BrainCipher is a ransomware threat actor and associated malware operation active by at least 2025 and 2026. It has been linked to attacks against organizations in multiple countries, including the United States, Brazil, Canada, and the United Kingdom, with observed victims spanning healthcare, manufacturing, technology, business services, and other sectors. Reported incidents indicate a financially motivated extortion model centered on data theft and ransomware deployment. BrainCipher has been described as a LockBit 3.0 variant or as activity tied to the broader LockBit ecosystem. Reporting has also associated BrainCipher-linked incidents with a wiper component known as WipeBlack, used to remove traces of the ransomware executable and hinder forensic recovery. This overlap suggests operational or tooling relationships with other LockBit-derived campaigns, although the precise organizational relationship is not fully established. Observed tradecraft includes double extortion, with data exfiltration preceding encryption, and selective targeting of high-value systems such as file servers and core infrastructure. In broader reporting tied to LockBit-related activity, associated operators have used rapid post-compromise escalation, lateral movement, credential and administrative abuse, and deployment patterns consistent with enterprise ransomware intrusions. BrainCipher has also been reported in connection with exploitation of CVE-2023-28252 in 2025. Known victims attributed to BrainCipher include healthcare entities such as Delta County Memorial Hospital and River Region Cardiology, alongside additional organizations in industrial, commercial, and professional services sectors. The actor is best characterized as a ransomware operation within or closely aligned to the LockBit-derived criminal ecosystem rather than a confirmed nation-state group. Known aliases are limited in the available reporting, with BrainCipher itself being the primary name in use.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack against iac-intl.com.
Conducting a ransomware attack against robroy.com / Rob Roy Industries.
Conducting a ransomware attack against Printronix.
Conducting a ransomware attack resulting in a data breach against goldenstateortho.com, a U.S. healthcare organization.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.