BrainCipher Ransomware Hits Cyceron: 100 GB of Sensitive Data at Risk
BrainCipher Ransomware Group Targets Cyceron: A Detailed Analysis
Cyceron, a renowned neuroscience and imaging research center located in Caen, Normandy, France, has recently fallen victim to a ransomware attack orchestrated by the BrainCipher group. The attackers have reportedly exfiltrated 100 GB of sensitive data and are threatening to release it within the next 18-19 days.
About Cyceron
Cyceron is a prominent biomedical imaging platform established in 1985 and recognized as an IBiSA (Infrastructures en Biologie, Santé et Agronomie) platform since 2007. The facility is located at the EPOPEA super-campus in Caen and serves as a critical technological base for in vivo imaging research. Cyceron hosts five research units, three companies, and one institute, employing approximately 355 staff members, including researchers, engineers, and technicians. The center is known for its advanced imaging techniques, such as MRI and PET, which are utilized for both preclinical and clinical investigations.
Cyceron operates under the umbrella of several academic institutions, including INSERM (the French National Institute of Health and Medical Research) and CNRS (the National Centre for Scientific Research). The center's contributions to neuroscience are significant, with over 1,350 publications and 50,000 citations, making it a leading biomedical platform in France.
Attack Overview
The ransomware attack on Cyceron was claimed by the BrainCipher group via their dark web leak site. The attackers have reportedly gained access to 100 GB of the organization's data, which they are threatening to release within the next 18-19 days. The attack has raised concerns about the security of sensitive research data and the potential impact on ongoing studies and collaborations.
About BrainCipher
BrainCipher is a relatively new ransomware group that emerged in early June 2023. The group gained notoriety after a high-profile attack on Indonesia’s National Data Center, which disrupted essential public services. BrainCipher primarily uses phishing and spear phishing as delivery methods and relies on initial access brokers to infiltrate target environments. The ransomware payloads are based on LockBit 3.0 and are built with a leaked version of that ransomware's builder.
BrainCipher distinguishes itself by employing sophisticated persistence and evasion techniques, including hiding threads from debuggers and executing in a suspended mode. The group operates a TOR-based data leak site where they publish information about companies that fail to protect personal data adequately. Ransom notes and data leak site communications warn victims against involving third-party negotiators or law enforcement agencies.
Potential Vulnerabilities
Cyceron's extensive use of advanced imaging technologies and its collaborative environment may have made it an attractive target for threat actors like BrainCipher. The reliance on interconnected systems and the handling of sensitive research data could have provided multiple entry points for the attackers. Additionally, the high value of the data stored at Cyceron, including unpublished research and proprietary imaging techniques, would give ransomware groups significant leverage when seeking substantial ransom payments.