to protect sensitive information.

RansomCortex operates as a Ransomware-as-a-Service (RaaS) provider, offering tools and infrastructure to affiliate attackers. This business model has lowered entry barriers for cybercriminals, leading to increased ransomware incidents. RansomCortex's attacks on healthcare facilities in Brazil and Canada exemplify the growing threat posed by collaborative and scalable ransomware operations.

Cicada3301 functions as a data extortion group, focusing on stealing and selling sensitive information rather than using ransomware payloads. This group has caused long-term damage through identity theft and corporate espionage by leaking stolen data. Meanwhile, SenSayQ combines traditional ransomware tactics with innovative techniques, making it increasingly challenging for organizations to defend against their attacks.

With ransomware threats constantly changing, understanding each group's unique strategies is vital. This insight helps in crafting effective cybersecurity defenses and staying ahead of cybercriminals' ever-shifting tactics.

BrainCipher

BrainCipher emerged as a formidable cyber threat in June 2024 and operates both as a ransomware group and a data broker. That same month, the group made headlines with a high-profile attack on Indonesia's National Data Center, disrupting essential public services such as immigration and student registration systems.

This assault demonstrated their advanced capabilities and potential for widespread chaos. Since then, the threat actor has targeted numerous companies worldwide, cementing their status as a persistent and dangerous adversary.

BrainCipher employs phishing and spear-phishing tactics, tricking individuals into opening malicious attachments or clicking harmful links. Their collaboration with Initial Access Brokers (IABs) facilitates easier infiltration into target environments.  

The ransomware payloads, based on a leaked version of LockBit 3.0, encrypt files and append a distinctive file extension while also encrypting file names to complicate recovery efforts. Advanced techniques include hiding threads from debuggers and enabling security privileges to evade detection.
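The behaviour described above, a payload that encrypts file contents, encrypts the file names, and appends one extension to every file, leaves a distinctive footprint on a file share: one unfamiliar extension suddenly dominates, and the names in front of it look random. The heuristic below is an added example written for this post, not Halcyon's tooling or BrainCipher's code, and it works on a constructed file listing; the `.lockedsample` extension and the `COMMON_EXTENSIONS` allowlist are assumptions, since the page does not name the real extension.

```python
import math
import os
from collections import defaultdict

# Extensions expected on an ordinary file share. Anything outside this set is
# treated as "unfamiliar"; extend it for your own environment (assumed list).
COMMON_EXTENSIONS = {
    ".txt", ".md", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".csv", ".jpg", ".jpeg", ".png", ".gif", ".zip", ".log", ".json", ".xml",
}

# Constructed sample listing, not data from any real incident. It mimics a
# share after a LockBit 3.0-style run: six files whose names were encrypted
# and given one appended extension, alongside four untouched files. The
# ".lockedsample" extension is a placeholder, not BrainCipher's real one.
SAMPLE_LISTING = [
    "finance/Q1-report.xlsx",
    "finance/notes.txt",
    "photos/IMG_0001.jpg",
    "README.md",
    "finance/ZnBq7w9LkT3m.lockedsample",
    "finance/x8Yt2Q0pRvE5.lockedsample",
    "hr/Hd4sWc1Gj6Nu.lockedsample",
    "hr/oP9fK2bM7zX1.lockedsample",
    "photos/rV3aC8eL5nY0.lockedsample",
    "photos/tU6gD1hQ4kS9.lockedsample",
]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking stems score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(path):
    """Return (stem, lower-cased extension) of a path's final component."""
    stem, ext = os.path.splitext(os.path.basename(path))
    return stem, ext.lower()


def suspect_extensions(paths, allowlist=COMMON_EXTENSIONS, min_count=5,
                       min_share=0.5, min_entropy=3.0):
    """Flag extensions that are unfamiliar, dominate the listing, and sit on
    high-entropy (encrypted-looking) file names. Returns {ext: stats}."""
    if not paths:
        return {}
    stems_by_ext = defaultdict(list)
    for p in paths:
        stem, ext = split_name(p)
        stems_by_ext[ext].append(stem)
    hits = {}
    for ext, stems in stems_by_ext.items():
        if ext in allowlist or len(stems) < min_count:
            continue
        share = len(stems) / len(paths)
        mean_entropy = sum(shannon_entropy(s) for s in stems) / len(stems)
        if share >= min_share and mean_entropy >= min_entropy:
            hits[ext] = {"count": len(stems), "share": round(share, 2),
                         "mean_stem_entropy": round(mean_entropy, 2)}
    return hits


if __name__ == "__main__":
    for ext, info in suspect_extensions(SAMPLE_LISTING).items():
        print(f"suspect extension {ext}: {info}")
```

Run it against a listing produced by `find` or a backup catalogue rather than the live share, since walking an affected volume during an incident changes access timestamps. The entropy gate is what ties the check to the file-name encryption described above: a family that keeps original names and only appends an extension would pass the share test but fail the entropy test, so lower `min_entropy` if that is the behaviour you are hunting for.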

BrainCipher's targets span critical industries, including medical, educational, manufacturing sectors, and government agencies. As a data broker, the gang publishes information about companies that fail to protect personal data, serving both as a warning to potential victims and a marketplace for stolen data.

In the National Data Center attack, the group demanded $8 million in Monero cryptocurrency. The Indonesian government refused to pay the ransom, instead migrating critical data to Amazon Web Services.  

In an unexpected twist, BrainCipher apologized to Indonesia and released a free decryption tool, though they have continued their activities following this incident.

BrainCipher Victims:

Cole Technologies Group

  • Date of Attack: July 22, 2024
  • Details: BrainCipher attacked Cole Technologies Group, a company specializing in inspection services, compromising an unknown amount of sensitive data. The attack disrupted the company's operations.
  • Impact: Potential exposure of critical engineering service data, affecting the company's ability to deliver services.

Mars 2 LLC

  • Date of Attack: July 22, 2024
  • Details: BrainCipher encrypted over 15GB of confidential documents from Mars 2 LLC, a diversified investment company. The encrypted data included critical business information, client details, and proprietary research.
  • Impact: Significant operational and financial risk, leaving the company to decide between paying the ransom and pursuing alternative recovery methods.

Sherbrooke Metals

  • Date of Attack: July 22, 2024
  • Details: BrainCipher exfiltrated 25GB of confidential data from Sherbrooke Metals, a manufacturer of copper and silver tungsten products. A sample of the stolen data was leaked.
  • Impact: Threatened the company's intellectual property and operational integrity.

Mad Liberator

Mad Liberator, a notorious ransomware group, made headlines following a significant attack on the Italian Ministry of Culture on July 17, 2024. This incident, revealed on their Data Leak Site (DLS), involved the theft of sensitive data, including directories, agreements, documentation, and photographs.  

The group demanded a ransom payment within five days to prevent the public release of this information, highlighting a severe security lapse and emphasizing the escalating threat posed by ransomware groups.

Employing advanced encryption techniques such as AES/RSA, Mad Liberator effectively locks victim files, using both legal threats and intimidation to coerce compliance. They caution victims about potential repercussions under GDPR and CCPA regulations and threaten to misuse stolen data for fraudulent purposes.  

This combination of sophisticated encryption and aggressive extortion tactics underscores the group's capabilities and the challenges they pose to cybersecurity.

Mad Liberator's dark web portal lists numerous victims across various sectors, including governmental and private entities, demonstrating their extensive reach and ability to infiltrate highly secured systems. Their dual role as ransomware actors and data brokers involves not only encrypting data and demanding ransom but also stealing and selling information.

Mad Liberator Victims:

ZB Financial Holdings

  • Date of Attack: July 2024
  • Details: Mad Liberator attacked ZB Financial Holdings, a leading financial institution in Zimbabwe. The group encrypted critical files, compromising sensitive financial information and disrupting operations.
  • Impact: Potential exposure of financial data, affecting the company's operations and client trust.

Vitaldent

  • Date of Attack: July 2024
  • Details: Mad Liberator attacked Vitaldent, a dental clinic chain, accessing internal files, including patient follow-ups and invoices.

Italian Ministry of Culture

  • Date of Attack: July 17, 2024
  • Details: Mad Liberator compromised the Ministry of Culture's systems, leaking directories and files with sensitive data from 2017 to 2024.
  • Impact: Threat to the security of cultural heritage information and operational capabilities.

RansomCortex

RansomCortex has emerged as a leading ransomware group, notorious for targeting healthcare facilities with precision and expertise. By capitalizing on the lucrative and sensitive nature of medical data, the cybergang seeks to maximize financial gain through various fraudulent activities. Their actions highlight the severe threat ransomware poses to global cybersecurity, particularly within the healthcare sector.

RansomCortex employs cutting-edge encryption techniques to lock victims' data, demanding ransoms for its release. Uses of stolen data include financial fraud, extortion, black market sales, and phishing attacks. They utilize patient information to open bank accounts, request credit cards, or secure loans.  

Extortion tactics involve threats to disclose sensitive patient information unless a ransom is paid. Additionally, they sell personal medical data on dark web marketplaces and use stolen data for targeted phishing campaigns and identity theft.

The group operates a sophisticated data leak site and recruits individuals to assist with ransom payments and other activities. Their communication channels include Tox, email, and Session ID. They claim to enforce strict operational ethics, avoiding attacks on specific nations and companies that have previously paid ransoms.  

RansomCortex blends traditional ransomware tactics with data theft and resale, functioning both as ransomware actors and data brokers. As Ransomware-as-a-Service (RaaS) operators, they provide tools and infrastructure to affiliates, contributing to the proliferation of ransomware incidents.

RansomCortex Victims:

Perfeita Plástica

  • Date of Attack: July 2024
  • Details: RansomCortex attacked Perfeita Plástica, a plastic surgery clinic in São Paulo, Brazil, seizing 20GB of sensitive data, including financial details and patient information.

Instituto Respirar Londrina

  • Date of Attack: July 2024
  • Details: RansomCortex encrypted 90GB of critical data at Instituto Respirar Londrina, a multidisciplinary healthcare facility specializing in respiratory medicine.
  • Impact: Compromised financial and operational data, challenging the hospital's functionality and patient care services.

PainPRO Clinics

  • Date of Attack: July 2024
  • Details: RansomCortex seized 100GB of sensitive data from painPRO Clinics, a healthcare provider in British Columbia, Canada, and threatened to publish the stolen documents.
  • Impact: Significant risk to patient data, exposing vulnerabilities in data protection and cybersecurity measures.

SenSayQ

SenSayQ, a newly identified ransomware group that emerged in mid-June 2024, is known for its double-extortion tactics. They exfiltrate data and encrypt files to maximize leverage over victims. Utilizing a variant of the notorious LockBit ransomware, the group leaves ransom notes in most folders, named with a random ID followed by README.txt.  

These notes open with the message "---Welcome! You are locked by SenSayQ!---", urging victims to contact them within 72 hours to prevent their stolen data from being published on the group's website.
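The two artifacts named above, a note file called `<random ID>README.txt` dropped into most folders and a fixed opening banner, are enough to write a simple hunt for SenSayQ notes on a recovered disk image or a mounted share. The scanner below is an added example for this post, not Halcyon's product code or anything recovered from the group; it builds its own constructed sample tree so it runs offline. The alphanumeric ID pattern in `NOTE_NAME` is an assumption, as the page does not give the ID's format or length, and the note body beyond the banner is invented.

```python
import os
import re
import tempfile
from collections import Counter

# Name pattern from the report: an ID followed by README.txt. The ID's charset
# and length are not documented, so this alphanumeric match is an assumption.
NOTE_NAME = re.compile(r"^[A-Za-z0-9]+README\.txt$")
# Opening line quoted in the report.
BANNER = "You are locked by SenSayQ!"


def classify_note(filename, first_line):
    """Return a confidence label, or None when neither indicator matches.
    Both indicators together are strong; the banner alone is still telling
    (notes get copied and renamed); the name alone is weak (any ID + README)."""
    name_ok = bool(NOTE_NAME.match(filename))
    banner_ok = BANNER in first_line
    if name_ok and banner_ok:
        return "high"
    if banner_ok:
        return "medium"
    if name_ok:
        return "low"
    return None


def first_nonblank_line(path, max_bytes=4096):
    """Read only the head of the file; notes are small and we must not
    slurp large or encrypted files while triaging a share."""
    with open(path, "rb") as fh:
        head = fh.read(max_bytes).decode("utf-8", errors="replace")
    for line in head.splitlines():
        if line.strip():
            return line.strip()
    return ""


def scan_tree(root):
    """Walk a directory tree and return matching notes with a confidence."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue  # cheap prefilter: the described notes are .txt
            path = os.path.join(dirpath, name)
            confidence = classify_note(name, first_nonblank_line(path))
            if confidence:
                hits.append({"path": path, "confidence": confidence})
    return sorted(hits, key=lambda h: h["path"])


def summarize(hits):
    """Count hits per confidence label, e.g. {'high': 2, 'medium': 1}."""
    return dict(Counter(h["confidence"] for h in hits))


def build_sample_tree():
    """Create a constructed directory tree for testing; not real victim data."""
    root = tempfile.mkdtemp(prefix="note_scan_")
    note = ("---Welcome! You are locked by SenSayQ!---\n"
            "Constructed sample note body; no real contact details.\n")
    samples = {
        "finance/a1B2c3D4README.txt": note,        # name + banner  -> high
        "hr/Zz9Yy8README.txt": note,               # name + banner  -> high
        "docs/notice.txt": note,                   # banner only    -> medium
        "tmp/k7J2README.txt": "scratch file\n",    # name only      -> low
        "README.txt": "Project readme\n",          # benign, no ID prefix
        "docs/notes.txt": "Meeting notes\n",       # benign
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    for hit in found:
        print(f"{hit['confidence']:6s} {hit['path']}")
    print(summarize(found))
```

Point `scan_tree` at a read-only mount of the affected volume; the "high" hits give you the set of folders the payload reached, which is useful both for scoping and for confirming the "notes in most folders" behaviour the report describes. Keep the note files themselves as evidence rather than deleting them during cleanup.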

As of June 2024, SenSayQ has listed two victims on their data leak site. While their detailed methods remain unclear, it is evident they target organizations and exfiltrate sensitive data, posing a growing menace in the cybercrime landscape.  

Their double-extortion strategy, combining data encryption and exfiltration, applies pressure on victims to pay the ransom and avoid data leaks. The ransom notes instruct victims on how to contact SenSayQ and proceed with payment, while the attacks themselves are carried out with a strong variant of LockBit ransomware.

SenSayQ operates as both a ransomware actor and a data broker. As ransomware actors, they specialize in encrypting data and demanding a ransom for decryption, using advanced encryption algorithms and demanding payment in cryptocurrency.  

They exploit system vulnerabilities through phishing emails, malicious downloads, or compromised websites. As data brokers, SenSayQ steals and sells sensitive information, infiltrating systems to exfiltrate data, which is then sold on dark web marketplaces.  

SenSayQ Victims:

Vimer Industrie Grafiche Italiane

  • Date of Attack: June 4, 2024
  • Details: SenSayQ targeted Vimer Industrie Grafiche Italiane, a prominent Italian printing and graphics company. The attack encrypted critical data and involved the exfiltration of sensitive information, posing a severe threat to the company's operational integrity and client confidentiality.
  • Impact: Significant disruption to operations, with risks to client confidentiality and operational security.

Premium Broking House

  • Date of Attack: June 2024
  • Details: The SenSayQ ransomware group targeted Premium Broking House, a boutique international reinsurance brokerage firm in Lebanon. The attack led to significant operational disruptions and involved the exfiltration and encryption of sensitive data.
  • Impact: Major operational disruptions, highlighting vulnerabilities in the firm's cybersecurity measures and threatening the confidentiality of sensitive data.

Cicada3301

Cicada3301, a newly emerged threat actor group since June 2024, has gained significant notoriety by diverging from traditional ransomware tactics and operating primarily as a data broker. Instead of encrypting data and demanding ransoms, the group focuses on the exfiltration, sale, and distribution of stolen data.  

This shift marks a strategic evolution in cybercriminal activities, emphasizing long-term exploitation and profit through data monetization. Since its emergence, Cicada3301 has published data from four victims on its leak site, showcasing its ability to compromise and extract sensitive information.  

By leveraging the threat of releasing this data, they exert pressure on organizations to meet their demands. However, the group's primary goal is not direct ransom payments but the sale of exfiltrated data on dark web marketplaces.  

This tactic distinguishes the threat actor during a time when other major ransomware groups like LockBit have faced increased scrutiny and operational difficulties, leading to a decline in traditional ransomware incidents.

Cicada3301's operations involve infiltrating systems to steal valuable information, which is then sold to the highest bidder. They maintain a leak site where they publish samples of stolen data, serving both as a warning to potential victims and as a marketing tool for buyers.  

Their extortion methods include threatening to release the stolen data unless demands are met, but their main revenue comes from data sales. This strategy causes long-term damage to organizations, resulting in identity theft, corporate espionage, regulatory penalties, and loss of customer trust.

Cicada3301 Victims:

ASST Rhodense

  • Date of Attack: June 15, 2024
  • Details: Cicada3301 targeted ASST Rhodense, a healthcare organization in Lombardy, Italy, exfiltrating 1000 GB of sensitive data.
  • Impact: Major compromise of patient and staff privacy, posing severe risks to healthcare service continuity.

Leech Lake Gaming

  • Date of Attack: June 2024
  • Details: Cicada3301 attacked Leech Lake Gaming, operating three casinos in Minnesota, exfiltrating 223 GB of sensitive data.
  • Impact: Significant cybersecurity vulnerabilities, with major pressures from the threat of data exposure.

Groupe PRO-B

  • Date of Attack: June 2024
  • Details: Cicada3301 infiltrated Groupe PRO-B, a French professional audio equipment manufacturer, exfiltrating 305 GB of data.
  • Impact: Posed significant risks to operations and data security, showcasing the threat to industrial sectors.

Cicada 3301

To clarify, the name "Cicada 3301" was originally associated with an online puzzle that gained notoriety between 2012 and 2014. However, the name has since been appropriated by a separate and unrelated ransomware group, which has been the focus of recent reports, including ours.

Halcyon fully respects the legacy of the original "Cicada 3301" organization and recognizes their distinction from the activities of the ransomware group using the same name. Our reporting on the ransomware group is consistent with fair use, aiming to inform the public about cybersecurity threats. For those interested in the original "Cicada 3301" and their official stance on this matter, we encourage you to visit their statement here.

We appreciate your understanding as we strive to maintain clarity and accuracy in our reporting.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
