Brain Cipher is a ransomware strain that surfaced in mid-2024 and quickly spread across sectors worldwide. It gained notoriety with a high-profile attack on Indonesia's National Data Center that disrupted over 200 government agencies and critical public services, including immigration systems. Built on the leaked LockBit 3.0 builder, Brain Cipher shares much of its predecessor's behavior but distinguishes itself with capabilities such as encrypting both file contents and filenames. Victims are left with ransom notes in a distinctive [extension].README.txt format.

The operators run a multi-extortion model, demanding ransoms between $20,000 and $8 million in cryptocurrencies such as Monero. They gain entry through phishing campaigns and initial access brokers, then disable security controls, steal credentials, and move laterally across the network to maximize impact. Brain Cipher has hit healthcare, education, media, and government targets across Southeast Asia, Europe, and the Americas.

In this blog post, we demonstrate how organizations can detect activities and malicious behaviors associated with the Brain Cipher ransomware on infected Windows endpoints.

Brain Cipher ransomware behavior

Below are some of the behaviors observed when Brain Cipher ransomware successfully infects a Windows endpoint:

  • During execution, Brain Cipher launches DllHost.exe with parameters that instantiate the COM class {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (CMSTPLUA, implemented in cmstplua.dll). This auto-elevating COM interface is a well-known technique for bypassing User Account Control (UAC).
  • The elevated DllHost.exe spawns a new instance of the Brain Cipher executable, and the original, unelevated instance terminates.
  • The ransomware opens a handle to LSASS (Local Security Authority Subsystem Service), consistent with an attempt to dump credentials.
  • To hinder recovery, the ransomware deletes the Volume Shadow Copy Service registry key HKLM\System\CurrentControlSet\Services\VSS, which unregisters the service from the endpoint.
  • The new Brain Cipher process starts encrypting files and writes the ransom note sYMY1N6ah.README.txt to the root of C:\.
  • It then scans the system and encrypts further files. Encrypted files are renamed to random strings of characters with the suffix .sYMY1N6ah appended.
  • A copy of the ransom note is dropped in every folder it encrypts.
  • The ransomware issues a DNS query for _ldap._tcp.dc._msdcs.<domain>, the Active Directory domain controller locator SRV record (this is the query matched by rule 100125 below). Locating domain controllers fits the LockBit-derived propagation behavior rather than C2 beaconing; the same Sysmon DNS telemetry would also surface a genuine C2 lookup, which is why the query is worth alerting on.
  • To cover its tracks, the ransomware rewrites the registry values that control Windows event log channels under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels, specifically the ChannelAccess and Enabled values. The new ChannelAccess descriptor grants no write access to any principal, so the Event Log service can no longer write to those channels; as observed on the infected endpoint, this stops further logging and blocks users from accessing the existing entries.
  • When a user then tries to access the Windows event logs, the error message "Service eventlog was not found on computer" is displayed.

Analyzed IOC

Hash algorithm    Value
SHA256            eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12
SHA1              935c0b39837319fda571aa800b67d997b79c3198
MD5               448f1796fe8de02194b21c0715e0a5f6

Infrastructure

We use the following infrastructure to demonstrate the detection of Brain Cipher ransomware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.10.0 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 endpoint with the Wazuh agent 4.10.0 installed and enrolled to the Wazuh server. This endpoint is monitored for the Brain Cipher ransomware activities.

Detection with Wazuh

Detection rules

We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of Brain Cipher ransomware.

Windows endpoint

Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

1. Download the latest version of Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file sysmonconfig.xml with PowerShell running as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the folder that contains the Sysmon executable. Invoke-WebRequest is used rather than its Windows PowerShell alias wget, which PowerShell 7 no longer defines:

> Invoke-WebRequest -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the folder containing the Sysmon executable. Run the command below to install and start Sysmon:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect the activities of the Brain Cipher ransomware on the monitored Windows endpoint.

1. Create a file braincipher_ransomware.xml in the /var/ossec/etc/rules/ directory:

# touch /var/ossec/etc/rules/braincipher_ransomware.xml

2. Add the following detection rules to the /var/ossec/etc/rules/braincipher_ransomware.xml file:

<group name="Brain Cipher, ransomware,">

<!-- Brain Cipher ransomware loaded -->
  <rule id="100121" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.hashes" type="pcre2">(?i)SHA256=EB82946FA0DE261E92F8F60AA878C9FEF9EBB34FDABABA66995403B110118B12|0080EC82DA326F6BEBCAB521F2C4F79BAFB09E5D0EEA3BE39CA8A2BD6EF9AA8B|7D67C8711B4CAD0F585604FF3F9F8F40359E4F8E1524E152F50159B0F56D0952|27A3CC834C1CD00AD5378C373D76957998BB54BBCFE67BBF3AE5C7BE5A5A66DD|6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417</field>
    <description>Brain Cipher ransomware executable loaded. Brain Cipher ransomware detected.</description>
  </rule>

<!-- Local Security Authority Subsystem Service accessed -->
  <rule id="100122" level="12">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.sourceImage" type="pcre2">.*\.exe</field>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\system32\\\\lsass.exe</field>
    <description>The process $(win.eventdata.targetImage) has been accessed by $(win.eventdata.sourceImage). Possible credential dumping detected.</description>
    <mitre>
      <id>T1003</id>
      <id>T1003.001</id>
    </mitre>
  </rule>
  
<!-- Volume Shadow copy Service (VSS) deletion -->
  <rule id="100123" level="12">
    <if_sid>61614, 61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">DeleteKey</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS$</field>
    <description>Volume Shadow copy Service (VSS) $(win.eventdata.targetObject) deleted. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

<!-- Ransom note file creation -->
  <rule id="100124" level="15" timeframe="100" frequency="2">
    <if_sid>61613</if_sid>
	<field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.sYMY1N6ah.README.txt</field>
    <description>Brain Cipher ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible Brain Cipher ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

<!-- DNS Query by Brain Cipher executable -->
  <rule id="100125" level="12">
    <if_sid>61650</if_sid>
    <field name="win.eventdata.image" type="pcre2">.*\.exe</field>
    <field name="win.eventdata.queryName" type="pcre2">_ldap\._tcp\.dc\._msdcs\.[A-Za-z0-9\-]+</field>
    <description>Potential malicious activity detected. DNS query by $(win.eventdata.image).</description>
    <mitre>
      <id>T1071</id> 
      <id>T1071.004</id>
    </mitre>
  </rule>

<!-- Antimalware Scan Interface Debugging Channel Access Modification -->
  <rule id="100126" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\AMSI\/Debug\\\\ChannelAccess</field>
    <field name="win.eventdata.details" type="pcre2">O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$</field>
    <description>Registry modification detected for AMSI Debugging Channel Access. Possible tampering or evasion attempt.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.001</id>
    </mitre>
  </rule>


<!-- Microsoft-Windows-Servicing Channel Access Modification -->
  <rule id="100127" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Servicing\/Debug\\\\ChannelAccess</field>
    <field name="win.eventdata.details" type="pcre2">O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$</field>
    <description>Registry modification detected for Microsoft-Windows-Servicing Channel Access. Possible tampering with event logging channels detected.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

<!-- Microsoft-Windows-UAC Channel Access Modification -->
  <rule id="100128" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-UAC\/Operational\\\\ChannelAccess</field>
    <field name="win.eventdata.details" type="pcre2">O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$</field>
    <description>Registry modification detected for User Account Control (UAC) Channel Access.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>
    
</group>

Brain Cipher ransomware execution on the victim endpoint triggers the following rule IDs:

  • 100121 is triggered when an executable image with one of the listed Brain Cipher SHA256 hashes is loaded.
  • 100122 is triggered when a process opens a handle to lsass.exe. Legitimate software (EDR agents, backup tools, some Windows components) also does this, so treat the alert as corroborating evidence rather than a standalone verdict.
  • 100123 is triggered when the Volume Shadow Copy Service (VSS) registry key is deleted.
  • 100124 is triggered when the Brain Cipher ransom note is created in two or more directories within 100 seconds.
  • 100125 is triggered when a process queries the domain controller locator SRV record (_ldap._tcp.dc._msdcs.<domain>). Domain-joined hosts issue this query routinely, so on its own it is low confidence; it becomes meaningful alongside the other rules.
  • 100126 is triggered when the ChannelAccess descriptor of the AMSI/Debug event log channel is set to the restrictive SDDL O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA), which leaves no principal with the write bit (0x2) on the channel.
  • 100127 is triggered when the same descriptor is applied to the Microsoft-Windows-Servicing/Debug channel.
  • 100128 is triggered when the same descriptor is applied to the Microsoft-Windows-UAC/Operational channel.

The three channel rules cover the channels observed in the analyzed sample. Because the ransomware rewrites every channel, a single rule with a broader targetObject pattern (for example .*\\\\WINEVT\\\\Channels\\\\.*\\\\ChannelAccess) combined with the same details pattern catches the whole sweep, at the cost of more alerts per infection.
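To check that these expressions match what Wazuh actually stores, the following Python script replays constructed Sysmon events through the same pcre2 patterns and honours the frequency attribute the way rule 100124 expects. It is an added example, not part of the original post or of Wazuh. The parent-rule-to-Sysmon-event-ID mapping and the escaped-backslash form of the stored paths are assumptions drawn from how the rules above are written, and every event, hostname and path in it is constructed. The channel_writers helper decodes a ChannelAccess SDDL to show why the descriptor matched by rules 100126 to 100128 silences a channel.

```python
import re
from collections import defaultdict

# Added example (not Wazuh code): replays constructed Sysmon events through the
# pcre2 patterns of the custom rules on this page. Python's re treats these
# particular patterns the same way pcre2 does. Backslashes in the constructed
# eventdata are doubled because the rules match one path separator with \\\\,
# which only works if the collected value already carries an escaped backslash.

# Parent rule ID -> Sysmon Event ID. Assumed from the Wazuh Sysmon ruleset; the
# page itself only gives the parent IDs.
SID_TO_EVENTID = {61609: 7, 61612: 10, 61613: 11, 61614: 12, 61615: 13, 61650: 22}

WINEVT = r"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\"
LOCKED_SDDL = r"O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$"

# (rule_id, parent sids, {eventdata field: pattern}, frequency)
RULES = [
    ("100121", (61609,), {"image": r"(?i)[C-Z]:.*\.exe",
                          # only the analyzed sample's hash is kept here; the rule lists several
                          "hashes": r"(?i)SHA256=EB82946FA0DE261E92F8F60AA878C9FEF9EBB34FDABABA66995403B110118B12"}, 1),
    ("100122", (61612,), {"sourceImage": r".*\.exe",
                          "targetImage": r"(?i)[C-Z]:\\\\Windows\\\\system32\\\\lsass.exe"}, 1),
    ("100123", (61614, 61615), {"eventType": r"DeleteKey",
                                "targetObject": r"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS$"}, 1),
    ("100124", (61613,), {"image": r"(?i)[C-Z]:.*\\\\.*\.exe",
                          "targetFilename": r"(?i)[C-Z]:.*sYMY1N6ah\.README\.txt"}, 2),
    ("100125", (61650,), {"image": r".*\.exe",
                          "queryName": r"_ldap\._tcp\.dc\._msdcs\.[A-Za-z0-9\-]+"}, 1),
    ("100126", (61615,), {"targetObject": WINEVT + r"AMSI\/Debug\\\\ChannelAccess", "details": LOCKED_SDDL}, 1),
    ("100127", (61615,), {"targetObject": WINEVT + r"Microsoft-Windows-Servicing\/Debug\\\\ChannelAccess", "details": LOCKED_SDDL}, 1),
    ("100128", (61615,), {"targetObject": WINEVT + r"Microsoft-Windows-UAC\/Operational\\\\ChannelAccess", "details": LOCKED_SDDL}, 1),
]


def evaluate(events, rules=RULES):
    """Return the rule IDs that would alert, in arrival order.

    frequency is honoured as 'every Nth match'; the 100-second timeframe is
    ignored because the constructed events all fall inside one window."""
    hits = defaultdict(int)
    alerts = []
    for ev in events:
        for rule_id, sids, fields, frequency in rules:
            if ev["eventID"] not in {SID_TO_EVENTID[s] for s in sids}:
                continue
            data = ev["eventdata"]
            if all(f in data and re.search(p, data[f]) for f, p in fields.items()):
                hits[rule_id] += 1
                if hits[rule_id] % frequency == 0:
                    alerts.append(rule_id)
    return alerts


# Event log channel access mask: 0x1 read, 0x2 write, 0x4 clear.
ACE = re.compile(r"\(A;;(0x[0-9A-Fa-f]+);;;([^)]+)\)")


def channel_writers(sddl):
    """Principals that keep the write bit in a ChannelAccess SDDL.
    An empty set means nothing, not even SYSTEM, can log to the channel."""
    return {trustee for mask, trustee in ACE.findall(sddl) if int(mask, 16) & 0x2}


EXE = "C:\\\\Users\\\\victim\\\\Downloads\\\\braincipher.exe"  # constructed path, stored with escaped separators

SAMPLE_EVENTS = [  # constructed events, not captured telemetry
    {"eventID": 7, "eventdata": {"image": EXE, "hashes": "SHA256=EB82946FA0DE261E92F8F60AA878C9FEF9EBB34FDABABA66995403B110118B12"}},
    {"eventID": 10, "eventdata": {"sourceImage": EXE, "targetImage": "C:\\\\Windows\\\\system32\\\\lsass.exe"}},
    {"eventID": 12, "eventdata": {"eventType": "DeleteKey", "targetObject": "HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS"}},
    {"eventID": 11, "eventdata": {"image": EXE, "targetFilename": "C:\\\\sYMY1N6ah.README.txt"}},
    {"eventID": 11, "eventdata": {"image": EXE, "targetFilename": "C:\\\\Users\\\\victim\\\\Documents\\\\sYMY1N6ah.README.txt"}},
    {"eventID": 22, "eventdata": {"image": EXE, "queryName": "_ldap._tcp.dc._msdcs.corp.example"}},
    {"eventID": 13, "eventdata": {"targetObject": "HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\AMSI/Debug\\\\ChannelAccess",
                                  "details": "O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)"}},
    # Benign noise: a domain-joined host locating its DC also satisfies 100125.
    {"eventID": 22, "eventdata": {"image": "C:\\\\Windows\\\\system32\\\\svchost.exe", "queryName": "_ldap._tcp.dc._msdcs.corp.example"}},
    # Setting a value under the VSS key is not a key deletion: 100123 must stay quiet.
    {"eventID": 13, "eventdata": {"eventType": "SetValue", "targetObject": "HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start"}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
    print(channel_writers("O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)"))
```

Run with python3: it prints the rule IDs in firing order and then the empty set of principals that keep write access under the observed descriptor. Note that the ransom note rule stays silent on the first note and fires on the second, and that the benign svchost.exe lookup at the end also raises 100125, which is the false-positive profile to expect from that rule on any domain-joined host.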

3. Restart the Wazuh server to apply the changes:

# systemctl restart wazuh-manager

Wazuh dashboard detection alerts

Follow the steps below to view the alerts generated on the Wazuh dashboard when the Brain Cipher ransomware is executed on the Windows endpoint.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select 100121, 100122, 100123, 100124, 100125, 100126, 100127, and 100128 in the Values field.

5. Click Save.

Figure: Brain Cipher ransomware detection alerts on the Wazuh dashboard.

Removing malicious files with Wazuh integration

Detecting and removing a ransomware dropper before it executes is the proactive side of the defense: the malicious executable is deleted from the monitored endpoint and never gets to run. The Wazuh File Integrity Monitoring (FIM) module watches monitored directories, either on a schedule or in real time, and reports file additions and modifications.

Wazuh integrates with YARA rulesets and with threat intelligence platforms such as VirusTotal, whose signatures are updated continuously. When a monitored file matches, the Wazuh Active Response module can be configured to delete it before it does any damage. With this approach, organizations detect and remove malicious files as soon as they land on disk.

In this section, we illustrate how to detect and remove malicious files using the Wazuh integration with YARA.

We configure the Wazuh FIM module to report file additions and modifications in a specific directory. When FIM reports a change, the Active Response module runs a YARA scan on the new or modified file and deletes it if a rule matches. Note that this covers the sample as it is written to a watched directory; a file that is already running, or that is dropped somewhere FIM does not monitor, is not caught by this path.

Windows endpoint

Perform the steps below to set up the monitored endpoint for this integration.

1. Install Python 3 with pip on the endpoint; steps 5 to 7 below use them to fetch the YARA ruleset.

Note: Run PowerShell as an administrator for the commands that follow.

2. Download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip

3. Extract the downloaded YARA file:

> Expand-Archive v4.5.2-2326-win64.zip

4. Create a yara folder in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

5. To download the YARA rules, use the pip utility to install valhallaAPI. This API retrieves the public signature-based YARA ruleset:

> pip install valhallaAPI

6. Create a file download_yara_rules.py, and paste the below script into it:

from valhallaAPI.valhalla import ValhallaAPI
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

7. Run the download_yara_rules.py script file to download YARA rules:

> python download_yara_rules.py

8. Create C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder and copy the rules into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

9. Edit the downloaded YARA rule file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following Brain Cipher ransomware rule:

rule BrainCipher_ransomware {
   meta:
      description = "Brain Cipher ransomware executable detection"
      author = "Aishat Motunrayo Awujola"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2025-01-20"
      hash1 = "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12"
   strings:
      $s1 = "L%nu%s\"^6" fullword ascii
      $s2 = "D$PWSP" fullword ascii /* Goodware String - occurred 1 times */
      $s3 = "2'2b2v2" fullword ascii /* Goodware String - occurred 1 times */
      $s4 = "Loyn?P00" fullword ascii
      $s5 = "4f5l5x5~5" fullword ascii /* Goodware String - occurred 1 times */
      $s6 = "4 444u4" fullword ascii /* Goodware String - occurred 1 times */
      $s7 = "wSYM ,9" fullword ascii
      $s8 = "=V=\\={=" fullword ascii /* Goodware String - occurred 1 times */
      $s9 = "5E6L6S6Z6" fullword ascii /* Goodware String - occurred 1 times */
      $s10 = ";&;P;_;" fullword ascii /* Goodware String - occurred 1 times */
      $s11 = "?0N0]0l0" fullword ascii /* Goodware String - occurred 1 times */
      $s12 = "9D$$ua" fullword ascii /* Goodware String - occurred 2 times */
      $s13 = "4.4=4L4" fullword ascii /* Goodware String - occurred 2 times */
      $s14 = "SQRVW3" fullword ascii
      $s15 = "_^ZY[]" fullword ascii /* Goodware String - occurred 3 times */
      $s16 = "?%U$38O" fullword ascii
      $s17 = "9&9,949" fullword ascii
      $s18 = "303M3W3" fullword ascii
      $s19 = "7+7:7I7H8R8z8" fullword ascii
      $s20 = "+D$H[_]^" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and
      8 of them
}

10. Monitor the Downloads folder of all users in real-time by adding the below configuration  within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, we only monitored the Downloads folder of all users. However, you can configure other directories you wish to monitor.

11. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the below script into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:

:: This script deletes the Brain Cipher ransomware executable as well as other malicious files matched by the YARA rules

@echo off
setlocal enableDelayedExpansion
:: Pick the agent install path for the OS architecture
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
:: Read the JSON alert the Wazuh agent passes on stdin and save it for parsing
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
:: Extract the path of the added or modified file from the FIM alert
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
:: Scan the file; YARA prints one "<rule name> <file path>" line per matching rule
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the scanned file on a positive match (REM rather than :: is safe inside a block)
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b

12. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

We configure rules, custom decoders, and active response to capture alerts related to the addition and removal of the ransomware sample.

1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules trigger alerts when files are added or modified in the Downloads folder on the monitored endpoint.

<group name="syscheck,">
  <rule id="100211" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100212" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Where:

  • 100211 is triggered when a file is modified in the Downloads folder.
  • 100212 is triggered when a file is added to the Downloads folder.

2. Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100211,100212</rules_id>
</active-response>

The Wazuh Active Response module runs the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <command> defines a command named yara whose <executable> is the yara.bat script in the agent's active-response/bin directory. <timeout_allowed>no</timeout_allowed> marks it as stateless, so no reverse action is run after a timeout.
  • <active-response> binds that command to <rules_id> 100211 and 100212, so the script runs each time either rule fires.
  • <location>local</location> runs the script on the agent that reported the event, which is where the file to be scanned and deleted lives.

3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml to generate alerts when response actions are taken:

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100213" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100214" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" matched YARA rule $(yara_rule). Possible ransomware detected.</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="100215" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100216" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • 100213 is the base rule that groups all YARA-related events from the active response log.
  • 100214 is triggered when a YARA rule matches the scanned file (the Brain Cipher executable in this demonstration).
  • 100215 is triggered when the matched file has been successfully removed by the Wazuh Active Response module.
  • 100216 is triggered when the matched file could not be removed by the Wazuh Active Response module.
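The decoders in step 3 and the rules in step 4 form one chain, and its weak point is the (\S+) that captures the file path: it stops at the first space, which is common in a Downloads folder. The following Python script, an added example and not part of the original post or of Wazuh, runs constructed lines in the format yara.bat writes through the page's three decoder patterns, maps each to the rule it would raise, and shows the truncated path beside the result with the file group widened. Python's re stands in for the Wazuh regex engine; the rule names and paths in the sample lines are constructed.

```python
import re

# Added example (not Wazuh code): exercises the yara_decoder1 patterns from the
# page against constructed active-response log lines. Python's re is used in
# place of Wazuh's own regex engine; \S+ means the same in both (a run of
# non-whitespace characters).


def build_decoders(file_group=r"(\S+)"):
    """The page's decoders as (pattern, rule_id). file_group is the capture for
    yara_scanned_file; the original (\\S+) stops at the first space in a path."""
    return [
        (r"wazuh-yara: (\S+) - Scan result: (\S+) " + file_group, "100214"),
        (r"wazuh-yara: (\S+) - Successfully deleted: (\S+) " + file_group, "100215"),
        (r"wazuh-yara: (\S+) - Error removing threat: (\S+) " + file_group, "100216"),
    ]


def decode(line, decoders):
    """Return (rule_id, fields) the way the decoder/rule chain would, or None."""
    if "wazuh-yara:" not in line:          # parent decoder prematch
        return None
    for pattern, rule_id in decoders:
        m = re.search(pattern, line)
        if m:
            log_type, yara_rule, scanned = m.groups()
            return rule_id, {"log_type": log_type, "yara_rule": yara_rule,
                             "yara_scanned_file": scanned}
    return None


def decode_all(lines, decoders):
    return [r for r in (decode(line, decoders) for line in lines) if r]


SAMPLE_LOG = [  # constructed lines in the format yara.bat appends to active-responses.log
    r"C:\Users\victim\Downloads\braincipher.exe",  # bare path line: no prematch, ignored
    r"wazuh-yara: INFO - Scan result: BrainCipher_ransomware C:\Users\victim\Downloads\braincipher.exe",
    r"wazuh-yara: INFO - Successfully deleted: BrainCipher_ransomware C:\Users\victim\Downloads\braincipher.exe",
    r"wazuh-yara: INFO - Scan result: BrainCipher_ransomware C:\Users\victim\Downloads\Brain Cipher sample.exe",
    r"wazuh-yara: INFO - Error removing threat: BrainCipher_ransomware C:\Users\victim\Downloads\Brain Cipher sample.exe",
]

if __name__ == "__main__":
    print("page decoders:")
    for rule_id, fields in decode_all(SAMPLE_LOG, build_decoders()):
        print(" ", rule_id, fields["yara_scanned_file"])
    print("widened file group:")
    for rule_id, fields in decode_all(SAMPLE_LOG, build_decoders("(.+)")):
        print(" ", rule_id, fields["yara_scanned_file"])
```

With the page's decoders the third and fourth alerts report the file as C:\Users\victim\Downloads\Brain, so the dashboard shows a path that does not exist. Widening the last capture fixes it; in Wazuh's regex syntax, where \. matches any character, the equivalent decoder line is <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\.+)</regex>, applied to all three child decoders.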

5. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Visualizing the detection alerts

When the Brain Cipher ransomware executable is added to the Downloads folder of the victim endpoint and removed by the Active Response module, alerts are generated on the Wazuh dashboard. 

To view these alerts:

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select rule IDs 100212, 100214, and 100215 in the Values field.

5. Click Save.

Figure: YARA detection and Active Response alerts on the Wazuh dashboard.

Conclusion

In this blog post, we demonstrated how organizations can detect Brain Cipher ransomware activities on monitored Windows endpoints. By integrating Sysmon, we enriched logs from the victim endpoint and created Wazuh detection rules to identify malicious behavior related to Brain Cipher ransomware. 

Wazuh is a free open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. If you have any questions about this blog post or Wazuh, we invite you to join our Slack community, where our team is available to assist you.
