Detecting Brain Cipher ransomware with Wazuh

Brain Cipher is a ransomware strain that surfaced in the middle of 2024, rapidly making its presence felt across various sectors worldwide. Its popularity skyrocketed following a high-profile attack on Indonesia’s National Data Center, which disrupted over 200 government agencies and critical public services, including immigration systems. Built on the leaked LockBit 3.0 builder, Brain Cipher shares several similarities with its predecessor but distinguishes itself through unique capabilities, such as encrypting both file contents and filenames. Victims are left with ransom notes bearing a distinct format, [extension].README.txt, adding to its signature tactics.
The ransomware employs a multifaceted extortion strategy, demanding ransoms between $20,000 and $8 million in cryptocurrencies like Monero. Threat actors behind Brain Cipher leverage phishing campaigns and initial access brokers to infiltrate systems, disable security measures, steal credentials, and propagate across networks to maximize damage. Brain Cipher has emerged as a formidable threat with targets spanning industries like healthcare, education, media, and government across Southeast Asia, Europe, and the Americas.
In this blog post, we demonstrate how organizations can detect activities and malicious behaviors associated with the Brain Cipher ransomware on infected Windows endpoints.
Below are some of the behaviors observed when Brain Cipher ransomware successfully infects a Windows endpoint:
- Executes DllHost.exe with specific parameters to activate the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is linked to cmstplua.dll. This Class Identifier (CLSID) is frequently exploited by attackers to bypass User Account Control (UAC).
- DllHost.exe initiates a new instance of the Brain Cipher process, terminating the initial process.
- Accesses LSASS (Local Security Authority Subsystem Service).
- Deletes the registry key HKLM\System\CurrentControlSet\Services\VSS, which deletes the service from the endpoint.
- Drops the ransom note sYMY1N6ah.README.txt in the “C:\” root folder.
- Encrypts files and leaves them with the extension “.sYMY1N6ah” appended.
- Modifies the “ChannelAccess” and “Enabled” registry keys of Windows event log channels. This action prevents further logging and blocks users from accessing existing event log entries.
Hashes of the analyzed sample:
Hash Algorithm | Value
SHA256 | eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12
SHA1 | 935c0b39837319fda571aa800b67d997b79c3198
MD5 | 448f1796fe8de02194b21c0715e0a5f6
Infrastructure
We use the following infrastructure to demonstrate the detection of Brain Cipher ransomware with Wazuh:
We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of Brain Cipher ransomware.
Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.
1. Download the latest version of Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred location.
3. Download the Sysmon configuration file – sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Switch to the folder containing the Sysmon executable. Run the command below to install and start Sysmon:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
6. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh
In this section, we create rules to detect the activities of the Brain Cipher ransomware on the monitored Windows endpoint.
1. Create a file braincipher_ransomware.xml in the /var/ossec/etc/rules/ directory:
# touch /var/ossec/etc/rules/braincipher_ransomware.xml
2. Add the following detection rules to the /var/ossec/etc/rules/braincipher_ransomware.xml file:
<group name="Brain Cipher, ransomware,">
  <!-- Brain Cipher ransomware loaded -->
  <rule id="100121" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.hashes" type="pcre2">(?i)SHA256=EB82946FA0DE261E92F8F60AA878C9FEF9EBB34FDABABA66995403B110118B12|0080EC82DA326F6BEBCAB521F2C4F79BAFB09E5D0EEA3BE39CA8A2BD6EF9AA8B|7D67C8711B4CAD0F585604FF3F9F8F40359E4F8E1524E152F50159B0F56D0952|27A3CC834C1CD00AD5378C373D76957998BB54BBCFE67BBF3AE5C7BE5A5A66DD|6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417</field>
    <description>Brain Cipher ransomware executable loaded. Brain Cipher ransomware detected.</description>
  </rule>

  <!-- Local Security Authority Subsystem Service accessed -->
  <rule id="100122" level="12">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.sourceImage" type="pcre2">.*\.exe</field>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)[C-Z]:\\\\Windows\\\\system32\\\\lsass.exe</field>
    <description>The process $(win.eventdata.targetImage) has been accessed by $(win.eventdata.sourceImage). Possible credential dumping detected.</description>
    <mitre>
      <id>T1003</id>
      <id>T1003.001</id>
    </mitre>
  </rule>

  <!-- Volume Shadow copy Service (VSS) deletion -->
  <rule id="100123" level="12">
    <if_sid>61614, 61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">DeleteKey</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS$</field>
    <description>Volume Shadow copy Service (VSS) $(win.eventdata.targetObject) deleted. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="100124" level="15" timeframe="100" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.sYMY1N6ah.README.txt</field>
    <description>Brain Cipher ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible Brain Cipher ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <!-- DNS Query by Brain Cipher executable -->
  <rule id="100125" level="12">
    <if_sid>61650</if_sid>
    <field name="win.eventdata.image" type="pcre2">.*\.exe</field>
    <field name="win.eventdata.queryName" type="pcre2">_ldap\._tcp\.dc\._msdcs\.[A-Za-z0-9\-]+</field>
    <description>Potential malicious activity detected. DNS query by $(win.eventdata.image).</description>
    <mitre>
      <id>T1071</id>
      <id>T1071.004</id>
    </mitre>
  </rule>

  <!-- Antimalware Scan Interface Debugging Channel Access Modification -->
  <rule id="100126" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\AMSI\/Debug\\\\ChannelAccess</field>
    <field name="win.eventdata.details" type="pcre2">O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$</field>
    <description>Registry modification detected for AMSI Debugging Channel Access. Possible tampering or evasion attempt.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <!-- Microsoft-Windows-Servicing Channel Access Modification -->
  <rule id="100127" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Servicing\/Debug\\\\ChannelAccess</field>
    <field name="win.eventdata.details" type="pcre2">O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$</field>
    <description>Registry modification detected for Microsoft-Windows-Servicing Channel Access. Possible tampering with event logging channels detected.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

  <!-- Microsoft-Windows-UAC Channel Access Modification -->
  <rule id="100128" level="12">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-UAC\/Operational\\\\ChannelAccess</field>
    <field name="win.eventdata.details" type="pcre2">O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$</field>
    <description>Registry modification detected for User Account Control (UAC) Channel Access.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>
</group>
Brain Cipher ransomware execution on the victim endpoint triggers the following rule IDs:
- 100121 is triggered when the Brain Cipher executable is loaded.
- 100122 is triggered when LSASS is accessed by the ransomware executable. This may also trigger as a result of other legitimate processes accessing LSASS.
- 100123 is triggered when the Volume Shadow copy Service (VSS) registry key is deleted.
- 100124 is triggered when the Brain Cipher ransom note is dropped in multiple directories.
- 100125 is triggered when the Brain Cipher ransomware makes a DNS query signaling communication with the Command and Control (C2) server.
- 100126 is triggered when the security protection services are tampered with.
- 100127 is triggered when the event logging channel is disabled.
- 100128 is triggered when User Account Control (UAC) is modified.
3. Restart the Wazuh server to apply the changes:
# systemctl restart wazuh-manager
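To see how these rules behave before deploying them, here is an added Python example (it is not code from the Wazuh post) that re-implements the field matching of rules 100121 to 100126 and runs it over constructed Sysmon-style events. The file paths, timestamps, process names and the domain in the DNS query are assumptions made for the example; the SHA256 value is the one from the page. Each event is tagged with the parent rule ID (the rule's <if_sid> value) it would have been decoded into, so no claim is made about Sysmon event numbering. The XML patterns are applied to plain strings, so every \\\\ in the rule file is written as one escaped backslash here, and the frequency/timeframe behaviour of rule 100124 is simplified to "alert once the conditions have matched twice within 100 seconds".

```python
import re
from collections import defaultdict

# Added example, not part of the Wazuh post. Rule patterns are transcribed from the page's
# braincipher_ransomware.xml; only the first SHA256 from the page's hash alternation is kept.
SHA256_FROM_PAGE = "EB82946FA0DE261E92F8F60AA878C9FEF9EBB34FDABABA66995403B110118B12"

RULES = [
    # (rule id, parent sids from <if_sid>, {win.eventdata field: pcre2 pattern}, frequency, timeframe seconds)
    ("100121", {"61609"}, {"image": r"(?i)[C-Z]:.*\.exe",
                           "hashes": r"(?i)SHA256=" + SHA256_FROM_PAGE}, 1, 0),
    ("100122", {"61612"}, {"sourceImage": r".*\.exe",
                           "targetImage": r"(?i)[C-Z]:\\Windows\\system32\\lsass.exe"}, 1, 0),
    ("100123", {"61614", "61615"}, {"eventType": r"DeleteKey",
                                    "targetObject": r"HKLM\\System\\CurrentControlSet\\Services\\VSS$"}, 1, 0),
    ("100124", {"61613"}, {"image": r"(?i)[C-Z]:.*\\.*.exe",
                           "targetFilename": r"(?i)[C-Z]:.*.sYMY1N6ah.README.txt"}, 2, 100),
    ("100125", {"61650"}, {"image": r".*\.exe",
                           "queryName": r"_ldap\._tcp\.dc\._msdcs\.[A-Za-z0-9\-]+"}, 1, 0),
    ("100126", {"61615"}, {"targetObject": r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\AMSI/Debug\\ChannelAccess",
                           "details": r"O:BAG:SYD:\(A;;0x1;;;SY\)\(A;;0x5;;;BA\)\(A;;0x1;;;LA\)$"}, 1, 0),
]

MALWARE = r"C:\Users\victim\Downloads\invoice.exe"   # constructed path, assumption
SAMPLE_EVENTS = [  # constructed, chronological; "t" is seconds since the first event
    {"t": 0, "sid": "61609", "eventdata": {"image": MALWARE, "hashes": "SHA256=" + SHA256_FROM_PAGE.lower()}},
    {"t": 2, "sid": "61612", "eventdata": {"sourceImage": MALWARE, "targetImage": r"C:\Windows\system32\lsass.exe"}},
    {"t": 3, "sid": "61614", "eventdata": {"eventType": "DeleteKey",
                                            "targetObject": r"HKLM\System\CurrentControlSet\Services\VSS"}},
    {"t": 10, "sid": "61613", "eventdata": {"image": MALWARE, "targetFilename": r"C:\sYMY1N6ah.README.txt"}},
    {"t": 15, "sid": "61613", "eventdata": {"image": MALWARE,
                                             "targetFilename": r"C:\Users\victim\Documents\sYMY1N6ah.README.txt"}},
    {"t": 20, "sid": "61650", "eventdata": {"image": MALWARE, "queryName": "_ldap._tcp.dc._msdcs.corp"}},
    # Benign LSASS access by a system process: 100122 fires anyway, the behaviour the page warns about.
    {"t": 25, "sid": "61612", "eventdata": {"sourceImage": r"C:\Windows\System32\svchost.exe",
                                             "targetImage": r"C:\Windows\system32\lsass.exe"}},
    {"t": 30, "sid": "61615", "eventdata": {"eventType": "SetValue",
        "targetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AMSI/Debug\ChannelAccess",
        "details": "O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)"}},
    # Ordinary registry write: same parent sid as 100123/100126 but no field pattern matches.
    {"t": 31, "sid": "61615", "eventdata": {"eventType": "SetValue",
        "targetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "details": r"C:\Program Files\Updater\updater.exe"}},
]


def conditions_match(rule, event):
    """True when the event comes from one of the rule's parent sids and every <field> pattern matches."""
    _, parents, fields, _, _ = rule
    if event["sid"] not in parents:
        return False
    data = event["eventdata"]
    return all(name in data and re.search(pattern, data[name]) for name, pattern in fields.items())


def evaluate(events):
    """Return (rule_id, event_index) alerts for a chronological list of events."""
    alerts = []
    history = defaultdict(list)   # rule id -> timestamps of matching events, for frequency rules
    for idx, event in enumerate(events):
        for rule in RULES:
            if not conditions_match(rule, event):
                continue
            rule_id, _, _, frequency, timeframe = rule
            if frequency <= 1:
                alerts.append((rule_id, idx))
                continue
            window = [t for t in history[rule_id] if event["t"] - t <= timeframe] + [event["t"]]
            if len(window) >= frequency:
                alerts.append((rule_id, idx))
                window = []   # start a fresh window after alerting (simplification, assumption)
            history[rule_id] = window
    return alerts


def fired_rule_ids(events):
    """Distinct rule IDs raised over the event list, sorted."""
    return sorted({rule_id for rule_id, _ in evaluate(events)})


if __name__ == "__main__":
    for rule_id, idx in evaluate(SAMPLE_EVENTS):
        print(f"rule {rule_id} fired on event {idx}: {SAMPLE_EVENTS[idx]['eventdata']}")
```

Running the block prints one line per alert. The single ransom-note event at index 3 raises nothing on its own; the second note five seconds later completes rule 100124's frequency. The svchost.exe event shows why the post flags 100122 as prone to firing on legitimate activity: the rule constrains only the target image, so any .exe that opens a handle to lsass.exe matches, and tuning the sourceImage pattern to your environment is where a practitioner would start.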
Follow the steps below to view the alerts generated on the Wazuh dashboard when the Brain Cipher ransomware is executed on the Windows endpoint.
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then filter by rule.id.
3. In the Operator field, select is one of.
4. Search and select 100121, 100122, 100123, 100124, 100125, 100126, 100127, and 100128 in the Values field.
5. Click Save.
Detecting and removing ransomware before execution is a proactive approach to defending against this type of malware. It ensures that the malicious executable is removed before it can run on a monitored endpoint. The Wazuh File Integrity Monitoring (FIM) module can scan monitored endpoints at predefined intervals, or in real time, to detect file additions or modifications.
Wazuh integration with threat intelligence and malware analysis platforms like YARA and VirusTotal helps to achieve a proactive defense against malware. These databases are continuously updated with malware signatures. When a malicious file is detected, the Wazuh Active Response module can be configured to remove the identified file before it crystallizes into a bigger risk. By adopting this approach, organizations can detect and remove malicious files early on.
In this section, we illustrate how to detect and remove malicious files by leveraging Wazuh integration with YARA.
We configure the Wazuh FIM module to track file modification or addition in a specific directory. When a change is detected in the monitored directory, the Wazuh Active Response module initiates a YARA scan which detects potentially malicious files based on predefined rules.
Perform the steps below to set up the monitored endpoint for this integration.
1. Install the following prerequisites:
- Python (with pip pre-installed).
Note: Run PowerShell as an administrator.
2. Download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip
3. Extract the downloaded YARA file:
> Expand-Archive v4.5.2-2326-win64.zip
4. Create a yara folder in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
5. To download the YARA rules, use the pip utility to install valhallaAPI. This API retrieves the public signature-based YARA ruleset:
> pip install valhallaAPI
6. Create a file download_yara_rules.py, and paste the below script into it:
from valhallaAPI.valhalla import ValhallaAPI

# The all-ones key is the public demo key used for the free ruleset.
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

# Write the retrieved ruleset to a local file.
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)
7. Run the download_yara_rules.py script file to download YARA rules:
> python download_yara_rules.py
8. Create the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder and copy the rules into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
9. Edit the downloaded YARA rule file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following Brain Cipher ransomware rule:
rule BrainCipher_ransomware {
   meta:
      description = "Brain Cipher ransomware executable detection"
      author = "Aishat Motunrayo Awujola"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2025-01-20"
      hash1 = "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12"
   strings:
      $s1 = "L%nu%s\"^6" fullword ascii
      $s2 = "D$PWSP" fullword ascii /* Goodware String - occurred 1 times */
      $s3 = "2'2b2v2" fullword ascii /* Goodware String - occurred 1 times */
      $s4 = "Loyn?P00" fullword ascii
      $s5 = "4f5l5x5~5" fullword ascii /* Goodware String - occurred 1 times */
      $s6 = "4 444u4" fullword ascii /* Goodware String - occurred 1 times */
      $s7 = "wSYM ,9" fullword ascii
      $s8 = "=V=\\={=" fullword ascii /* Goodware String - occurred 1 times */
      $s9 = "5E6L6S6Z6" fullword ascii /* Goodware String - occurred 1 times */
      $s10 = ";&;P;_;" fullword ascii /* Goodware String - occurred 1 times */
      $s11 = "?0N0]0l0" fullword ascii /* Goodware String - occurred 1 times */
      $s12 = "9D$$ua" fullword ascii /* Goodware String - occurred 2 times */
      $s13 = "4.4=4L4" fullword ascii /* Goodware String - occurred 2 times */
      $s14 = "SQRVW3" fullword ascii
      $s15 = "_^ZY[]" fullword ascii /* Goodware String - occurred 3 times */
      $s16 = "?%U$38O" fullword ascii
      $s17 = "9&9,949" fullword ascii
      $s18 = "303M3W3" fullword ascii
      $s19 = "7+7:7I7H8R8z8" fullword ascii
      $s20 = "+D$H[_]^" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and 8 of them
}
10. Monitor the Downloads folder of all users in real time by adding the below configuration within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:
<directories realtime="yes">C:\Users\*\Downloads</directories>
Note: In this blog post, we only monitored the Downloads folder of all users. However, you can configure other directories you wish to monitor.
11. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the below script into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:
:: This script deletes Brain Cipher ransomware executable as well as other malicious files matched by the YARA Rules
@echo off
setlocal enableDelayedExpansion

:: Pick the agent installation path that matches the OS architecture.
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

:: Read the JSON alert that the Wazuh agent passes on standard input.
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

:: Extract the path of the file that triggered the FIM alert.
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)

set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"

echo %syscheck_file_path% >> %log_file_path%

:: Scan the file; every line YARA prints is a matched rule followed by the file path.
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Deleting the scanned file (REM rather than :: inside a parenthesized block).
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)

exit /b
12. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh
We configure rules, custom decoders, and active response to capture alerts related to the addition and removal of the ransomware sample.
1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules trigger alerts when files are added or modified in the Downloads folder on the monitored endpoint.
<group name="syscheck,">
  <rule id="100211" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>
  <rule id="100212" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>
Where:
- 100211 is triggered when a file is modified in the Downloads folder.
- 100212 is triggered when a file is added to the Downloads folder.
2. Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:
<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100211,100212</rules_id>
</active-response>
The Wazuh Active Response module runs the yara.bat
script when a file is added or modified in the Downloads folder.
Where:
- <name> specifies that yara is the name of the command being called in the active response section.
- <executable> specifies that yara.bat is the executable file to run.
- <command> specifies the command that the active response will use.
- The <active-response> block calls the <command> block when rule ID 100211 or 100212 is triggered.
- <location> specifies where the active response script is executed.
3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:
<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file to generate alerts when response actions are taken:
<!-- Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100213" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <!-- YARA scan detects a positive match -->
  <rule id="100214" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a ransomware. Yara rule: $(yara_rule)</description>
  </rule>

  <!-- Wazuh successfully deletes malware with a positive match -->
  <rule id="100215" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

  <!-- Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100216" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>
Where:
- 100213 is the base rule for detecting YARA related events.
- 100214 is triggered when YARA scans and detects the Brain Cipher executable.
- 100215 is triggered when the executable has been successfully removed by the Wazuh active response module.
- 100216 is triggered when the executable is not removed successfully by Wazuh active response.
5. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
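As an added example that is not part of the original post, the following Python replays constructed active-responses.log lines (in the shape yara.bat writes them) through the decoders and rules above, to confirm what each line decodes to and which rule (100214, 100215 or 100216) fires. The decoder regexes are transcribed from local_decoder.xml; it is assumed that Wazuh's regex and Python's re agree for these simple (\S+) groups. The block also shows one limitation a practitioner should know about: (\S+) stops at the first space, so a scanned file whose path contains a space is decoded with a truncated yara_scanned_file. DECODERS_FULL_PATH is a suggested variant for that case, an assumption of this example and not the post's own decoder.

```python
import re

# Added example, not from the Wazuh post: decoder and rule logic transcribed from the page,
# run over constructed log lines.
PREMATCH = "wazuh-yara:"
ORDER = ("log_type", "yara_rule", "yara_scanned_file")
DECODERS = [
    r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)",
    r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)",
    r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)",
]
# Suggested variant (assumption, not on the page): take the rest of the line as the file path,
# dropping the trailing space that cmd's "echo ... >> file" leaves before the redirection.
DECODERS_FULL_PATH = [p.replace(r"(\S+) (\S+)", r"(\S+) (.+?)\s*$") for p in DECODERS]

RULES = [  # (rule id, <match> string) from the page's local_rules.xml; 100213 is the level-0 parent
    ("100214", "wazuh-yara: INFO - Scan result: "),
    ("100215", "wazuh-yara: INFO - Successfully deleted: "),
    ("100216", "wazuh-yara: INFO - Error removing threat: "),
]


def decode(line, decoders=DECODERS):
    """Parent decoder first (prematch), then the first child regex that matches; None if the parent fails."""
    if PREMATCH not in line:
        return None
    for pattern in decoders:
        m = re.search(pattern, line)
        if m:
            return dict(zip(ORDER, m.groups()))
    return {}   # parent matched but no child extracted fields


def classify(line, decoders=DECODERS):
    """Return (rule_id, decoded fields), or None for lines the yara_decoder does not claim."""
    fields = decode(line, decoders)
    if fields is None:
        return None
    for rule_id, needle in RULES:
        if needle in line:
            return rule_id, fields
    return "100213", fields


def alerts_for(lines, decoders=DECODERS):
    """(rule id, scanned file) for every line that would raise an alert above level 0."""
    out = []
    for line in lines:
        result = classify(line, decoders)
        if result and result[0] != "100213":
            out.append((result[0], result[1].get("yara_scanned_file")))
    return out


# Constructed log lines, trailing space included as cmd's echo writes them; paths are assumptions.
SAMPLE_LOG = [
    r"wazuh-yara: INFO - Scan result: BrainCipher_ransomware C:\Users\victim\Downloads\invoice.exe ",
    r"wazuh-yara: INFO - Successfully deleted: BrainCipher_ransomware C:\Users\victim\Downloads\invoice.exe ",
    r"wazuh-yara: INFO - Error removing threat: BrainCipher_ransomware C:\Users\victim\Downloads\locked.exe ",
    r"wazuh-yara: INFO - Scan result: BrainCipher_ransomware C:\Users\victim\Downloads\my invoice.exe ",
    r"C:\Users\victim\Downloads\invoice.exe ",   # the bare path yara.bat echoes first: no prematch, no alert
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "| full-path variant:", classify(line, DECODERS_FULL_PATH))
```

The fourth sample line is the edge case: with the page's decoders its yara_scanned_file ends at "my", so the 100214 description would name the wrong file, while the full-path variant keeps "my invoice.exe". The bare path that yara.bat logs before scanning never reaches the yara_decoder, which is why no level-0 grouping alert appears for it.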
When the Brain Cipher ransomware executable is added to the Downloads folder of the victim endpoint and removed by the Active Response module, alerts are generated on the Wazuh dashboard.
To view these alerts:
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then filter by rule.id.
3. In the Operator field, select is one of.
4. Search and select rule IDs 100212, 100214, and 100215 in the Values field.
5. Click Save.
Conclusion
In this blog post, we demonstrated how organizations can detect Brain Cipher ransomware activities on monitored Windows endpoints. By integrating Sysmon, we enriched logs from the victim endpoint and created Wazuh detection rules to identify malicious behavior related to Brain Cipher ransomware.
Wazuh is a free open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. If you have any questions about this blog post or Wazuh, we invite you to join our Slack community, where our team is available to assist you.