Brain Cipher claims cyberattack on Olympic venue

Nearly four weeks after the cyberattack on dozens of French national museums during the Olympic Games, the Brain Cipher ransomware group claims responsibility for the incident and says 300 GB of data will be leaked later today.

Le Grand Palais and dozens of other national museums and institutions overseen by Réunion des Musées Nationaux – Grand Palais (RMN-GP) were targeted by cybercriminals over August 3-4.

French newswires reported at the time that the people behind the attack targeted a system used to "centralize financial data" related to the approximately 40 institutions under RMN-GP's watch. 

Brain Cipher's post to its leak blog this week revealed nothing about the nature of the data it allegedly stole, only saying it amounted to 300 GB. The post includes a countdown timer, indicating that RMN-GP's data may be leaked at 20:00 UTC.

The Register contacted the crooks for additional details about their alleged attack, but they did not respond in time for publication.

Since the incident was officially disclosed to the public on August 6, details about the police probe into the incident or the affected institutions' respective recovery efforts have not been forthcoming.

The last time Le Grand Palais, which hosted Olympic events such as fencing and taekwondo, addressed the matter, it said there was no operational impact, suggesting that no systems were encrypted.

It also said there was no evidence to suggest that data had been exfiltrated, but the national cybersecurity and data protection agencies in France, ANSSI and CNIL, were made aware of the incident.

The Register asked RMN-GP for additional information about the claims made by Brain Cipher, but it also did not reply in time for publication.

ANSSI did reply, but didn't offer any information beyond what it shared weeks ago.

Its statement said: "ANSSI, French Cybersecurity Agency, was alerted about the incident and provides assistance to Grand Palais RMN. The incident does not affect information systems involved in the holding of the 2024 Olympic and Paralympic Games."

What is Brain Cipher?

The group allegedly behind the attack only spun up as recently as June. Regular readers may remember the name in connection with the attack on an Indonesian national datacenter a few months ago, which affected more than 200 government institutions.

Cybersecurity researchers believe Brain Cipher developed its ransomware payload based on the LockBit 3.0 builder, which was leaked in 2022. Many fledgling groups have done the same, so there's nothing to suggest the two groups are linked in any way, other than their penchant for digital mischief.

The leaked builder gives baby ransomware gangs a leg up in terms of being able to start attacking organizations with little setup and development time, but comes with a major drawback. Its signatures are widely known, meaning those with robust, regularly updated defenses will likely be able to detect and quarantine an attack before any real nastiness can unfold.

However, SentinelOne and SOCRadar both said in their respective rundowns of Brain Cipher that its payload appears to feature more advanced code obfuscation techniques than the leaked LockBit builder, making analysis of how it works more difficult.

"Brain Cipher is equipped with several persistence and evasion techniques," said SOCRadar. "It hides threads from debuggers and executes in a suspended mode to avoid detection. Additionally, it enables debug and security privileges, potentially allowing it to bypass security measures. The use of code obfuscation further complicates detection and analysis efforts.

"The obfuscation technique used in Brain Cipher involves the instruction sequence push FFFFFF9Ch; retf. This sequence pushes the hexadecimal value FFFFFF9C onto the stack and then performs a far return (retf), which uses the value on the stack to alter the instruction pointer and code segment registers. This method complicates the control flow, making it difficult for analysis tools and researchers to trace the malware's execution path."
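A static check for the stub SOCRadar describes, added here as a defender-side example that is not from SOCRadar, SentinelOne or The Register: it scans a buffer for the x86 encoding of `push imm32 ; retf` (opcode 0x68 followed by a little-endian dword, then 0xCB) and reports each offset and immediate, flagging the specific value quoted above. The sample buffer is constructed and includes a near-miss (`push imm32 ; ret`) that must not match.

```python
"""Locate 'push imm32 ; retf' obfuscation stubs in a byte buffer."""
import struct
from typing import List, Tuple

PUSH_IMM32 = 0x68  # x86 opcode: PUSH imm32 (followed by 4-byte little-endian immediate)
RETF = 0xCB        # x86 opcode: RETF (far return, no operand)
STUB_LEN = 6       # 1 opcode byte + 4 immediate bytes + 1 RETF byte
KNOWN_IMM = 0xFFFFFF9C  # the immediate reported in the SOCRadar write-up above


def find_push_retf(buf: bytes) -> List[Tuple[int, int]]:
    """Return (offset, imm32) for every 'push imm32 ; retf' pair found in buf.

    This is a linear byte scan, not a disassembler, so it can fire on data that
    happens to contain the pattern; results should be confirmed in a disassembler.
    """
    hits = []
    for i in range(len(buf) - STUB_LEN + 1):
        if buf[i] == PUSH_IMM32 and buf[i + STUB_LEN - 1] == RETF:
            imm = struct.unpack_from("<I", buf, i + 1)[0]
            hits.append((i, imm))
    return hits


def count_known_stubs(buf: bytes) -> int:
    """Count only the stubs whose immediate matches the value quoted in the article."""
    return sum(1 for _, imm in find_push_retf(buf) if imm == KNOWN_IMM)


def describe(imm: int) -> str:
    """Render a hit in the same 'push ...h ; retf' notation used in the quote."""
    return f"push 0{imm:08X}h ; retf"


# Constructed sample: two genuine stubs plus one 'push ; ret' (near return) decoy.
SAMPLE = bytes.fromhex(
    "90 90"                # nop ; nop                    (offsets 0-1)
    "68 9C FF FF FF CB"    # push 0FFFFFF9Ch ; retf       (offset 2, a hit)
    "68 00 10 40 00 C3"    # push 00401000h ; ret (near)  (offset 8, not a hit)
    "CC"                   # int3                         (offset 14)
    "68 9C FF FF FF CB"    # push 0FFFFFF9Ch ; retf       (offset 15, a hit)
)

if __name__ == "__main__":
    for off, imm in find_push_retf(SAMPLE):
        flag = "known stub" if imm == KNOWN_IMM else "other immediate"
        print(f"offset {off:#06x}: {describe(imm)}  [{flag}]")
    print(f"known stubs: {count_known_stubs(SAMPLE)}")
```

Run the script against a file's bytes (for example `find_push_retf(open(path, 'rb').read())`) to list candidate offsets for follow-up in a disassembler.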

SentinelOne also noted that the group uses the same email domain (cyberfear[.]com) for communication with victims as fellow newbie groups such as Risen and SenSayQ.

CyberFear markets itself as a "spy-proof" encrypted email service that doesn't use know-your-customer (KYC) checks or require phone verification. It says its servers are located "offshore" of the US and it accepts anonymous payments from more than 50 cryptocurrencies. ®

Source: theregister.com
