Threat Group Profile
BrainCipher
β Active β last 30 days
Victim claims
24
First seen
May 2026
Last activity
09 Jul 2026
Tracked since
Jul 2024
Group overview
Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher using the leaked build of LockBit Black for their operations. The group suspected to have exploited CVE-2023-28252 (Microsoft Windows CLFS Driver Privilege Escalation Vulnerability). The Ransom demand ranges from $150,000 to $1,00,0000. Demand to be paid with Monero (XMR) cryptocurrency. In 2025, they have shifted their new Negotiation portal to new server with vanity TOR Domain starting with 'brain'.
Preferred targets
Business Services Β· 6
Manufacturing Β· 3
Technology Β· 3
Healthcare Β· 2
Agriculture and Food Production Β· 2
Consumer Services Β· 1
Most targeted countries
US Β· 7
GB Β· 6
CA Β· 5
BR Β· 1
AT Β· 1
AU Β· 1
Tactics & techniques (MITRE ATT&CK)
Execution
User Execution
Defense Evasion
Indicator Removal: File Deletion
Impair Defenses: Disable or Modify Tools
Discovery
File and Directory Discovery
Impact
Data Encrypted for Impact